Formalised risk management is an under-utilised practice in project management, where the focus is typically on schedule and budget. This affects most aspects of a project, including evaluation, assessment, selection, planning, collaboration, execution, and control. It also raises the question: how many project decisions are made without formally evaluating potential consequences? In an economic climate where budgets are tight, resources limited, and competition fierce, the case for implementing formalised risk management is stronger than ever. In an article focusing on the new challenges facing today's business leaders, The Economist magazine reports that CEOs need to implement a reliable risk management solution throughout their enterprise. Such a solution not only analyses risk, but also alerts senior management to potential problems at an early stage.
"A disciplined approach to assessing operational risks makes good business sense. Beyond Sarbanes-Oxley compliance, developing a multi-step operational risk assessment process can save companies millions." [AMR Research]
The business challenges mentioned by The Economist are greatly affected by the need to meet the strict reporting and real-time disclosure requirements of the Sarbanes-Oxley Act of 2002. The implementation of a formalised risk management process is increasingly being recognised as a means to help meet such requirements and improve project performance at the same time.
Risk management is an important means of reducing uncertainty, controlling costs, and improving decision-making within projects and organisations. If risk is not proactively managed, an organisation may be seriously threatened by unplanned events, which could result in unexpected expenditures, project delays, quality issues or failing to meet corporate objectives.
Unfortunately, risk management is often a lower priority for those who are best positioned to deal with risks early: the project managers and team members. By the time risk information is rolled up and reconciled for the executive team, it is often too late to react.
Companies that are looking to promote better risk management at all levels of the organisation need software that delivers a cross-project and company-wide picture of risk exposure in real time. They need a system that helps identify and mitigate risks, reduces uncertainty, and outlines the organisation’s combined exposure across all projects.
Many different risk management software solutions are available, catering for both qualitative and quantitative risk management.
What is Qualitative Risk Management?
Most real-life projects have multiple risks and uncertainties, which affect projects in different ways. In such cases, a computerised qualitative risk management tool could become the only feasible way not only to manage project uncertainties in current projects, but also to provide input for future projects.
If risks and uncertainties are registered in a comprehensive database, it helps to mitigate the availability heuristic: the decision maker judges the probability of an event’s occurrence based on a reliable set of data. In qualitative risk management software, each risk is accompanied by a set of standard parameters: severity, impacts, mitigation plans, etc. This helps to mitigate the representativeness heuristic, because a decision is less likely to be influenced by a more detailed scenario. If risks are properly registered and updated during the course of the project, it helps to mitigate the negative impact of selective perception and management biases. The assessment of risks in future projects will be based on objective analysis of risks in the current project. If the assessment of risk is based on objectively recorded historical data, the “anchor” for decision making may not be present, which can reduce the negative impact of anchoring.
What is Quantitative Risk Management?
Quantitative risk management helps determine the chance that a project will be completed on time and within budget, identify critical project parameters that affect the project schedule, determine the project success rate, decide between viable project alternatives, etc. All these wonderful things can be meaningless if they are not based on a reliable set of historical data about risks and uncertainties.
Quantitative risk analysis software can statistically process data from qualitative tools. Most quantitative risk analysis tools perform Monte Carlo simulation to determine how risks will affect the project schedule. One method of modelling risks and uncertainties is called Event Chain Methodology. According to this methodology, an activity in most real projects is not a continuous uniform process. It is affected by external events, which transform a task from one state to another. These events should be properly captured in qualitative risk management software. Events can cause other events, which creates event chains. These event chains can significantly affect the course of the project. Identifying the critical chain of events makes it possible to mitigate their negative effects.
Risk Management Process
PMBOK defines the Risk Management process as:
- Risk Identification
- Risk Quantification
- Risk Response Development
- Risk Response Control
Risk Identification:
This is an analysis of the complete job scope, conducted as a group session involving all key members of the project. The result of this meeting is a "Risk Register", which identifies all the probable risks on the job. CII guidelines are generally used; they are made up of 4 sections, 14 categories and 82 elements. The 4 sections are: 1) Commercial, 2) Country, 3) Facilities, 4) Productions and Operations.
Risk Quantification:
Here, risk analysis and ranking are performed. Risk analysis is done by identifying the nature of the risk (whether it increases or decreases the cost), the location of the risk (unaccounted cost or extension/reduction of schedule), and the magnitude of the risk (based on the risk register, and estimating the range), then distributing the risk (applying varying PDFs) and performing the distribution (usually with the Monte Carlo technique).
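The quantification steps above and the event chains described under Quantitative Risk Management can be combined in one small Monte Carlo simulation. The following is an added example, not taken from any risk management product; the task names, durations, probabilities and the `simulate_once` and `analyse` helpers are constructed assumptions.

```python
import random

# Constructed sample data (assumptions, not from the article). Tasks run in
# sequence; durations in days as (optimistic, most likely, pessimistic).
TASKS = {"design": (8, 10, 15), "build": (18, 20, 30), "test": (4, 5, 9)}

# Constructed risk register. "p" is the chance the event occurs on its own;
# "triggers" is (next event, conditional probability), forming an event chain.
RISKS = {
    "spec_change": {"task": "design", "p": 0.30, "delay": (2, 6), "triggers": ("rework", 0.6)},
    "rework":      {"task": "build",  "p": 0.00, "delay": (5, 10), "triggers": ("retest", 0.8)},
    "retest":      {"task": "test",   "p": 0.00, "delay": (2, 4), "triggers": None},
    "vendor_late": {"task": "build",  "p": 0.20, "delay": (3, 8), "triggers": None},
}

def simulate_once(rng, risks):
    """One trial: sample task durations, fire events, follow event chains."""
    days = {t: rng.triangular(lo, hi, mode) for t, (lo, mode, hi) in TASKS.items()}
    fired, queue = set(), [n for n, r in risks.items() if rng.random() < r["p"]]
    while queue:
        name = queue.pop()
        if name in fired:          # an event delays its task at most once
            continue
        fired.add(name)
        risk = risks[name]
        days[risk["task"]] += rng.uniform(*risk["delay"])
        chained = risk["triggers"]
        if chained and rng.random() < chained[1]:
            queue.append(chained[0])
    return sum(days.values()), fired

def analyse(deadline, risks=RISKS, runs=20000, seed=1):
    """Monte Carlo estimate of schedule outcomes against a deadline in days."""
    rng = random.Random(seed)
    totals, counts = [], {n: 0 for n in risks}
    for _ in range(runs):
        total, fired = simulate_once(rng, risks)
        totals.append(total)
        for n in fired:
            counts[n] += 1
    totals.sort()
    return {"p_on_time": sum(t <= deadline for t in totals) / runs,
            "mean": sum(totals) / runs,
            "p80": totals[int(0.8 * runs)],
            "event_rate": {n: c / runs for n, c in counts.items()}}

if __name__ == "__main__":
    print("no risks:", analyse(40, risks={}))
    print("with register:", analyse(40))
```

Comparing the two runs shows how much of the schedule slip comes from the register, and `event_rate` shows how often the chained events (`rework`, `retest`) actually occur even though they never fire on their own.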
Risk Response Development:
Choose how to respond to each risk, such as: Avoidance (change the project plan to remove the risk), Transference (pass the risk to another party, i.e. Client/Subcontractor), Mitigation (take steps to reduce the risk) and Acceptance (nothing can be done, but we know it is there).
Risk Response Control:
This can be done by developing a risk plan and monitoring it on a regular basis.