4 Steps to Risk Analysis & Management

How many of you grimace when you see the appointment in your diary for a risk analysis review meeting? Have we forgotten how useful this should really be? Are we also afraid to take risks? Without some risk, we cant push the boundaries out.

Why has this happened and more importantly, what can we do about it. Risk analysis should be equivalent to putting on a bullet proof jacket in combat – it is there for our protection and conducted properly adds real value to our projects. The reason why we should utilise it to remove or reduce the risks which threaten our project success.

So what framework do we have for Risk Analysis and Management?

I am suggesting that we take a 4 Step Process and apply it always and from the very outset (feasibility) of our project. The 4 steps are:

1. Risk Identification

2. Risk Analysis

3. Risk Response Plan

4. Risk Monitoring and Control

So let’s start at the beginning

You have just taken over on a new project and are busy, busy, busy. You believe that the key is to get the scope nailed down, the team built and the funding secured – we will take a look at risks later on – they are not really that important, because this is essentially the same as a project we did last year, but bigger and with more aggressive delivery dates.

That is a lot of assumption – if they are all TRUE, then you are in the clear; if any of them are FALSE, then you are ignoring potentially fatal risks – russian roulette comes to mind.

Apart from that, risk identification is going to influence how (and possibly what) you choose to execute the project and will also possibly influence your calculation of required contingency requirements.

So let’s start with “Risk Identification”.

In order to address this properly we need to define “What” the activity is and “How” we will execute it.

Let’s start with the WHAT
The key objective of this stage is to capture any risk/problems which might occur during the delivery of the project objectives which may impact our chances of success.

The HOW is a little bit more detailed
Here we will need to have some brainstorming sessions with the client and key technical resources so that we can evaluate the type of things that might happen, how likely they are to happen and finally, what the impact of such an event would be.
So let’s take a look at a framework that would allow us to analyze and manage the risks for our project from the outset – let’s call it the Kevlar Jacket Approach.

Step 1 – Risk Identification

As stated above, to aid in identifying the risk, we first need to identify the right people to aid us in this – technical experts, customer, project manager. Once we have identified the right team, we then need to conduct the risk analysis – here we need to use a mix of:

1. One on one meetings

2. Brainstorming meetings

3. Review of previous project risk and issue registers

Risk Identification

During these activities we need to capture key information to allow us to analyze, respond and manage these risk. During the identification step, make sure that you capture the following:

1. Give each risk a unique identifier – a simple number from 1 to n.

2. A risk description which is sufficiently detailed enough for anyone reading the risk register to understand the risk or ask intelligent questions of the person who identified the risk.

3. A risk indicator – i.e. any event which might be an early warning sign of the risk occurring, or may trigger a sequence of events that if not controlled properly would lead to the risk occurring.

4. Categorise the risks into specific buckets – e.g. Safety, technical, commercial etc..

5. Record who identified the risk, on what date

6. Record during what activity was it captured – e.g. brainstorming session, 1 on 1 interview – this will be useful for analysis across projects and will help you continuously improve your risk analysis process.

So that then covers the information you need to capture once you have identified a specific risk. The next step is to analyse it and get a detailed understanding of what its occurrence would mean.

Step 2 – Risk Analysis

Once you have identified a risk you need to analyze it – you need to once again ensure that you have all the right people present to conduct this in a meaningful way.

Risk Analysis

The key activities here are:

1. Get an understanding of the impact to the project/business if the risk did in fact materialise – this will require key input from the customer and the technical experts.

2. Rank this in terms of significance, using a scoring system of 1 to 5, where 0 = none, 1 = low and 5 = very high – make sure that this is discussed in detail and there is a reasoned basis for the score.

3. Gain an understanding of the probability of this event occurring and rank this in terms of probability, using a scoring system of 1 to 5, where 0 = none, 1 = low and 5 = very high – make sure that this is discussed in detail and there is a reasoned basis for the score.

4. Now calculate a Risk Score = Significance x Probability

5. Colour code the risk based on score – define Red, Yellow and Green bands e.g. 0-5 = Green, 6-12 = Yellow, >12 = Red.

Now we have some useful information to go forward with – the next step is to build a plan to either reduce the impact or eliminate the opportunity for it to occur. We are now in the realm of managing our risks and we must build a risk response plan – our next step.

Step 3 – Risk Response Plan

Here we start to look at how we manage the risk we have identified – we have 4 main strategies that we can use, and we are going to call the them 4 T’s.

Risk Response

The 4 T’s

1. Terminate (often referred to as Avoidance)

2. Transfer

3. Treat (oftener referred to as Mitigate)

4. Tolerate

So, let’s look at each of these individually.

Terminate is where specific steps are taken to ensure that the risk is eliminated (avoided) or that the impact it had is prevented.

Transfer is where the risk is passed to another party; the weakness with this is that the risk does not go away, it’s just causes someone else a problem.

Treat is where by taking certain actions immediately, the risks can be reduced.

Tolerate is what it says and the reason we tolerate them is that despite the fact that we cant do much to reduce or eliminate them, the benefits of taking them far outweigh the penalties/cost.

Step 4 – Risk Monitoring and Control

This is the routine part and requires the project manager to be diligent and monitor the status of the risk, the residual score by reassessing the risk at critical junctures and the risk state – is it static increasing or declining. This is a key activity and depending on the trend and significance may require a renewed effort by the project team to ensure that identified risks are dealt with appropriately.

Risk Monitoring

Finally, the housekeeping. Put all of this information in one central location – A risk register. Make sure that all key stakeholders are informed on this and agree with your plan of action.

Would love to hear your comments and am delighted to answer any questions you might have.

Author

William Lacey

Project Delivery Lumus Ltd