When a risk becomes a problem, it typically isn’t the result of a sudden, solitary misstep, but the culmination of a series of errors that could have been avoided altogether by adhering to the core tenets of effective risk management planning. Non-compliance can hold several adverse consequences, ranging from liability concerns and project delays to damaged relationships and profit losses.
Risk management strives to highlight and triage such threats, measure potential associated ramifications, and develop an effective strategy for resolution.
This explainer highlights the importance of establishing a risk management plan, outlines techniques for both identifying and prioritizing threats, and breaks down each checkpoint within this five-step process. It also provides sample risk management planning checklists from various industries, to reference when compiling your own. Note: Your new checklist should evolve organically as you complete projects and experience new risk events.
Table of Contents
It's tempting to liken the concept of risk management in business to health insurance, in that, its true worth is only made evident in the event something goes horribly wrong. There are several fundamental problems with this analogy, however.
Health insurance actions are reactive. Take a doctor's visit, for example. Even if your doctor were to administer an ongoing prescription for a chronic illness, its symptoms had to first present, just to get you through the door for an assessment. That prescription is a direct reaction to your health risk event.
Project risk management, on the other hand, is inherently preemptive and proactive in the interest of minimizing or completely eliminating panicked reactive solutions to otherwise avoidable, risk-related problems.
The following passage from the nonprofit trade association Project Management Institute's chief set of global standards, rules and guidelines informing the project management industry—The Project Management Body of Knowledge (PMBOK)—further expounds upon perhaps one of its core tenets: that risk management is more than just an attempt to prevent loss, it’s an opportunity for gain, too.
“Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality,” it states. “A risk may have one or more causes and, if it occurs, may have one or more impacts. A cause may be a given or potential requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes. For example, causes could include the requirement of an environmental permit to do work, or having limited personnel assigned to design the project. The risk is that the permitting agency may take longer than planned to issue a permit; or, in the case of an opportunity, additional developmental personnel may become available who can participate in design, and they can be assigned to the project.”
Here are several startling statistics about risk management planning demonstrating its role as an imperative ingredient to overall profitability:
- A lack of clear goals/organization changing priorities is the most common factor lending itself to project failure rates. (PMI's Pulse of the Profession 2017: Success Rates Rise: Transforming the High Cost of low Performance)
- 70% of companies report having at least one failed project in the last year. (KPMG New Zealand: Project Management Survey 2010)
- Organizations lose $109 million for every $1 billion invested in projects and programs. (PMI's Pulse of the Profession 2014 :The High Cost of Low Performance)
- High-performing organizations successfully complete 89% of their projects compared with low performers, who only complete 36% successfully, and waste almost 12 times more resources than high performers. (PMI's Pulse of the Profession 2014)
Project Management Institute's Pulse of the Profession 2015: Capturing the Value of Project Management outlines the most common causes of project failure below.
The following pie chart details the percentage of projects considered successful, challenged, or failed in a particular example, defining these as:
- Success = delivered on time, on budget, and required features and functions
- Challenged = late, over budget, and/or with fewer than the required features and functions
- Failed = either cancelled prior to completion or delivered and never used
To recap: High-performing organizations utilize risk management planning best practices; low-performing organizations fall victim to risk most often; the most common causes of project failure are all factors that are directly addressed in risk management planning best practices; and nearly 11% of all funds allocated to organizational projects are lost to inadequately planned-for risk events. That's 11% more than your (presumably) high-performing organization can, or should, afford.
The numbers are conclusive: Risk management is critical to the success of your business.
Step One: Identify
The road to finalizing a concise-yet-thorough risk management checklist is paved with good thought processes. Utilize proven methods of risk analysis to determine the most likely causes of loss-related risk, and subsequently, to devise a plan of action for each potential risk event.
The first set of risk management procedures involves identifying any and all risks that could get in the way of any team member completing the task at hand, while also maintaining legal compliance standards. Then, enter all those risks into a document called a Risk Register, to be referenced throughout the course of the risk management plan's development.
It can be overwhelming for a project manager to delve into all that could possibly go wrong throughout the course of a particular initiative, but putting in the time to critically think through all worst-case scenarios is a key component of effective risk management. While the project manager is the ultimate agent for change, the risk-managing power of thoughtful collaboration, especially in the nascent stages of project development, cannot be overstated.
Before choosing between different information-gathering techniques, consider the following questions regarding scope of work, resources, timeline, budget, and project deliverability:
- What is the scope of work? Are all parts of the project familiar, or are you dealing with tasks that are new to you or your team? If there are new tasks, have you identified all the risks associated with them?
- Do you have adequate resources available to complete your project? Are your personnel trained, or will they require training? Have you completed background checks or utilized a vendor credentialing system?
- How long should this project take to complete? Are there any scheduling conflicts to resolve before beginning work? Is the timeline outlined in your contract realistic?
- How detailed is your budget? Are you at risk of overrunning your budget?
- Can you deliver this project? Are you making any promises you may not be able to keep? What could hinder your ability to deliver the project's goals?
Techniques for Gathering Information
You know the old adage: If you make assumptions, you’re prone to set yourself, and others, up for failure. (Or something like that.) To thwart the likelihood of falling victim to risks associated with wrongful assumptions, there's assumption analysis.
It includes the following three-step process:
First: The project manager and team members document all assumptions made during the project planning process.
Next: Identify all risks to the project from each assumption, based on the potential inaccuracies or inconsistencies these may contain.
Finally: Determine whether each assumption is valid (worth the associated risks), or not.
To brainstorm is to produce an idea or way of solving a problem by holding a spontaneous group discussion.
Picking the brains of your select, trusted group of team members in search of personally unforeseen risk threats/opportunities is encouraged, particularly if you’re working with third-party contractors that you haven't before, or completing a project with an unfamiliar scope of work. There's no limit to what you might learn by listening to others' ideas and experiences.
Event Inventories or Loss Data
Event-based inventory is a control method triggered by a specific event and entails completing physical counts for SKU items. For example: If a retailer's database is reporting inventory levels below respective reorder points, a physical inventory may be triggered, to A) Calculate shrinkage, B) Fix database errors, and/or C) Investigate possible root causes of the loss event.
Note: This process is especially important in retail and manufacturing environments. Factors to consider when consulting your loss data might include:
- Susceptibility to theft
- Complexity of the year-end inventory procedure
- Prior-period misstatements
Seeking access to a risk management consultation expert suggests humility, leadership, and compassion for stakeholders. Such judgment may be sought from any group or individual with specialized knowledge or training; just don't forget to consider the expert's potential biases the same way you would anyone else's when evaluating their input.
Facilitated workshops bring key stakeholders together, face-to-face with project managers, to achieve team alignment in an efficient manner. This method works on several levels:
- Facilitated workshops grant stakeholders the opportunity to talk through differences of opinion, with a project manager present to backstop the conversation with unique area expertise. This can build trusting relationships, display competency, and improve communication within the organization.
- Workshops conveniently gather big players from different company departments (finance, marketing, operations, and human resources, for example), who are all working toward a common goal, into the same room, to work together to define cross-functional requirements.
Interviews, Self-assessments, Questionnaires & Surveys
Interviews: If you've ever dreamed of becoming a reporter, this is your time to shine. Experienced project team members, stakeholders, and industry experts all hold a wealth of knowledge just waiting to be tapped into. What better way to identify risks than to ask the folks who have tried, failed, and learned from their mistakes already, so you don't have to?
Self-assessments: This is only effective if the participant is self-aware and honest. To placate inherent biases, utilize a pre-written self-assessment template, such as that found here.
Questionnaires/Surveys: Of all the methods outlined in this section, interviews likely seem the simplest, fastest route to the answers you're looking for. Here's the hitch, however: People can, and will, lie to your face, to save face. Questionnaires and surveys may be kept anonymous, and give participants more time to consider prompts, hopefully leading to more thoughtful responses.
Take your time and be thorough throughout the Identify component. This will help streamline subsequent risk management stages.
Step 2: Analyze
After you've identified all your risks—threats and opportunities—it's time to determine the severity and probability of each. To simplify this process, group all risks into appropriate categories, based on perceived similarities around root causes.
At the end of this stage, you'll have an understanding of the nature of your risks, the likelihoods of occurrences, and can then begin making judgments about which should be addressed, and with what level of urgency.
Techniques for Prioritizing Risk
There exist both qualitative and quantitative methods for assessing risk. Utilizing a mixed-method approach provides the most comprehensive framework to base your finished risk management plan upon.
This maps and prioritizes an organization’s Strengths, Weaknesses, Opportunities, and Threats (SWOT). In the context of risk management, the process entails brainstorming for each of the four parts, then conducting an analysis to combine related factors into appropriate categories. Next, you’ll prioritize all of the items in a forced rank order. Finally, you’ll begin to define strategies that:
- Use strengths to take advantage of opportunities
- Use strengths to avoid threats
- Take advantage of opportunities by overcoming weaknesses
- Minimize weaknesses and avoid threats
Qualitative Risk Analysis
Before risk management plans can be crafted and implemented, a risk narrative should be fleshed out. Qualitative risk analysis contributes to that narrative by describing specific risks as they relate to: hazards, consequences (severity), probability, and final risk.
The results of your qualitative risk analysis may then be used for a Contingency Analysis (sensitivity analysis/if-then analysis), which seeks to plot actionable items to be carried out in the case of specific risk events.
Quantitative Risk Analysis
The purpose of a QRA is to translate qualitative concepts into measurable metrics with the intention of figuring these into protective plans for the project's budget and schedule. The quantified value assigned to a particular risk will then be added to the project cost or time estimate as a contingency value.
Methods for determining contingency values encompass: Heuristic Methods, Expected Value Methods, Probability Distribution Methods, Interdependency Models, and Empirical Methods, all of which are detailed here.
Thorough quantitative risk analysis can get expensive, so QRA may be reserved for only those risks deemed a high priority. Once a value is assigned to a potential risk, the impact is labelled as either an increase or decrease in cost and/or time, or as a percentage range with a particular distribution, which is then factored into a final, quantifiable assessment of total risk.
Step 3: Evaluate
In step two, we discussed analyzing risk based upon probability and severity, the combination of which ultimately constitutes total risk magnitude. In step three, you begin to make judgments regarding whether a given risk is imminent or costly enough to warrant preemptive treatment, or a risk you're willing to take.
A common tool used at this stage of risk management planning is a risk assessment matrix.
Techniques for Developing Your Risk Assessment Matrix
There are four steps to developing a risk assessment matrix:
- Identify risk universe.
- Determine risk criteria.
- Assess the risks.
- Prioritize the risks.
If you've completed steps one and two of risk management planning (Identify and Analyze), then the processes for collecting metrics to plug into your risk assessment matrix should be well underway. By the time you reach the evaluation stage of risk management planning, you and your team have already:
- Identified all potential risk events that could negatively impact the progress of your project
- Analyzed, categorized and ranked all of the items in their respective matrices
Now, you’re ready to accept whatever message your findings happen to illustrate. For this, you’ll want to develop your own risk assessment matrix (or probability/impact matrix) that encompasses both your qualitative and quantitative reasoning. This entails cross-referencing all your newfound knowledge of risk severity with respective risk probability across multiple analytical methods, to ultimately determine which risks are to be considered high, medium, and low priority.
Step 4: Treat
Once you’ve created your risk assessment matrix, you should have a concrete idea about what the high, medium and low priority risks to your project are, and may begin crafting plans of action for risk avoidance, as well as protocols for the unfortunately inevitable instances when risk events do happen.
This is also referred to as risk response planning.
Techniques for Risk Response Planning
One way to remove risk from a project is to eliminate its root cause. In project management, this means axing the tasks associated with the risk, altogether.
This is not always a feasible option. Sometimes, you just have to do things you don't want to. (At least, that's what my mom says.) For those instances, there are four other risk response planning strategies to consult.
You've likely heard or perhaps even repeated the mantra: "Give me the strength to accept the things I cannot change." Certain risks are simply unavoidable, and come with no clear solution. This is what your risk management plan was built for! Go forth and plan the risk into the project!
3. Monitor and Prepare
For risks too massive to accept with open arms, but too integral to the project to avoid, there's monitoring and preparing. This entails:
- Naming and documenting potential risk triggers, and monitoring those contingencies closely.
- Creating an airtight plan of action that can be set in motion the moment the risk occurs, before beginning.
Here's a riddle: If you were afflicted with third-degree burns, and a genie offered you the magical power to dial those burns down to first-degree burns, how quickly would you start believing in genies?
Hopefully, third-degree burns are not listed on your risk register, but if they are, there's good news: Reducing the probability and severity of a given risk is possible, and usually doesn't even require a genie, or any magic at all, for that matter.
For example, to reduce the probability of burns, you might invest in a non-flammable suit; to reduce severity, perhaps you'd consider having a medical trauma specialist on call.
One best practice to follow is to always prioritize reducing the probability of a risk ahead of planning for severity mitigation. It's more proactive to lessen the likelihood the negative event will ever take place, than to simply brace for impact.
Risk transfer means unloading the burden of risk onto another party. If you work with third-party contractors/contingent laborers, careful insurance documentation and vendor credentialing could save your company from detrimental worker's compensation and/or general liability suits.
Before agreeing to take on a project, review the suggested brainstorming questions at the beginning of this post. If the job is too big or unfamiliar for you and your team to fulfill the contracted project requirements and goals, outsource some or all of the project to someone better equipped for the job.
Step 5: Monitor/Review
Your risk register is full and contingency values have been figured into your project's budgetary and scheduling plans. It's time to put your risk management efforts to the test, but remember: Risk management is a perpetual practice of high-performing organizations, so your efforts should be ongoing.
Techniques for Continued Risk Management
Assessments & Meetings
Risk assessment should always be on the agenda at status meetings, include ongoing reassessments of imminent risks, and inform the team of any risks that are no longer threats.
Review and document the efficacy of each risk response.
Variance & Trend Analysis
Comparing planned results to actual results using performance data to control and monitor risk events.
Root Cause Analysis
Re-evaluate root causes of any risk events that occurred to identify the failed system, implement protocols if the root cause is that there were none, and categorize the risks correctly during your next round of risk identification.
Once your five-step risk management plan is complete, it should cover the following (in great detail):
- Process - details each task within a project
- Budget - outlines allocation of funds
- Risk Register - a repository for all threats identified, including additional information about each risk, such as its nature and mitigation measures, etc.
- Roles & Responsibilities
- Reporting Structure/Hierarchy
- Risk Categories
- Analysis or Anticipation Report of Likely Risks
- Solutions or Mitigation Strategies, Varying from High-Impact to Low-Impact Risks
Healthcare (Centers for Disease Control and Prevention)
Agriculture (U.S. Department of Agriculture)
Transportation (U.S. Department of Transportation)
Construction and Engineering (U.S. Army)
Financial Services (Financial Services Authority, U.K.)
Retail (Occupational Health and Safety, safety, AU)
Retail (Occupational Health and Safety, loss prevention, AU)
Creating a risk management checklist uniquely tailored to your industry and business model helps identify risks and avoid consequential mishaps.
Business Credentialing Services (BCS) specializes in providing a diverse spectrum of risk management compliance services to businesses across a wide range of industries. From developing and implementing effective, solution-oriented risk management strategies to utilizing automated tracking software for certificates of insurance, regulatory screenings and document management, BCS possesses the team and technology to ensure your business is well-protected. Contact us today to learn more.