Project risk management (2)

Another important method of identifying risks early, especially with EPC projects, is through the scope of work that includes analysing the Work Breakdown Structure (WBS). The main output of this process is the risk register which includes the likely root causes of such risks and list of potential responses. It is instructive to note that risk identification should not be assumed as finished until enough is known about the project being undertaken.

Qualitative risk analysis

The qualitative risk analysis process is the first of the risk assessment phase. Not all risks that are identified and listed are going to be addressed. There might not be enough time and resources to meet this challenge. The very vital ones need to be analysed in relation to their probability and potential impact on the project so as to determine the ones that warrant extra scrutiny and response. Qualitative risk analysis is subjective as it is also iterative based on newly discovered risks in the course of executing the project. The likelihood of occurrence and the effect, usually the consequences, positive or negative impacts and cost of such events. The typical numerical scale employed to measure risks ranges from 1-10 or whether Low, Medium or High. One universal means used in this process is the Probability and Impact Matrix. This matrix is used as a watch-list and an evaluation parameter to determine which risks are urgent thereby deserving better attention than the others. Data and information collected at this point are assessed to verify their reliability and accuracy. Outputs from this process may include updates to the risk register, risk categorisation and whether to proceed to the quantitative risk analysis stage.

Quantitative risk analysis

This is the second phase in the risk assessment stages dealing with the relative importance and impact of identified risk items. The process involves the use of mathematical techniques and models to numerically project the probability and consequences of risks. Quantitative risk analysis is a more objective process but is not a compulsory process for some projects. The process actually puts numbers in terms of costs and time on the individual risks that had undergone qualitative risk analysis. The process is carried out to determine the overall project risk exposure, cost and schedule reserves, quantified probability of meeting project objectives and which risks deserve most attention. Sensitivity, Monte Carlo, Decision Tree and the expected monetary value analysis of the highest-rated risks are done at this stage of the risk management process. Further updates to the risk register are some of the outputs of this process.

Risk response and risk response strategies

This process is about what to do to the risks that have been deemed to warrant a response and ways to go mitigating such risks. These responses prescribe ways to eliminate or reduce threats and enhance or exploit opportunities. In both cases actions are taken to get rid of or decrease the probabilities of impact of threats before they happen and/or to improve opportunities and/or increase the probability of their impact. The risk response or mitigation strategies for threats are different from those of opportunities. The mitigation strategies for threats are Avoidance, Prevention, Reduction, Mitigation and Transfer (deflection, insurance, hedging or allocation), while Exploitation, Enhancement and Sharing are used for opportunities. Acceptance works for both sets of risks. As far as threats are concerned, avoidance and mitigation are used to deal with high impact and priority risks while transference and acceptance can be used for low impact and priority risks. For opportunities, exploitation of risks can always be pursued.

It is important to note that while responding to the various threats and opportunities, the solutions must be appropriate to the severity to the risk and that one response can used to address more than one risk. Outputs of this process are updates to the project management plan and the risk register with references to residual risks, risk triggers, risk owners, contingency plans, fall back plans, contracts and reserves (contingency and management).

Risk control

Risk control and monitoring is an essential part of the risk management process. Risk management is most effective and less costly if identified risks are monitored, controlled and adjusted as needed. That is why it is top priority for corporations and projectized companies to have an insight into and control of risks. Regular monitoring and control ensures constant updates to the risk management process and it further helps in the execution of the project management plan. Some of the actions involved in this process include monitoring of residual risks, ensuring proper risk management procedures are followed, developing and updating new risk responses if there is need for it, integrated change control, monitoring risk triggers, performing trend and variance analysis against project performance data, recommendation of counteractive and corrective measures and actions and usage of the reserves. Further actions during this process are workarounds, risk audits, risk register updates, reserve analysis, risk reassessments and follow-up meetings.

Conclusion

The benefits of proactive project risk management are huge. This is only possible if we make risk management part of the project right from the start. Communication between and amongst all the stakeholders plays a big role in this process. Risk ownership after the potential risks have been identified and analysed helps keep risks from being overlooked or forgotten. Risk management should be a continuous process throughout the lifecycle of a project. Lessons learned from previous projects are also very important and are usually veritable sources of answers to a variety of challenges that future projects might experience. No longer should risk management be considered only for risk management professionals but for top management and the project team who will take charge and make sure all bases are covered. Studies have shown that corporations, enterprises, organisations and government departments that make risk management as an integral part of their ethos and strategic plans experience less problems in managing projects and also those projects come in on time, within budget and within scope.

Ayodele Akingbade