Different projects are exposed to different levels of risk, so the project risk management process must be scaleable to meet the varying degrees of risk challenge. While we can apply a common risk process to any project, that process can be implemented at different levels, from a few simple informal steps to a fully rigorous and integrated process.
A typical risk process should include the following eight steps:
1. Risk Process Initiation: Define the scope, objectives and parameters of the risk process.
2. Risk Identification: Identify all currently knowable risks, including both threats and opportunities.
3. Risk Assessment: Evaluate key characteristics of individual risks, prioritise them for further action, and find any patterns of risk exposure. Optionally use quantitative techniques to evaluate the combined effect of risks on the project outcome.
4. Risk Response Planning: Determine appropriate response strategies and actions for each risk.
5. Risk Response Implementation: Implement agreed actions, determine whether they are working, and identify any secondary risks.
6. Risk Communication: Inform stakeholders about the current risk exposure and its implications for project success
7. Risk Review: Review changes in risk exposure, identify additional actions as required, identify new risks, and assess the effectiveness of the project risk process
8. Lessons-Learned Review: Identify risk-related lessons to be learned for future projects
How can we scale this process to fit the risk challenge of a particular project? Scaleable elements include:
- Risk responsibilities. In the simplest case the project manager may undertake all the elements of the risk process as part of their overall responsibility for managing the project, without using a risk specialist such as a Risk Champion or Risk Coordinator. At the other extreme a complex risky project may require input from people with particular risk skills, and a dedicated risk team may be employed, either from within the organisation or from outside.
- Methodology and processes. A low-risk project may be able to incorporate the risk process within the overall project management process, without the need for specific risk management activities. A more risky project may need to use a defined risk process, perhaps following a recognised risk methodology.
- Tools and techniques. The simplest risk process might involve a team brainstorm as part of another project meeting, recording risks in a spreadsheet, and monitoring actions through the regular project review meetings. The most risky projects may require a wide range of techniques for risk identification, assessment and control, to ensure that all aspects of risk exposure are captured and dealt with appropriately.
- Supporting infrastructure. The lowest-risk projects may require no dedicated risk infrastructure, whereas high-risk projects demand robust support from integrated toolkits with high levels of functionality. It is important to get the level of infrastructure right as too much support can strangle the risk process and too little support can leave it unable to function.
- Reporting requirement. For some projects the risk reporting can be incorporated into routine project reports, whereas others may demand a variety of specific risk reports targeted to the needs of different stakeholders, providing each group of stakeholders with risk information that matches their interest in the project.
- Review and update frequency. It may be sufficient on low-risk or short duration projects to update the risk assessment only once or twice during the life of the project. Other projects which are more risky or of longer duration may need a regular risk update cycle, say monthly or quarterly, depending on the project’s complexity and rate of change.
Decisions on each of these scaleable aspects should be documented in the project’s Risk Management Plan, as part of the Risk Process Initiation step. Projects are not equally risky, and the risk process must be scaleable to match the level of risk challenge faced by each project.[© Copyright October 2012, David Hillson/Risk Doctor & Partners]