Project Risk Analysis Guide
2. Process Stages
The process of project risk analysis is complicated enough and consists of a range of subtle and diverse steps. Experienced project managers recognize this fact, and for simplification purposes they often divide the process into two consistent stages. This way of simplification allows other project personnel to understand the analysis process at a glance and start participating in the process.
In this Guide we follow the same concept and present the project risk analysis as a two-stage process, including:
The Assessment Stage
The first stage of the analysis process focuses on the identification and further assessment of project risks. This stage can be divided into two sub-stages, as follows:
- Qualitative Analysis
- Quantitative Analysis
Qualitative Analysis. This sub-stage identifies the main sources of risks. It involves using a range of techniques, some of which are brainstorming, checklists, interviews, surveys, questionnaires. The point here is that a qualitative risk analysis requires undertaking a subjective assessment of risks and their impacts. Responders must answer certain questions and express their own viewpoints on the number and impact of uncertainties that threaten project success.
The qualitative analysis sub-stage can be achieved through:
- Interviewing key members of the project team
- Brainstorming project stakeholders and other interested parties
- Reviewing appraisal records and lessons learned from previous projects
- Using personal experience in risk identification
The sub-stage results in creating a risk profile or risk log that describes the types and expected impact of risks and uncertainties that have been identified through the subjective assessment. The risk profile should then be explored deeper through quantitative research.
Quantitative Analysis. The second sub-stage often involves more sophisticated tools and techniques and usually requires a kind of risk management software for risk modelling. With specialized computer software, a project manager is able to:
- Review and edit the risk profile
- Estimate each identified risk by cost, time and performance impact
- Determine probabilistic combinations of individual risks
A quantitative analysis is essential as it brings a clear understanding of the project and its probable problems. It highlights possibilities for risk mitigation, e.g. the development of an action plan for treating a specific issue.
The main parameters against which individual risks as well as any combination thereof are to be measured are as follows:
- Time. The Time parameter determines the impact of an individual risk or a series of individual risks on the time constraints of a project. It explores whether the project’s completion date will be changed (extended or shortened) and for how many hours/weeks/days
- Cost. The Cost parameter measures how much money is likely to be spent on responding to individual risks or any combination thereof. It determines the necessary changes to be made to project budget
- Performance. The Performance measure shows what objectives and expectations are affected by the risks and how seriously.
There are several main techniques of the quantitative analysis, including:
- Sensitivity Analysis. It is often regarded as the simplest technique of analyzing project risks. Essentially, it determines the total project effect of changing one risk variable, such as cost of materials or delays in plan development.
The key benefit of sensitivity analysis is that it allows for measuring how the effect of a single change of one risk variable can cause a difference in project outcome.
A sensitivity analysis is usually applied to all identified risks in order to identify which of the risks has the greatest impact on the cost, time or performance of a project. It determines how much the project environment is sensible or responsible to the risk. The technique allows building a sensitivity chart that visualizes the impact of various risks on the final result.
- Probabilistic Analysis. It determines a probability distribution for each risk and then measures the impact of all risks in combination to the project. This technique appears to be the most commonly used and represents a general way of how people usually consider the risk analysis process.
- Monte Carlo Simulation (MCS) is the most popular form of the probabilistic analysis. MCS means creating a model of risks on the basis of historical and current data. The simulation process begins with performing thousands and millions computations around the model, each time injecting random numbers to come up with a range of project outcomes with reference to the possible risks.
MCS proposes a path of events and a number of the most probable project outcomes to be produced under the portion of risk.
- Decision Trees. This method offers another way of using structuring models in project risk analysis and management. It allows creating a tree-diagram that visualizes the optimum course of action for situations when a project has several possible outcomes. For each of the outcomes a probability value should be given.
The project manager can use the tree-diagram to figure out what outcomes have the highest probability of success, with reference to existing uncertainties and possible risks.
When both the qualitative analysis and quantitative analysis are carried out and therefore the risks are identified, described and measured, the project manager needs to initiate procedures for decision making. A series of meetings with the team and stakeholders should be arranged to discuss the findings and develop a strategy for risk treatment. This will be the second stage of the risk analysis process.
This stage involves the formulation and approval of management responses to the main risks, after the assessment stage is completed. It should be noted that sometimes the treatment stage begins during the qualitative analysis sub-stage when the need to react to critical risks and uncertainties is urgent and the solution is fairly obvious. Therefore, the interaction between both the assessment stage and the treatment stage of the risk analysis process is quite possible.
The purpose of the treatment stage is to develop and approve a mitigation strategy that could respond to the identified risks and eliminate or at least reduce their effect on a project. The stage can involve:
- Elaborating preventive actions to avoid a risk or/and to mitigate its impact
- Developing contingency plans to manage risks
- Performing further investigations to minimize risk exposure through better information management
- Considering the treatment strategies, including risk allocation in contracts and risk transfer to insurers
- Establishing contingencies in cost estimates, float in working schedules and tolerances in performance objectives
A risk mitigation strategy includes two types of responses to an identified risk, including:
- Immediate response, which involves an alteration to the project plan
- Contingency response, which determines a course of action to be take in case an identified risk materializes
A project manager needs to describe what types of risk responses to use in a given situation within the project. Then this person determines how to implement those responses. There are five techniques of doing a risk response:
- Removal – an identified risk can be eliminated from the project environment, and therefore it will have no more impact on the project outcomes
- Reduction – the impact of certain risks can be mitigated through immediately applying a range of corrective actions
- Avoidance – some risks can be reduced by taking contingency and preventive actions
- Transfer – a risk can passed on to other projects or parties and therefore the current project will no more suffer from this risk
- Acceptance – a risk may produce a kind of benefits that should be assessed in order to reach balance with the penalties
The risk treatment stage often begins immediately after the qualitative analysis sub-stage is complete. It is a continuous process that lasts through the complete life-cycle of a project.