What is Risk Management?

A risk is a possible unplanned event. It can be positive or negative. In project management the success of our projects depends on our ability to predict a particular outcome. Since risks are the unpredictable part of the project, it is important for us to be able to control them as much as possible and make them as predictable as possible. A pure risk or threat is a risk that has only a negative possibility as an outcome. A business risk is a normal risk of doing business. It can have a good or bad outcome. An opportunity is a risk that has only good outcomes. These risks can be of two types, known risks and unknown risks. The known risks are those that we can identify, and the unknown risks are those that cannot be anticipated at all.

Risk management is the process of identifying, analyzing, and quantifying risks, responding to them with a risk strategy, and then controlling them.

Risk has uncertainty as its main characteristic. Risks can be thought of as project tasks with the exception that project tasks are work tasks that must be done as part of the project, and risks are work tasks that may or may not have to be done in order to complete the project. The uncertainty associated with any risk relates to the knowledge that we have about it. The greater the knowledge we have about a risk, the less uncertainty there will be about it.

Risk management must be done throughout any project. We must do it at the beginning of the project, at the end of the project, and many times during the project. In the beginning, there is little known about the project, and the uncertainty is at its highest, however small the amount of money that has been put into the project at this point. Care must be exercised not to ignore risks that are identified in the beginning of the project. These risks seem distant and unrealistic in the enthusiasm of starting a new project, but it is truly disheartening to have to deal with a problem on an emergency basis in the middle of the project when it was brought up during the writing of the project charter and forgotten. For example, one of the project team members tells us that the customer has asked for a special salt spray test in the past and we might have to do it again for this new project. He also mentions that our old salt spray test cabinet is no longer usable since it was destroyed when it was dropped off a truck. A little investigation would find that the salt spray test cabinet is custom-made and must be ordered six months before delivery by the only company certified to make the device.

At the end of the project, risks are still important. There are certainly fewer risks at the end of the project than at other times, but there is little time or budget left for them at the end of the project. Even risks that are not all that serious in the beginning and middle portions of the project become serious when time and money to handle them are both short near the end of the project. Two weeks before the project is supposed to have final acceptance with the customer, we find that the requirement for the user manual is not the 30 pages we anticipated but the 300 pages the customer now tells us we must write.

Risks are things that may or may not have to be done. All risks have a probability and an impact. If a risk has a probability of 1.0, it is certain to happen; if the probability is 0.0, it is certain not to happen. So, all risks will have a probability that is somewhat less than 1.0 and somewhat greater than 0.0, and all risks have an impact associated with them. If the impact is zero, the risk has no effect and can be ignored.

Of great importance in projects is the question of known and unknown risks. Known risks are pretty obvious. A known risk is a risk that we can identify. The problem is that we can never identify all the risks in a project. It would be too expensive, and if we tried, we would spend much more money than the risks would cost if they did happen. We are normally satisfied to find an acceptable level of risks. That is, we will identify a practical number of risks. The practical number of risks we identify is a function of our risk tolerance, a topic we will discuss later in this chapter.

Since it will never be practical to find all of the risks in a project, it follows that there will be risks that are not identified. These are the unknown risks. Just because we do not identify particular risks does not mean that we do not have to set money aside for them. The known risks will be budgeted in the contingency budget, and the unknown risks will be budgeted in the management reserve.

It is important to note that the impact cost of the risk is not put into the project’s performance or operating budget.