Some experts have said that a strong risk management process can decrease problems on a project by as much as 80 or 90 percent. In combination with solid project management practices, having a well-defined scope, incorporating input from the appropriate stakeholders, following a good change management process, and keeping open the lines of communication, a good risk management process is critical in cutting down on surprises, or unexpected project risks. Such a process can also help with problem resolution when changes occur, because those changes are now anticipated and actions have already been reviewed and approved, avoiding knee-jerk reactions.
Before one can embark on a risk management process, one must have a solid understanding of some key definitions. Project risks as defined from a PMI perspective are, at their core, unknown events. These events can be positive or negative, so that the word "risk" is inherently neutral. That said, most of the time and focus is spent handling negative project risks, or "threats," rather than positive project risks, or "opportunities."
Often, companies that do perform a risk management process on a fairly typical multi-month project (no longer than 12 months) will identify and manage possibly five to ten easily recognised project risks. However, that number should in fact be much higher. With a high number of project risks identified early on, a team's awareness of what to look for is increased, so that potential problems are recognised earlier and opportunities are seen more readily.
It may seem that project risks cannot be managed without taking away from the actual work of the project. However, this can effectively be accomplished with a seven-step risk management process that can be utilised and modified with each project.
The Risk Management Process
Step one of the risk management process is to have each person involved in the planning process individually list at least ten potential risk items. Often with this step, team members will assume that certain project risks are already known, and therefore do not need to be listed. For example, scope creep is a typical problem on most projects. Yet it still must be listed because even with the best practice management processes in place, it could still occur and cause problems on a project over time. Therefore it should be addressed rather than ignored.
Step two of the risk management process is to collect the lists of project risks and compile them into a single list with the duplicates removed.
Step three of the risk management process is to assess the probability (or likelihood), the impact (or consequence) and the detectability of each item on the master list. This can be done by assigning each item on the list a numerical rating, such as on a scale from 1 to 4, or a subjective term such as high, medium, or low. Detectability is optional, but it can be simple to assess: if a risk is harder to see, such as with scope creep, then it's a riskier item. If it's easier to catch early, such as loss of management support or loss of a key resource, then it's lower risk.
Step four of the risk management process is to break the planning team into sub-groups and to give a portion of the master list to each sub-group. Each sub-group can then identify the triggers (warning signs) for its assigned list of project risks. All triggers should be noted, even minor ones. Normally there will be at least three triggers for each risk.
Step five of the risk management process is for those same sub-groups to identify possible preventive actions for the threats and enhancement actions for the opportunities.