Risk management process
Developed by Bjarni Jakob Gunnarsson
Risk management process (RMP) is a concept or a framework to manage risk both internal and external in all industries. It is a concept that has been coming popular for project managers to improve performance and increase the profit. This concept helps management teams to construct a strong and systematic approach to the whole risk analysis process. With risk process and strong project management practice the problems in a project can by decreased. Furthermore, it could also help to resolve problems that occur later on in projects.
Risk vary in projects because of the uniqueness of every project. Identification of a risk, understanding and managing critical risk that can harm the project, a concept needs to be followed. RMP is a very robust approach that can be followed by risk managers and management teams.
Risk management in project should be throughout the project life cycle. In some cases the risk management is primarily done in the design phase of the project, but should be also manage in the construction phase. The RMP is a five step process that is as follows: .
- Step 1 – Establish the context
- Step 2 – Identify the risk
- Step 3 – Analyse the risk
- Step 4 – Evaluate the risk
- Step 5 – Treat the risk
The RMP is essential to manage those risk that can occur in projects and to be able to mitigate those risks. Studies have shown that the changes of risk event occurring are in the idea, planning and the start-up phase of each project. As represented in Figure 1, the total cost impact is less if the risk event will occur earlier and therefore it is very important to use that period to minimize or mitigate around a potential risk. Moreover, as it goes further into the project phase the increase in cost is very steep .
This wiki article aims to go through those steps mention above with few techniques and methods that are well known in risk management and a case example where to apply them in the RMP. Furthermore, the background of risk management, advantages and RMP limitation will also be discussed.
The risk management term has a history in America from the early 1950's and it has been developing since then around the world. It was not until 1963 “The Journal of Risk and Insurance” published nine articles regarding risk management. From the year 1963 and until 1967 an increase in academic interest was shown. It was not until early seventies that the risk management awareness increase in Europe and that is due to the expansion that happened in the United States in early years . With the awareness of risk around us, the expansion of the subject has aroused and is coming mainstream in businesses today.
What is risk, risk management and what purpose/value does risk management process have?
Risk is the likelihood and impact of a certain event with potential to effect the goal or the objective of the project. To avoid these unexpected risk events that the future has, risk management process is a concept to follow throughout the project life cycle and to be able to maximize the efficiency and the effectiveness .
Risk management investigates the future and the uncertainty that it has. Uncertainty can both be good and could also be bad. With examination of the uncertainty that the future has, could lead us to avoid the threats and steer and aim us towards the opportunities . Even though risk management is not just avoiding risk or taking one, it is a development that has to have complete understanding of the risk that are relevant to the project .
The basic RMP principle should always be included when dealing with risk in projects because it helps the management team to efficiently understand and manage unwanted risk. The following main phases of RMP are: Establish the context, identify the risk, analyse the risk, evaluate the risk and treat the risk .
Application of risk management process
The RMP is not a standalone concept that can be implemented into project or organization. To be able to manage risk effectively through the RMP a well define risk management framework has to be clear. The framework will provide the foundation for success risk management. The RMP at each step will communicate with the risk management framework, as can be seen in Figure 2, and therefore establish a holistic approach to risk management.
RMP can be seen in Figure 3, the five steps in the RMP are well defined and easy to follow with good management practice. In this section the five RMP steps will be explain further and how it can be applied to managing risk. In those five steps that is within the RMP is the risk assessment. Risk assessment is an over group of the 3 steps, identify risk, analyse risk and evaluate risk. Inside these subgroups of risk assessment are few methodologies that are used to help the management team to establish the right outcome of the RMP. These methodologies will be mention briefly to explain what is used in practice today.
Even though the communication, consult, monitoring and review is not part of the five steps, it is key element of risk management. It is essential to communicate and consult with stakeholders, from early stage, in the value chain during all five steps of the RMP. Stakeholders have to understand the basis in decisions and why action is needed for specific risk. This is done by effective communication both internally and externally with stakeholders within and outside the organization.
Establish the context (Step 1)
The first step in the RMP is to establish the context and is the key to effective and great risk management. The context will act like a guardian to make sure that all activities will remain relevant throughout the process. There are various context that needs to be taken into account and to articulate the objective of the project or organization. Establishing the context can be found with ., by identify strengths, weakness, opportunities and threats, see Figure 4. The context can be divide into external and internal. One other analysis method that is also used is the PESTEL analysis, which can identify the political, economic, social and technological, environmental and legal condition of the context. Furthermore, the context will set the scope for the risk criteria for later processes and should be establish each time it is implemented
Risk identification (Step 2)
How to identify risks?
Risk identification is the second step in the RMP. This step is a critical step in risk management where the project manager assembles a team with stakeholders that have the relevant experience. The team tries to produce a list of possible risk that could affect the project from the get-go and through the project life cycle.
The team usually use brainstorming technique to find possible risk events. When using the brainstorming technique the team members have to have open mind and try to come up with as many possible risk events that could occur. Furthermore, team members have to consider the project that is in front of them and also try to learn from mistakes that had occur in other projects that are in the past. In the risk identification process a common mistake is often done, that is to focus primarily on objectives rather than events that could produce consequences. For example, focusing on objectives like failing cost estimation or time schedule instead of thinking what event could cause these events to happen . There are two methods that focus on both the objective and the event that causes risk. and or FMECA where the "C" stands for Critical, are very effective ways of identify the risk in projects. In the HazOp method, the system or project is split up into parts which has a single function or design that can be identified. The FMEA is a bottom-up method which focus on components in the system or project. Working from the lowest level of e.g component in the system up to the higher levels. The analysis will continue until the root of the problem is found. incorporated with is an effective method to help management teams to identify risk events from the objectives. Breaking down these objectives into macro risk helps the team to check specific areas that are interesting.
This identification process of risk should involve more than the core team inside the organization. All stakeholders in the value chain, for example, customers, sponsors, subcontractors and vendors should have some input into the identification process because it makes them more committed to the project .
Risk analysis (Step 3) and risk evaluation (Step 4)
Step 3 and 4 are the risk analysis and evaluation of the events that where produced in step 2, risk identification. Even though the name risk can be a threat, not all risk events need further inspection. Some of the risk in projects can be ignored while others need more attention because they pose threat to the project. Managers need to screen out these events that pose no threat to the project and try to focus on other risk events that have more potential to harm the project in any way..
For analyzing risk, two categories of methods have been developed – qualitative and quantitative. Within qualitative and quantitative are few methods that can be used to determine risk and its value, but choosing the right method for each project could be difficult. Qualitative methods are used when the risk can be placed on a detailed scale from low to high. The quantitative methods are based on numeric estimations and are used to determine the impact and the likelihood of the risk event. When choosing the right method for risk analysis, the size of the project needs to be evaluated e.g. small project sometimes need only identification and what action needs to be taken regarding risk, when larger projects need more work and depth in analysis. 
To be able to perform quantitative analysis a lot of work is needed. Quantitative methods are more used in larger project due to the complexity and it required often software tool and skilled employee. Methods that could be used is the Monte Carlo simulation, sensitivity analysis and diagram techniques.
is based on statistics from previous projects and the information that is collected is sometimes variables of cost and schedule for a project. It is often divided into pessimistic, most likely and optimistic scenarios.
Sensitivity analysis is based on which risk event has the most impact or value. The impact and the value are compared to the objectives of the project and if the event is very critical to the project it is the most sensitive and action needs to be taken. This method have the most beneficial for the project if the analysis is done in the beginning of the project. This method, like Monte Carlo, needs software tool to analyze the data .
Diagramming technique are very often used and when it comes to time and cost. .and are the two types of technique that are used to determine the impact that risk could have on the project. FTA is used to identify risk events that can bring out or cause failure of an event. FTA is drawn up like a tree, see Figure 5, and the branches represent the cause of the problem and on the top of the tree is the risk event that could occur. The branches in the tree have all different and possible outcomes. For each risk event that could occur in a project a FTA is done. The analysis of the risk event gets more detailed if the branches are many and therefor it could lead to better conclusion what is the real cause for that top event to happen. ETA is very similar in structure as the FTA, it is built like tree but the outcome is different. The ETA branches represent the impact if it is ether success or failure event. This technique should be applied early in the stage and therefore mitigate or avoid the risk. The goal of the ETA is to find the likelihood of negative outcomes that can cause damage to the system from the initial risk event
For analyzing risk, scenario analysis is most commonly used method. Scenario analysis is a method that team members have to analyze and assess the severity of each risk event that has been conducted in step 2 in terms of, likelihood of the event happening and the impact of the event.
Risk event that have the greatest effect on the project should receive highest priority. The best way to analyze the risk events is to have a scale ranging from “Rare” to “Almost certain” or have more precise scale with probabilities ranging from for example 0.1, 0.3, 0.5 … 1.5. The scale needs to be evaluated depending on the project nature. Impact scale is also needed to assess the consequences that event has on the project. The scale is often defined in numbers from 1-5, 1-10 or rank-order such as ”Negligible”, “ Minor”, “Moderate”, “Major” and “Catastrophic”. The likelihood and the impact scale can be seen in Table 1 and Table 2 respectively.  .
||ALMOST CERTAIN: Could occur several times per year|
||LIKELY: Likely to arise once per year|
||POSSIBLE: Likelihood that it may arise over a five-year period|
||UNLIKELY: Could occur over a five to ten year period|
||RARE: Very unlikely but not impossible, unlikely over a ten year period|
||CATASTROPHIC:Most objectives may not be achieved|
||MAJOR: Most objectives threatened|
||MODERATE: Some objectives affected|
||MINOR: Easily remedied, with some effort the objectives can be achieved|
||NEGLIGIBLE: Very small impact|
These two scales, likelihood and impact, are combined into risk matrix as seen in Figure 6. The risk matrix is divided into four categories green, blue, yellow and red. The green category is representing minor risk, blue is representing medium risk, yellow is representing major risk and red category is representing extreme risk. To place each risk event in the risk matrix a light calculation is needed. The formula for risk value is:
The step 4 is the evaluation of the risk event. Risk value is a number that can be evaluate and therefore be placed into the risk matrix. After the placement of each risk event in the matrix that was consider in the beginning of the RMP the evaluation of risk event expectant is formed. As can be seen in Figure 7, if the risk event falls into the red zone the event needs an urgent attention and needs treatment, but if the risk event falls into the green zone, which is the save zone, the risk can be accepted or accepted with minor treatment. Categories for yellow and blue can be treated with attention or investigation.
There is one other option that is available and it is widely used, that is technique. By adding detection into the Risk value formula gives the analysis a clearer view how difficult is to detect the risk event that could be a head of us. The detection scale would also be in the same scale as the probability and the impact. If a risk event would get a 5, it cannot be detected until it is too late, but if an event would receive 1, it would be very easy to detect the risk. The event that receives the highest score from the calculation will have the highest impact .
Risk treatment/response (Step 5)
Risk treatment and response is the final and the fifth step in the RMP. The treatment of risk events involves project manager and team members to identify the range of options to treat the risk event, evaluate those options, and make a plan for the treatment and the implementation. The most appropriate method that the team members find to achieve the wanted outcome is chosen. Risk response can be classified as follows: 
It is up to the project manager and the team to choose which risk strategy they will go for. If the risk event is inside the red zone in the risk matrix, like in Figure 6, the project manager needs to pay attention to those risk. Following the guidance in Figure 7, will help the managers and the team to treat and evaluate what to do in next steps.
When mitigating risk the team members try usually to reduce one of the two option, likelihood or the impact. Reducing the likelihood of particular event to happen is the first option of every team in the business because if it is successful, the team could eliminate the next option of reducing the impact which could lead to higher cost in the end. It is essential to take an early action to reduce the likelihood of an event to happen because as was mention in the beginning the cost will rapidly increase if the project is started and is well ahead in the project life cycle. Furthermore, it is more effective to take early action than try to repair the damage after the risk has occurred. This part of the process may require many resources or time, but in the end it is very effective way of reducing cost .
This strategy is very important and should always be the first to consider in a project. Sometimes avoiding risk or eliminate it is not an option because it can be too expansive or it could be time consuming. Avoiding risk is done by removing the cause or executing the project phase in a different way than it was planned. Even though we decide to avoid the risk the project objectives needs to be achieved. If the situation comes up that we cannot eliminate the risk that occur in the project, we try to eliminate that risk before the project starts  .
Risk event could be in full or in part transferred. This strategy involves another stakeholder who is willing to take responsibility and the liability if the risk event happen. Transferring risk to another stakeholder is very common because in practice the aim is to ensure the risk event is in the hand of the stakeholder that is willing and is in the best position to deal with it effectively. Passing risk to another stakeholder in the value chain will always be expensive. Therefore, management team needs to evaluate if it is more valuable to adopt the strategy to another stakeholder or keep it and try to avoid or mitigate the risk .
The least strategy that is use is to accept a risk event to happen, but sometimes project manager or teams need to accept the risk event can occur, because it could be that it is too expensive or too large to transfer or reduce the event. Project managers should be well aware of the risk events that could occur and sometimes they have to take conscious decision to accept the risk knowing it is very slim changes of that event occurring. When acceptance of any risk, project managers and teams are acknowledging to take on the risk when it occurs .
Risk monitoring is not part of the five step process that are in RMP concept. Risk monitoring is not a step that has to be done or be taken. Monitoring risk should be throughout the life cycle of a project and done at each step in the RMP, because that ensures new and changing risk events will be detected and manage before it occurs by implementing risk response action. To be able to monitor all risk events, meetings should be held regularly to maintain, update old and inform if there is a new threat. To identify new threat the project manager and the team need to go through the steps that are in the process and repeat them until the project life cycle is over because there are not many risk that remain static .
To explain the RMP even better a case for electrical installation for street lighting and distribution is used. This project was done for Statens vegvesen (SVV) in Norway and is rather large, but in this article the project is minimized. The RMP for this project in Norway was done by me and other specialist within electrical sector.
Step 1: Establish the context
This is rather straight forward in this case because this is minimized example from practice. Using SWOT analysis or other method is not relevant for this case. Context: Technological context
Step 2: Identify the risk involved
In the beginning of the process a few relevant specialist used brainstorming and came up with few objectives. These objectives/top events are:
- Electrical shock
- High voltage
- Thermal effects
- Damage due to external influence
- Lack of EMC
In this case Electrical shock will be the top event. The top event is broken down into smaller risk events with risk breakdown structure.
||Grounding failure in light pole|
||Grounding failure in the electrical cabinet|
||Electrical contact danger with reinforcing mesh|
Step 3: Risk analysis and Step 4: Risk evaluation
In this project qualitative method was used to analyze and evaluate the risk. Table 1 and Table 2 in this article represent the likelihood and the impact that was also used in this project for SVV. The likelihood, impact and the risk value can be seen in Figure 8. The risk value is found with the formula "Risk value = probability x impact".
After finding the risk value, the management team places the risk events into the risk matrix. The outcome of the risk analysis, evaluation and explanation can be seen in Figure 9 below. The event I and III are in a major threat category (yellow box), with a risk value equal to 9 and therefore need urgent attention or investigation. Same goes for the event II, the event have risk value of 15 and therefore is placed in the extreme category (red box) and needs also urgent attention.
Step 5: Risk treatment/response
The project team for this project tried to mitigate the risk that could cause electrical shock by implementing barriers. Barriers for risk events I, II, III decreased significantly the values for probability/likelihood and impact, as can be seen in Figure 10.
After the barrier implementation and the response that the team suggested the risk can be place in the risk matrix again. As can be seen in Figure 11, the status of the risk for all risk events are minor (green box) and the events need routine procedures to avoid further risk.
Advantages of RMP is the result in the end where projects and other objectives of the organization will be delivered in time and under cost. This process will maximize the efficiency of risk management and how it is built the risk will be discovered throughout the project life cycle. This process is just one of the things risk managers and teams need to think about. This process will only help the risk management team to increase the level of control, by going through those five steps. Furthermore, if the risk management framework is clear and the relationship with the RMP, there is higher likelihood of a great success in the project.
The limitations of this process can be few. The process does not monitor how well the risk management team will work and what methodologies they use in the five steps. It is also up to the risk manager to decide the experts that are going to be within the team. It can be difficult to choose the right team and the right employees that can work to gather in an efficient way. Furthermore, the risk management team has to decide what technique/methods or tool to discover the risk, the process will not help the team to choose between.
References used in the Wiki-article:
- Lark, J.(2015). ISO 31000, Risk management ..
- Independent, non-governmental standard. Great practical guide to follow when addressing risk. The standard ISO 31000 is a risk management standard that shows guidance when implementing risk management in a small to medium size enterprise. This is an assistant for decision makers and it goes through the five steps for risk management. The steps are essential to implement and be effective in risk management. The structure of the standard is aligned to support continuous improvement in the risk management implementation. The risk management process is the same regardless of the risk, here are the five steps, establish the context, Identifying risk, analyze risk, evaluate risk and treat the risk. Monitoring and review is also a big part of this standard.
- Larson, E. W. and Gray, C.F (2010) Project Management, The Managerial Process (5th ed.).McGraw - Hill/Irwin, NY.
- Book about project management, it goes through modern project management. Practical information about risk and the process how to handle different kind of risk depending on size of the project. Shows various method to managing risk and have snapshots from practice to get the audience to participate. The risk process is well explained with steps. From WBS in the identification chapter, into scenario analysis where probability and impact of an event is introduced and from that point into risk matrix and how to calculate risk and place them and evaluate them into the risk severity matrix in the risk assessment chapter. Going from risk assessment into the last step of the process is the risk response part, it plays essential part of the process, how to mitigate risk, avoid risk, transfer risk or retaining risk.
- Risk Management Task Group (2012) Project Risk Management Handbook: A Scalable Approach .
- Handbook that gives a great overview of the risk management process and the qualitative and quantitative methods that can be used. This handbook gives also a great overview of the steps that needs to be taken in the risk management process. Furthermore, it gives examples of method or technique that can be used in the process steps. Showing great figures that is related to the material and it gives an explanation to the reader how it should be done in the right way. More detail descriptions can also be found on how to use probability analysis and software.
- ↑ 1.0 1.1 1.2 1.3 1.4 1.5 1.6 Lark, J.(2015) ISO 31000, Risk management.
- ↑ 2.00 2.01 2.02 2.03 2.04 2.05 2.06 2.07 2.08 2.09 2.10 2.11 2.12 Larson, E. W. and Gray, C.F (2010) Project Management, The Managerial Process (5th ed.).McGraw - Hill/Irwin, NY
- ↑ Neil, G.C.(1982) The Bibliography and History of Risk Management: Some Preliminary Observations, 7(23),169-179
- ↑ Smith. N.J., Merna, T. and Jobling P.,(2006) Managing Risk in Construction Projects
- ↑ Kozin. I.,(2015) Course 42172: Risk and decision making
- ↑ Gajewska. E. and Ropel. M.,(2011) Risk Management Practices in a Construction Project – a case study.
- ↑ 7.0 7.1 7.2 7.3 Heldman, K. (2005) Project Manager´s Spotlight on Risk Management. California: SYBEX Inc.
- ↑ Duijm, N.D. (2015) Recommendations on the use and design of risk matrices
- ↑ 9.0 9.1 9.2 9.3 9.4 9.5 9.6 Risk Management Task Group (2012) Project Risk Management Handbook: A Scalable Approach