Project Risk Management: a cultural approach

(By Paolo Cecchini, PMP, PMI-RMP, PMO Leader, Project Management Specialist, Risk Manager)
24/11/2015

Business Continuity & Crisis Management

“Find your project’s risks before they find you”

Introduction

Waking up and preparing your coffee this morning, you took a risk. Going to work by car, by bike or on foot, you took a risk. If you decided to put your money in a bank account or to invest it in stocks, you took a risk. If you decided to spend your weekend gambling, you took a risk. Risk is always present in every activity, especially when a decision is required. Embracing the correct risk management strategy is definitely useful in everyday life, but it becomes fundamental in project management where, to guarantee project success, it is necessary to move from reactive risk management to proactive, predictive risk management.

History

Risk as such has been well known since ancient times, but its structured management started only after the big changes in numbering systems, the understanding of the statistical principles behind probability and the increase in popularity of gambling and betting. It was only during the Renaissance that a “scientific” treatment of statistical concepts applied to gambling started to appear. Although the Arabic numbering system, featuring the digits used worldwide nowadays, was introduced in Europe between 1000 and 1200 A.D., making possible calculations beyond simple sums and subtractions, we had to wait for the Renaissance for the digits 0-9 to completely replace Roman numerals. In fact the first probabilistic study on gambling (cards, dice, betting) dates back to the Renaissance and comes from Girolamo Cardano, an Italian mathematician, philosopher and doctor. A well-structured analysis of risk management started after the Second World War, evolving towards the current structure after 1955 and improving from 1970 up to now in both financial and operational environments.

A risk management culture

The foundation of effective risk management is the existence, at all levels of the organization, of the related culture. The message spread by this culture is that risk management is part of everyday life for all the members of the organization. In other words, the goal of the risk culture is to create a well-defined environment where both managers and professionals are always looking for risks and related responses, so that previous experience can be used for effective decision making. Several obstacles work against the creation of a risk culture, first of all risk management costs. Among them:

  • very short timeframes;
  • lack of confidence in risk management processes;
  • fear of negative interpretation of risk identification process.

Almost always the common root cause of the issues listed above is the lack of understanding, by top level management, of the benefits that an effective risk management policy could bring to the company. This is also the reason why

  • it is difficult to get adequately sized resources for risk management;
  • when resource availability is limited, risk management activities are (almost always) the first to be canceled.

It is therefore vital for the project manager or the risk manager to create a project environment where all the main stakeholders are completely aware of the importance and effectiveness of proper risk management. There are several actions that can be implemented to reach this goal. Among them:

  • get consensus and support from top level management;
  • enroll an expert risk management professional;
  • provide specific risk management education;
  • put in place a well performing risk management communication policy;
  • use the right risk management tools;
  • create a risk management knowledge base and use it for future projects.

Risk definition and description

From the project point of view the most common definition of risk is the one adopted by the Project Management Institute:

“Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, or quality”

It is important to underline the fact, almost always ignored at least in our Mediterranean culture, that with the word “risk” we can refer to positive (opportunities) or negative (threats) events. It is therefore important, during the risk identification phase, to identify both threats and opportunities and to handle them in the proper way.

In a well structured risk management process, every identified risk is defined using a risk metalanguage including at least the following:

  • cause
  • event
  • effect

Besides the risk definition expressed in the metalanguage, the two most important parameters to define a risk (positive or negative) are the probability of the event and its impact on one or more project objectives. As we’ll see later on when talking about quantitative risk analysis, it is common practice to assign a symbolic value to the risk by multiplying its probability by its impact.

Risk Management process

Effective risk management must be supported by a rigorous and well-defined process. The main goal of risk management is to minimize the probability and impact of threats and to maximize the probability and impact of opportunities. The Project Management Institute defines for project risk management a structure composed of six separate processes:

  • Plan Risk Management
  • Identify Risks
  • Perform Qualitative Risk Analysis
  • Perform Quantitative Risk Analysis
  • Plan Risk Responses
  • Control Risks

As a general guideline, every process is characterized by a well-defined list of input data (Inputs), a set of tools and techniques to process the input data and a well-defined list of output data (Outputs). The Outputs are the results of the process and can in turn be Inputs to other risk management processes. The entire set of risk management processes is repeated during the whole project life cycle, as performing the activities that deliver project outcomes can generate new risks. Project risk originates from the uncertainty naturally included in all projects; two risk macro categories can be defined:

  • known risks: the ones that have been previously identified, analyzed and provided with response actions in order to mitigate their probability and impact (or to enhance them in the case of opportunities);
  • unknown risks: the ones that can’t be identified (unpredictable) and therefore can’t be proactively managed; you can only react if and when they occur.

It is also worthwhile to define a few concepts that enhance risk definition and characterization inside organizations and among stakeholders:

  • risk attitude: the level of risk that organizations or stakeholders are willing to accept and how they approach it;
  • risk appetite: degree of uncertainty an entity is willing to take on in anticipation of a reward (PMBoK 5th Edition);
  • risk tolerance: the degree, amount or volume of risk that an organization or individual will withstand (PMBoK 5th Edition);
  • risk threshold: measures along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold the organization will accept the risk, above that risk threshold the organization will not tolerate the risk (PMBoK 5th Edition).

As already said, the effectiveness of the risk management process is guaranteed only if the entire organization shows complete acknowledgment and acceptance of this activity.

Plan Risk Management

This process defines how risk management activities will be performed; it also ensures that the resources involved in risk management are well balanced with the relevance of the project for the organization. A well-defined and detailed planning of risk management activities will result in a huge increase of success probability. At the end of the process a Risk Management Plan document will be released.

Identify Risks

This process drives the identification of risks that could have an impact on one or more project objectives, describing all of their characteristics. The tasks included in this process are meant to let the project team know in advance the events that could affect project objectives, making proactive management possible. The result of the process is the first draft of the risk register, a document containing all relevant information on the identified risks that will be progressively updated with results from subsequent risk management processes.

Perform Qualitative Risk Analysis

This process, by means of qualitative analysis of the probability and impact of all identified risks, provides a prioritized list of them with the aim of reducing the project uncertainty level and focusing the team on high priority risks. Using qualitative analysis techniques mainly based on high level estimation of probability and impact (not numerical evaluation, but definitions like high-medium-low), the process provides as output an update of the risk register with new relevant information.

Perform Quantitative Risk Analysis

This process, by means of numerical and statistical techniques, allows the in-depth evaluation of the overall project risk. Moreover it provides an important evaluation tool for decision makers. The tools and techniques used for this kind of analysis are quite complex and therefore expensive; that’s the reason why, even if the results obtained allow predicting the future of the project (in terms of profitability) with a very high confidence factor, they are used only for high priority risks.

Plan Risk Responses

This process, using results from the previous analyses, defines and plans a set of risk response actions aimed at decreasing the probability and/or impact of negative risks (threats) and increasing the probability and/or impact of positive risks (opportunities). It is very important to clarify that, despite the name “response actions”, these actions are not performed when the risk happens, but before the risk can happen, in order to modify risk probability and/or impact for the benefit of the project. Risk responses are defined according to the different risk response strategies:

  • negative risks (threats):
    • Avoid: avoidance is simply avoiding the risk; it can be accomplished in many different ways and generally happens early in the project, when any change will result in fewer impacts;
    • Transfer: transference is a response strategy where the risk and its ownership are transferred to a third party; the risk doesn’t disappear (it is just moved). Transference nearly always involves payment of a risk premium to the third party in charge of handling the risk;
    • Mitigate: mitigation is a strategy aimed at reducing the probability and/or impact of an identified risk; mitigation is done before the risk happens, and the cost and time for mitigation have to be lower than the cost and time involved in repairing the damage caused by the risk. The risk may still happen but hopefully the impact will be very low;
    • Accept: acceptance is a strategy that simply accepts the risk because no other action is feasible; passive acceptance requires no action, and the project team deals with the risks as they happen. Active acceptance involves developing a contingency plan should the risk occur.
  • positive risks (opportunities):
    • Exploit: this strategy may be selected for opportunities where the organization wishes to ensure that the opportunity is realized; it tries to eliminate the uncertainty associated with the opportunity, ensuring it will happen;
    • Enhance: this strategy is used to increase the probability and/or positive impacts of an opportunity; it tries to identify and maximize key drivers of these impacts as this may increase the probability for the opportunity to happen;
    • Share: this strategy involves allocating some ownership of the opportunity to a third party best able to pursue the opportunity itself;
    • Accept: this strategy accepts the opportunity in order to gain advantage from it but without actively pursuing it.

Control Risks

This process takes care of implementing the previously defined response plans, tracking and monitoring identified risks, monitoring residual and secondary risks, identifying new risks and evaluating risk management efficiency. This process also ensures that the risk management process is performed iteratively during the entire project life cycle.

Project Risk Management in Ericsson

Project management culture is so strongly embedded in our company that we have defined our own project management methodology (hugely based on Project Management Institute guidelines), which is globally adopted. As a consequence, project risk management has a very high relevance in our business process, also due to the fact that all our solutions are delivered as projects and therefore their success is fundamental for company health. Inside our project management methodology the risk management process has a very high priority, so high that specific actions have been put in place to optimize and enhance it. Actions span from dedicated training to audits of the existing process, verification of existing tools and analysis of the adoption of new tools. Great emphasis is put on introducing the risk management process from the very early stages of offer negotiation with the customer, with the aim of increasing risk identification effectiveness and enhancing response plan development in order to get better project results, with benefits for both the customer and the provider.

Conclusions

What has been described above just scratches the surface of a complex and fascinating discipline, highly relevant for any kind of task. For the sake of brevity I haven’t analyzed, for instance, stakeholder communication issues, which have very high priority when dealing with risks and are quite complex. I hope this short introduction triggered your interest in this discipline and conveyed the message that we have access to more sophisticated tools to increase predictability than the crystal ball.

Publication date
December 22 2015