6.3. Risk Identification and Evaluation
Managing risks on projects is a process that includes risk assessment and a mitigation strategy for those risks. Risk assessment includes both the identification of potential risks and the evaluation of the possible impact of the risk. A risk mitigation plan is designed to eliminate or minimize the impact of the risk events—occurrences that hurt the project. Identifying risk is both a creative and a disciplined process. The creative process includes brainstorming sessions where the team is asked to list everything that could go wrong. All ideas are welcome at this stage, and the evaluation of the ideas will come later.
Risk Identification
A more disciplined process involves using checklists of potential risks and evaluating the likelihood that those events might happen to the project. Some companies and industries develop risk checklists based on experience from past projects. These checklists can be helpful to the project manager and project team in identifying specific risks on the checklist and expanding the team’s thinking. The past experience of the project team, project experience within the company, and experts in the industry can be valuable resources for identifying potential risks on a project.
Identifying the sources of risk by category is another method for exploring potential risks in a project. Some examples of categories for potential risks include the following:
- Technical
- Cost
- Schedule
- Client
- Contractual
- Weather
- Financial
- Political
- Environmental
- People
You can use the same framework as the work breakdown structure (WBS) to develop a risk breakdown structure (RBS). A risk breakdown structure organizes the risks that have been identified into categories using a table with increasing levels of detail to the right. The people category can be subdivided into different types of risks associated with the people. Examples of people risks include not finding people with the skills needed to execute the project or the sudden unavailability of key people.
Example: Risks in John’s Move
In John’s move, John makes a list of things that might go wrong with his project and uses his work breakdown structure as a guide. A partial list for the planning portion of the RBS is shown in Table 9.1. The result is a clearer understanding of where risks are most concentrated. This approach helps the project team identify known risks but can be restrictive and less creative in identifying unknown risks and risks not easily found inside the WBS.
| Level 1 | Level 2 | Level 3 |
|---|---|---|
| Plan Move | Contact Dion and Carlita | Dion backs out |
| Carlita backs out | ||
| No common date available | ||
| Host Planning Lunch | Restaurant full or closed | |
| Wrong choice of ethnics food | ||
| Dion or Carlita have special food allergies preferences | ||
| Develop and Distribute Schedule | Printer out of toner | |
| Out of paper |
Risk Evaluation
After identifying the potential risks, the project team evaluates each risk based on the probability that a risk event will occur and its possible loss. Not all risks are equal. Some risk events are more likely to happen than others, and the cost of a risk can vary greatly. Evaluating the risk for the probability of occurrence and the severity or the potential loss to the project is the next step in the risk management process.
Having criteria to determine high-impact risks can help narrow the focus on a few critical risks that require mitigation. For example, suppose high-impact risks could increase the project costs by 5% of the conceptual budget or 2% of the detailed budget. Only a few potential risk events meet these criteria. These are the critical potential risk events that the project management team should focus on when developing a project risk mitigation or management plan. Risk evaluation is about developing an understanding of which potential risks have the greatest possibility of occurring and can have the greatest negative impact on the project (Figure 6.1). These become the critical few.
There is a positive correlation—both increase or decrease together—between project risk and project complexity. A project with new and emerging technology will have a high complexity rating and a correspondingly high risk. The project management team will assign the appropriate resources to the technology managers to ensure the accomplishment of project goals. The more complex the technology, the more resources the technology manager typically needs to meet project goals, and each of those resources could face unexpected problems.
Risk evaluation often occurs in a workshop setting. Building on identifying the risks, each risk event is analyzed to determine the likelihood of occurrence and the potential cost if it did occur. The likelihood and impact are rated high, medium, or low. A risk mitigation plan addresses the items with high ratings on both likelihood and impact.
Engineers are trained to use risk management tools like the risk matrix shown in Figure 6.2, in which the probability of the risk is multiplied by the severity of consequences if the risk does indeed materialize.
This and other risk management tools can be useful because they provide an objective framework for evaluating the seriousness of risks to your project. However, any risk assessment tool can do more harm than good if it lulls you into a false sense of security, so you make the mistake of believing you have foreseen every possible risk that might befall your project. You don’t want to make the mistake of believing that the tools available for managing risk can ever be as precise as the tools we use for managing budgets and schedules, even as limited as those tools are.
Perhaps the most important risk management tool is your ability to learn about the project. The more you know about a project, the better you will be at foreseeing the many ways the project could go awry and what the consequences will be if they do, and the better you will be at responding to unexpected challenges.
Example: Risk Analysis of Equipment Delivery
A project team analyzed the risk of some vital equipment not arriving on time for the project. The team identified three pieces of equipment that were critical to the project and would significantly increase costs if they were late in arriving. One of the vendors, who was selected to deliver an important piece of equipment, had a history of being late on other projects. The vendor was good and often took on more work than it could deliver on time. This risk event (the identified equipment arriving late) was rated as high likelihood of a high impact. The other two pieces of equipment had a high impact on the project but with a low probability of occurring.
Not all project managers conduct a formal risk assessment on a project. One reason, as found by David Parker and Alison Mobey in their phenomenological study of project managers, was a low understanding of the tools and benefits of a structured analysis of project risks (Parker & Mobey, 2004). The lack of formal risk management tools was also seen as a barrier to implementing a risk management program. Additionally, the project manager’s personality and management style play into risk preparation levels. Some project managers are more proactive and develop elaborate risk management programs for their projects. Other managers are reactive and are more confident in their ability to handle unexpected events when they occur. Yet others are risk averse and prefer to be optimistic and not consider risks or avoid taking risks whenever possible.
On projects with a low-complexity profile, the project manager may informally track items considered risk items. On more complex projects, the project management team may develop a list of items perceived to be higher risk and track them during project reviews. On projects of even greater complexity, the process for evaluating risk is more formal with a risk assessment meeting or series of meetings during the project’s life to assess risks at different phases. On highly complex projects, an outside expert may be included in the risk assessment process, and the risk assessment plan may take a more prominent place in the project implementation plan.
Generally, for complex projects, statistical models are sometimes used to evaluate risk because there are too many different possible combinations of risks to calculate them one at a time. One example of the statistical model used on projects is the Monte Carlo simulation, which simulates a possible range of outcomes by trying many different combinations of risks based on their likelihood. The output from a Monte Carlo simulation provides the project team with the probability of an event occurring within a range and for combinations of events. For example, the typical output from a Monte Carlo simulation may indicate a 10% chance that one of the three important pieces of equipment will be late and that the weather will also be unusually bad after the equipment arrives.
“9.2. Risk Management and Project Success” and “9.3. Risk Management Process” from Essentials of Project Management by Adam Farag is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted. Modifications: both sections were combined and risk mitigation was removed.
