Risk Management: A structured approach

Risk is the effect of uncertainty on the objectives or expected outcome of a project or enterprise. Risk management covers identifying risks, assessing their likelihood and impact, prioritising them, and planning how to treat them. It is not a one-time activity but continues throughout the life cycle of a project or venture, as a four-step process:

•             Identification

•             Assessment

•             Treatment

•             Review


Identification is the continuous search for events that could delay or prevent completion of a task and so threaten the project goals. Examine the sources from which risks can originate, both internal and external to the project. Dependencies (within the system and on external agencies) and historical data from similar projects point to the areas worth considering; for a software system, the assets, entry points and trust boundaries listed in a threat model are the natural starting point. Begin by writing down anything that could go wrong, however obvious or trivial: capturing the obvious uncertainties starts the ball rolling and leads on to the less obvious ones. Risk identification is iterative, and new risks are identified as the project progresses.


Risk assessment determines a qualitative or quantitative value for each risk: the probability that it occurs and the magnitude of its impact if it does. Assessment is a prerequisite to prioritisation.

Qualitative Risk Analysis – Qualitative analysis ranks risks in order of significance. The main technique is the Risk Matrix, drawn as a 3×3 or a 5×5 grid depending on the granularity of tracking, with Impact on the X-axis and probability of occurrence on the Y-axis. The top right corner is the Red Zone: critical risks needing immediate attention. The bottom left is the Green Zone: minor risks that can be accepted and simply monitored. The diagonal band between them is the Amber Zone: non-critical risks that nevertheless require mitigation.

Quantitative Risk Analysis – Quantitative analysis puts numbers on the consequences of risks, estimating the likelihood and the impact (financial and non-financial) of a risk event. Techniques include Sensitivity Analysis, Failure Mode and Effects Analysis (FMEA), scenario-based prediction of fatalities, Decision Trees, Expert Judgement, Expected Monetary Value analysis (probability multiplied by monetary impact, used to compare the cost of a control against the loss it prevents) and Simulation.

In qualitative analysis we rate the impact of each risk on a pre-defined scale, then its probability of occurrence on another pre-defined scale, and combine the two into an overall risk score. The most common combination is the product of likelihood and impact, but a weighting or normalisation factor can be applied, for instance to make impact count for more than likelihood. The scores are then sorted to give the priority order. Both impact and likelihood must be reassessed periodically, since they change as the project and its environment change.
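The matrix scoring just described, as an added Python example (illustrative code, not from the original article): the product rule, a weighted variant that favours impact, the mapping of scores onto the three zones, and the prioritised ordering. The 1..5 scales, the zone thresholds, the impact-first tie-break and the sample risks are all assumptions made for the example.

```python
# Added example: scoring risks on a 5x5 qualitative risk matrix and prioritising them.
# Not from the original article. Assumptions: both scores are integers on a 1..5 scale,
# scores combine by the product rule, and the zone thresholds (green <= 4, amber 5..9,
# red >= 10) are an illustrative choice.
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = very low ... 5 = very high


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # probability of occurrence, 1..5
    impact: int      # magnitude of consequence, 1..5


def raw_score(likelihood: int, impact: int) -> int:
    """Product rule: the common way to combine the two qualitative scores (1..25)."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def weighted_score(likelihood: int, impact: int, impact_weight: float = 1.5) -> float:
    """Weighted variant: impact is raised to impact_weight so a rare, severe risk ranks
    above a frequent, trivial one with the same product; normalised back onto 1..25."""
    raw_score(likelihood, impact)  # reuse the range check
    max_score = 5 * 5 ** impact_weight
    return round(25 * likelihood * impact ** impact_weight / max_score, 2)


def zone(score: float) -> str:
    """Map a score onto the three matrix zones (thresholds are an assumption)."""
    if score >= 10:
        return "red"     # critical: needs immediate attention
    if score >= 5:
        return "amber"   # non-critical, but requires mitigation
    return "green"       # minor: accept and monitor


def prioritise(risks):
    """Sort by product score, highest first; ties are broken by impact so that a
    rare but severe event outranks a frequent nuisance with the same product."""
    return sorted(risks, key=lambda r: (raw_score(r.likelihood, r.impact), r.impact), reverse=True)


def render_matrix(risks):
    """Text rendering of the matrix: rows are likelihood (5 at top), columns are impact.
    Empty cells show the first letter of their zone; a cell with a risk shows its name."""
    cells = {(r.likelihood, r.impact): r.name[:6] for r in risks}  # last risk wins per cell
    lines = ["L\\I  " + "".join(f"{i:^8}" for i in SCALE)]
    for l in reversed(SCALE):
        row = "".join(f"{cells.get((l, i), zone(l * i)[0]):^8}" for i in SCALE)
        lines.append(f"{l:<5}" + row)
    return "\n".join(lines)


# Constructed sample data for a software project (not from the article).
SAMPLE = [
    Risk("vendor library abandoned", likelihood=2, impact=4),
    Risk("prod secrets in CI logs", likelihood=3, impact=5),
    Risk("flaky integration tests", likelihood=5, impact=1),
    Risk("key engineer leaves", likelihood=2, impact=3),
    Risk("cloud region outage", likelihood=1, impact=5),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE):
        s = raw_score(r.likelihood, r.impact)
        print(f"{s:>3} {zone(s):<6} {weighted_score(r.likelihood, r.impact):>6} {r.name}")
    print(render_matrix(SAMPLE))
```

Note how the two 5-point risks separate under the weighted rule: "cloud region outage" (1×5) keeps a weighted score of 5.0 while "flaky integration tests" (5×1) drops to 2.24, which is the behaviour a security reviewer usually wants from a normalisation factor.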


There are basically four ways to deal with each risk:

•             Accept – Where both impact and likelihood are low, or the cost of mitigation exceeds the loss it would prevent, we may have no action plan: we accept the risk and monitor it. Acceptance should be a recorded decision with a named owner, not a default that a risk falls into because nobody acted on it.

•             Transfer – The risk is transferred to another entity, for example by outsourcing an activity to an external agency. Transfer moves the financial impact; accountability for the outcome usually stays with the project, so the transferred risk still needs monitoring.

•             Mitigate – Risk mitigation is a plan to reduce the probability of occurrence, the impact, or both. Commonly adopted approaches:

o             Go slow on activities associated with the risk.

o             Spread the risk across multiple alternatives.

o             Reduce the risk through management control.

o             Insure against the risk (often classed as a form of transfer).

o             Adopt improved technology.

•             Avoid – Risk avoidance means changing part of the scope or the approach so that the risk no longer arises at all.

In security terms a risk needs all three factors to be present: a threat, a vulnerability the threat can exploit, and an impact if it does. Reducing any one of them reduces the risk. Mitigation usually works on the vulnerability (patching, hardening) or on the impact (least privilege, segmentation, backups), because the threat itself is rarely under our control.


Risks must be monitored to confirm that the action plans for mitigation and acceptance are actually carried out, to catch changes in impact or likelihood, to check whether existing risks are still relevant and to pick up new ones. It is a continuous process that requires constant review and updating. The central artefact is the Risk register, which records each risk, its owner, its score, the treatment chosen and the ongoing action plan for its remedy and mitigation. A register is not static; kept current, it is a strong project management tool.
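The four treatments and the register described above, as an added Python example (illustrative code, not from the original article): each entry records its inherent and residual score, the treatment decision and when it was last reviewed; an Expected Monetary Value check decides whether a mitigation is worth its cost; and a review pass flags entries that are stale or whose residual score is still above the risk appetite. The 1..5 product scoring, the 30-day review interval, the appetite threshold of 10, the sample entries and the helper names are all assumptions made for the example.

```python
# Added example: a minimal risk register with treatment decisions and a review pass.
# Not from the original article. Assumptions: 1..5 x 1..5 product scoring, a 30-day
# review interval, residual >= 10 counts as above appetite, and the EMV rule is used
# to decide whether a control is worth buying.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=30)   # assumption
RISK_APPETITE = 10                     # assumption: residual >= 10 is not acceptable
TREATMENTS = ("accept", "transfer", "mitigate", "avoid")


def day(iso: str) -> date:
    """Small helper so sample dates read as ISO strings."""
    return date.fromisoformat(iso)


@dataclass
class Entry:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    owner: str
    treatment: Optional[str] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    last_reviewed: Optional[date] = None
    log: list = field(default_factory=list)  # dated history of decisions

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Score after treatment; equals the inherent score until one is recorded."""
        if self.treatment == "avoid":
            return 0
        l = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        i = self.impact if self.residual_impact is None else self.residual_impact
        return l * i


def mitigation_worth_it(probability: float, loss: float,
                        residual_probability: float, control_cost: float) -> bool:
    """Expected Monetary Value rule: mitigate only if the expected loss the control
    removes exceeds what the control costs; otherwise accepting is the rational choice."""
    return (probability - residual_probability) * loss > control_cost


def treat(entry: Entry, treatment: str, on: date, *,
          residual_likelihood: Optional[int] = None,
          residual_impact: Optional[int] = None, note: str = "") -> Entry:
    """Record a treatment decision. Mitigate/transfer must actually lower a factor,
    accept keeps the inherent score, avoid drives the residual to zero."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment in ("mitigate", "transfer"):
        rl = entry.likelihood if residual_likelihood is None else residual_likelihood
        ri = entry.impact if residual_impact is None else residual_impact
        if rl * ri >= entry.inherent:
            raise ValueError("mitigate/transfer must reduce likelihood or impact")
        entry.residual_likelihood, entry.residual_impact = rl, ri
    elif treatment == "accept":
        entry.residual_likelihood, entry.residual_impact = entry.likelihood, entry.impact
    entry.treatment = treatment
    entry.last_reviewed = on
    entry.log.append((on, treatment, note))
    return entry


def review(register: list, today: date):
    """One review pass. Returns (stale, over_appetite): ids never reviewed or not
    reviewed within REVIEW_INTERVAL, and ids whose residual is still at or above
    appetite (an accepted red risk is a decision to revisit, not one to forget)."""
    stale = [e.risk_id for e in register
             if e.last_reviewed is None or today - e.last_reviewed > REVIEW_INTERVAL]
    over = [e.risk_id for e in register if e.residual >= RISK_APPETITE]
    return stale, over


def build_sample_register() -> list:
    """Constructed sample entries (not from the article)."""
    reg = [
        Entry("R1", "prod secrets written to CI logs", 3, 5, "platform"),
        Entry("R2", "cloud region outage", 1, 5, "sre"),
        Entry("R3", "flaky integration tests", 5, 1, "qa"),
        Entry("R4", "unmaintained crypto dependency", 3, 4, "appsec"),
        Entry("R5", "legacy service speaks plaintext internally", 4, 3, "platform"),
    ]
    d = day("2024-01-10")
    treat(reg[0], "mitigate", d, residual_likelihood=1, note="mask secrets in logs, rotate keys")
    treat(reg[1], "transfer", d, residual_impact=3, note="multi-region failover under provider SLA")
    treat(reg[2], "accept", d, note="cost of fixing exceeds expected loss")
    treat(reg[4], "accept", d, note="accepted pending re-platforming")
    # R4 is deliberately left untreated and unreviewed.
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    stale, over = review(reg, day("2024-01-31"))
    print("due for review:", stale)
    print("above appetite:", over)
```

Run against the sample, the review pass reports R4 (never looked at) as stale and both R4 and R5 as above appetite: R5 was accepted with a residual of 12, which is exactly the kind of acceptance the register exists to keep visible until it is revisited.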

The main considerations for risk management are:

•             Risk management affects all aspects of a project and is a major determinant of its success.

•             Risk management is a continuous and iterative process.

•             Risk management must be accorded a very high priority.

•             Each identified risk must be assessed, given a treatment plan (accept, transfer, mitigate or avoid) and tracked to closure.

