The Risk Management Process: 4 Essential Steps


Risks are inevitable in the world of project management and can pose significant problems to project objectives. Being able to perceive these risks in advance and devise a strategy to deal with them is what ensures a project’s success.

In this article, we explore the four steps of the Risk Management Process, including how to identify and assess potential project-related risks and opportunities, as well as how to respond to them efficiently. Let’s uncover how this strategic process can lead to a more resilient project management.


The Risk Management Process is a clearly defined method of understanding what risks and opportunities are present, how they could affect a project or organization, and how to respond to them. Formalizing this process within your organization along with communicating the tools and methods used will strengthen your Project Risk Management overall, paving the way for much greater project success.

The 4 essential steps of the Risk Management Process are:

  1. Identify the risk.
  2. Assess the risk.
  3. Treat the risk.
  4. Monitor and Report on the risk.

Four Steps of the Risk Management Process

Step 1: Risk Identification

The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project:

  • Project milestones
  • Financial trajectory of the project
  • Project scope

These events can be listed in the risk matrix and later captured in the risk register.

A risk (or opportunity) is characterized by its description, causes and consequences, qualitative assessment, quantitative assessment, and mitigation plan. It can also be characterized by who is responsible for acting on it. Each of these characteristics is necessary for a risk (or opportunity) to be valid.

To be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and specific as possible. The title of the risk or opportunity must be succinct, self-explanatory, and clearly defined. 

All members of the project can and should identify R&O, and once they’ve been identified, their content is the responsibility of the Risk Owners. Risk Managers are responsible for ensuring that a formal process for identifying risks and developing response plans is conducted through exchanges with Risk Owners.

Below are examples of tools to help identify R&O:

  • Analysis of existing documentation
  • Interviews with experts
  • Conducting brainstorming meetings
  • Using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality Analysis (FMECA), Cause Trees, etc.
  • Considering the lessons learned from R&Os encountered in previous projects 
  • Using pre-established checklists or questionnaires covering the different areas of the project (Risk Breakdown Structure or RBS)

Step 2: Risk Assessment

There are two types of risk and opportunity assessments: qualitative and quantitative. A qualitative assessment analyzes the level of criticality based on the event’s probability and impact. A quantitative assessment analyzes the financial impact or benefit of the event. Both are necessary for a comprehensive evaluation of risks and opportunities.

Qualitative Assessment

The Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity by occurrence probability and impact severity, according to the project’s criticality scales.

Evaluating Probability of Occurrence (P):

This is usually on a scale of 1 to 99% and is determined based on experience, the progress of the project, or by speaking to a risk expert.

For example, suppose the risk “the inability of supplier X to conduct studies on a modification Y by the end of 2025” is assessed as 50% probable. This could be determined from feedback and analysis of the supplier’s workload.

Evaluating Impact Severity (I):

To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at the project level. A scale is used to classify the different impacts and their severities. This ensures that the assessment of each risk or opportunity is standardized and reliable.

The criticality level of a risk or opportunity is obtained by the equation: Criticality = P x I

The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the response on critical items first. Keep in mind, the assessment of each risk’s probability or impact severity is what makes this “qualitative”; however, assigning a numerical value to this evaluation allows us to objectively prioritize them.

Quantitative Assessment

In most projects, the objective of the quantitative assessment is to establish a financial evaluation of a risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the Risk Manager (with support of those responsible for estimates and figures), or the management controller, depending on the company’s organizational set-up. These amounts represent a potential additional cost (or a potential profit if we are talking about an opportunity) that was not anticipated in the project budget.

For this, it is therefore necessary to evaluate any additional costs incurred by the risk (or undesired event). Then, the cost of the risk’s consequences is calculated by adding these values.

Evaluating any potential costs incurred means to financially review:

  • Hours of internal engineering 
  • Hours of subcontracting
  • Additional work to do
  • Amendments and/or claims made to contracts
  • Etc.

This step allows us to estimate the need for additional budget for risks and opportunities of the project.

Step 3: Risk Treatment

In order to treat risks, an organization must first identify their strategies for doing so by developing a treatment plan. The objective of the risk treatment plan is to reduce the probability of the risk occurring (preventive action) and/or to reduce the impact of the risk (mitigation action).

For an opportunity, the objective of the treatment plan is to increase the likelihood of the opportunity occurring and/or to increase its benefits. Depending on the nature of the risk or opportunity, a response strategy is defined for the project. The following 7 strategies are possible:

The 7 Risk Response Strategies

  • Accept: Do not initiate any action but continue to monitor.
  • Mitigate/Enhance: Reduce (for a risk) or increase (for an opportunity) the probability of occurrence and/or the severity of impact.
  • Transfer/Share: Transfer responsibility of a risk to a third party who would bear the consequences of the problem (share the benefits of a realized opportunity).
  • Avoid/Exploit: Eliminate the risk entirely / take advantage of the opportunity. 

Monitoring the progress of the treatment plan is the responsibility of the Risk Owner. They must report regularly to the Risk Manager, who must keep the Risk Register up to date.

Note: The cost of a risk mitigation plan must be integrated into the budget of the project.

When defining a treatment plan:

  • Each action begins with an action verb and has a clear purpose.
  • Each action has an actionee (who is responsible) and a deadline.
  • Actions that could generate costs must be tracked and considered in the project.
  • For example: to reduce the risk of your car breaking down, a treatment plan could be to have it checked annually by a repair shop.

When does risk become an issue?


It is possible that, despite the actions put in place to mitigate or prevent it, a risk’s probability could increase and reach 100%. Once the event is confirmed (or certain), we no longer refer to it as a risk but as an issue. The Risk Manager must then inform the various project stakeholders, who will relay that a risk has become an issue and transfer it to the issues log.
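The assessment rules from Step 2 and the risk-to-issue rule above, worked as a small risk register in Python. This is an added example, not code from the article or from MIGSO-PCUBED: it computes Criticality = P x I for each entry, ranks open risks and opportunities by criticality, sums each entry's cost components for the quantitative assessment, totals the additional budget the open risks would need, and moves any entry whose probability has reached 100% to the issues log. The 1 to 5 impact scale, the register entries and every figure in them are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Entry:
    """One line of the risk register: a risk or an opportunity."""
    title: str
    probability: int                   # percent; 1-99 while it is a risk, 100 once it is certain
    impact: int                        # severity on the project scale (assumed 1-5 in this example)
    owner: str                         # Risk Owner accountable for the content and treatment plan
    costs: Dict[str, float] = field(default_factory=dict)  # quantitative components (hours, claims...)
    opportunity: bool = False          # True when the entry is a benefit rather than a cost

    def __post_init__(self) -> None:
        if not 1 <= self.probability <= 100:
            raise ValueError(f"{self.title}: probability must be 1-100%, got {self.probability}")
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.title}: impact must be on the 1-5 scale, got {self.impact}")

    @property
    def criticality(self) -> int:
        # Qualitative assessment from the article: Criticality = P x I (P as a percentage)
        return self.probability * self.impact

    @property
    def cost(self) -> float:
        # Quantitative assessment: the consequence cost is the sum of its components
        return sum(self.costs.values())

    @property
    def is_issue(self) -> bool:
        # A risk whose probability has reached 100% is certain: it is an issue, not a risk
        return self.probability >= 100 and not self.opportunity


def split_register(register: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Return (open entries, issues log): certain events leave the risk register."""
    open_entries = [e for e in register if not e.is_issue]
    issues = [e for e in register if e.is_issue]
    return open_entries, issues


def prioritize(register: List[Entry]) -> List[Tuple[str, int]]:
    """Open risks and opportunities ranked by criticality, most critical first."""
    open_entries, _ = split_register(register)
    ranked = sorted(open_entries, key=lambda e: e.criticality, reverse=True)
    return [(e.title, e.criticality) for e in ranked]


def additional_budget(register: List[Entry]) -> float:
    """Total unanticipated cost of the open risks (opportunities and issues excluded)."""
    open_entries, _ = split_register(register)
    return sum(e.cost for e in open_entries if not e.opportunity)


# Constructed sample register; names, probabilities, impacts and amounts are illustrative only.
REGISTER: List[Entry] = [
    Entry("Supplier X cannot complete studies on modification Y by end of 2025",
          probability=50, impact=4, owner="supply lead",
          costs={"internal_engineering_hours": 12000.0, "subcontracting_hours": 8000.0}),
    Entry("Test bench delivery slips past integration start",
          probability=100, impact=3, owner="integration lead",
          costs={"additional_work": 5000.0}),
    Entry("Key integration engineer leaves before acceptance",
          probability=20, impact=5, owner="engineering manager",
          costs={"subcontracting_hours": 30000.0}),
    Entry("Reuse of an already qualified component shortens qualification",
          probability=40, impact=2, owner="design lead",
          costs={"internal_engineering_hours_saved": 4000.0}, opportunity=True),
]

if __name__ == "__main__":
    for title, crit in prioritize(REGISTER):
        print(f"{crit:5d}  {title}")
    print("additional budget needed:", additional_budget(REGISTER))
    print("issues log:", [e.title for e in split_register(REGISTER)[1]])
```

Issues are left out of the budget total because, as the article says, a certain event is transferred to the issues log and handled there; whether its cost is then booked against the project is a budgeting decision outside the register.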

Step 4: Risk Monitoring and Reporting

Risks and opportunities and their treatment plans need to be monitored and reported on. The frequency of this will depend on the risk’s criticality. Developing a monitoring and reporting structure will ensure there are appropriate forums for escalation and that appropriate risk responses are being actioned.

Recall that the Risk and Opportunity Management Plan, or ROMP, is one of the five essential elements of Project Risk Management. It should include not only the project stakeholders and steering members, but also the governance cadence for monitoring and reporting on risks and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction with the Project Manager.

In Summary

Understanding the complex nature of risk management is a significant step towards enhancing your project outcomes. By understanding each step of the risk management process, you will have a comprehensive toolkit to identify, assess, and respond to possible risks and opportunities. The next goal is to formalize this process across your organization and ensure it is followed consistently.

This not only gives you more control over your project’s direction, but it also encourages growth and development within your organization. Remember, every member of your team has a role to play in identifying risks and opportunities. So, embrace the process, learn from previous experiences, and advance towards a future filled with potential.

Thank you for the contributions of Marie BELGODERE, Jérémie CLAUSTRE, Capucine COMTE, Alioune DIALLO, Emmanuel LATGE, Jessy MIGNOT, Ingrid NGOBAY, Pierre PETILLON, Louann SUGDEN, Chris WAMAL, and the MIGSO-PCUBED Risk Management Community of Practice.
