The Project Risk Analysis Guide provides general recommendations and guidelines regarding the decisions and processes involved in risk analysis. It presents a simple yet practical approach to help project managers, analysts and other personnel in getting started with identifying and managing risks affecting their projects.
The Guide does not provide a definitive explanation of all the methods, techniques and tools that can be utilized in complete risk analysis and management. But this document highlights an approach that covers the fundamentals for implementing an effective risk analysis. This approach can be used in most projects for analyzing and responding to most types of risk.
When beginning to work on the development of this Guide, we wanted to create a risk analysis document that could help any project manager in managing any type of project. We tried to combine best practices of risk analysis and management into this Guide. Hopefully our work will be really helpful for you.
When to Use the Guide
This Guide can be applied to most types of project, although it is more beneficial for a certain range of projects. Some examples of such projects are as follows:
- Innovative and technology projects
- Projects with precise and predetermined requirements, incl. legal, insurance or contractual
- Projects requiring fast tracking capabilities
- Projects with large capital outlay or investment
- Environmental projects with sensitive issues
- Projects significantly dependent on socioeconomic, political and financial determinants
The risks of any project managed under the circumstances listed below can be analyzed and treated with this Guide:
- There are specific targets that must be hit at project completion
- There is a need to manage the project at points of change in the life-cycle
- There is an anticipated new phase in the project
The Guide can be used by anyone involved in project risk analysis and management. These people are likely to perform the role of a project manager or project analyst. Other roles assigned to the members of the project management team are also involved.
Table of Contents
- INTRODUCTION
- WHAT IS PROJECT RISK ANALYSIS?
- Definition
- Purpose
- Risk Occurrence
- PROCESS STAGES
- Assessment Stage
- Treatment Stage
1. What Is Project Risk Analysis?
Definition
Project Risk Analysis is a consistent and often iterative process which enables the systematic examination and evaluation of information on the risks associated with a particular project. It aims to determine what kinds of risk affect the project and how to respond to those risks in an effective manner. If properly undertaken, the analysis process will increase the likelihood of successful completion of the project, in line with time, cost and performance expectations.
Any project is unique, and therefore no two projects, whether different or similar, are affected by the same set of risks and uncertainties. Sometimes separate projects share common risks, so these risks can be assessed statistically using the ample data available. But this way of risk analysis is not comprehensive or complete because of the many assumptions and hypotheses involved.
The manner of dealing with risks in projects therefore depends on situations where there is sufficient data to adopt a feasible and applicable analysis approach. And because most projects are invariably affected by strategic, technical, innovative, economic, human and/or engineering factors, a systematic and consistent approach to risk analysis should be developed and utilized. In this context, the project risk analysis has been defined to address this primary requirement.
Purpose
The purpose of the project risk analysis process is to uncover, describe and assess risks and uncertainties within a project, thus providing a basis for effective problem solving and decision making. People involved in risk analysis and management will benefit from a clear understanding of what threats should be managed and how.
The risk analysis process is continuous and can be started at almost any stage in the lifecycle of a project. Meanwhile, the effectiveness of using the process tends to reduce as the project progresses and comes to an end. There are therefore certain benefits at certain project stages.
Here are the most critical stages during which the project risk analysis process provides the greatest benefits to the management team and stakeholders as well:
- Feasibility Assessment. At this stage, the project is assessed for technical, operational and financial feasibility. Through the feasibility assessment, project risks can be reduced at a relatively low cost. The risk analysis process helps identify and select the most feasible and cost-effective solution for the project.
- Approval. During the approval stage, the project is submitted to the customer (and also the sponsor) for review and sanction. The customer can use the findings of a quantitative risk analysis to get a better understanding of the project environment and of the chance of project success. Risk analysis makes it possible to determine whether the proposed project can be completed within its time, cost and performance targets.
- Negotiations. At this stage, the project along with its solution is to be discussed with the contractor to establish a framework for further contractual relationships. The findings of risk analysis help ensure that all risks are identified and appropriate strategies are outlined, so the contractor is able to set risk contingency or determine risk exposure.
- Implementation. The risk analysis process helps to measure the likelihood of project success and improve project performance. The constraints of time, cost and quality can be effectively managed through responding to identified risks as they occur.
Risk Occurrence
The very first step a project manager needs to take in undertaking an effective risk analysis is to understand that any risk occurs as a consequence of uncertainty. In other words, if there are some uncertain circumstances surrounding a given project, a kind of risk will occur and then affect the project.
Through carrying out a risk analysis, uncertainties within a project can be analyzed and then quantified into the potential for loss that might occur as a result of some event or activity.
Here is an example of uncertainties and risks of various types affecting a particular project:
- The organizational structure and the financial authority are not yet established, or are too complicated and unclear
- There is an increased likelihood of supplier relationships problems
- The implementation methodology is not reviewed and sanctioned yet
- Allocated project resources seem to be insufficient at the required level
There are three key areas of a project that are affected by risks and uncertainties. With improper risk analysis and management, a project can fail in terms of:
- Budget (allocated financial resources which correlate with cost estimates)
- Time (project due date or completion date)
- Performance (the accomplishment of project tasks measured against preset known standards and objectives)
The risk analysis process is intended to minimize the likelihood of risk occurrence through eliminating uncertainties that may threaten the achievement of a project on time, within budget and as per performance objectives.
The process should be implemented as an integral part of project management, not just as a series of standalone tools, techniques and actions. It is a matter of project integration management to embed the risk analysis process into the project management framework.
2. Process Stages
The process of project risk analysis is complicated enough and consists of a range of subtle and diverse steps. Experienced project managers recognize this fact, and for simplification purposes they often divide the process into two consistent stages. This way of simplification allows other project personnel to understand the analysis process at a glance and start participating in the process.
In this Guide we follow the same concept and present the project risk analysis as a two-stage process, including:
The Assessment Stage
The first stage of the analysis process focuses on the identification and further assessment of project risks. This stage can be divided into two sub-stages, as follows:
- Qualitative Analysis
- Quantitative Analysis
Qualitative Analysis. This sub-stage identifies the main sources of risks. It involves using a range of techniques, some of which are brainstorming, checklists, interviews, surveys and questionnaires. The point here is that a qualitative risk analysis requires undertaking a subjective assessment of risks and their impacts. Respondents must answer certain questions and express their own viewpoints on the number and impact of uncertainties that threaten project success.
The qualitative analysis sub-stage can be achieved through:
- Interviewing key members of the project team
- Brainstorming with project stakeholders and other interested parties
- Reviewing appraisal records and lessons learned from previous projects
- Using personal experience in risk identification
The sub-stage results in creating a risk profile or risk log that describes the types and expected impact of risks and uncertainties that have been identified through the subjective assessment. The risk profile should then be explored deeper through quantitative research.
Quantitative Analysis. The second sub-stage often involves more sophisticated tools and techniques and usually requires a kind of risk management software for risk modelling. With specialized computer software, a project manager is able to:
- Review and edit the risk profile
- Estimate each identified risk by cost, time and performance impact
- Determine probabilistic combinations of individual risks
A quantitative analysis is essential as it brings a clear understanding of the project and its probable problems. It highlights possibilities for risk mitigation, e.g. the development of an action plan for treating a specific issue.
The main parameters against which individual risks as well as any combination thereof are to be measured are as follows:
- Time. The Time parameter determines the impact of an individual risk or a series of individual risks on the time constraints of a project. It explores whether the project’s completion date will be changed (extended or shortened) and by how many hours/weeks/days.
- Cost. The Cost parameter measures how much money is likely to be spent on responding to individual risks or any combination thereof. It determines the necessary changes to be made to the project budget.
- Performance. The Performance measure shows what objectives and expectations are affected by the risks and how seriously.
There are several main techniques of the quantitative analysis, including:
- Sensitivity Analysis. It is often regarded as the simplest technique of analyzing project risks. Essentially, it determines the total project effect of changing one risk variable, such as cost of materials or delays in plan development.
The key benefit of sensitivity analysis is that it allows for measuring how the effect of a single change of one risk variable can cause a difference in project outcome.
A sensitivity analysis is usually applied to all identified risks in order to identify which of the risks has the greatest impact on the cost, time or performance of a project. It determines how sensitive or responsive the project environment is to the risk. The technique allows building a sensitivity chart that visualizes the impact of various risks on the final result.
- Probabilistic Analysis. It determines a probability distribution for each risk and then measures the impact of all risks in combination to the project. This technique appears to be the most commonly used and represents a general way of how people usually consider the risk analysis process.
- Monte Carlo Simulation (MCS) is the most popular form of the probabilistic analysis. MCS means creating a model of risks on the basis of historical and current data. The simulation process begins with performing thousands or millions of computations around the model, each time injecting random numbers to come up with a range of project outcomes with reference to the possible risks.
MCS proposes a path of events and a number of the most probable project outcomes given the risks involved.
- Decision Trees. This method offers another way of using structuring models in project risk analysis and management. It allows creating a tree-diagram that visualizes the optimum course of action for situations when a project has several possible outcomes. For each of the outcomes a probability value should be given.
The project manager can use the tree-diagram to figure out what outcomes have the highest probability of success, with reference to existing uncertainties and possible risks.
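The Monte Carlo simulation and sensitivity analysis described above can be sketched as follows. This is an added example, not part of the Guide: the risk register, its probabilities, the triangular cost-impact ranges and all function names are constructed for illustration.

```python
import random

# Constructed risk register (illustrative values, not from the Guide):
# name -> (probability of occurrence, (low, most likely, high) cost impact)
RISKS = {
    "supplier delay":     (0.30, (10_000, 25_000, 60_000)),
    "insufficient staff": (0.20, (5_000, 15_000, 40_000)),
    "methodology rework": (0.10, (20_000, 50_000, 120_000)),
}

def simulate(risks, runs=20_000, seed=1):
    """Monte Carlo: sorted total cost impact of each simulated outcome."""
    rng = random.Random(seed)          # fixed seed keeps runs reproducible
    totals = []
    for _ in range(runs):
        total = 0.0
        for prob, (low, mode, high) in risks.values():
            if rng.random() < prob:    # does this risk materialize?
                total += rng.triangular(low, high, mode)
        totals.append(total)
    return sorted(totals)

def percentile(sorted_totals, p):
    """Outcome not exceeded in p percent of the simulated runs."""
    idx = min(len(sorted_totals) - 1, int(p / 100 * len(sorted_totals)))
    return sorted_totals[idx]

def expected_value(risks):
    """Analytic mean: probability times mean of the triangular impact."""
    return sum(p * (lo + mo + hi) / 3 for p, (lo, mo, hi) in risks.values())

def sensitivity(risks, runs=20_000, seed=1):
    """One-at-a-time: drop in mean outcome when a single risk is removed."""
    base = sum(simulate(risks, runs, seed)) / runs
    result = {}
    for name in risks:
        rest = {k: v for k, v in risks.items() if k != name}
        result[name] = base - sum(simulate(rest, runs, seed)) / runs
    return result

if __name__ == "__main__":
    totals = simulate(RISKS)
    for p in (50, 80, 95):
        print(f"P{p} cost impact: {percentile(totals, p):,.0f}")
    print("sensitivity:", sensitivity(RISKS))
```

The percentiles give the contingency needed to cover a chosen share of simulated outcomes, and the sensitivity figures rank the risks by their contribution to the mean cost impact.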
When both the qualitative analysis and quantitative analysis are carried out and therefore the risks are identified, described and measured, the project manager needs to initiate procedures for decision making. A series of meetings with the team and stakeholders should be arranged to discuss the findings and develop a strategy for risk treatment. This will be the second stage of the risk analysis process.
Treatment Stage
This stage involves the formulation and approval of management responses to the main risks, after the assessment stage is completed. It should be noted that sometimes the treatment stage begins during the qualitative analysis sub-stage when the need to react to critical risks and uncertainties is urgent and the solution is fairly obvious. Therefore, the interaction between both the assessment stage and the treatment stage of the risk analysis process is quite possible.
The purpose of the treatment stage is to develop and approve a mitigation strategy that could respond to the identified risks and eliminate or at least reduce their effect on a project. The stage can involve:
- Elaborating preventive actions to avoid a risk and/or to mitigate its impact
- Developing contingency plans to manage risks
- Performing further investigations to minimize risk exposure through better information management
- Considering the treatment strategies, including risk allocation in contracts and risk transfer to insurers
- Establishing contingencies in cost estimates, float in working schedules and tolerances in performance objectives
A risk mitigation strategy includes two types of responses to an identified risk:
- Immediate response, which involves an alteration to the project plan
- Contingency response, which determines a course of action to be taken in case an identified risk materializes
A project manager needs to describe what types of risk responses to use in a given situation within the project. Then this person determines how to implement those responses. There are five techniques for responding to a risk:
- Removal – an identified risk can be eliminated from the project environment, and therefore it will have no further impact on the project outcomes
- Reduction – the impact of certain risks can be mitigated through immediately applying a range of corrective actions
- Avoidance – some risks can be reduced by taking contingency and preventive actions
- Transfer – a risk can be passed on to other projects or parties and therefore the current project will no longer suffer from this risk
- Acceptance – a risk may produce a kind of benefits that should be assessed in order to reach balance with the penalties
The risk treatment stage often begins immediately after the qualitative analysis sub-stage is complete. It is a continuous process that lasts through the complete life-cycle of a project.