Risk Management: A structured approach

Risk is an effect of uncertainty on the objectives or perceived outcome of a project or enterprise. Risk management pertains to the identification of risks, assessing their impact, prioritisation of such risks and a plan to mitigate the same. Managing risks is not a one-time activity, but continues throughout the life cycle of a project or venture. It comprises a four-step process:

• Identification

• Assessment

• Treatment

• Review

Identification

This involves continuous identification of events that could potentially delay or prevent the completion of any task, thereby impacting the ability to achieve project goals. Here we need to examine the various sources from where risks can originate, which could be internal or external to a project. Dependencies on factors (both within the system and external agencies) and historical data from similar projects provide an insight into areas for consideration of risk. One could start by considering anything that could go wrong, even if it is quite obvious or trivial. Capturing these obvious uncertainties will start the ball rolling and will lead further. Risk identification is an iterative process. New risks get identified as the project keeps on progressing.

Assessment

Risk assessment is the determination of the qualitative or quantitative value of a risk. It includes an evaluation of the probability of occurrence of a risk and the magnitude of impact in case of occurrence. Assessment is a prerequisite to prioritisation.

Qualitative Risk Analysis – Risk analysis starts by prioritising risks in order of significance. A major technique for qualitative analysis is the Risk Matrix, which can be drawn as a 3×3 or a 5×5 matrix, the size being based upon the granularity of tracking. Here, the X-axis denotes impact and the Y-axis denotes probability of occurrence. The top right-hand corner depicts the Red Zone, or critical risks, needing immediate attention. The bottom left is the Green Zone, or minor risks, indicating risks which can be ignored. The middle diagonal portion represents the Amber Zone: non-critical risks, but ones which require mitigation.

Quantitative Risk Analysis – Quantitative analysis includes techniques to quantify the consequence of such risks. It employs tools to estimate the likelihood and impact (financial as well as non-financial) of the occurrence of a risk-related event. These could include Sensitivity Analysis, Failure Mode Effects Analysis (FMEA), scenario-based prediction of fatalities, Decision Tree, Expert Judgment, Expected Monetary Value analysis and Simulation.

Using qualitative risk analysis, we estimate the impact of the risk on a pre-defined scale. Next, we estimate the probability of the occurrence of this risk, again on a pre-defined scale. These scores are combined to give an overall risk ranking. There is a variety of practices to combine the scores, a popular one being the product of occurrence and impact. However, one could assign a weightage or include a normalisation factor to compute such scores. After calculation of risk scores, these are sorted and prioritised. The impact and likelihood of the risks need to be periodically reassessed.
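The scoring and zoning described above, worked through on a 5×5 matrix as an added example (not code from the article). The amber band width, the use of an exponent on impact as the weightage, and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE = 5   # 5x5 matrix; the article also mentions 3x3
BAND = 1    # assumed half-width of the amber diagonal, in cells

@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # Y-axis, 1 (rare) .. SCALE (almost certain)
    impact: int       # X-axis, 1 (negligible) .. SCALE (severe)

    def __post_init__(self):
        for field in ("probability", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= SCALE:
                raise ValueError(f"{field}={value} outside 1..{SCALE}")

def score(risk, impact_weight=1.0, normalise=False):
    """Probability x impact; impact_weight > 1 emphasises impact (assumed scheme)."""
    raw = risk.probability * risk.impact ** impact_weight
    return raw / (SCALE * SCALE ** impact_weight) if normalise else raw

def zone(risk):
    """Place the cell relative to the top-left to bottom-right diagonal."""
    offset = risk.probability + risk.impact - (SCALE + 1)
    if offset > BAND:
        return "red"      # towards the top right: critical
    if offset < -BAND:
        return "green"    # towards the bottom left: minor
    return "amber"        # on or next to the diagonal: mitigate

def prioritise(risks, **kwargs):
    """Return (name, score, zone) tuples, highest score first."""
    rows = [(r.name, score(r, **kwargs), zone(r)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register, not taken from the article.
REGISTER = [
    Risk("Requirements change late", probability=3, impact=3),
    Risk("Tooling licence lapses", probability=1, impact=2),
    Risk("Key vendor misses delivery", probability=4, impact=5),
    Risk("Data-centre outage", probability=1, impact=5),
]

if __name__ == "__main__":
    for name, value, colour in prioritise(REGISTER):
        print(f"{value:5.1f}  {colour:5}  {name}")
```

The low-probability, high-impact outage scores only 5 on the plain product yet still lands in the amber band, which is why the zone is reported alongside the score rather than derived from it.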

Treatment

There are basically four ways to deal with each risk:

• Accept – We may not have an action plan for a risk where both the impact and occurrence are low, or the cost of mitigation is too high. In such a case, we just accept the risk and monitor it.

• Transfer – The risk is transferred to another entity. An example could be outsourcing certain activities to an external agency.

• Mitigate – Risk mitigation focuses on a plan for reducing the probability of occurrence and impact of a risk. The following approaches are commonly adopted for mitigation:

  o Go slow on activities associated with risk.

  o Spread the risk across multiple alternatives.

  o Reduce risk through management control.

  o Insure against risk.

  o Adopt improved technology.

• Avoid – Risk avoidance pertains to partly altering the scope of items or changing the approach so that the risk gets bypassed.

Reducing any one of the three factors (threats, vulnerabilities, impact) results in a significant reduction in risk.

Review

The risks need to be monitored to ensure that action plans for mitigation and acceptance are followed, to track changes in the impact or likelihood of occurrence, and to ascertain the relevance of existing risks and the introduction of new risks. It is a continuous and ongoing process, requiring constant review and updating. An integral component of the risk management process is the Risk register, which is used to record the risks and provide ongoing action plans for their remedy and mitigation. Risk registers are not static and are designed to be a strong project management tool.

The main considerations for risk management are:

• Risk management affects all aspects of a project and determines the success of the project.

• Risk management is a continuous and iterative process.

• Risk management demands to be accorded a very high priority.

• Each identified risk has to be assessed, a mitigation plan created thereon and tracked to closure.

Author has 30 years of industry experience in global delivery management
