Often tagged with a negative connotation, risk is looked upon as a negative entity affecting the course of the project management process. Any experienced project manager would say otherwise. Contrary to the traditional notion, risks are not always bad. There are good risks too. Hence risks are classified as Positive and Negative risks. Just as negative risks represent threats, positive risks represent opportunities for the project. Risk in a project represents unforeseen events which can have a positive or a negative impact. It is the omnipresence of risks in any project which makes risk management an important area of project management. Identifying risks early and managing them effectively can give the project manager an upper hand and prevent delays in project delivery.
There are many definitions of Risk Management; however, it can be summed up as the process of identifying, categorizing, analyzing and responding to risks through the project management cycle in order to assist in rational decision making. Projects often get started on time, but sometime in the future they go off-track. Brakes are applied on a fast-paced project because of an untimely collision with risks. Often, such risks are unexpected in nature and ambush an otherwise unprepared team during the project. It is this nature of risks which makes them all the more dangerous. What makes the situation worse is the reactive attitude of teams in such situations. Teams get into a rapid fire-fighting mode and start making hasty decisions due to time and delivery pressures. Without a sound action plan in place for handling such risks, judgments are made on loose experiences, thus causing an untamable crisis to erupt. Ultimately all unmanaged risks have a financial impact, which is why risk management has assumed an important place in project management.

Risk Management is not all about dashboards, trackers and presentations. It is about sound decision making after meaningful inferences from such artifacts. These decisions will vary depending on the nature of the risk, the probability of the risk, its impact and its resolution. Since the risks cannot be anticipated, it takes a trained eye to widen the vision and identify them. However, over the course of time, one becomes accustomed to the process of identifying and assessing risks of any project due to valuable learning from one’s own experience.
On a generic level, the risk management process is quite straightforward in nature. Organizations may choose to modify/customize the process according to their business-specific processes/needs. Risk management begins by identifying the various kinds of risks which may affect a project. Once identified, these risks are categorized under various heads based on their nature, impact, probability etc. Categorizing risks helps in identifying the common influences, causes, impact and corrective actions regarding that particular risk. Risks are then quantified on a statistical scale to arrive at a specific number indicating the significance of the risk. The response plan is charted out detailing the roles and responsibilities of the team involved. Finally, a control method is necessary to monitor and track risks on a regular basis to prevent any other major impact. Risk management also involves assessing the stakeholders' tolerance levels. The stakeholders in this case include the client, the vendors, third parties, government etc. and finally your company. Different parties may have different risk appetites, so it is important to assess each one's risk appetite and arrive at an overall tolerance indicator. This indicator helps in identifying which risks are acceptable and which are out of bounds.
The entire risk management process is charted below. Please note that this is only indicative in nature and steps can be added/modified/deleted as the situation dictates.
Identify Risks: This is the first phase of risk management and any risks identified here can be mitigated early, thus minimizing the financial and non-financial impacts. As mentioned before, it takes a trained eye to identify risks pre-emptively. Although experience in this regard matters, there are various techniques which can help rookies in identifying risks associated with a project. This phase has to be undertaken with utmost seriousness as it helps the team put an action plan in place for future crises. The team can get into a defensive mode and plan for unintended forthcoming events. The various techniques available to identify risks are:

·Brainstorming: A technique wherein team members put forth their ideas and identify risks based on their personal experiences. For this technique to be successful, all ideas need to be documented without passing judgment on any.
·Drill Down analysis: A technique wherein a particular process is drilled down to its individual components. Such a microscopic analysis helps in simplifying the process and makes it easier to identify risks. Other techniques like Why-Why analysis or Fish Bone Diagram too can be used to serve this purpose.
·SWOT analysis: This helps in identifying the Strengths, Weaknesses, Opportunities and Threats of a particular project. The Threats are the negative risks and the Opportunities are the positive risks. Doing a quick SWOT analysis helps in leveraging strengths, improving on weaknesses, working towards opportunities and warding off threats.
·Failure analysis: This technique involves studying failed projects/assignments and determining the causes of failure. The causes of failure will help in linking risks to the failures.

·Interviews: In this technique, personal interviews are conducted with project managers of varying experience levels to get their inputs on possible risk areas.
This is not a comprehensive list. There are other techniques like Flow charts, experience judgments, Audits, scenario building, Focus groups, Delphi technique which can be used for identifying risks.
Categorize Risks: Risks are broadly categorized into business risks and generic risks. Business risks are risks specific to a particular business area. For example, a pharmaceutical industry may have a different set of risk factors as compared to an oil industry. Such a categorization will help in collective assessment of risks and in identifying common preventive or corrective actions. The second category of risks is generic risk, which is common to all projects irrespective of the industry/business process. Financial risk may be an example of such a generic risk. Each project may have its own structure and differences, but there are some categories which are common to all. The project team should be able to relate to these risks and use them in the assessment process. These generic risks can further be divided into operational risks, which include risks related to delivery, costs, capability, time etc., and stakeholder risks, which involve risks that can be generated by the various parties involved in the project. Other than the above-mentioned categorization, risks can also be classified on the threat levels (High, Medium, and Low). Categorizing risks will help in organizing risks into broader headings, thereby facilitating a macroscopic level risk assessment. Finally, categorization will help in creating a foundation for common awareness, understanding and attention.

Quantify Risks: Once risks are identified and categorized, the team will not have sufficient resources in terms of people/time to handle all the risks. Hence, risk quantification is an effective methodology for prioritizing the risks, aiding the team in developing effective action plans for them. On a very simple scale, the risks can be quantified in terms of their impact and probability. The impact and probability need to be measured separately. Each risk can then be plotted on a 2-dimensional plot of impact v/s probability to obtain a quantitative factor for the risk. A matrix can be used to prioritize the risks as Critical, High, Medium and Low. Any risk which has a high probability and high impact needs to be given high attention because of its widespread effects. Any risk with low probability and low impact is a low risk, and resources for such risks can be rationed for a later point of time in the project.
Once the risk is quantified, a detailed assessment strategy has to be drawn up to determine the root cause of the risk. The critical risks need to be considered on priority and should be broken down into their constituent levels. This helps in simplification of complex risks and makes it easier for the team to develop suitable mitigating strategies. The impact assessment needs to be thorough and should help the team determine the target of the said impact. For instance, a risk could impact the project cost, the project timelines, the soundness of the deliverables, or all three. The information gathered in this format will help the team in gaining valuable insights during project delivery and the necessary inputs will assist the team in designing effective risk controlling techniques.
Risk Response: With all the aforementioned stages completed, now comes the most important part. This stage can determine the success or failure of the project and the efficiency of execution of this stage can sway the balance either way. Based on the initial analysis done by the team, some risks may require close attention while others may need some detailing in action. The strategies for risk response depend upon the stage at which the risk is expected and its subsequent impact. Priority too makes a difference if two or more risks are anticipated at any given point of time during the project. One or more of the below responses can be deployed when a negative risk is foreseen during the project.

·Avoid: This technique involves changing the project course such that the particular risk is never encountered. This technique is usually helpful when the appropriate risks are identified during the initial stages and/or if the risk is too dangerous to be dealt with. Deploying this strategy removes the susceptibility of the project to that risk because the latter no longer exists. Ex: Shifting the project to a different location because of a threat of a natural disaster in the current location.

·Mitigate: This is the most common action plan deployed for risks. Although identified at the earliest stages, there are some risks which cannot be avoided at any cost. In such circumstances, there is no option but to take the risk head on and devise a mitigating plan for the same. Since the plan is put in place before the risk is encountered, minor/negligible impact on the project is expected. The initial mitigation strategy should minimize the chances of the risk occurrence. In spite of minimizing, should the risk continue to haunt the project, a contingency plan needs to be put in place to ward off the risk. In certain cases, the project may be brought to a complete standstill till some risks are fully mitigated. Such exigencies should be considered when the project charter is being drawn up.

·Transfer: This strategy involves altering the project plan so that a third party assumes responsibility for the risk. Ex: Buying insurance cover on a project so that the company doesn't have to take full responsibility during an unforeseen eventuality. This can be deployed only if there is an outside agency ready to assume the responsibility, failing which the team has to fall back on the above two strategies.
Risk Control: Once the response strategies are triggered and the risks are taken care of, the buck doesn’t stop there. It is important to document all the risks and the strategies deployed to handle those. Risks have to be continually monitored to identify any change in the status or the severity of the risk. Control charts, heat assessment templates, project dashboards, risk registers are some of the common tools used by the project team to control risks. Such control methodologies will help in risk profiling, risk reporting and risk governance during project delivery. Risks are not static; hence they need to be tracked on a regular basis to keep abreast of the situation and to make appropriate changes to the project charter, if necessary. Finally, risk control will ensure that the risks are never let out of sight, no matter how unimportant they seem.
After having touched the basics of risk management, we shall look at some of the highlights of a good risk management plan.

·Aid in capturing, tracking and mitigating key program risks throughout the project cycle

·Should have resolute strategies for handling risks

·Aid in proactive decision making

·Provide for an effective communication mechanism for key stakeholders

·Addressing known risks proactively

·Provide for a simple governance framework which will help in risk control mechanism

·Simple to adopt, yet detailed in approach

Risks are pervasive in nature. While some can be avoided, most of them will have to be dealt with. A large project will have more risks as compared to a smaller one; however, all risks have to be identified and planned for. Risk management will allow a project manager to effectively handle and address the risks in a timely fashion. A good risk management plan will help in avoiding untimely surprises and prevent risks from being a showstopper for the project. Finally, a well-defined plan will help in pre-emptive identification and mitigation of risks, saving both time and money.

[The article has been written by Nitin Bhat. He is presently working as Senior Associate Consultant with Infosys.]

