Project
failure can put business survival in jeopardy. David Honour explores
how project risk management can help prevent the threat arising.
Statistics show that 50 percent of projects are delivered late
or over budget. 25 percent fail completely. Only 25 percent are
delivered on-time and on budget (1). Although some project failures
occur simply because the project was under-resourced, the majority
are due to predictable and preventable occurrences. Some project
failures can put business survival in jeopardy, making effective
project risk management a business continuity issue, as well as
simply good business practice.
Every project is unique and faces a variety
of risks. The identification, analysis and mitigation of these
risks result in a much greater likelihood that the project will
succeed. This is the basis of project risk management. This article
will explain the basics of project risk management and how to
implement it in your current projects.
RISK
To appreciate the benefits of project risk management it is important
to understand some basic concepts about risk.
Risk has two main components: impact and
likelihood.
Impact is a reflection of the pain or discomfort
that may be caused by an event. It can be measured quantitatively
(in pounds and pence for example) or qualitatively (high / moderate
/ low impact).
Likelihood is an indication of the probability
that a particular event will occur.
Taken together, these two components indicate
how great a threat a particular risk is to a project. This is
termed the 'exposure' to risk.
FIRST STEPS IN RISK MANAGEMENT
Risk profiling
In order to be able to manage the risks to a project, it is necessary
to understand what risks it faces. This results in the creation
of a ‘risk profile’ for the project. The risk profile
consists of three ‘sub-profiles’. First comes the
threat profile. Here an examination of the project is made and
the potential damaging risks that it faces are identified. After
this an ‘impact profile’ is created. This takes the
threat profile and considers how much ‘pain’ would
be felt by the project should individual risk events occur. Finally,
a ‘gap profile’ is created. This reflects the current
defences that are in place to protect the project against its
risks and highlights areas of weakness where additional defences
will be necessary.
Dependency
Once a risk profile has been created the next step is to understand
how these risks inter-relate. When a risk event occurs its effects
spread throughout the project until they reach ‘barriers’
which prevent the risk effects continuing. For example, an uninterruptible
power supply (UPS) is a barrier against the
threat of power loss. Extreme events may cause large areas of
the project to be affected. The propagation of effects through
the project is due to the interdependency of processes, people
and systems and can be modelled to assist the project risk management
process.
CREATING A PROJECT RISK MANAGEMENT PLAN
We have now arrived at a stage where we have identified the risks
that a project faces, the potential severity and probability of
these risks and how they inter-relate. The next step is to create
a project risk management plan which will help us to take proactive
steps to prevent and control risks. This has two main aspects:
mitigation and response.
Mitigation
Mitigation is the implementation of measures and processes that
prevent a risk event happening or which interrupt and reduce the
severity of the impact should it occur. The project risk management
plan needs to examine the threat, impact, dependency and gap profiles
and determine which risks should be mitigated. The most important
are high-impact, high-likelihood risks; the least important are
low-impact, low-likelihood risks.
For each risk there are various mitigation
choices:
* Remove the risk: for example if your project
office is at risk because it is in an earthquake zone, relocating
the office to a geologically stable location would completely
remove that risk.
* Cease the activity: if any one aspect of
the project threatens the whole of the project, negotiating the
removal of that aspect from the project specification would remove
that risk.
* Reduce the likelihood: taking measures
to lower the probability that a risk event will take place. For
example losing computer processing capability might be a substantial
risk to your project. Investing in a high availability system
would reduce the probability that your computer systems would
suffer downtime.
* Reduce the impact: this does not mitigate
the likelihood of a risk happening but lowers the pain felt by
the project if it occurs. For example losing a key member of staff
is hard to prevent, but good knowledge management and role-sharing
would reduce the impact on the project of such a loss.
* Warning systems: early warnings of some
risks can be given to help the project team respond in such a
way that the impact of the risk is reduced. A simple example is
a hurricane weather warning which enables the securing and protection
of a project work site before a storm hits. Risk warning systems
can often be built into management information systems to provide
indications that a risk event is becoming more likely to happen.
* Risk avoidance: if you are aware of a risk
it is often possible to change working practices so that it is
avoided. For example your project may be at risk of coming to
a standstill because a crucial component has not been delivered.
Obtaining the component well in advance would constitute risk
avoidance.
* Risk transfer / sharing: a simple example
of risk transfer is insurance, where financial risk is passed
from the company exposed to the risk to an insurance company which
assumes responsibility for the cost of the impact of the risk.
On a project it is often possible to share risks, especially financial
ones, with other partners so that an individual company’s
exposure to the risk’s impact is reduced.
* Risk acceptance: this is the choice to
do nothing - to decide that a risk is either too expensive to
mitigate, so unlikely to happen that doing nothing about it is
an acceptable option, or of such minimal impact that mitigation
is unnecessary.
The project risk management plan should record
the mitigation measures that need to be taken and should create
action plans to ensure that the required processes and protections
are actually implemented.
Response
This aspect of the project risk management plan deals with measures
that will be taken to quickly get back to business-as-usual on
the project should a risk event occur. It creates a crisis response
action plan that can be followed for guidance to ensure the quickest
and most effective recovery.
Plan review
The project risk management plan should be completed before the
commencement of the project. However, most projects progress in
defined stages and it is often appropriate that the project risk
management plan is reassessed at intervals throughout the project
life-cycle. This ensures that the plan is always current and that
newly identified risks can be mitigated. It may also be the case
that some mitigation measures that were appropriate for earlier
stages are no longer necessary and can be stepped down, potentially
making significant financial savings.
Assistance
Project risk management can be a complex discipline, especially
for large-scale projects. Many companies find it helpful to
bring in outside support, using consultants experienced in risk
profiling and mitigation. Others use software which can help guide
and enhance the risk assessment process as well as storing and
outputting the project risk plan in user-friendly and easily understood
formats.
CONCLUSION
Many companies invest substantial sums of money in project management
software and tools yet are left scratching their corporate heads
when time after time projects overrun or fail, damaging profits,
reputation and share price. The key to success lies in effective
project risk management. Without this, organisations are effectively
walking blindfolded into the unknown, with no clear idea of what
might go wrong, no preventative measures in place and no plan
of how to respond when a crisis occurs.
David Honour is editor of Continuity
Central.
(1) ‘Project success through project
risk management’ David Tilk, PriceWaterhouseCoopers

Date: 26th March 2004 • Region: Worldwide • Type: Article • Topic: BC general