Risk is a traditional and mandatory topic in project management.
Risk means the probability of certain adverse events occurring that will have a negative impact on the implementation of the project.
What is risk in project management?
Project risks are understood as all factors (situations, events, conditions, or decisions) necessary for the successful course of the activities, obtaining the planned results, and realization of the project objectives. Reference: “Project risk management, analysis and mitigation in Agile projects”, https://bvop.org/learn/pmriskmanagement/ (BVOP.org)
Sources of risk
External risks of the project
The external risks of the project are related to the surrounding environment. External risks are contained in the following areas:
relevance of the project
the similarity of the project objectives with the development strategies
the institutional environment of the project
legal and regulatory framework
problems related to environmental protection
impact on target groups and stakeholders
fears that the final results will meet the requirements but not the expectations
Internal risks are the threats that the project will not be able to realize its final results within the allotted time and funds for reasons internal to the organization. These risks can be managed on a daily basis by the project team.
Sources of internal risks:
problems with the supply of goods and services
– problems with finding suppliers
– problems with concluding contracts
– problems with the timely delivery of goods and services
– problems with installation and commissioning of machines
– problem with the quality of goods and services
problems related to organizational factors
– inappropriate organizational structure of the project team
– additional staff involvement
– lack of management experience
– problems in the team
– problems with partners
– lack of skills
problems with determining the results:
– gaps in determining the results
– inability to define the requirements for the results well enough
– inability to fully meet the requirements using available means and approaches
– presence of innovations in the project
– quality control problems
– the risk that the specific requirements for the results will not be fully met
Once the risks and their sources are identified, they are recorded in a risk register, which is monitored and updated during the project implementation.
Risk analysis is directly related to risk management. It shows that you are aware of the possible risks and threats and that you have weighed them carefully.
The analysis includes the following activities:
- risk identification – identification of potential risks for the project
- risk measurement – determining the importance of each risk by assessing the probability of the adverse event occurring and the consequences thereof
- risk assessment – a decision as to whether the level of risk is acceptable or, if not, what action to take to reduce it
The results of the analysis are reflected in a risk register, as follows:
- All identified risks are recorded
- The importance of each of them is determined on a certain scale
- The probability of each of them materializing is determined
- The assessment of each risk is calculated as a product of importance and probability
- The risk assessment of the whole project is equal to the largest of the assessments of the individual analyzed risks
- Risk control measures are defined
Assumptions and preliminary obligations
Preliminary obligations are conditions that must exist before the start of the project.
Prerequisites are conditions that are necessary for the effective implementation of the project but are not mandatory for its start.
The preconditions and preliminary obligations can be:
- new laws
- adoption of normative acts
- administrative, regulatory, economic relief
- availability of base
- availability of staff
- availability of equipment, etc.
The activities that can be undertaken for risk management and control can be divided into the following groups:
- non-acceptance (rejection of the project)
- providing for a fallback option in case of risk realization
Degree of the importance of the risks
These are risks that are so great that they jeopardize the implementation of the project and are very likely to hinder it. These risks cannot be prevented or reduced. They lead to the rejection of the project.
An example of this type of risk is starting (or including) an activity that requires a special permit or license without securing them in advance.
These are risks that are not large and do not significantly jeopardize the implementation of the project. Under these conditions, the risks are accepted by being recorded in a risk register and must be monitored continuously during the implementation of the project.
Conditionally acceptable risks
These are risks that are important for the implementation of the project but can be prevented or reduced if the project is redesigned or another more appropriate alternative for its implementation is taken. This can be achieved if:
- all assumptions made for the successful implementation of the project are clearly stated
- provision has been made to provide the necessary staff
- the responsibilities of each institution – participant in the project are unambiguously described
- it is assumed that the existing way of working will not change significantly
- possible bureaucratic and other delays are taken into account
- regular monitoring and control of the project is planned
- the reasons why risk can be accepted are clarified
- the preconditions or preliminary obligations are determined. This also includes risk transfer activities to third parties (e.g. an insurer).
- a contingency plan and contingencies are provided for in the event that the risk materializes
There has been a lot of talk lately about risk management. Not that it is a new topic, but the times are such that the degree of uncertainty is so great that it forces each of us to manage risk to some degree and in a way that we determine to be correct and adequate.
On a daily basis, organizations are faced with internal and external factors and influences that create uncertainty – whether, when, and to what extent they will be able to achieve their goals. The effect that this uncertainty has on the organization’s goals is a risk.
An important feature is that the risk can have positive and negative consequences. This means that the risk can expose the organization to both threats and opportunities. But in both cases, how the risk will be managed is crucial.
Risk management is an integral part of the overall management of the organization. Effective risk management is achieved only when it is fully integrated into the system and management processes of the organization.
How is effective risk management achieved?
By applying the 11 risk management principles presented in ISO 31000:2009. The role of these principles is to inform and guide the organization in the risk management process. Understanding and applying the principles in all aspects of the organization’s management is crucial. In addition, they serve as indicators of the results of risk management and the increase in value for the organization from effective risk management.
Principles of risk management
We present 11 universal principles of risk management.
1. Risk management supports the creation and protection of value.
The purpose of risk management is to help the organization achieve its goals. The assistance consists in detecting and influencing the factors that give rise to uncertainty. In this way, the risk is not managed by itself, but in a way that allows the goals to be achieved and the results to be improved.
2. Risk management is an integral part of all processes in the organization.
The activities performed by the organization, as well as the decisions it makes, lead to the emergence of risk. Therefore, risk management is not considered a separate activity, but is part of the responsibilities of management and is an integral part of all processes in the organization, including strategic planning, project management, and change management.
3. Risk management is part of decision-making.
Risk management enables informed decision-making. When decision-makers have the necessary information, they can make informed choices to identify possible decisions, prioritize and differentiate between different alternatives.
4. Risk management explicitly addresses uncertainty.
Risk management takes into account the nature of the uncertainty, its impact on the objectives, and ways to eliminate it. Risk can only be successfully managed if the nature and source of the uncertainty are understood. An important point is to perform an in-depth analysis of uncertainty to prevent its underestimation or overestimation.
5. Risk management is systematic, structured, and timely.
Risk management requires the introduction of organizational practices that take into account the risks associated with all decisions. Read more: “Managing Risks: A New Framework”, https://hbr.org/2012/06/managing-risks-a-new-framework
It is crucial that the risk management process is implemented at the right time to make decisions. Otherwise, favorable opportunities may be lost or significant losses may be caused.
The structured approach is related to the application of the risk management process in accordance with the regulation defined in ISO 31000.
6. Risk management is based on the best available information.
The quality of the available information is crucial for a correct understanding of the risks. Sources of information can be data from past periods, experience, feedback, observation, analysis, and expert assessment. Sometimes the information available may be limited, which must be taken into account in decision-making, as well as any other type of uncertainty associated with it. The information must be assessed regularly for reliability, accuracy, applicability, and timeliness.
7. Risk management is adaptive.
To meet the needs of each organization, risk management must be applied in accordance with the external and internal environment and the characteristics of the particular organization. Every organization is different and has its own culture, environment, and management style, and there is no single correct way to develop and implement the risk management process. Flexibility and adaptability are needed to achieve the desired result.
8. Risk management takes into account human and cultural factors.
People’s behavior, abilities, and perceptions can facilitate or hinder the achievement of the organization’s goals, which in itself is a risk and must be managed. Managers must take into account the influence of human and cultural factors and understand and manage their impact by:
showing respect and understanding of individual differences;
respecting people’s views;
recognizing the efforts of individuals;
showing objectivity, etc.
9. Risk management is transparent and inclusive.
The principle presupposes appropriate and timely participation of all participants in the process and especially of those who make the decisions. Stakeholder participation in the process allows them to clearly present their views to be taken into account in risk management. The key to applying this principle is building trust. Trust is a fragile and particularly sensitive condition that can be easily broken. To avoid this, relevant stakeholders need to be involved at every stage of the risk management process. In this regard, the issues of ensuring confidentiality, security, and protection of the information provided and used in the process become especially relevant.
10. Risk management is dynamic, repetitive, and responsive to change.
Any change in the external and/or internal environment or in the goals of the organization inevitably leads to a change in risks. Successful risk management implies that the process is designed in a way that reflects the dynamics of change, whether in the organization or in the external or internal environment, because every change leads to the emergence of new risks or to the disappearance or change of existing ones.
11. Risk management facilitates the continuous improvement of the organization.
Improvement is at the core of everything. There must be continuous improvement in the risk management process as well as in every other aspect of the organization. Of course, the process should not be overly complicated, because in this way the opportunity to look for favorable opportunities will be limited and the flexibility of the organization’s response will be reduced.