Show
The Risk Management Process is a clearly defined method of understanding what risks and opportunities are present, how they could affect a project or organization, and how to respond to them. The 4 essential steps of the Risk Management Process are:
Four Steps of the Risk Management Process Step 1: Risk IdentificationThe first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project:
These events can be listed in the risk matrix and later captured in the risk register. A risk (or opportunity) is characterized by its description, causes and consequences, qualitative assessment, quantitative assessment and mitigation plan. It can also be characterized by who is responsible for its action. Each of these characteristics are necessary for a risk (or opportunity) to be valid. In order to be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and specific as possible. The title of the risk or opportunity must be succinct, self-explanatory and clearly defined. All members of the project can and should identify R&O, and the content of these is the responsibility of the Risk (or Opportunity) Owners. Risk Managers are responsible for ensuring that a formal process for identifying risks and developing response plans are conducted through exchanges with risk owners. We will explain each of these roles in further detail in our next article on Risk Management Team Roles. Below are examples of tools to help identify R&O:
Step 2: Risk AssessmentThere are two types of risk and opportunity assessments: qualitative and quantitative. A qualitative assessment analyzes the level of criticality based on the event’s probability and impact. A quantitative assessment analyzes the financial impact or benefit of the event. Both are necessary for a comprehensive evaluation of risks and opportunities. Qualitative AssessmentThe Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity by occurrence probability and impact severity, according to the project’s criticality scales. Evaluating occurrence probability (P): This is determined preferably based on experience, the progress of the project, or else by speaking to a risk expert, and is on a scale of 1 to 99%. For example, suppose the risk that: “the inability of supplier X to conduct studies on a modification Y by the end of 2025” is 50% probable. This could be determined from feedback and analysis of the supplier’s workload. Evaluating impacts severity (I): To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at the project level. A scale is used to classify the different impacts and their severities. This ensures that the assessment of the risk and opportunity is standardized and reliable. The criticality level of a risk or opportunity is obtained by the equation: Criticality = P x I The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the response on critical items first. Quantitative AssessmentIn most projects, the objective of the quantitative assessment is to establish a financial evaluation of a risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the Risk Manager (with support of those responsible for estimates and figures), or the management controller depending on the organizational set up in the company. These amounts represent a potential additional cost (or a potential profit if we are talking about an opportunity) not anticipated in the project budget. For this, it is therefore necessary:
This step will make it possible to estimate the need for additional budget for risks and opportunities of the project. Step 3: Risk TreatmentIn order to treat risks, an organization must first identify their strategies for doing so by developing a treatment plan. The objective of the risk treatment plan is to reduce the probability of occurrence of the risk (preventive action) and/or to reduce the impact of the risk (mitigation action). For an opportunity, the objective of the treatment plan is to increase the likelihood of the opportunity occurring and/or to increase its benefits. Depending on the nature of the risk or opportunity, a response strategy is defined for the project. The following 7 strategies are possible: The 7 Risk Response Strategies 7 Risk Response Strategies
Monitoring the progress of the treatment plan is the responsibility of the risk owner. They must report regularly to the risk manager, who must keep the risk register up to date. Note: The cost of a risk mitigation plan must be integrated into the budget of the project. When defining a treatment plan:
When does risk become an issue?Anticipating Risks and Opportunities It is possible that, despite the actions put in place to mitigate or prevent it, a risk probability could increase and reach 100%. Once a risk is confirmed, we no longer refer to it as a risk but as an issue. The Risk Manager must then inform the various project stakeholders who will relay that a risk has become an issue and transfer it to the issue log. Step 4: Risk Monitoring and ReportingRisks and opportunities and their treatment plans need to be monitored and reported on. The frequency of this will depend on the criticality of risk/opp. By developing a monitoring and reporting structure it will ensure there are appropriate forums for escalation and that appropriate risk responses are being actioned.
In the previous article we identified the Risk and Opportunity Management Plan or ROMP as one of the five essential elements of Project Risk Management. It should include not only the project stakeholders and steering members, but the governance cadence for monitoring and reporting on risks and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction with the Project Manager. We will go over both of these roles as well as additional roles within the Risk Management Team in more detail in our next article. This article was written by: Marie BELGODERE, Jérémie CLAUSTRE, Capucine COMTE, Alioune DIALLO, Emmanuel LATGE, Jessy MIGNOT, Ingrid NGOBAY, Pierre PETILLON, Louann SUGDEN, Chris WAMAL. Loved what you just read? Let's stay in touch.No spam, only great things to read in our newsletter. What are the characteristics of a risk event?What are 5 Key Characteristics of Risk?. Situational. Changes in a situation can result in new risks. ... . Time-based. ... . Interdependence. ... . Magnitude Dependent. ... . Value-Based.. What is risk acceptance strategy?Accepting risk, or risk acceptance, occurs when a business or individual acknowledges that the potential loss from a risk is not great enough to warrant spending money to avoid it. Also known as "risk retention," it is an aspect of risk management commonly found in the business or investment fields.
What are the 4 risk response strategies?Since project managers and risk practitioners are used to the four common risk response strategies (for threats) of avoid, transfer, mitigate and accept, it seems sensible to build on these as a foundation for developing strategies appropriate for responding to identified opportunities.
What are the 5 risk response strategies?5 Risk Response Strategies You Will Have to Consider After Assessing Risks. Risk Response Strategy #1 – Avoid. ... . Risk response strategy #2 – Reduce. ... . Risk response strategy #3 – Transfer. ... . Risk response strategy #4 – Accept. ... . Risk response strategy #5 – Take risks.. |