Link to Project Risk Management PrinciplesLink to Elements of Project Risk ManagementLink to When to use Project Risk ManagementLink to Planning a Risk AssessmentLink to Low Risk Project ManagementLink to Home Page      


The Elements of Project Risk Management

{If you need any information on the subject which is not answered by these pages please Email us.)

In Project Risk Management Principles we have seen an overview of the principles involved. This article takes a deeper view of the elements of both Risk Assessment and Risk Control, and proposes some whimsical considerations which we believe are worthy of serious thought.

The Elements of Risk Assessment

We have shown these elements as three separate branches of the same tree. This is correct, but it is important to remember that the process is in fact an iterative one, and the Risk Assessment is only completed when the Assessors and Project Manager are satisfied that any undetected risks are now insignificant.

Identify Uncertainties (and Constraints)

Explore the entire project plans and look for areas of uncertainty or constraints. It is not possible to stress too often that "The project will be late." is not a risk, it is an impact. We need to crawl over the plans to search for things which could make the project late. The risk could be expressed as "We have underestimated the likely duration of task xxx."





Some examples of areas of uncertainty are

Failure to understand who the project is for
Failure to appoint an executive user responsible for sponsoring the project
Failure to appoint a fully qualified and supported project manager
Failure to define the objectives of the project
Failure to secure commitments from people who are needed to assist with the project
Failure to estimate costs accurately
Failure to specify very precisely the end users' requirements
Failure to provide a good working environment for the project
Failure to tie in all the people involved in the project with contracts or Documents of Understanding

Analyse Risks

The chart plots Probability of occurrence of a risk, which is another way of saying how uncertain the success of the task would be, against the Impact. By Impact we mean the severity of the effect on either the budget, the timeliness of project completion, or the ability of the project to meet the users' requirements. Whether the severity of Impact or the Probability is high or low is a matter for the judgement of the Risk Assessor and the Project Manager - even with rational method involved we are still talking of an art!

We have classified the four sectors of the graph, perhaps whimsically, as:

High Probability, High Impact. These are dangerous animals and must be neutralised as soon as possible.
Low Probability, High Impact. These are dangerous animals which can be avoided with care. However, we all remember the old joke that it is difficult to remember when one is up to the arse in alligators that the original objective was to drain the swamp.
High Probability, Low Impact. We all know that delightful pup will grow into an animal which can do damage, but a little training will ensure that not too much trouble ensures.
Low Probability, Low Impact. The largest cat is rarely the source of trouble, but on the other hand a lot of effort can be wasted on training it!

List each of your identified Risks, decide on the probability occurrence of each, and define the expected impact on schedule, budget, and ability to meet the users' requirements.

Prioritise Risks

By now you have really done this. Tigers have to be neutralised i.e. the risks must be mitigated early on. Alligators have to be watched, and there must be an action plan in place to stop them from interfering with the project. Puppies similarly have to be watched, but less stringently and with less urgent containment plans. Kittens can be ignored at the peril of the project manager.

The Elements of Risk Control

Mitigate Risks.

You would do this for all those risks categorised above as Tigers. We can mitigate risks by reducing either the probability or the impact. Remember that we identified the risk by seeking uncertainty in the project. The probability can be reduced by action up front to ensure that a particular risk is reduced. An example is to employ a team to run some testing on a particular data base or data structure to ensure that it will work when the remainder of the project is put together around it. The technique of building a pilot phase of the project is an example of risk mitigation. Unfortunately it often fails, because the team works closely with the pilot user group, and then thinks that all the problems are solved for the roll out. This is rarely the case.

Plan for Emergencies.

By performing the risk assessment, we know the most likely areas of the project which will go wrong. So the project risk plan should include, against each identified risk, an emergency plan to recover from the risk. As a minimum, this plan will name the person accountable for recovery from the risk, the nature of the risk and the action to be taken to resolve it, and the method by which the risk can be spotted. A risk which has been mitigated may still be a significant and dangerous risk - it is rare for a tiger to be converted to a kitten by action before the event. These will require emergency plans as well as alligators and puppies. Kittens can probably be allowed to play at will, provided we are satisfied they really are kittens!

Measure and Control.

The owner of each risk should be responsible to the project manager to monitor his risk, and to take appropriate action to prevent it from going on, or to take recovery action if the problem does occur.

Nothing can be controlled which cannot be measured. In a project there are three things which can always be measured - the schedule, the cost, and the users satisfaction. For some more detailed thoughts on this topic see Elements of Project Success. If, when you get to this point, you realise that you cannot measure a particular risk, then back you go into Risk Assessment!

icon7.wmf (5304 bytes)Project Risk Management Index

icon7.wmf (5304 bytes)Project Risk Management Principles

icon7.wmf (5304 bytes)When to use Project Risk Management

icon7.wmf (5304 bytes)Planning a Project Risk Assessment

icon7.wmf (5304 bytes)The Four Phases of a Project

Robert Tusler

To discuss the contents of this article, or for advice or information about project risk management, write to us by clicking here.

Robert Tusler is a member of the Alliance of Business Consultants


This Page was created using WebEdit, 14 August 1996
Most recent revision 04 July 1998


Copyright details:

Copyright 1996 Robert Tusler

You may read these pages on-line, and download them to read later, for your own personal use.
This copyright notice must appear on every page that you print from here.
You must not redistribute these pages or any part of them in any form or medium without first obtaining my consent.
You are welcome to set up links to this website from others - just mail me to tell me if you're doing this please.