Project Risk Management PrinciplesThe principles of project risk management can be stated very simply. Any project organisation is subject to risks. One which finds itself in a state of perpetual crisis, is failing to manage risks properly. Failure to manage risks is characterised by inability to decide what to do, when to do it, and whether enough has been done. Risk Management is a facet of Quality, using basic techniques of analysis and measurement to ensure that risks are properly identified, classified, and managed.
In order to manage risks we have to understand what a risk is. The official definition provided by Professor James Garven, University of Texas at Austin is from the American Risk and Insurance Association:
Risk management is the systematic process of managing an organization's risk exposures to achieve its objectives in a manner consistent with public interest, human safety, environmental factors, and the law. It consists of the planning, organizing, leading, coordinating, and controlling activities undertaken with the intent of providing an efficient pre-loss plan that minimizes the adverse impact of risk on the organization's resources, earnings, and cash flows.The most helpful definition is that given by Larry Krantz, Chief Executive of Euro Log Ltd here in the UK. Larry says that 'A risk is a combination of constraint and uncertainty'. All project managers face constraints in their projects, and also uncertainty. So they could minimise the risk in the project either by eliminating constraints (a nice conceit) or by finding and reducing uncertainty
The illustration plots uncertainty against constraint. The curved line indicates the 'acceptable level of risk', whatever that may be in the individual case. The risk may be reduced to an acceptable level by reducing either or both of uncertainty and constraint. In practice, few people have the opportunity to reduce constraint, so most focus on the reduction of uncertainty. It is also worth noting from the diagram that total elimination of risk is rarely achieved. So we have to consider how to manage that remaining risk most effectively.There are two stages in the process of Project Risk Management, Risk Assessment and Risk Control. Risk Assessment can take place at any time during the project, though the sooner the better. However, Risk Control cannot be effective without a previous Risk Assessment. Similarly, most people tend to think that having performed a Risk Assessment, they have done all that is needed. Far too many projects spend a great deal of effort on Risk Assessment and then ignore Risk control completely.
Risk Assessment has three elements:
Explore the entire project plans and look for areas of uncertainty.
Specify how those areas of uncertainty can impact the performance of the project, either in duration, cost or meeting the users' requirements.
Establish which of those Risks should be eliminated completely, because of potential extreme impact, which should have regular management attention, and which are sufficiently minor to avoid detailed management attention.
In the same way, Risk Control has three elements, as follows:
Take whatever actions are possible in advance to reduce the effect of Risk. It is better to spend money on mitigation than to include contingency in the plan.
Plan for Emergencies.
For all those Risks which are deemed to be significant, have an emergency plan in place before it happens.
Measure and Control.
Track the effects of the risks identified and manage them to a successful conclusion