Project Risk Management

By Thomas Hernandez,2014-06-13 12:39
8 views 0
Project Risk Management

    Project Risk Management


    The purpose of this document is to present some general guidelines for managing those

    risks associated with a project. As each project is unique, the approach used to manage

    the project’s risk must be adjusted to match the needs of the project. Included with these

    guidelines is a Risk Management Plan template and a Risk Mitigation template that may

    be used for recording, analyzing and tracking project risks. The steps involved in

    performing risk management include Risk Identification, Risk Analysis, Risk

    Prioritization, Risk Response Strategies and Risk Response Plan.

    Step 1 - Risk Identification The first step in performing risk management is to identify as many potential risks

    associated with the project as possible. Although this activity is primarily performed

    during the Planning phase, it should occur throughout the entire project. As each

    potential risk is identified, a brief description of the risk is created and recorded. During

    the risk identification process there is no analysis of the risks being presented. Each risk

    is recorded as it is stated and the next risk is then presented. To help identify potential

    risks, items such as lessons learned, the project work plan (WBS) and other documents

    may be used.

The Risk Management Plan template has been provided to assist in identifying and

    documenting potential project risks. The template provides a place where the identified

    potential risk descriptions may be entered. To aid in organizing the identification process,

    this template has been divided into sections by each project life cycle phase and the

    different project management areas. Also to assist in getting the process started, a basic

    listing of common risks associated with projects is provided. The team may start with

    these common project risks and determine if they are or are not relevant to the project.

    Step 2 - Risk Analysis Once it is felt all the risks that can be identified have been, then each of the risks need to

    be analyzed. This first involves discussing and clarifying each risk to make sure there is

    a good understanding of the risk. When the risk has been clarified the next step is to 1.

    determine the probability of the risk occurring and 2. determine the impact the risk will

    have on the project if it does occur. This information can be recorded on the Project

    Management Plan template next to each of the risk descriptions. Please note that the

    impact includes determining the consequence the risk will have on the project which may

    include missed target dates, increased cost and so on which may also be recorded on the

    template. When performing risk analysis the project team needs to keep in mind the

    project’s success factors and how the risk may impact those factors.

    For the probability the following scale may be used:

    1 = Very Unlikely 0% to 5% probability 2 = Unlikely 6% to 35% probability

    3 = Likely 36% - 65% probability


4 = Highly Likely 66% to 95% probability

    5 = Almost Certain 96% to 100% probability

For impact there is a number of different ways to look at it as risk may impact a number

    of different factors within the project such as costs, project schedule, lost opportunity and

    so on. The anticipated consequence of a risk, if it occurs, needs to be documented for

    those. For the impact the following scale may be used:

1 = Almost No impact on scope/cost/schedule/opportunities

    2 = Minor impact on scope/cost/schedule/opportunities

    3 = Moderate impact on scope/cost/schedule/opportunities

    4 = Significant impact on scope/cost/schedule/opportunities

    5 = Project Failure

Below is an example of an impact matrix that may be used. Because all projects are

    unique, these factors may not fit in every case. For example a project with a mandated

    implementation date would have Project Failure with even the slightest slippage in the


    Project 1 Almost No 2 Minor 3 Moderate 4 Significant 5 Project Impact Impact Impact Impact Impact Failure

    Scope Minor areas Major areas Scope End Product Scope

    change of scope of scope changes is effectively

    barely impacted impacted unacceptable Useless

    noticeable to customer

    Insignificant Schedule Overall Overall Overall Schedule

    schedule slippage schedule schedule schedule

    slippage <5% slippage 5 slippage 11 slippage >20

    10% 20% %

    Insignificant Cost change Cost change Cost change Cost Cost

    cost change <5% 5 - 10% 11 - 20% change >20


    Quality Only minor Quality Quality End Product Quality

    degradation applications reduction reduction is effectively

    barely are affected requires unacceptable Useless

    noticeable customer to customer


    By multiplying the probability by the impact you determine the Risk Factor. The higher the Risk Factor the greater the risk to the project. The Risk Factor may be record on the

    Risk Management Plan template.

Step 3 - Risk Prioritization

    Because you cannot nor should not try to manage ALL risks associated with a project,

    you need to prioritize the risks to determine which ones should be managed. By using

    the Risk Factors you can see what risks may have the greatest impact on the project.


Using this information plus any other information from the project team and stakeholders,

    rank the risks in priority order from highest to lowest for those risks having a significant

    impact on the project. (Determining what risks have a significant impact on the project

    and should be ranked depends on the project and its ability to accept certain amounts of

    risk.) The priority for the ranked risks may be recorded on the Risk Management Plan


Step 4 - Risk Response Strategies

    When the risks have been identified, analyzed and prioritized the next step is to

    determine how to respond to each risk. Within the risk response strategies there are four


    1. Mitigation, which is reducing the probability and/or the impact of an adverse risk.

    This is primarily used for those risks that are to be managed by the project team.

    2. Acceptance, which is accepting the risk as is and doing nothing. This is generally

    taken for those risks with a low Risk Factors. It may be used for higher rank risks

    where a contingency plan is developed. If the risk occurs the contingency plan is

    put into operation.

    3. Avoidance, which is eliminating the cause of the risk such as revising the scope to

    exclude that part involving the risk.

    4. Transference, which is placing the responsible for the risk and it consequence on

    someone outside the project.

Once it is determined how each risk will be responded to, those requiring actions will be

    assigned to team members as the Risk Owners. The team is overall responsible for the

    project’s risks and the Risk Owner is the person assigned to coordinate the efforts of the

    team in managing the risks. The Risk Owner is generally the person most familiar with

    the risk subject. The Risk Owner is responsible for the development and/or overseeing

    the creation of the Risk Response Plan and the action items to be taken within the risk


Step 5 - Risk Response Plan

    For those risks that have a response strategy of Mitigation, Acceptance, Avoidance or

    Transference a risk response plan needs to be developed.

Mitigation - The most common form of managing a risk is through mitigation. Within

    this approach a risk response plan is developed that presents the various ways the

    probability and/or impact of the risk may be lessened. For those risks being mitigated,

    the Risk Owner needs to formulate ideas as to how the risk’s probability and/or impact

    may be reduced. These are general statements covering the various areas that may be

    concentrated on to lessen the risk. Action items are then developed to outline specific

    actions that will be taken to support those ideas in reducing the probably and impact of

    the risk. These action items may also be included in the project plan. A Risk Mitigation

    template has been developed to assist in this process.

Risk Mitigation Template Fields Definition

    Risk Description Enter the description of the risk as stated in the Risk


    Management Plan

    Risk Item Identifier Enter the risk identification information, such as Requirements

    #3, that was assigned to the risk in the Risk Management Plan.

    Risk Priority Enter the priority of the risk as stated in the Risk Management


    Risk Factor Enter the Risk Factor for the risk as stated in the Risk

    Management Plan.

    Risk Response Enter the response strategy being used for the risk (mitigation,

    Strategy avoidance, acceptance or transference) as indicated in the Risk

    Management Plan.

    Risk Status Indicate the current status of the risk; open, closed, cancelled

    or on-hold.

    Last Updated Enter the date when the Risk Response Plan was last updated.

Risk Owner Enter the name of the individual who is primarily responsible

    for managing the risk.

    Date Assigned Record the date the risk was assigned to the Risk Owner.

    Consequence if Risk Enter a description of the impact/consequence of the risk

    Occurs including scope, schedule, costs, and lost opportunity.

    Areas where List those areas that may be concentrated on to lessen the

    Probability may be probability of the risk from occurring. Reduced

    Areas where Impact List those areas that may be concentrated on to lessen the

    may be Reduced impact if the risk does occur. Attachments If there are any attachments, please reference them here.

    Action Items Within this section list all of the very specific actions that will

    be taken to manage this risk. including how the actions will

    be performed and if appropriate when.

Acceptance Because no action is taken to manage this risk the only thing that needs to

    be documented in the Risk Response Plan is the consequence of the risk if it occurs. No

    additional planning needs to be developed unless it is decided that a contingency plan

    will be developed. If this is the direction then the contingency plan needs to be

    development and the risk monitored.

Avoidance Because a change is made to the project, such as revising the scope to

    eliminate the risk, no Risk Response Plan needs to be developed. It is very possible that

    the project change management process needs to be followed as a result in changing the


Transference - When the placing the responsible for a risk and it consequence on

    someone outside the project the project team needs to documented who and how the risk

    responsibility if being transferred. This can be recorded in the consequence section of the

    Risk Management Plan template.


Report this document

For any questions or suggestions please email