Editor's Note: In the July article "Project Management 101," a successful project plan was broken down into nine components. This article focuses on No. 8, the risk assessment and response plan. To read the previous article, click here.
People manage risk in a variety of ways—some do so in a highly structured manner, while others take a much more laissez-faire approach.
Some people think that since you cannot know what will happen, don't worry about it; just deal with it when it happens. Unfortunately, those who manage risk this way will most likely be managing the risk of losing their job.
In this context, risk refers to an unforeseen event which causes a deviation from the project plan. Using this definition, risk refers to both positive and negative events. For instance, if the cost of certain materials drops during the course of a project, this is a positive risk event. When negative events take place, it is a negative risk event. It is important that the project manager plan for all possible risk events, both positive and negative, by creating a risk assessment and response plan.
The risk assessment and response plan (RARP) attempts to look at all aspects of the project and asks:
- What could happen?
- What would the effect be on the project?
- What will we do if it does happen?
Identifying Potential Risks
First, develop a list of all the things that could reasonably happen during the project. Obviously, someone could take this to the extreme and list every conceivable event that could affect the project (nuclear war, the world end, etc...). Therefore, when listing items, it is important to consider not only their possibility but also their probability. For instance, I live three hundred miles from the Atlantic Ocean. A tsunami could devastate one of my construction projects, but the likelihood of such an event occurring is unlikely; therefore, the low probability eliminates it from my list of possible risk events.
How you go about listing the possible risk events will vary depending on how your company operates and how large the project team is. One way is to hold a brainstorming session. Gather members of the project team, key stakeholders, subject matter experts and possibly customers into a room and ask them to list possible risk events. You can also do this portion virtually, if necessary. It may take some encouragement to get people to speak up if this is a new way of doing things in your work environment.
Once you have built a list of the risk events, they should be categorized. You can do this in whatever way is helpful for your project.
Determining Probability and Impact
Next, assign a probability of occurrence, as well as what the possible impact will be. For instance, depending on the time of year you are starting the project, inclement weather may be a major obstacle for your project. By looking at past weather trends and weather forecasts, you can come up with a number for how this may affect your project. Let's say that by looking at past weather patterns, you learn that it rains an average of three days per week to such an extent that you will have to stop working on the project, and that this weather will last for one month. Let's also say that the month has thirty total days, eight are non-working days (weekend) and twenty-two are working days, approximately 26 and 74 percent, respectively. Therefore, you will most likely lose nine days of work due to rain.
Now that you have established the risk event (loss of nine working days), determine the likelihood of this event taking place. Sometimes this can be statistically determined, other times it is an educated guess based upon the information you have. For this example, let's say you feel 80 percent confident you will lose the nine days due to rain. Now that you have estimated the probability of this risk event occurring, you need to determine the impact it will have on your project.
You can consider the impact in one of two primary ways: days or dollars. Let's use dollars. Since you are familiar with your project, you believe that the loss of a day will cost you $1,000. Therefore, if this risk event takes place, you stand to lose upwards of $9,000.
You will need to follow the above example for each risk event that you identify as a reasonable priority. Not all events listed during the brainstorming session will be as complex as the examples, whereas others may be much more complex. However, if the risk event is given a high priority, then a likelihood of occurrence and an impact needs to be assigned to the event. You can also expedite this process by creating a likelihood scale, such as the one below:
| Low | Moderate | High | |
| Likelihood | 0-30% | 31-60% | 61-100 |
Using a scale such as this one would allow you to more effectively categorize risk events, as well as provide people with an easier way to remember how serious a risk event is without trying to remember exact percentages. Some people even color code the risk events as a visual cue.
Quantifying the Effects of Risk Events
Once you have assigned a likelihood of occurrence and an impact to each risk event, quantify the effects of the risk events. Doing this is a relatively simple calculation; simply multiply the likelihood of occurrence by the impact. Using the previous example, multiply the 80 percent by the $9,000, which yields $7,200. Therefore, you believe that this risk event could most likely cost your project $7,200. This is a relatively simple technique for determining the impact of a risk event. There are many more complex models available, such as sensitivity analysis, expected monetary value analysis, decision tree analysis, and modeling and simulation techniques such as the Monte Carlo Technique. These models are beyond the scope of this article, but are very beneficial in the right project environment.
Once you have calculated the monetary impact of each risk event, you will have a picture of how important it is for you to attempt to adequately manage the risk of your project. If you fail to develop plans to advert or minimize these risks, you will see how much it could cost you. Creating a RARP is one of the most valuable steps you perform while planning your project.
Now that we have an idea of what risk events could occur, as well as how likely they are to occur and the cost that their impact could have on the project, how do you keep these events from taking place or at least minimize their effects?
Developing Risk Responses
There are three basic methods for dealing with negative risk events: avoid, transfer and mitigate. Avoidance is pretty obvious. Simply sidestep the risk event. This is sometimes not an option, but often it is. Sometimes buyers ask for items that require too much risk on our part, and we simply refuse to do the work due to the fact that it may be unsafe, or we cannot guarantee results. This is the avoidance technique. Some of the risk events you have listed may be able to use this strategy, as the likely impact of the risk event is too great to bear and cannot be transferred or mitigated; this takes us to the next technique: transference.
Transferring a risk is often a very viable solution. It is often used without people even thinking of it in these terms. This technique is used when you transfer risk to a third-party-commonly accomplished through the use of insurance. Insurance policies transfer the risk of loss to a third party in situations stipulated in the insurance policy. Every contractor does this. Another common method of transferring risk is using subcontractors for areas of the project where the principal feels as though he lacks the necessary expertise. This is often done when the necessary work cannot be performed through in-house people, or because the complexity or risk of a certain task is so great, the primary project team wants to transfer that risk to another party.
The third technique for reducing risk is to mitigate the effects of the possible risk event. You can either attempt to mitigate the probability of a risk event occurring, or you can attempt to mitigate the impact the risk event will have when it occurs. Either way, the goal is to come up with some plan that changes the dynamics in such a way to reduce risk. Obviously, this creates the possibility of another risk event, but you should pursue strategies where the new possible risk event is more attractive than the former.
Note: Don't get caught up with the terminology by trying to label risk events in a certain way or worrying about when one strategy seems to blur with another. The important item to remember is that you are trying to reduce the risks that you may encounter throughout your project. If any strategy or tool is unhelpful in that, remove it.
Even while you work to determine how to avoid risk events, you should make a plan in case the event does actually take place. For each of the risk events, develop a specific plan of action to be implemented if it becomes necessary. This ensures that you are as ready as possible to manage the project.
After determining what could go wrong with our project, developing a concrete plan for managing the risk events you have identified is crucial for project success.
Managing Risks While Executing the Project
To guide the project team in managing and controlling risks while the project is being executed, inform project team members of the risks identified. You cannot expect them to act on information they do not have. Have someone act as a risk response manager if the size of the project team allows. Many times this is done by the project manager who will need to enlist the informal help of those around him. The responsible party may assign certain risk monitoring responsibilities to those who will be working in the area of the project where the risk event will most likely be noticed. This person acts as a first-line of defense, seeking to ensure that the proper response strategies are implemented if necessary.
As the project progresses, the RARP must be updated periodically. This ensures that the project team is kept abreast of all developments. This could mean documenting that certain risk events have or have not occurred and are therefore no longer necessary to track, or it may mean reducing their priority or impact as the project develops.
Obviously, projects never go perfectly. As the project progresses, perform risk assessments on an some ongoing basis, and see if new risk events have come on the horizon that need to be analyzed. The life of a project is dynamic, which means that the project plan needs to be dynamic as well.
Each organization approaches managing risk in a different manner. Some companies use a less formal method, which works well for them, while others prefer a more formal structure. I prefer something in-between, a moderately formal plan, which allows for a certain amount of flexibility. If you need help developing risk management procedures for your company, look for the PMP® certification by the Project Management Institute, as it should ensure that you are working with someone who has both the education and experience necessary to help you.
Construction Business Owner, September 2007
