The Project Management Body of Knowledge (“PMBOK”) defines project risk management as the process of conducting risk management planning, identification analysis, response planning, and controlling risk on a project (PMI, 2016). The objectives of project risk management are to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events in a project. Effective risk management strategies allow companies to identify the project’s strengths, weaknesses, opportunities, and threats. By planning for expected or unexpected events, companies can be ready to react appropriately (e.g. mitigate negative risk or capitalize on positive risk) when such events occur during the project lifecycle.
To ensure the success of a project, it is important to define how organizations manage potential risks which may arise during the course of the project and whether companies decide to transfer, accept, or work around the risk. Achieving a project’s goals depends heavily upon risk management being implemented, incorporated, and analyzed throughout the lifecycle of the project.
Risk management plans are critical in the overall project management process as the plans define specifically how a company identifies and analyzes risk to a project. This includes aggregating all risks which could impact a project and assessing the risks for aspects such as probability, impact, ranking, triggers, responses, and owners. Low risk events usually have little or no impact on the cost, schedule or performance of a project; whereas, moderate risks occurring to a project can cause an increase in the project’s cost, disruption of the project’s schedule and/or degradation of the project team’s performance. High risk events are likely to cause a significant increase in the budget of a project, disruption of the project’s schedule or performance problems of one or more individuals who are responsible for the management of a project. One or more high risk events occurring during the project could cause management to pause and/or halt a project altogether. During the planning stage of a project, it is important to include personnel from key departments in risk brainstorming conversations, as certain risks could be missed if proper representation from effected departments are not involved. The individuals included in such brainstorming sessions would be dependent on the project and the organizational setup of the company. Best practices include senior management from IT and the organization most affected by the project serving as projects sponsors (provided the scope of the project warrants involvement from both groups). Proper sponsorship not being involved through the planning phase of the project lifecycle could lead to harmful impacts to the overall health of the project. If management is not behind the purpose and need of the project, it could potentially fail to progress or be implemented at the end (Hopkins, 2006).
An effective project risk management plan should include (Stockl, 2016):
Risks to a project can be identified through a number of methods. Risks can be identified through initial risk assessments, on-going control self-assessments or internal or external audits – all of which are valuable vehicles to identifying risks. These tools can be crucial in monitoring and managing risk that may impact the critical path of the project and its overall success. Utilizing these tools will allow management to make more informed decisions regarding a project and determine the correct level of safeguards and controls which should be put in place.
There are three major types of risks that would need to be considered during planning and analyzed during the entire lifecycle of a project. Many projects hold planning meetings to identify risks during the initial stages of the planning process and these meetings should continue throughout the entire project lifecycle. Known risks should be identified in the initial stages of a project. Examples of known risks include scheduling conflicts, potential weather patterns or seasonality considerations which might affect the project, technology or communication issues. Unknown risks are risks that are identified throughout the project which could not have been considered in conjunction with planning procedures performed. Examples of unknown risks include issues with a certain vendor, quality concerns during testing, key members of the project team quitting unexpectedly, or running out of server space while trying to implement a system.
The third type of risk is a positive risk. A positive risk is a positive outcome of the project which has subsequent effects that need to be managed. Specifically, a positive risk is an unknown risk as a result of a project that brings a positive opportunity for the company. An example of a positive risk of a project would be a company implementing a new web interface to order products from which results in a larger than expected number of people ordering a product and a company’s warehouse to be overloaded with orders. This is an unknown positive outcome of a project that the company would need to manage through the risk management procedures outlines within the plan (Hillson, 2014).
These risk types can be categorized in three “impact” groups, high, moderate or low:
There are five ways to manage risk, in any of the three categories.
These five risk management options will play a role in the way management implements controls and makes critical financial decisions. The way the project team and project sponsors identify how to handle the risk will have a direct effect on the internal controls that are implemented, whether they are detective (detect events after they occur) or preventive (prevent events from happening) controls. Critical financial decisions will also be affected by risk mitigation plan. Should management decide to accept the risk, they will need to identify a more conservative plan in order to make sure they cover any avenues that the accepted risk could affect (Hillson, 2014).
Having a risk management plan in place better assists project team’s abilities to identify and prepare for known and unknown risks. It also helps ensure the right resources are aware and available to help minimize negative risks and promote positive risks/opportunities. Risk management plans lead to overall higher rates of success for projects. Such plans need to be communicated and distributed by the project manager to the project team and any other key stakeholders that may be involved during the term on the project. This helps project managers and project sponsors keep abreast with any known risks. Having the risk management plan in place and available to those key stakeholders will allow the team to identify new risks, their triggers, and how to plan for them. By having a plan to identify, avoid or accept potential risks which a project may encounter as it progresses in its lifecycle, companies can ensure that the project team and other key stakeholders can respond effectively when challenges emerge and require intervention (Bragantini & Ferrante 2014).
By planning and preparing for the known and unknown risks of the project, the success rate of projects undertaken by organizations can improve drastically. Specifically, project teams will be better prepared to tackle obstacles encountered and be well-positioned to meet targeted objectives. Project teams will also be better equipped to identify any new potential threats to a project, as the guidelines and expectations will have been set through the formation of the risk management plan. Having a risk management plan in place will reduce the vulnerability of a project and minimize the impact of negative risks (or maximize the effects of positive risks) to the project team and the organization as a whole.
Some benefits of having a risk management plan are as follows:
Risk management is crucial for the success of any project. This risk assessment allows the project team to identify risks and action plans to reduce the impact of negative risks on a project and the resources assigned to it. Successful risk management improves the success of the project and overall health of the company.