Mastering Project Risk Management: A Simple Four-Step Process

Risk, by definition, is an event that has not yet occurred, but we anticipate its potential impact on our project and have plans in place to deal with it if it happens. The operative word here is 'IF.' Therefore, to simplify, project risk management involves asking ourselves, 'What could derail the project?' and then developing strategies to manage those risks.

What steps can we take to manage risks effectively for our projects? Here is a simple four-step process you can adopt: 

1.     Identify risks

The first step in every project risk management approach is to identify potential risks that could impact your project. It’s crucial for the project stakeholders to agree on a definition of risk before attempting to identify them.

To efficiently identify project risks, you can follow these steps:

      I.         Conduct workshops involving team members and stakeholders—those who might be impacted by or could impact the project. Encourage participants to freely express their opinions, ensuring clear outcomes from the discussion.

     II.         Seek 'Lessons learned' information from similar completed projects. Valuable lessons learned can provide a significant advantage.

2.     Document the risks

Every project should maintain a risk log or register that captures information about each risk. The log doesn’t need to be overly complex, but a simple table format, like the following, can serve as a good starting point:

3.     Analyse the impact of each risk

A risk isn’t worth managing unless it poses a significant threat to the project. We can apply different analysis techniques to understand the potential impact of a risk. The first technique is Qualitative Analysis, a method of quickly assessing the likelihood of a risk occurrence and its impact based on intuition. Essentially, it involves taking a subjective view of the risk to decide whether it's worth pursuing or not. This technique usually results in assigning each risk a probability and impact assessment. For example:

By examining the probability and impact columns, it's easier to determine which risks should be actively managed and which ones can remain on the watch list. In this example, R1 takes higher priority than R2.

The second technique is Quantitative Analysis, and it’s about quantifying the risk in a tangible way – usually expressed as a monetary value. For example, we can find out how much it’d cost to repair a water-damaged Amani suit. Let’s say the cost is $200, then we now have an objective assessment of the total impact of the risk. Quantitative analysis technique can be time consuming and costly to perform, so it’s usually applied to high priority risks only. 

4.     Determine actions for each risk

We need strategies to minimise or even eliminate the impact of risks if possible.

Fortunately, we have millennia of experience managing risks in our civilisations, providing us with several effective strategies.

Strategy 1: Avoid the risk.

Using the example of the risk of the Amani suit getting wet in the rain, we could choose not to leave the house at all if we believe the cost of repairing the ruined suit outweighs the benefit of making the trip. 

Strategy 2: Transfer the risk.

If we must make the trip for a job interview but don’t want to risk the expense of repairing my expensive Amani suit, we can opt for insurance. For a nominal fee, insurance companies can bear the risk on our behalf, relieving us of the potential cost burden.

Strategy 3: Mitigate the risk.

A simple solution to the aforementioned risk is to carry an umbrella. In case of rain, the Amani suit remains dry, and we need not worry about repair costs. This strategy involves planning to deal with the risk, and it's the most common approach to risk management.

Strategy 4: Accept the risk.

Suppose you've won the lottery, and the cost of repairing a water-damaged Amani suit is inconsequential. In that case, you might not bother with the previous three risk management strategies and simply wear the suit without any concerns. We often 'accept' the risk if it's unimportant to us.

Lastly, continue repeating steps (a) through (d) throughout the project life cycle. Effective risk management requires the continual execution of all these steps until the project reaches successful completion.