
Published July 23, 2018 • 15 minute read
Published July 23, 2018 • 15 minute read
When a risk becomes a problem, it typically isn’t the result of a sudden, solitary misstep, but the culmination of a series of errors that could have been avoided altogether by adhering to the core tenets of effective risk management planning. Non-compliance can hold several adverse consequences, ranging from liability concerns and project delays to damaged relationships and profit losses.
Risk management strives to highlight and triage such threats, measure potential associated ramifications, and develop an effective strategy for resolution.
This explainer highlights the importance of establishing a risk management plan, outlines techniques for both identifying and prioritizing threats, and breaks down each checkpoint within this five-step process. It also provides sample risk management planning checklists from various industries, to reference when compiling your own. Note: Your new checklist should evolve organically as you complete projects and experience new risk events.
Table of Contents
Part I: (Statistics) Numbers Don't Lie: Good Risk Management Plans Save Projects
It's tempting to liken the concept of risk management in business to health insurance, in that, its true worth is only made evident in the event something goes horribly wrong. There are several fundamental problems with this analogy, however.
Health insurance actions are reactive. Take a doctor's visit, for example. Even if your doctor were to administer an ongoing prescription for a chronic illness, its symptoms had to first present, just to get you through the door for an assessment. That prescription is a direct reaction to your health risk event.
Project risk management, on the other hand, is inherently preemptive and proactive in the interest of minimizing or completely eliminating panicked reactive solutions to otherwise avoidable, risk-related problems.
The following passage from the nonprofit trade association Project Management Institute's chief set of global standards, rules and guidelines informing the project management industry—The Project Management Body of Knowledge (PMBOK)—further expounds upon perhaps one of its core tenets: that risk management is more than just an attempt to prevent loss, it’s an opportunity for gain, too.
“Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality,” it states. “A risk may have one or more causes and, if it occurs, may have one or more impacts. A cause may be a given or potential requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes. For example, causes could include the requirement of an environmental permit to do work, or having limited personnel assigned to design the project. The risk is that the permitting agency may take longer than planned to issue a permit; or, in the case of an opportunity, additional developmental personnel may become available who can participate in design, and they can be assigned to the project.”
Here are several startling statistics about risk management planning demonstrating its role as an imperative ingredient to overall profitability:
Project Management Institute's Pulse of the Profession 2015: Capturing the Value of Project Management outlines the most common causes of project failure below.
The following pie chart details the percentage of projects considered successful, challenged, or failed in a particular example, defining these as:
To recap: High-performing organizations utilize risk management planning best practices; low-performing organizations fall victim to risk most often; the most common causes of project failure are all factors that are directly addressed in risk management planning best practices; and nearly 11% of all funds allocated to organizational projects are lost to inadequately planned-for risk events. That's 11% more than your (presumably) high-performing organization can, or should, afford.
The road to finalizing a concise-yet-thorough risk management checklist is paved with good thought processes. Utilize proven methods of risk analysis to determine the most likely causes of loss-related risk, and subsequently, to devise a plan of action for each potential risk event.
The first set of risk management procedures involves identifying any and all risks that could get in the way of any team member completing the task at hand, while also maintaining legal compliance standards. Then, enter all those risks into a document called a Risk Register, to be referenced throughout the course of the risk management plan's development.
It can be overwhelming for a project manager to delve into all that could possibly go wrong throughout the course of a particular initiative, but putting in the time to critically think through all worst-case scenarios is a key component of effective risk management. While the project manager is the ultimate agent for change, the risk-managing power of thoughtful collaboration, especially in the nascent stages of project development, cannot be overstated.
Before choosing between different information-gathering techniques, consider the following questions regarding scope of work, resources, timeline, budget, and project deliverability:
You know the old adage: If you make assumptions, you’re prone to set yourself, and others, up for failure. (Or something like that.) To thwart the likelihood of falling victim to risks associated with wrongful assumptions, there's assumption analysis.
It includes the following three-step process:
First: The project manager and team members document all assumptions made during the project planning process.
Next: Identify all risks to the project from each assumption, based on the potential inaccuracies or inconsistencies these may contain.
Finally: Determine whether each assumption is valid (worth the associated risks), or not.
To brainstorm is to produce an idea or way of solving a problem by holding a spontaneous group discussion.
Picking the brains of your select, trusted group of team members in search of personally unforeseen risk threats/opportunities is encouraged, particularly if you’re working with third-party contractors that you haven't before, or completing a project with an unfamiliar scope of work. There's no limit to what you might learn by listening to others' ideas and experiences.
Event-based inventory is a control method triggered by a specific event and entails completing physical counts for SKU items. For example: If a retailer's database is reporting inventory levels below respective reorder points, a physical inventory may be triggered, to A) Calculate shrinkage, B) Fix database errors, and/or C) Investigate possible root causes of the loss event.
Note: This process is especially important in retail and manufacturing environments. Factors to consider when consulting your loss data might include:
Seeking access to a risk management consultation expert suggests humility, leadership, and compassion for stakeholders. Such judgment may be sought from any group or individual with specialized knowledge or training; just don't forget to consider the expert's potential biases the same way you would anyone else's when evaluating their input.
Facilitated workshops bring key stakeholders together, face-to-face with project managers, to achieve team alignment in an efficient manner. This method works on several levels:
Interviews: If you've ever dreamed of becoming a reporter, this is your time to shine. Experienced project team members, stakeholders, and industry experts all hold a wealth of knowledge just waiting to be tapped into. What better way to identify risks than to ask the folks who have tried, failed, and learned from their mistakes already, so you don't have to?
Self-assessments: This is only effective if the participant is self-aware and honest. To placate inherent biases, utilize a pre-written self-assessment template, such as that found here.
Questionnaires/Surveys: Of all the methods outlined in this section, interviews likely seem the simplest, fastest route to the answers you're looking for. Here's the hitch, however: People can, and will, lie to your face, to save face. Questionnaires and surveys may be kept anonymous, and give participants more time to consider prompts, hopefully leading to more thoughtful responses.
Take your time and be thorough throughout the Identify component. This will help streamline subsequent risk management stages.
After you've identified all your risks—threats and opportunities—it's time to determine the severity and probability of each. To simplify this process, group all risks into appropriate categories, based on perceived similarities around root causes.
At the end of this stage, you'll have an understanding of the nature of your risks, the likelihoods of occurrences, and can then begin making judgments about which should be addressed, and with what level of urgency.
There exist both qualitative and quantitative methods for assessing risk. Utilizing a mixed-method approach provides the most comprehensive framework to base your finished risk management plan upon.
This maps and prioritizes an organization’s Strengths, Weaknesses, Opportunities, and Threats (SWOT). In the context of risk management, the process entails brainstorming for each of the four parts, then conducting an analysis to combine related factors into appropriate categories. Next, you’ll prioritize all of the items in a forced rank order. Finally, you’ll begin to define strategies that:
Before risk management plans can be crafted and implemented, a risk narrative should be fleshed out. Qualitative risk analysis contributes to that narrative by describing specific risks as they relate to: hazards, consequences (severity), probability, and final risk.
The results of your qualitative risk analysis may then be used for a Contingency Analysis (sensitivity analysis/if-then analysis), which seeks to plot actionable items to be carried out in the case of specific risk events.
The purpose of a QRA is to translate qualitative concepts into measurable metrics with the intention of figuring these into protective plans for the project's budget and schedule. The quantified value assigned to a particular risk will then be added to the project cost or time estimate as a contingency value.
Methods for determining contingency values encompass: Heuristic Methods, Expected Value Methods, Probability Distribution Methods, Interdependency Models, and Empirical Methods, all of which are detailed here.
Thorough quantitative risk analysis can get expensive, so QRA may be reserved for only those risks deemed a high priority. Once a value is assigned to a potential risk, the impact is labelled as either an increase or decrease in cost and/or time, or as a percentage range with a particular distribution, which is then factored into a final, quantifiable assessment of total risk.
In step two, we discussed analyzing risk based upon probability and severity, the combination of which ultimately constitutes total risk magnitude. In step three, you begin to make judgments regarding whether a given risk is imminent or costly enough to warrant preemptive treatment, or a risk you're willing to take.
A common tool used at this stage of risk management planning is a risk assessment matrix.
There are four steps to developing a risk assessment matrix:
If you've completed steps one and two of risk management planning (Identify and Analyze), then the processes for collecting metrics to plug into your risk assessment matrix should be well underway. By the time you reach the evaluation stage of risk management planning, you and your team have already:
Now, you’re ready to accept whatever message your findings happen to illustrate. For this, you’ll want to develop your own risk assessment matrix (or probability/impact matrix) that encompasses both your qualitative and quantitative reasoning. This entails cross-referencing all your newfound knowledge of risk severity with respective risk probability across multiple analytical methods, to ultimately determine which risks are to be considered high, medium, and low priority.
Once you’ve created your risk assessment matrix, you should have a concrete idea about what the high, medium and low priority risks to your project are, and may begin crafting plans of action for risk avoidance, as well as protocols for the unfortunately inevitable instances when risk events do happen.
This is also referred to as risk response planning.
1. Avoidance
One way to remove risk from a project is to eliminate its root cause. In project management, this means axing the tasks associated with the risk, altogether.
This is not always a feasible option. Sometimes, you just have to do things you don't want to. (At least, that's what my mom says.) For those instances, there are four other risk response planning strategies to consult.
2. Acceptance
You've likely heard or perhaps even repeated the mantra: "Give me the strength to accept the things I cannot change." Certain risks are simply unavoidable, and come with no clear solution. This is what your risk management plan was built for! Go forth and plan the risk into the project!
3. Monitor and Prepare
For risks too massive to accept with open arms, but too integral to the project to avoid, there's monitoring and preparing. This entails:
4. Mitigation
Here's a riddle: If you were afflicted with third-degree burns, and a genie offered you the magical power to dial those burns down to first-degree burns, how quickly would you start believing in genies?
Hopefully, third-degree burns are not listed on your risk register, but if they are, there's good news: Reducing the probability and severity of a given risk is possible, and usually doesn't even require a genie, or any magic at all, for that matter.
For example, to reduce the probability of burns, you might invest in a non-flammable suit; to reduce severity, perhaps you'd consider having a medical trauma specialist on call.
One best practice to follow is to always prioritize reducing the probability of a risk ahead of planning for severity mitigation. It's more proactive to lessen the likelihood the negative event will ever take place, than to simply brace for impact.
5. Transference
Risk transfer means unloading the burden of risk onto another party. If you work with third-party contractors/contingent laborers, careful insurance documentation and vendor credentialing could save your company from detrimental worker's compensation and/or general liability suits.
Before agreeing to take on a project, review the suggested brainstorming questions at the beginning of this post. If the job is too big or unfamiliar for you and your team to fulfill the contracted project requirements and goals, outsource some or all of the project to someone better equipped for the job.
Your risk register is full and contingency values have been figured into your project's budgetary and scheduling plans. It's time to put your risk management efforts to the test, but remember: Risk management is a perpetual practice of high-performing organizations, so your efforts should be ongoing.
Risk assessment should always be on the agenda at status meetings, include ongoing reassessments of imminent risks, and inform the team of any risks that are no longer threats.
Review and document the efficacy of each risk response.
Comparing planned results to actual results using performance data to control and monitor risk events.
Re-evaluate root causes of any risk events that occurred to identify the failed system, implement protocols if the root cause is that there were none, and categorize the risks correctly during your next round of risk identification.
Once your five-step risk management plan is complete, it should cover the following (in great detail):
Healthcare (Centers for Disease Control and Prevention)
Agriculture (U.S. Department of Agriculture)
Transportation (U.S. Department of Transportation)
Construction and Engineering (U.S. Army)
Financial Services (Financial Services Authority, U.K.)
Retail (Occupational Health and Safety, safety, AU)
Retail (Occupational Health and Safety, loss prevention, AU)
Creating a risk management checklist uniquely tailored to your industry and business model helps identify risks and avoid consequential mishaps.
Business Credentialing Services (BCS) specializes in providing a diverse spectrum of risk management compliance services to businesses across a wide range of industries. From developing and implementing effective, solution-oriented risk management strategies to utilizing automated tracking software for certificates of insurance, regulatory screenings and document management, BCS possesses the team and technology to ensure your business is well-protected. Contact us today to learn more.
Learn from the pros about risk-mitigation, document tracking, and more, with expert articles from BCS.
This beginner’s guide acts as a roadmap to protecting your organization from third-party liability risk.
Learn to navigate risk management