“Ladies and gentlemen, please observe the following safety recommendations.”
We have all heard those words when we are on board an airplane—in fact, many of us could probably recite from memory the cabin instructions from the flight attendant prior to take-off. But beyond that repetitive message, have you ever thought about what is behind those instructions? One thing is clear: despite all technological advances and the statistics suggesting that it is safe to fly, flying still puts us in a vulnerable situation. In following the cabin instructions, we are part of a practical risk management exercise that will increase our chances of arriving safe and sound at our destination.

Risks constitute part of our daily life just as they constitute part of the life of projects. According to the definition of the Project Management Institute, project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more of the project’s management objectives, such as the project scope, schedule, cost, or quality. But how can we manage uncertain events? The process is always the same: first, identify the risk; second, measure the probability that the risk will occur and its impact; third, respond; and finally, monitor the risks and responses.

“Please be careful when opening and removing objects from the overhead compartments, as items might fall and injure other passengers.”

There are many things that can go wrong during a flight, ranging from a routine delay to turbulence that causes us to spill our coffee to a mechanical failure that puts our lives in danger. Some risks can be easily identified. To know if there is a risk of delays or bad weather, you just have to look at the airline’s web page. On the other hand, certain risks, such as possible mechanical failure, are difficult for a regular passenger to identify. To determine these risks one has to turn to other techniques, such as consulting with experts on the topic. Obviously, in real life it is difficult to consult with an airline’s mechanics.
Fortunately for projects, however, we have an easier alternative to obtain the opinions of all the actors involved. It simply involves carrying out a participatory exercise or, as it is known in risk management terms, a risk workshop.

“In the event of decompression, put on your own mask first before assisting others.”

When we complete the risk identification exercise, we will have a list of numerous events that could affect our flight…or our project. In a context of limited resources, we cannot address all of those risks, so it is essential to find a way to prioritize them. To do that we use two variables: the probability that a risk will occur, and the impact it would have on our objectives. By combining these two variables, we can define the level of each risk. For example, if we are traveling on vacation during the peak season, when airports are more frequently overcrowded, there is a high probability that the airline will lose one of our bags. The impact of this loss can be significant. Consequently, this is a high risk that should be prioritized over lesser risks.

Determining the precise level of the risk depends on the historical information available. If we have traveled many times with the same airline and it has never lost our bags, we could adjust the probability level downward and, consequently, adjust the risk level downward as well. If we have not traveled with this airline, we could—and should—obtain information from social networks or even review statistics to correctly estimate the probability and impact of the loss of the bags. In risk management, information is power. The more information we have, the more precise will be our estimate of the risk level and the more efficient will be the allocation of our resources.

“Safety regulations prohibit the use of large electronic devices during take-off and landing.”

Once we have evaluated our risks, it is normal to begin to think about what actions to take. This is what we call a Response Plan.
Normally when we talk about responding to risks we immediately think of mitigating them—that is, how to reduce the impact of the risk and/or the probability that the risk will materialize. Although this is a viable alternative, there are other strategies. When we travel, there is a certain possibility that our checked bags will get lost, but in addition to mitigating this risk by attaching personal identification tags to our bags, we can transfer this risk by purchasing insurance to cover against loss of the bags. Another management strategy is to avoid the risk by traveling only with carry-on bags. Or, finally, we can accept the risk and live with the consequences.

“The captain has turned on the fasten your seat belt sign, please return to your seat.”

We have come to the moment of truth: it is time to implement the responses that we have planned. At this stage, the WHEN is just as important as the WHAT, or more so. Immediately implementing all the responses is not always the most efficient option. For example, when we board the airplane we are aware that there could be turbulence at any moment during the flight. However, very few of us keep our seatbelts fastened during the entire flight. We only fasten them at certain moments when there is a higher risk of turbulence. Those moments are not random, but rather are triggered by certain events. The pilot monitors a series of atmospheric variables, and only when they surpass a given threshold (trigger) does he or she tell us that there is a greater risk of turbulence in the minutes ahead and that we need to fasten our seatbelts.

“At this time you may use computers and other large electronic devices.”

Our work does not end with implementation of the response. It can happen that, after having purchased our ticket and planned our trip, new information comes up that prompts us to review the original analysis and plan.
It is essential to continually monitor our trip—or project—in order to identify new risks, adjust the level of the risks already identified, and redefine the responses. The pilots of the airline on which we are going to fly could announce that they are on strike. This new information would certainly change our plans. Automatically, new risks would appear and the levels of other risks would change. The risk of cancellation of the flight, which we had perhaps considered nonexistent under normal conditions, now could be very real. The level of other risks, such as a flight delay, could increase. Of course, if our risks change, our responses change as well. If the risk of a delay increases, we might need to take more aggressive steps in response, such as buying insurance (transfer) or changing the dates of our flight (avoid), instead of more moderate responses such as buying a flexible ticket that allows for changes (mitigate) or simply accepting the possibility of a delay (accept).

In conclusion, a risk management methodology helps us make better decisions in uncertain situations. By understanding these steps in detail, we increase the probability of achieving our objectives, both in everyday life and in the projects that we lead.

If you would like to learn more about project risk management, we invite you to sign up for the online course that will begin at the end of March.

From apppm

Developed by Jonas Heiberg Larsen

Abstract

Projects are part of a dynamic and fast-changing world. Therefore there is a degree of uncertainty and unpredictability in projects. In order to minimize uncertainties and unforeseeable events related to a project, risks are identified and managed throughout the project lifecycle. A risk is an uncertain event that can have a negative effect on one or more objectives in a project such as time, cost, performance or scope [1] [2].
This Wiki-article will describe the Risk Management Process, the risk matrix, Rumsfeld's Unknown-Knowns, and inherent and residual risks. Finally, the limitations and advantages of risk management will be discussed and a brief overview of other relevant reading material is given. Please note that this article only covers the risk (threat) management of a project and does not look into opportunities management (risks with a positive effect).

In order to control and manage risks, the Risk Management Process (RMP) is used. RMP is divided into four main categories: Identify risks, Assess risks, Treat risks and Monitor risks. However, RMP is a continuous process, which happens throughout the lifecycle of a project. [2] [3] The different natures of risks can be categorized with D. Rumsfeld's Unknown-Knowns and assessed with the risk matrix (both residual and inherent risk). When treating a risk, the risk managers can choose to Avoid, Reduce, Share or Accept the risk. The risks can be monitored by using a risk register, where risks and countermeasures can be mapped.

Risk management is an essential tool to use in project management and helps managers get an overview of potential obstacles that can occur or prevent a team from achieving their goals. Risk management is a highly important discipline and should be present in all projects; however, its importance is often neglected. [2] [4]

Introduction

Risk definition

Risk can be defined as follows: "Risk is an uncertain event or condition that if occurs, has a positive or negative effect on one or more project objectives such as time, cost and quality, or effect of uncertainty on objectives"

All activities in an organization involve risks. These risks can be managed by identifying them, analyzing them and then evaluating whether the risk should be modified by risk treatment in order to satisfy the organization's risk criteria. During this process, risk managers communicate with stakeholders and monitor the risk.
The controls are modified to ensure that the amount of risk treatment is minimized. [2](pV)

Risk identification is the "process of finding, recognizing and describing risks" [2](p4). Risk identification involves the identification of risk sources, events, causes and potential consequences. The identification can involve historical data, theoretical analysis, expert opinions, and stakeholder needs [2](p4). However, identification is only the first step; managers also need to analyze the risks so the most significant ones can be dealt with on an ongoing basis [5](p219).

Rumsfeld's Unknown-Knowns

The different nature of risks can be categorized with former US Defense Secretary Donald Rumsfeld's definition. Rumsfeld categorizes risks as the following [6] :

Risk matrix

Figure: Risk matrix [7]

When the risk elements to be managed are identified, the next step is to ensure that either the likelihood or the impact of that activity occurring is reduced. The risk matrix is one of the most used tools for risk evaluation. The matrix can be used to determine the size of a risk and whether or not a risk is sufficiently controlled. The risk matrix is composed of two dimensions: Probability (also called likelihood) and Impact (also called severity). Likelihood is the measure of how likely a given event is, and impact is the effect the risk can have. The combination of these two dimensions gives a collective risk rating in the matrix. Usually, the risk matrix consists of 3 different risk ratings: Low (Acceptable), Medium and High (Not acceptable); however, some matrices also have a fourth level, very high [7]. The horizontal and vertical scale can have different values or tags; however, in this case, both impact and probability have a scale from 1-5. For example, a risk with a probability of 3 (Possible) and an impact of 2 (Minor) would have a collective risk rating of medium [5](p223). The numeric scale of 1-5 can be hard for managers to visualize and use; therefore more subjective values like unlikely and likely are often used, as seen in the table below.

Residual and Inherent risks

Identified risks can be categorized into two different categories, depending on whether controls fail or not. The residual risk is the identified risk as it is today, with the controls in place. An example could be the risk of "financial loss if the bank is robbed"; however, we have a control in place and hired security people. The inherent risk is the risk we face if the controls for the residual risk fail. For instance, all the security people get food poisoning, and the bank's protection is therefore gone. Naturally, the Impact/Probability for the inherent risk should be greater than or equal to the ratings in the residual [2] [8].

Risk Management Process (RMP)

Figure: Risk Management Process [9]

The Risk Management Process can be divided into four main categories: Identify risks, Assess risks, Treat risks and Monitor risks.

Identify risks

The first process is "Identify risks"; here potential risk events that can have a negative effect on the project, and their characteristics, are identified. The identification of risk is a repeatable process, since risks can change or new risks can be discovered throughout the project's lifecycle. The identification process can involve a variety of different stakeholders: the project management team, experts, senior managers, etc.

Assess risks

The second process is "Assess risks", which is used to measure and prioritize risks. In the assessment of risks, the probability of each risk occurring and the corresponding impact on the project, if the risk does occur, are measured. The probability and impact are then used to prioritize the risks. This process is also repetitive throughout the project. The risk matrix, as described earlier, can be used for assessing the risks.

Treat risks/Control

The third process is "Treat risks"; here actions to reduce risks are developed and determined. The treatment of risks can consist of adding additional resources (manpower, budget) into the schedule.
However, the treatment should be customized to fit the individual risk and be as realistic and cost-effective as possible. The process also includes measures to avoid, mitigate or deflect the risk. Another possibility is to develop contingency plans which can be used if the risk occurs [1](p138). Risk treatment consists of a range of options for mitigating the risk, assessing those options, and preparing to implement action plans. As mentioned earlier (in section Risk matrix), the highest risks should be addressed first, and so forth. Of course, the cost of treating the risk should be evaluated and compared with the potential loss from the risk. Depending on the type and nature of the risk, the following options are available [10]:

Monitor risks

The fourth process is "Monitor risks"; here actions to track and monitor risks are developed. One of the most common approaches to risk monitoring is to use a risk register, which is initiated at the start of a project and continually reviewed and updated. A risk register should as a minimum contain the following information:
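
As an added example (not part of the original article or its sources), the following Python sketch ties the risk matrix, the inherent/residual distinction and the treatment options together in a small risk register. The field names, the sample entries and the band thresholds are assumptions; the article fixes only the 1-5 scales, that probability 3 with impact 2 rates as medium, and that a high rating is not acceptable.

```python
from dataclasses import dataclass

# The four treatment options named in the article.
TREATMENTS = {"avoid", "reduce", "share", "accept"}


def rating(probability: int, impact: int) -> str:
    """Map a 1-5 probability and a 1-5 impact to a matrix band.

    The thresholds are assumptions made for this example; the article
    only states that probability 3 with impact 2 is rated medium.
    """
    for value in (probability, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"scale value out of range 1-5: {value}")
    score = probability * impact
    if score >= 15:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    inherent: tuple  # (probability, impact) if the controls fail
    residual: tuple  # (probability, impact) with the controls in place
    treatment: str

    def problems(self) -> list:
        """Return consistency findings for this register entry."""
        found = []
        if self.treatment not in TREATMENTS:
            found.append(f"unknown treatment {self.treatment!r}")
        # Inherent ratings must be greater than or equal to residual ones.
        if any(r > i for r, i in zip(self.residual, self.inherent)):
            found.append("residual rating exceeds inherent rating")
        # A high band is "not acceptable", so it needs an active treatment.
        if rating(*self.residual) == "high" and self.treatment == "accept":
            found.append("high residual risk cannot simply be accepted")
        return found


def review(register: list) -> list:
    """Order entries by residual score, highest first, with band and findings."""
    ordered = sorted(register, key=lambda r: r.residual[0] * r.residual[1],
                     reverse=True)
    return [(r.name, rating(*r.residual), r.problems()) for r in ordered]


# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("Financial loss if the bank is robbed", (4, 5), (2, 5), "reduce"),
    Risk("Key supplier delivers late", (3, 2), (3, 2), "accept"),
    Risk("Prototype fails acceptance test", (3, 4), (4, 4), "accept"),
]

if __name__ == "__main__":
    for name, band, findings in review(REGISTER):
        print(f"{band:6} {name}: {findings or 'ok'}")
```

Re-running `review` each time the register is updated surfaces entries whose ratings have drifted out of line with their treatment.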
It is important to note that risks should be monitored, reviewed and controlled on an ongoing basis. The controlling of risks is done by continuous tracking of identified risks while identifying and analyzing new risks. Risks and the effectiveness of controls and mitigations should be evaluated throughout the project life cycle [3](p142).

Risk management

Risk management in different industries

Risk management is relevant for all industries. However, the degree of importance and impact can vary a lot. Risk management is highly essential in sectors like finance/banks, Formula One, drilling oil & gas or space programs, where big money can be lost, reputations ruined or even lives lost. Risk management is especially important in the following areas:
The parameters used to measure the impact can also vary a lot. For an R&D project, the impact measurements could be delays, financial losses and mistakes, while a bank could use reputational, regulatory, and financial scales to measure the impact. For a space program, it could be an operational risk such as the risk of burning up when astronauts are reentering the atmosphere, while financial institutions could lose reputation or customers if they have a security breach, like hacking or transferring the wrong amount of money from one customer to another.

Examples of good and bad risk management

Bad:
Good:

Implementing Risk management

Figure: Steps in implementing Risk management [16]

The steps to implementing risk management can be divided into the following steps [16]:

Limitations and advantages of Risk management (discussion)

Advantages

By having an effective and structured risk management system, organizations will get the following benefits:
There are many more benefits of good risk management than just the ones listed here, but these are some of the important ones for organizations. Risk management helps organizations get an overview of and control risks, and therefore make better decisions. Risk management is therefore highly relevant and should be implemented and used in organizations.

Limitations

Risk management has an array of advantages. However, risk management also has some limitations:
The Risk Management Process is concerned with managing the identified and quantified risks and mitigations, and does not tackle other types of uncertainty like the cost to develop a new prototype or whether customers will buy the product [1](pp.134-135). Furthermore, a lot of time and resources can potentially be spent on prioritizing and assessing risks that are not likely to occur, which will divert resources that could have been allocated more efficiently.
The ISO 31000 is probably the most used risk management standard. However, it has some flaws, which managers need to take into consideration. First, a considerable amount of scientific literature arguing for the ISO 31000 is outdated, since it uses ideas of risk assessment and characterization as used in the 1970s and 1980s, which do not take into account the fast-changing and connected world in which projects happen today [18]. Second, the ISO 31000 is often criticized for having a narrow scope; for instance, the standard does not include setting objectives, but it does require that objectives are set. Furthermore, the guidelines provided in the ISO 31000 can be harder to understand and implement in Small and Medium-sized Enterprises, which is why the ISO 31000 SME [19] can be an additional standard that managers need to take into consideration. Therefore it is vital that risk managers do not blindly follow the ISO 31000, but read material from multiple sources, for instance, the literature listed in section Annotated Bibliography.

Conclusion

There will always be risks in projects, and how they are managed will have a large impact on the success of a project [5](p232). Bad or no risk management can lead to immense losses and complications, whereas great risk management will lead to better decision making, quality, and budgets for projects. Naturally, risk management has some limitations, such as its time consumption and the missing ability to remove all delays/risks. The RMP helps managers get an overview of potential obstacles that can occur or prevent the team from achieving their goals. By identifying the risks, managers can map them and initiate appropriate measures to counter them. It is important that managers use risk management, and spend time on improving and developing the risk management programme of companies.
Even though risk management naturally is a more integrated and important discipline in some industries, it is recommended that it is used at least to some degree throughout all projects and companies.

Literature

References Credibility

This section contains a brief discussion of the credibility of the online sources used. This is done to ensure transparency and provide a high-quality list of sources which the reader can follow up on.
However, a more general critique of the use of online sources could be based on the following:
As stated earlier, the online sources used are relatively credible (points 1-2). Considering change and outdatedness (points 3-4), the webpages were last edited between 29-09-2015 and 02-02-2018, which is relatively new and relevant. Since all the internet pages used are on a factual and informational level, and not analytical, the risk of exposure to company interests is minimal (point 5). In conclusion, the internet pages used are credible sources.

References

Annotated Bibliography

Wikipedia articles
Books
Articles