Risk and Opportunities Management
Developed by Anika Zandra Alcoat
In project management, uncertainty is a common parameter, given that projects are unpredictable and only an estimate of a future situation. In order to prevent uncertainties, project risks are identified and managed throughout the project life cycle. Risk management is a central concept and plays an important role in maintaining projects stability and success throughout the project. Risk management identifies potential obstacles that may arise and hinder the project team from achieving expected goals. Identifying risks is a repeatable process since new risks become known and others become unknown. Noteworthy risks are not only downsides, referred to as threats, but also upsides, referred to as opportunities. Opportunities may arise as a result of unexpected turns and have a positive impact on the project. Risk management is highly relevant and therefore present in all projects.
By using qualitative and quantitative risk management methods, uncertainties are identified and assessed in a structured way that helps projects stay on track. This article focuses on Rumsfeld’s unknown unknowns, the risk management process and response strategies to threats and opportunities.
The risk management process, RMP, may be divided into seven process steps: communication and consultation, establishing the context, risk identification, risk analysis, risk evaluation, risk treatment and monitoring and review. This process aims to ensure that risk is managed effectively, efficiently and coherently across an organization . At last, this article will outline and discuss the risk management process' limitations and advantages in a project management aspect.
In all projects there is indistinctness, which leads to assumptions being made. These assumptions are uncertain and can affect the project’s cost, scope, time or resources . Risks can be defined as "An uncertain event or condition that, if it occurs, has a positive or negative impact on one or more project objectives such as scope, schedule, cost or quality" . Risk management is a beneficial concept applicable in every project. The concept aims to improve decision-making processes by identifying, assessing and mitigating relevant uncertainties in a structured way . Due to the negative consequences of uncertainties, risks management is highly relevant and should be managed carefully.
Donald Rumfeld's Unknown Unknowns
The American politician and businessman, Donald Rumfeld, distinguishes between four categories of risk. The first category is identified as "known knowns" describing the things we know we know. Examples could be a project’s location, the type of project etc. The second category is defined, as "known unknowns" describing the things we know are uncertain. Examples could be how many workers are needed to complete a particular task or unpredictable weather conditions. The third category is defined as the "unknown unknowns". This category describes uncertainties that we could not have known in advance and let alone foresee their consequences, e.g. natural cataclysms. The last category is defined as "unknown knowns" describing risks that cannot be identified precisely due to multiplicity, but whose total negative impact on the project appears certain. An example of this category could be the Russian Winter Olympic Games in Sochi in 2014. The games in Sochi experienced significant cost overruns at 289% . Another example in connection to Russia is the widespread corruption of local officials. The risk is known in Russia but not officially recognised and can therefore be perceived as an unknown known.
The practice of risk management is to minimize negative impacts or threats to the project and maximize the upside impact of opportunities. To be a successful project manager it is therefore essential to understand what could possibly go wrong, assess risks’ probability and impact and thereby plan how to mitigate risks optimally.
Risk management involves planning and prioritizing risks before they occur, handling emerged risks and control and monitor risks, by using quantitative or qualitative approaches. By using quantitative approaches including mathematical models, it is possible to calculate and estimate potential negative and positive outcomes. However risk management activities are primarily based on qualitative data 
Qualitative data include subjective perceptions since people value risks differently and therefore also value potential consequences differently. Gathering different viewpoints could be a challenging activity, when representing different project stakeholders. Obtaining viewpoints and ratings for each risk is a matter of unifying opinions. A method used for assessing low-high risks is the so-called probability impact matrix, see Figure1. This figure shows the positioning of identified risks. Noteworthy, Figure1 is an example of a potential matrix and therefore the matrix can change dependent on different projects.
Risks placed within the red boxes hold extreme or high risks and need to be avoided since they have the potential to greatly impact the project's quality, time or cost performance. Risks placed within the orange boxes hold moderate risks and can be mitigated or transferred. This category has the potential to slightly impact cost, quality and time performance. Risks placed within the green boxes hold low risks and can be ignored or accepted since they have a relatively little impact on cost, quality and time performance.
From Figure1 it has been identified that not all risks can be eliminated, but mitigation and plans can be developed to lessen their potential impact. The risk management process is an iterative process that begins in the early project phases and is conducted throughout the project’s development.
The practice of risk management process is systematically thinking about all possible outcomes even before they occur and outline procedures to accept, transfer, mitigate and avoid the impact of emerged risks.
Risk Management Process
The risk management process, RMP, can be divided into seven steps: communication and consultation, establishing the context, risk identification, risk analysis, risk evaluation, risk treatment and monitoring and review. The seven process steps will be outlined and described below.
- Communication and Consultation
This process comprises communication and consultation with external and internal stakeholders and should take place throughout the seven risk process steps. This first step should especially focus on the exchange of relevant information and coordination of stakeholders’ perceptions. Communication and consultation between the stakeholders should mainly focus on the following aspects: the objectives, the scope and criteria. Last-mentioned include risk sources, consequences and related events, analysis method, judgment of evaluation criteria and suitable treatments for identified risks. Furthermore the project stakeholders are kept informed through reports, that summarise the current risk management activities .
- Establishing the Context
This step includes defining the objectives and scope for the risk management process and furthermore determines criteria against which risks will be assessed. Establishing the context does not only address the company internal but also external. Internal factors include the role of the risk management process within the organization as well as the basic criteria used to evaluate risks throughout the following 5 process steps. Establishing the context also include the integration and implementation of risk management processes during other processes in the organization, comprising methods, roles and responsibilities of the people involved in the risk management and the outlined goals of the risk management process.
- Risk Identification
The third process step consists of identifying sources of risk, potential areas of impact and outlining consequences . Identifying risks in normally done in groups with both experienced and less experienced members and often people working within similar projects are invited . The risk identification step is an iterative process that is managed throughout the project’s life cycle. This step aims to develop a comprehensive list of potential risks implied their impact and likelihood. This list is normally used in the following step, "risk analysis".
- Risk Analysis
The risk analysis is mainly concerned around prioritizing and classifying risks. This could be done by using the earlier mentioned probability impact matrix, see Figure1. Identified risks are analyzed to achieve a better understanding of the treatment needed either to transfer, mitigate or avoid the analyzed risk. The analysis may also identify unforeseen opportunities that may be pursued to provide additional benefit.
- Risk Evaluation
The risk evaluation focuses on prioritizing and deciding appropriate treatments for risks holding extreme, high or moderate risks. The risk evaluation is based on information gathered from the risk analysis and decision criteria, developed and defined during the establishment of context . Moderate-extreme risks will continue to the following step "risk treatment", while low impact risks will be ignored or accepted.
- Risk Treatment
The purpose of treating risks is to develop options and determine actions to enhance opportunities and reduce threats to project objectives . Different treatment opportunities are analyzed regarding cost-benefit tradeoffs and normally one or more options are developed and transferred to the project management for implementation . Risk treatment includes measures and plans to avoid the risks, to mitigate risks, to deflect risks or develop plans to handle unforeseen risks if they occur. Decided treatments, expected benefits and the re-evaluated risks are transferred to the last step of the risk management process, "monitoring and review".
- Monitoring and Review
This step oversees both situational risks within the organization as well as the risk management process itself . The purpose of monitoring and controlling risks is to minimize disruption to the project by determining whether the risk responses have the desired effect . This is done by identifying and analyzing new risks, monitoring trigger conditions for contingency plans and reviewing progress on treated risks while evaluating the effectiveness of the chosen treatment. The risk management process should be applied when new risks arise or when project milestones are reached.
Information gathered from the risk management process is collected in a risk management plan. The layout of such risk management plans will vary but normally contain the following steps :
- Risk identification
- Event description
- Description of consequence or impact
- Probability impact
- Risk exposure
- Risk response
Response Strategies to Threats and Opportunities
As mentioned earlier, uncertainties and unexpected occurrences can affect the project either negatively or positively. The risk management process analyzes and manages, in particular, negative impacts threatening the project. These threats are either accepted, mitigated, transferred or avoided. The four response strategies will be described in the following:
- Accept/ Ignore
For the accepted/ignored threats, where any response is not likely to have an impact on the project objectives, no risk response is planned. When actively accepting the risk the idea is that the uncertainty is being accepted whether it has a positive or negative impact. Accepting opportunities means keeping a separate contingency reserve to manage the risk if it occurs while accepting threats means hoping that the risk never occurs.
The number of threats that can be managed by using the avoidance or transfer strategies are usually limited . Therefore the mitigation or acceptance strategies are commonly used. The aim of risk mitigation is to reduce the size of the risk and thereby lie beneath a limit of risk acceptability. Determining acceptable risks can be imposed by using risk severity comprising high/moderate/low impact risks, see Figure1. The size of a potential threat can be reduced by either managing the probability and make the risk less likely or managing the impact and thereby reduce the severity. When dealing with risks, preventive responses are better than curative responses, since the first mentioned is more proactive and have the potential to imply risk avoidance .
Transferring risks involve allocating ownership and thereby finding a third party taking responsibility for the risk and best able to handle the potential opportunity. The aim of this response strategy is therefore to enable effective management.
The avoidance strategy aims to remove the cause of the risk or execute the project differently while still aiming to achieve project objectives. For instance, the project scope or the project schedule could be changed accordingly to risk avoidances. Not all risks can be avoided or eliminated and for some, this response strategy might be too expensive or time consuming.
Opportunities can be managed in the following ways, see Figure2:
- Exploit opportunities
- Share opportunities
- Enhance opportunities:
The aim of this response strategy is to eliminate the uncertainty associated with a particular upside risk . Whereas the strategy of risk treatment aims to reduce probability of occurrences to approximately 0, the exploit strategy seeks to raise the probability to 100%. This strategy is the most aggressive of the response strategies and is usually applied when those Golden Opportunities arise, containing high probability and high positive impact. The strategy of exploiting opportunities, can either response directly or indirectly. The direct response includes making positive decisions to include an opportunity in the project scope. E.g. if an opportunity was identified that market share would increase if a competitor withdrew from the market, active steps would be taken to either buy out the competitor or by forming a potential alliance. The indirect response includes handling the project in a different way by allowing the opportunity to be achieved while still fulfilling the project objectives .
The aim of this strategy is to share an opportunity involving allocating ownership to another party, who is best able to handle the opportunity, both in terms of maximizing the probability of the occurrence and in increasing potential benefits. Project stakeholders are considered potential owners of handling this type of response strategy, since they already have an interest in the project and are therefore likely to take responsibility for managing identified opportunities .
For risks that cannot be exploited or shared this type of response strategy aims to modify the size of the risk to make it more acceptable . The aim of threats it to mitigate the risk by reducing the probability of occurrences and/or the severity of impact. In the same way opportunities can be enhanced, by increasing the probability and/or impact, by identifying and maximizing key risk drivers.
Given the different risk response strategies, different approaches have been developed to manage risks optimally. One possible approach focuses on prioritizing response strategies according to their intensity, see Figure3.
When using this approach, the aggressive or intense strategies of avoid and exploit should be considered first, since these strategies have the possibility of eliminating uncertainties by removing treats or conquering opportunities . The second priority considers whether another party other than the project or organization should take over the risk, by either transferring a threat or sharing an opportunity. When it is not considered possible to either avoid/ exploit or transfer/ share, responses should be made aiming to mitigate threats and enhance opportunities. The last response option focuses on accepting risks after the three previous mentioned have been considered.
Noteworthy, it is important to remember, that one single response strategy may not be sufficient to deal with a particular risk. In this situation the risk should be reviewed, to determine whether the chosen response strategy is appropriate and has the intended effect.
The following section will describe the risk management process’ limitations and disadvantages and highlight potential advantages when using the method.
Limitations and Critical Reflection
When using the risk management process there are some aspects that need to be taken into consideration. E.g. it is important for the project manager to know what kind of people are handling and doing the assessment of potential risks. The cultures of different companies and countries can have very different perceptions in assessing consequences and what situations can be accepted. Therefore it is important to have in mind that people’s opinions regarding risks and addressing risks can be fundamentally diverse .
Furthermore there is a probability, that risks are improperly prioritized and assessed, which induces loosing valuable time on risks that are not likely to occur. Spending too much time assessing unlikely risks can divert resources that could be used more profitably elsewhere.
Given that the concept of RMP is applied extensively among projects, the process contains many advantages, which can benefit both small and large-scale projects. According to the PMI projects with a thorough and well-executed risk management process can expect a 15% higher success rate than standard projects .
- 17% increase in cost efficiency
- 15% increase in schedule efficiency
By using the RMP and thus identifying and managing risks, project managers can plan ahead and potentially mitigate or reduce problem occurrences. Any organization that effectively manages risks will experience benefits throughout a number of areas, including the following   :
- Increased ability to deliver project on time
- Enables decision-makers to confront risk and uncertainty in a realistic manner
- Fewer unexpected surprises
- An ability to quickly grasp and discover new opportunities. With greater liquidity follows the ability to capture emerging opportunities
- Enhanced communication between business units and departments
- Improved strategic and business planning
- Permits a thorough analysis of alternative options
- More effective use of resources: The planning and developing risk approaches helps protecting the resources of the organization
- Improved liability leading to an enhanced reputation among potential clients
- Harvesting reusable knowledge: The risk management process holds inputs from various stakeholders and their different experiences and insights. This achieved know-how can potentially be reused for future endeavors and thereby save time, resources and money
Risk management in general aids in making better decisions concerning uncertainties and risks, by using either qualitative or quantitative methods. The methods aim to detect potential risks comprising threats and opportunities. The risk management methods are not able to predict all project risks but beneficial opportunities and potential threats can be realized when applying methods. Therefore risk management methods and particularly the RMP is highly recommended.
For more information about risk management in general and the risk management process, the following readings are suggested:
- Maylor, Harvey. "Project Management", 4th. Edition. 2010. Pearson. Ch. 10. "Risk and Opportunities Management". p. 217-239 
- In this chapter Harvey Maylor focuses on determining the principles of risks and uncertainties. Furthermore the author describes qualitative and quantitative approaches, including the sensitivity analysis, the Monte Carlo simulation and the programme evaluation and review technique (PERT).
- Hillson, David. "Effective Opportunity Management for Projects - Exploiting Positive Risk", 2005. Ch. 7. ""Planning Responses"" pp. 134-152 
- This chapter focuses on selecting response strategies by different risk levels. David Hillson distinguishes between threat responses and opportunity responses and describes how to manage identified risks properly.
- Ottosson, Hans. "Practical Project Management - For Building and Construction", 23. July 2012. Auerbach Publications. Ch. 6.11. "Risk and Uncertainty Management" pp. 215-228 
- Within this chapter Ottosson introduces the risk management concept, the impact of risk perceptions and describes the risk management process. Furthermore the author introduces risk management tools such as the risk breakdown structure, RBS, and the Ishikawa/fishbone diagram.
- IRIS Intelligence. "Why Manage Risk", 2010. 
- IRIS Intelligence is an intuitive and user friendly risk management software package. According to IRIS, this software embeds best practice risk management methodology in a fully automated system, that can be instantly customized to match specific customer preferences and reporting requirements . This article focuses on describing different advantages and benefits when using risk management in projects.
- ↑ 1.0 1.1 1.2 1.3 1.4 Geraldi, Joana, Thuesen, Christian, Oehmen, Josef. How to Do Projects, 29. January 2016. Version 0.5.
- ↑ 2.0 2.1 2.2 2.3 2.4 2.5 Ottosson, Hans. Practical Project Management - For Building and Construction, 23. July 2012. Auerbach Publications.
- ↑ PMI. A Guide to the Project Management Body of Knowledge,5th. Edition 2013. Project Management Institute.
- ↑ 4.0 4.1 4.2 Dansk Standard. ISO 21500 - Guidance on Project Management, 27. September 2009.
- ↑ Flyvbjerg, Bent, Stewart, Allison, Budzier, Alexander. The Oxford Olympics Study 2016 - Cost and Overrun at the Games, 20. July 2016.
- ↑ 6.0 6.1 6.2 ' Maylor, Harvey. Project Management, 4th. Edition. 2010. Pearson.
- ↑ 7.0 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 Hillson, David. Effective Opportunity Management for Projects - Exploiting Positive Risk, 2005. pp. 142-145. Marcel Dekker Inc.
- ↑ 8.0 8.1 8.2 8.3 IRIS Intelligence. Why Manage Risk, 2010.
- ↑ 'Mok, C., K., Tummala, Rao, Leung, H., M.. Practices, barriers and benefits of risk management process in building services cost estimation, 1997.