What is project risk? Well, "project risk is an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project objective. A risk has a cause and, if it occurs, a consequence. For example, a cause may be requiring a permit or having limited personnel assigned to the project. The risk event is that the permit may take longer than planned, or the personnel may not be adequate for the task. If either of these uncertain events occurs, there will be a consequence on the project cost, schedule, or quality. Risk conditions could include aspects of the project environment that may contribute to project risk such as poor project management practices, or dependency on external participants that cannot be controlled." (Project Management Institute, 2000, p. 127). Bear in mind that not all risk is negative; in some cases risk can create opportunity as well.
It is generally not possible to eliminate all risk in a project. Thus, a project manager needs to identify, analyze, and respond to project risk and determine levels of acceptable risk tolerance. Risk can be either an opportunity or a threat to project objectives. Risk management generally consists of six processes, as defined by the Project Management Institute (2000): risk management planning, risk identification, qualitative risk analysis, quantitative risk analysis, risk response planning (risk mitigation), and risk monitoring and control.
Risk management is something that should happen throughout a project. It is particularly important to assess risk in relation to cost, schedule, and scope baselines both at the start of the project and as the project proceeds. Risk management is basically the overall company strategy for identifying and managing risk.
Risk identification entails determining what risks might affect a project and the characteristics of those risks. Some may be more likely, but less critical. Others may be very critical even if not very likely. It is important to adequately identify risks so the project team is less likely to be taken by surprise. As a part of risk management, the project team should work to identify risks from the start of the project and, if the risk could have a negative effect, then identify what can be done to mitigate or remove that risk. Some projects will be more risk tolerant than others because there is more potential benefit. However, almost all projects have risks that could stop the project but that, if addressed, could be avoided or minimized. For example, an outdoor concert runs the risk of rain the day of the concert.
While there are many methods used to identify risks, this chapter will discuss six: documentation reviews, brainstorming, Delphi technique, nominal group technique, Crawford slip, and affinity diagramming. Some other methods that can be used for risk management include expert interviews, checklists, analogies, or diagramming techniques.
Documentation review is what it sounds like: reviewing all documentation to date on the particular project at hand, as well as reviewing lessons learned from prior similar projects. A part of this documentation review should be looking for gaps, or negative risks that do not yet have an identified mitigation plan. It can also involve looking for gaps that could end up being risk opportunities.
Brainstorming entails working as a group. Typically there are about 10 to 15 participants who may or may not know each other but are stakeholders of some sort even if not necessarily formal members of the project team. A meeting is called where the group works together to make a comprehensive list of all possible risks. The first step is to set the ground rules. The most important ground rule is that there are no wrong answers. The idea is to come up with as many viable and relevant risks as possible.
The next step is to have each participant individually create their own list of risks before discussing with others. After that, the group discusses all of the items found on individual lists and creates a master list. Next the group discusses if there are any further additions to the master list that were sparked by other items. At this point the group can discuss the relative importance of the risks and their likelihood. In total, a brainstorming session is usually less than two hours.
The Delphi technique is similar to brainstorming. However, in this case the participants do not know one another. A questionnaire is created that asks about potential risks. The questionnaire is given to each participant to answer individually. The Delphi technique doesn't necessarily happen face-to-face. It could use a platform like electronic mail or similar. After all of the questionnaire results have been received, they are categorized by the Project Lead. The categorized list is then circulated to the group for comments and additions. The Project Lead then works to determine the relative importance of the risks and their likelihood.
Multivoting (nominal group technique) is discussed in the Process Management Issue Identification section but is also used in risk management.
The Crawford slip is perhaps the fastest method for identifying risks. It usually takes less than half an hour. A group of stakeholders is identified and told they will be asked 10 questions. They are then told that the same answer cannot be used for more than one question. They are generally given about one minute to answer each question. The same question is then repeated 10 times. The question could be something like “What is the primary cause for XX occurring in YY environment”.
Affinity diagramming is discussed in the Process Management Issue Identification section, but it is also actively used in risk management.
Qualitative risk analysis involves assessing the likelihood and impact of identifiable risks using qualitative methods. Qualitative methods emphasize objective measurements and the collecting of data through polls, questionnaires, surveys, or similar. The focus is on narrative from respondents instead of on numbers or numeric values. Qualitative methods generally ask questions like why and how, as they seek to explain and understand. There are four principal types of quantitative research: descriptive, correlational, causal comparative, and experimental.
There are a variety of tools that can be used for qualitative risk analysis. Qualitative assessment could include group discussions, interviews, open-ended surveys, or similar. An opening discussion should be the risk tolerance of the company overall and the risk tolerance given for this particular project. There are also some decision support tools that may prove useful such as considering Porter's five forces.
Image taken from http://www.ifm.eng.cam.ac.uk/dstools/choosing/import.html
Quantitative methods focus on numbers and numeric values. They are concerned with who, what, where, and when. They often involve the measurement of variables and use statistical data analysis. Quantitative methods should be easily replicated. Quantitative risk analysis entails numerically analyzing the probability of each risk and consequence. As with qualitative risk analysis, an opening discussion should be the risk tolerance of the company overall and the risk tolerance given for this particular project.
Risk response planning, also known as risk mitigation in the case of negative risks, involves determining options and actions in the case of risk that improve opportunities and limit threats.
It is important to discuss not just risk tolerance, but also risk probability. Within the risk probability, the team should consider whether it is a conditional probability that depends on some other event occurring or whether it has statistical independence. With statistical independence, the addition rule applies: Probability(A or B) = Probability(A) + Probability(B). In cases where there is not statistical independence, the multiplication rule applies: Probability(A and B) = Probability(A|B) x Probability(B).
In essence, with risk, we can :
Project Management Institute (2000). A Guide to the Project Management Body of Knowledge. Newtown Square, PA: Project Management Institute, Inc.