Wednesday, July 11, 2007

Risk Management Process


The Risk Management process can be viewed as answering the following key questions:


1. What can possibly go wrong (Risk Identification)?
The first step towards effective Risk Management is identifying all the possible risks. Note that the number of risks in no way indicates the success or failure of the project, so this process needs to be unbiased and non-judgmental. One of the key challenges in this phase is the need for a structured and repeatable approach to Risk Identification that ensures all aspects of the project are probed.

Some of the common tools employed for Risk Identification are:
• Checklists and guidelines
• Risk Repository / re-use of historic data
• Brainstorming and Experience (within and outside the team)
• Taxonomy Based Questionnaire (TBQ) by SEI

The deliverable of this phase is an exhaustive list of Risks.

2. Which risks do I take care of (Risk Analysis)?

The 80-20 rule applies here too. It is important to have a prioritized risk list to work on. One of the approaches used in our organization is Risk Exposure, which is computed as: Risk Exposure = Risk Probability * Risk Impact.

Here Risk Probability is the likelihood of the risk materializing (expressed in %), mainly derived from historic data, and Risk Impact is a number between 0 and 10. Quantitative and qualitative guidelines are available to arrive at the risk impact. All risks that have high probability (>=70%) and/or high impact (>=7) are considered for Risk Planning.

The deliverable of this phase is a prioritized Risk List.

Note: there are various ways to assess and quantify the probability and impact.

3. What do I do with these prioritized risks (Risk Planning)?

Some of the common strategies for Risk Planning are:
• Risk Transfer - causing another party to accept the risk, typically by contract, insurance or by hedging.
• Risk Avoidance - includes not performing an activity that could carry risk.
• Risk Reduction (i.e. Risk Mitigation) - involves methods that reduce the severity of the loss should the risk occur.
• Risk Acceptance (i.e. Risk Retention) - involves accepting the loss when it occurs. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained.
It may not be possible to use all the strategies all the time. Once the strategies have been determined, they should be documented in a risk management plan (RMP) or as part of the project plan. Decisions taken need to have a rationale (and/or data points) to support them.

The deliverable of this phase is a Risk Management Plan.

4. Am I doing what I planned to do (Risk Tracking)? Things are going as planned (or not), what do I do (Risk Control)?

Once the plan is made and implemented, it is essential to continuously monitor the status of the various risks and the action items implemented as part of the RMP. Metrics need to be defined to enable objective tracking. Tracking can be event-driven (e.g. completion of a milestone) or frequency-based (e.g. every week-end). If any deviations are observed in the risk status or the implemented plan, we need to take appropriate actions. Similar to the PDCA cycle, we need to trigger the Risk Management cycle again.

1 comment:

Unknown said...

Risk management refers to a principled approach and process to the tasks of identifying and assessing risks, and then planning and implementing risk responses.