There are usually four steps considered in managing any risk. This will vary from author to author, so we will stick with the Project Management Institute’s Guide to the Project Management Body of Knowledge. The PMBOK lists the steps in the risk process as follows:
- Risk identification
- Risk quantification
- Risk response
- Risk control
Tell me more …
Risk identification is the process of identifying the threats and opportunities that could occur during the life of the project along with their associated uncertainties. The life of the project means the complete life cycle of the project, not just the time the project team is in place, the time until the final acceptance by the customer, or even the end of the warranty period. Risks should be considered through the useful life of the product or service that we are providing by doing this project. The risk of corrosion causing a catastrophic product failure during the useful life of a product that we have designed and built should be considered, and corrective action should be taken in accordance with the seriousness of the threat. Risks can be identified in a large number of ways, and all of the productive and economical ways should be employed.
Risk quantification is the process of evaluating the risk as a potential threat or opportunity. We are mainly concerned about two items: risk probability and risk impact. Risk probability tells us the likelihood that the risk will take place, and risk impact is the measure of how much pain or happiness will result if it does take place. Risks that have very high impacts with very low probabilities and risks that have very low impacts with high probabilities are usually of little concern, so we need to consider the combination of these two items before considering how important a risk is. The combination of impact and probability is called severity.
We do not need to worry too much about the risk of a hurricane impacting our construction of an apartment building if the project is taking place in Moscow. Hurricanes seldom occur there so there is a very low probability—even though the impact of a category five hurricane on Moscow would probably be quite significant. We may want to worry about the risk of heavy snowfall, however, which does occur frequently.
We also do not need to worry too much about the risk that one of the construction workers on the project will call in sick one day during the project. Although the probability is very high that this will occur more than once in the life of the project, we are able to anticipate this problem and the impact is relatively small even for skilled workers.
What we do need to concern ourselves about are the risks that have a relatively high impact and a relatively high probability of occurring.
Risk response is the process of doing something about the risk. It is how we respond to risks. In this process we address the best approaches to dealing with a risk that has a high enough severity that consequences of the risk cannot be accepted.
Responding to a risk includes ignoring the risk, letting it happen, and worrying about the consequences at the time. It also includes doing something about the risk before it happens. This might be putting together a work-around plan that can be quickly implemented when the risk occurs. It might include subcontracting the responsibility of the risk to an outside vendor or even an insurance company, or it might include avoiding the risk altogether.
Risk control is the process of controlling the risks. This involves keeping track of the risks that have occurred and can no longer occur, the risks that can still occur, and changes in the probability and impact of such risks. Generally, a reporting system is maintained so that the current picture of the risks is known.