Struggling with risk management? Does it feel like you do an awful lot of work to address risks in your project but your efforts do not pay off? Perhaps the risk responses you implemented do not have the desired effect?
Does the above sound familiar? Perhaps the answer lies in how you and your team think about risk and the care you take to state the risk clearly. In this article, we will introduce Risk Statements as an essential building block to solid risk management processes. We will start by outlining a typical risk management process before explaining what good risk statements look like and the value they bring to the risk management effort (and hence: to the project!).
Risk is … the potential of a situation or event to impact the achievement of specific objectives
Association for Project Management Body of Knowledge 7th edition
Or: a risk is something that may or may not happen, and if it were to happen it would have either a good or a bad impact on the project.
Risk is about uncertainty – we do not know for sure what will happen, therefore we have a risk.
Risk Management is … a process that allows individual risk events to be understood and managed proactively, optimising success by minimising threats and maximising opportunities.
Association for Project Management Body of Knowledge 7th edition
The risk management process
A risk management process typically consists of the following steps. (Note: the naming of the stages below is aligned with Axelos’ Management of Risk qualification; allow for some variation in terminology and exact steps to suit your organisation’s culture and the needs of your industry.)
1) Identify risks
The aim of this step is to identify as many risks to the project as possible. It would be great to say “Identify all risks” but we just have to accept that will never be possible – there will always be risks we cannot foresee (so-called “unknown unknowns”).
Risks can be identified in many ways, including:
- Reviewing lessons learned from previous projects. Robust knowledge management, i.e. how learning happens and is shared, has a huge impact on the project team’s ability to identify, assess and plan for risks!
- Using checklists. If your organization usually delivers projects on similar themes, like construction, IT installations, events, etc., there are probably categories and themes of risks that occur often and can form a checklist or prompts for risk identification.
- A risk identification workshop with the team, Sponsor and relevant experts. This workshop needs to be facilitated to get the most out of the combined knowledge and experience in the group, but variations on brainstorming can be very effective!
All identified risks should be entered in the Project Risk Log or Risk Register (sometimes called a RAID log – Risks, Assumptions, Issues and Dependencies log).
2) Assess and Estimate risks (APM refers to this as “Assess”)
- Once risks have been identified, they have to be assessed and estimated to identify their Probability (how likely it is that they will occur) and their Effect (or Impact) on the project or its objectives (if they were to happen, how good or bad would it be?).
- A risk assessment is important because it increases the team’s understanding of risks and also helps identify which risks must be prioritised.
- The risk register must be updated with the findings from the Assess and Estimate step.
3) Plan responses
For each risk, the most appropriate response must be chosen. There are always different options available, so the project team should ensure they choose the most attractive response for each risk based on how likely it is to address the risk, and how costly the response will be in comparison to what it will achieve.
A risk response should never be worse than the risk itself!
The APM recognises the following typical responses:
| Threat responses | Opportunity responses |
|---|---|
| Avoid – the risk is avoided altogether | Exploit – make the most of the opportunity |
| Transfer – get insurance | Share – profits with a partner |
| Mitigate – reduce likelihood and/or impact | Enhance – either likelihood and/or impact |
| Accept – active decision to take no action | Reject – active decision to not pursue |
| Contingency – Plan B / fall-back plan | |
All planned responses should be recorded in the risk register.
4) Implement responses
- The planned response is included in the project schedule and the most appropriate person to take action is assigned as the risk owner.
- The owner as well as updates about actions taken should be recorded in the risk register.
5) Review (APM refers to this as “Monitor”)
Risk Management is an ongoing process throughout the project and the risk register should be considered a “living” document to be reviewed and updated at least monthly, along with other project progress reviews.
The purpose of risk monitoring is to verify:
- Are our risk responses working?
- Have known risks changed (worsened or improved)?
- Have new risks emerged?
The risk register must be updated with the findings from Review.
- The goal of all risk work is to be able to close each risk out, i.e. manage it to a point where the uncertainty is reduced entirely or at least to acceptable levels so that no further action is needed.
- Closed risks should not be deleted from the risk register. Instead, their record should be updated to say “closed” and the information should be saved and archived.
- Risks that cannot be closed by the project must be handed over to someone in Business as Usual at project end to ensure they do not damage Business as Usual or prevent benefits realisation!
Set your risk management up for success
By using a good practice process like the one above you increase the chances of managing your risks effectively, thereby increasing the chances that your project can be delivered as planned.
There is one additional thing you can do to increase the effectiveness of your risk management efforts and make sure you get the most value from the risk management process, and that is to ensure that all identified risks are formulated using proper risk statements.
What is a risk statement?
A risk statement is simply how the risk is formulated when it is written down, to ensure that it is explicitly clear to anyone what the risk is. Good risk statements create a shared understanding of the risk, support good decision making and make risk management efforts more effective. Poorly worded risk statements can cause misunderstanding and bad decision making, and can ultimately lead to a waste of time, money or even project failure!
Risk statements are the building blocks of the risk management process and therefore form the foundations that allow you to build good risk plans. Poor statements mean your risk plans might collapse!
Let’s look at an example.
Your team is leading a project to build a new resort on a remote tropical island. In your risk identification workshop, one of your team members identifies the following as a risk:
“the island is only accessible by boat”
You look at this statement and think that you know exactly what they mean. To you, this points to the fact that the island is remote and only accessible by boat, and therefore offers the perfect opportunity to build an exclusive relaxation resort for wealthy people who want a break from their stressful modern lives. This opportunity must be exploited!
What your team member meant to communicate was that, because the island is only accessible by boat and the area suffers from heavy storms every fall, you might not be able to transport construction material in time to complete the planned building work according to schedule.
How could this misunderstanding have been avoided? Quite simply: by using proper risk statements.
A good risk statement will communicate three elements:
- The cause = why the risk is happening.
- The risk event = the actual risk that, if it happened, could have an impact on the project.
- The effect (or impact) of the risk = what will happen if the risk is realised.
It could look something like this:
Because the island is only accessible by boat and there are usually severe storms in September, there is a threat that we will not be able to deliver construction material on time, meaning building work will be delayed by 6 months.

| Cause | Risk event | Effect |
|---|---|---|
| Because the island is only accessible by boat and there are usually severe storms in September… | … there is a threat that we will not be able to deliver construction material on time … | … meaning building work will be delayed by 6 months |
By writing risks as proper risk statements, the project team ensures:
1) Potential misinterpretation of risk is reduced (see above example)
2) More risk is likely to be identified
Consider our tropical island example. By reviewing your team member’s risk statement you identified a separate opportunity that should have its own entry in the risk register and its own response. It might look something like this:
Because the island is only accessible by boat there is an opportunity to offer an exclusive environment for relaxation, meaning we can target wealthy clients and increase the price per night by 25%.
- Each cause can have multiple risks associated with it.
- Each risk event can have multiple causes and multiple effects.
- Each effect might be associated with multiple risks.
3) All aspects of risk are understood
Identifying the cause and effect of the risk gives the team a better ability to do a good risk assessment (i.e. determine the level of likelihood and effect of the risk).
4) Appropriate and relevant responses can be planned for each risk
Ever heard the expression “band-aid solution”? It is used to describe solutions that act as a band-aid, i.e. a plaster put over an existing wound or cut to hold it together and prevent it from getting worse. Generally, the expression is taken to imply a short-term solution that does not treat the cause of a problem. It is something we do after the damage has been done, and it is not likely to help us in the long term.
Well… a lot of risk responses are band-aid solutions because they address the symptom of the risk (the effect) rather than the cause. Properly written risk statements can help avoid this situation because they make the cause explicitly clear and should make it clearer to the team where they need to place their efforts.
If a specific risk event has several causes you may need to respond to every single cause to manage the risk effectively. Proper risk statements can help identify multiple causes and thereby make it easier to identify those situations!
This article has outlined a typical risk management process and explained what proper risk statements look like and how they add value to the risk management process, and indirectly contribute to project success.