Developed by Samira Ehrari
Risk management is a very interesting and important topic in each area in our society. Actually everyone knows what a risk is; it is a part of our life. Each step or each decision we make, is full of risks, whether we notice it or not, but when we look at our professional life, then we have to take an action for each risk arise, because it has a negative effect and the effect can have consequences in terms of economic, professional reputation, environmental, safety and societal outcomes. This article focuses on for example how an organization or project handles its risks and which framework could be relevant or helpful for it. Now a day, the risk management is an important part of project, program and portfolio management. In order to end up a project successfully and deliver it on time and within budget, it is important to get an overview of the risks, which is associated to the project. Most of the projects fail due to the lack of risk management [Why projects fail 2011]. In many projects the risks are not proactively identified, analyzed and mitigated or even in some projects the risk is a part of project's planning process, the projects fail because the resources are not completely utilized to get the full advantage [Oehmen et. al.2012 and Zwikael and Ahn 2011]. This article further talks about the risk and different level of risks in organization level and how to identify the projects risks by using some of standard guidelines for risk management such as ISO 31000, ISO 2700S, DS/ISO 31000 Risk management- Principles and guidelines and M_O_R principles, which is a standard risk management framework, which can be used by any organization on any projects regardless of its size. NOTE: This article might be similar to other articles; Risk analysis, risk register, Risk management strategy in project portfolios
Definition of risk management
You can find different tools and definition for risk depending on the context in which it is used. A definition from Oxford English Dictionary sounds like “the possibility that something unpleasant or unwelcome will happen” [Oxford English Dictionary]. This is more general and related more to your every day. In decision theory, Luce and Raiffa relate risk to make decisions under known probabilities of the states of nature [Product Management Innovation 2009] and Frank Knight define the risk in economic theory as “risk arises when the decision maker can assign probabilities to possible outcomes”. A well-known definition of the risk in the domain of project management considers the risk as “an uncertain event or condition that, if it occurs, has a positive (opportunity) or negative (threat) impact on project objectives” [Innovation and Product Management] Frank Knight defines the uncertainty and risk as “...Uncertainty must be taken in a sense radically distinct from the familiar notion of Risk, from which it has never been properly separated. … The essential fact is that "risk" means in some cases a quantity susceptible of measurement, while at other times it is something distinctly not of this character; and there are far-reaching and crucial differences in the bearings of the phenomena depending on which of the two is really present and operating. … It will appear that a measurable uncertainty, or "risk" proper, as we shall use the term, is so far different from an un-measurable one that it is not in effect an uncertainty at all" [Ariane Chapelle]. Frank Knigh’s definition is more useful according to project, program and portfolio management. In many projects, risk is the uncertainty, which is associated with any kind of the action and projects in organization’s context that must understand and effectively manage during the project’s process and improve the results [Luce and Raiffa].
Different types of risk management definitions can be found and the choice of definition depends on how big a concept of risk is used in order to which risks are covered by the definition. There is not a complete tool or solution that fits in every project, creating a new or changes the existing risk management process according to the project's goal is always helpful and flexible process that will ultimately result in a solution to the individual organization or project. Risk is always based on imagination of how the project will be completed. It can be defined on the basis of an existing plan, for example, the project must be completed in 6 months. The risk of delay is bigger than if the project must be completed in one year. If the new technologies are a part of the project plan, that you have to use the new technologies is the risk bigger than use the known technologies. Therefor the risk is based on an existing plan; the same project may have very different risks, if you change the project’s plan. [Risk Management,concepts and methods].
To minimize the uncertainty and reduce the risks on the project, you may regularly look back to your risk analysis, because most of the projects fail due to lack of risk management, in many projects the risks are not proactively identified, analyzed and mitigated or even in some projects the risk is a part of projects planning process, The projects fail because they do not invest their resources completely and do not pay attention to it. Risk management is the most important part of the project planning process. It is a management tool, which project manager uses to analyses the risk factor within a project group or projects. Project group must be informed of the main risks and how they will deal with those risks. Often it requires extra resources to eliminate risks; these resources must allocate the project group. Many studies have pointed as well that the risk management has a big role in projects success [Tara Duggan]. The report by Jacob and Kwak highlights the positive contribution of risk management to improve the project selection, review and resource allocation of new product development projects. It used in many areas such as public debate, research, danger of disease, death or accidents, threatening environmental problems in terms of risk of climate changes, CO2 , pollution and so on. It is also used in many other projects such as customer needs and price, new technology and resources, construction and delivery projects, research projects and interests and other tasks.
Benefit of risk management
Risk management helps you to identify your projects strengths, weaknesses, opportunities and threats [Jacob and Kwak]. These four factors are a part of SWOT-analyse. By identifying your projects strengths and opportunities you can reduce the weaknesses and threats and there by your project’s risks, you will be aware of the unexpected events and you can immediately take actions to reduce the losses [Overview of risk management]. There are many reasons for managing risks. Here are some main reasons: First of all, risk management results in an overview and a number of options for an action to avoid known and unknown risk and reduce the impact of those [Power in projects & portfolio].
- Saving resources: Time, assets, income, property and people are all valuable resources that can be saved if fewer claims occur.
- Protecting the reputation and public image of the organization.
- Preventing or reducing legal liability and increasing the stability of operations.
- Increases the organizations profits and competitiveness and reflects an attractive professional approach to project work.
- Protecting people from harm.
- Protecting the environment.
- Enhancing the ability to prepare for various circumstances.
- Assisting in clearly defining insurance needs.
- By managing the risks, you can increase the quality of the project deliverable
- Protects public image
- Protects people from harm
- Prevents/reduces legal liability
- Protects the environment
Three Levels of operational risk management
The risk management in an organization can be categorized in three levels of operation- [three level of operational risk management].
- Strategic level:
At strategic level, operational risk management relates to the vision of the business, expansion planned over a few couple of years, the product position and the target customers in the market. In other words, the strategic operational risk management relates to the implementation of the risk demands. It must be defined at the top management level and must be deployed in a top-down manner through all the levels of the organization. At this level, top managers should not expect that all process would be accomplished without defects, free errors, flaws or less than perfect projects, demanding such a standard leads to over management and paralysis. It creates nervous leaders, that can be afraid to make tough decisions in crisis and unwilling to take risks necessary for success in projects, In this level op managers must be aware of risk management, understand it and must be ready to support a project manager’s decision in those situations. The top managers must accept that things may go wrong, even if a project manager has a lot of experience and knowledge in that area. In this level the risks has a very high impact in the organization, because you will define the risks based on your Business Plan and Processes, where strategic goals are defined. These risks are expected to be managed by the organization’s CEO [Operational Risk Management, February 2002]
- Tactical level
At tactical level, the set of operational risk management tools and controls helps to reduce the number and intensity of the projects. It provides the risk manager with a second line of defense. The effect of the risk responses deploys at tactical level, such as loss, fines and near misses reductions Tactical operational risk management emphasizes on loss prevention and risk reduction techniques, process control, loss data analysis, key risk indicators, risk self-assessments and business expansion plans are some of the vast array of tools and techniques that have been developed to reduce the frequent occurrence of the risk elements and to reduce their impact on the overall project. There always should be a connection between strategic and tactical level, the vision or mission statements defines in strategic level and the projects, programmes, their deliverables and its requirements describes in tactical level. Many projects fail because of less communication between strategic vision and tactical project deliverables and requirements. [Integrated Risk Management, as a framework for Organizational Success].
- Operational level
Operational level provides a natural reduction of the operational incidents by redesigning all those processes that were prone to errors, removing any unnecessary tasks and useless controls, standardizing the procedures and improving the productivity. Operational risk management targets the operational efficiency and process design. Work flows are redesigned in this level to improve the work speed by eliminating the errors. Staff Operational risk management must spread over all these three levels, in order to be more effective and efficient
Risk management does not tell you to take a number of actions to tackel or facilitate an unexpected situation. It is a framework that helps you to apply leadership at all levels to meet project's requirements and to improve the project's result.
How to develop a risk analysis
Risk Management can be developed in two different ways [Best Management Practice]:
- By using the standard risk guidelines such as ISO 31000, which managers can go step by step and identify the risks and analyse the situation of each phase and take an action for each risk, that have negative impact on each situation. In this step more leaders must participate in order to reduce the impact of risks and take care of each situation.
- By using more general analysis or guidelines to define the project's goals and reduce the risks without managing it and less management participation.
In the first option many standard guidelines and analysis can be used such as ISO 31000, IEC/ISO 311010, and ISO 73-2009 and many others. The International Organization for Standard (ISO ) risk management provides principles, general guidelines; framework and a process for managing the risks- It can be used by any project, organization regardless of its size. ISO 31000 summarizes all the central activities and main points, which an organization might go through to manage their risks effectively and increase their chance to reach their goals. It doesn’t contain any specific techniques in order to use, but it mentions that an organization must follow risk identification tools and techniques, that match the projects and its goals. Another ISO standard application is ISO/IEC 31010, Risk Management, which contains of some risk assessment techniques and steps that gives an understanding of the risks, which can have a negative impact on an organization’s achievement of its goals and the adequacy and effectiveness of controls already in place. Risk assessment helps decision makers to take the correct decisions, for example which tools and techniques must be used to treat the risks and how to choose the best opportunities. The following techniques described on ISO 31010
- Risk identification
- Risk analysis - consequence analysis
- Risk analysis– qualitative, semi-quantitative or quantitative probability estimation
- Risk analysis – assessing the effectiveness of any existing controls
- Risk evaluation
- Communication and consultation, and monitoring and review
Each step has described in detail on ISO 31010. Compare to M_O_R and then M_O_R is much extensive application, which provides a detailed guidance on how to implement risk management.
M_O_R stands for Management of Risk. It is a framework for the management of risk at different levels of of an organization such as Strategic, programme, project and operational level. It includes all the activities required to identify and control the risks, both negative and positive, which may have an impact on the achievement of an organization’s objectives [M_O_R].It is also a framework for how to make informed decisions about risks respectively strategic, program, project and operational level in order to identify, assess and manage the key risks in order to deliver the expected advantages [M_O_R].
It describes deeply both what needs to be done through some principles, activities and roles and how to begin the activities. In some ways, ISO31000 and M_O_R are very similar and use some common definition and methods. M_O_R is designed for practical application of risk management techniques and based on 4 core concepts: principles, approach, process and embedding and review, while ISO31000 is designed more to assess how completely the risk management techniques have been applied [Best Management Practice], The difference is that ISO3100O based on framework, principles and process. It prescribe how an organization should implement risk management and manage the risk by using any tools, that suits its goal and organization, while M_O_R allows it to customize its approach within the guidelines to suit its operating environment and process. Both are useful tools and can be used for managing the risks. Further information about M_O_R and ISO 31000:2009 is available in Michael Dallas report 
The Tabel as taken from Michael Dallas report, which shows a direct comparison of M_O_R with ISO 31000 against categories that are common to both framework.
Risk Management in Practice
To identify the projects risk, you can start with brainstorming, the first step is to list the main categories such as technologies, goal, stakeholder, communication, cost, environmental, resources, reliability, which is indicated with blue color in below figure. The next is to identify the risks, which is associated to the main categories. By brainstorm the risks, you can find 50-100 risks, depending to the projects size, therefore the third step is to estimate what the potential impact could be by using the Risk Matrix. Each high priority or high impact risk should be assigned to a group member after their experience and skills, so they could study and evaluate the risks. Cost risks might for example assign to someone in the finance department than one from IT- department. The new technology might assign to someone from IT- department. The project manager should be assign for all the risks process, the most important part of risk process is the schedule with deadline and the risks list, which should only edit, added, re-prioritized and control by the project manager during the project. To reduce the risks, the project manager should communicate the risks list to all the project stakeholders regularly, at least once a week. All the changes should be registered to the risk map and at the end of the project the results can be used to do a retrospective. What did you learn from it, what should be different in next project and how to control the risks from the beginning?
This example is more general and very simple; you can maybe use it for a very small project. You can visit Risk_analysis which is described more in detail. I will not go in too details in this reports, because another one is writing. By defining risk management processes for your company, you get closer to success by minimizing or completely eliminating any kind of risks that could have a negative impact on the the project. This lets you to fulfill the targets within the allowed budget and time deadlines. If the risk management strategies are not defined properly then the project could be more prone to deficiencies and failures. Effective risk management strategies helps to overcome the extra expenses that do not produce a return on investment and it also helps to maximize the profits. Through detailed analysis, clever leaders prioritize the on going work based on the results produced, despite the odds.
Assessing and managing risks is the best weapon you have against project's deficiencies. By identifying the risk management within the projects plan and strategies, you will improve your chances for a successful project even if the project is not a perfect project. Risk management is a way of success if you manage it in a correct way by making use of the correct framework and identifying all the risks that could have a negative impact on your project.
You can always use your projects result to the next project that what should be better on next project and which phases you should put more attention. An effective risks management will always help you to minimize the negative impacts of activities that could be a big problem for your projects and your organization.
 Why projects fail: Avoiding the Classic Pitfall, An Oracle White Paper, October 2011 and Calleam Consulting LTD 2014: Why Projects Fail. And Tom Carlos, PMP: Reasons Why Projects Fail.
 Oehmen et. al.2012 and Zwikael and Ahn 2011, Oehmen, J., et al., Analysis of the effect of risk management practices on the performance of new product development programs. Technovation (2014),
 Oxford English Dictionary
 Innovation and Product Management 2009: A holistic and Practial Approach to Uncertainty Reduction,Kurt Gaubinger, Michael Rabl Scott Swan, Thomas Werani
 Frank Knight 1921: Risk, Uncertainty and profit, Imperfect competition through Risk and Uncertainty, Part III, Chapter VII
 Ariane Chapelle: The three levels of Operational risk management, May 2012
 Risikosamfundet: 1997, Tara Duggan, Demand Media: Why Is Risk Management Important to Project Success?
 Luce's Paradigm for Decision under Uncertainty, Luce and Raiffa, 1957
 Risk Management, concepts and methods: Club De La Securite De L’information Francais
 Best Management Practice: Management of Risk.Guidance for practitioners and the international standard on risk management, ISO 31000:2009 of Michael Dallas, Dictor, APM Group Ltd.
 Best Management Practice: Management of Risk.Guidance for practitioners and the international standard on risk management, ISO 31000:2009 of Michael Dallas, Dictor, APM Group Ltd.
 Jacob and Kwak (2003) and Raz et al.2002
 Article: Overview of risk management Henrik K. Søndergaard
. Power in projects & portfolio of Mette Lindegaard, and John Ryding Olsson