Risk Analysis in Project Management

In project management, risk analysis is conducted to screen the risks and uncertainties that may affect the project and its components. This is done in the early stages of a project; usually after an initial feasibility study process. The primary reason for analyzing project risks at this stage is to prevent them from becoming significant at a later stage.

In this article, we look at how to perform risk analysis in project management. We will take into consideration risks that may affect a project and its components; those that may financially impact the project and those that may cause delays in the completion of a project. We will also consider which risks can be managed effectively.

What is a Risk?

In the context of a project, a risk is represented by one or more potential negative events which an individual or organization seeks to avoid – at all costs – to achieve their intended objectives. It is therefore important that these potential negative events are identified as well as their impact on the overall project.

In project management, a risk is described as a combination of the following elements:

Risk = Potential Negative Event + Impact + Probability of Occurrence

The probability of risk occurrence ranges from 0% to 100%. It is important to note that risk probabilities are not fixed and can change at any time throughout the project life-cycle.

Factors that affect the probability of occurrence include:

• The experience and skills of the project team
• The complexity of the task
• The existence of similar tasks in the past
• Change control procedures
• External variables

Risks that are analyzed, recorded and monitored for changes in probability are known as ‘active’ risks; those that are not are ‘inactive’ risks.

Remember, a risk is an event with an uncertain outcome. In most cases, the degree or extent that a given risk affects a project varies from one project to another. This is where risk analysis comes into play.

What is Risk Analysis in Project Management?

Risk analysis in project management refers to an important aspect of the feasibility study wherein various risks and uncertainties are identified in order to evaluate them, rank them in terms of priority and identify the areas where they are most likely to occur.

Risk Analysis is a series of activities to quantify the impact of uncertainty on a project. These activities are risk identification, probability assessment, and impact estimation. Risk analysis creates the foundation for running the risk management process throughout the project lifecycle.

There are three types of risk analysis in project management as follows below:

1. Qualitative Risk Analysis. It is a subjective analysis by the project team where risks are identified and assessed based on their probability of occurrence. The risk analysis table lists the risks in terms of their probability of occurrence, impact and its control strategies.
2. Quantitative Risk Analysis. It is an objective analysis wherein risks are classified according to their probability of occurrence, using the standard deviation to determine its level. This technique is useful for determining the impact of risk events to project objectives and for identifying the possible courses of action and methods for controlling and mitigating risks.
   PERT.
3. Technical Risk Analysis. it is a dynamic analysis that requires the project manager to use various tools and techniques in order to identify, rank and evaluate risks. For example, the Delphi method requires the project manager to present the risks to a group of experts in the field and ask them to rate or rank each risk in terms of its probability.

Risk Analysis Management

The goal of risk analysis management is to identify and estimate the value of potential threats and then choose what approaches to apply to respond to identified risks. Risk analysis management consists of three coherent activities: 1) Identify threats, 2) Assess probability of their occurrence, and 3) Estimate their impact on the project in terms of working hours.

For this purpose, it is convenient to develop a risk analysis checklist that describes a range of tasks to complete each of the activities. Let’s review items (tasks) of the checklist (see below).

1. Threats Identification. This activity is about identifying all potential events that seem to be risky for the project. The next tasks characterize this activity:
   • Conduct workshops and use brainstorming to determine types of the risks surrounding your project. There could be Strategic risks, Operational risks, Compliance risks, Staff management risks, Financial risks, Knowledge risks, etc.
   • List all the types of risks affecting the project (create a project risks list sorted by types).
2. Probability Assessment. Once the potential threats have been identified, the next activity is to measure the probability of those threats for occurrence. The goal is to estimate the probability of each event happening during the project.
   • Investigate each of the identified risks to create a detailed description of the risks.
   • Use the project risk description to make an evaluation on how the risks may cause a project failure considering Budget, Completion Dates, and Performance Objectives.
   • Apply analysis methods and techniques (e.g. PERT – Program Evaluation and Review Technique) to identify the probability of risk occurrence and assess potential deviations of project characteristics from the baseline.
3. Impact Estimation. One of the best approaches to estimating risk impact is to multiply the probability of risk occurrence by the amount of costs required for setting things right if risks happen. The result will give a value for the identified risks. Following this concept, the next tasks should be completed:
   • Use the formula ∑ (Events * Probability * Consequences) to estimate the impact of the risks affecting your project.
   • Develop a risk analysis table that includes such columns as Risk Event, Probability, Impact, Score, and Risk Mitigation Plan. The table demonstrates results of the risk analysis management process with details on risk characteristics and mitigation plans. An example of the risk analysis table is shown below.

Note that the sample risk analysis table gives the impact in working hours, yet it can be estimated in other units, for example in dollars.

Once the value of project risks has been identified and estimated, the analysis management process should be targeted at finding ways to managing the risks. This is made by using cost-effective approaches because such approaches allow comparing risk elimination expenses with the cost of the risk event if it happen. Cost effective approaches for project risk analysis management will help determine the necessity for either mitigating a risk or accepting it, because there can be cases when it’s better to access a risk rather than invest excessive resources to eliminate it.

Considering this, managing of project risk analysis can be performed by using:

• Available assets. Any project has resources available for solving risk issues. Such resources can be used to make improvements to existing methodologies and systems, reassign roles and responsibilities, delegate tasks, improve internal controls and supervision, etc.
• Contingency planning. This involves the development of a contingency plan. Contingency planning assumes acceptance of a risk with further implementation of a contingency plan to minimize or eliminate the negative impact of the risk (once it happens).
• External resources. The process of managing project analysis sometimes requires additional resources when existing assets are not enough for solving project issues. In this case, investments will help counter risks. Often project risk insuring is used to carry part of the risks. Project risk insuring is an effective way to increase solvency of the performing organization.

Project Risk Management Plan

An analysis of project risks at the initiation phase is the starting point for the development of a risk management plan. By following the steps and accomplishing activities of the project risk analysis template, the project manager can create the foundation of implementing risk management strategies throughout the project life cycle.

Once the analysis is completed and potential risks are identified and estimated, the project manager should also work on building of a risk management team which will take responsibilities for treating the risks and implementing mitigation strategies.

What is a Risk Management Plan?

A risk management plan provides a framework for performing project risk analysis. It requires that you define certain terms, methods and procedures that will be used to perform the tasks of the analysis.

The main components of a project risk management plan are:

• Definition of the business processes of your project.
• Selection of risks’ types, including which ones are most important to pay attention to.
• A list of the potential risks, probability and impact assessment based on already-made risk analysis.
• The identification and prioritization of mitigation strategy options for each identified risk, that is to say, what actions need to be carried out in order to prevent that risk coming into existence or reduce its extent.
• The list of the main risks’ sources.
• The definition of the control actions intended to reduce the number of risks, their frequency or impact assessment.
• The definition of mechanisms for monitoring and reporting on the status of risks, including reporting frequency and distribution channels.
• Procedures for information exchange between all stakeholders involved in risk management.

Common Questions and Answers about Project Risk Analysis

1. What is a risk register?
   The risk register is a document, or spreadsheet, by which all project risks are recorded. It contains the information about the risks, how they are being managed and their priorities.
2. What is risk analysis in software project management?
   Risk analysis is a fast and effective method of identifying and evaluating project risks. This can be a useful aid to decision making in software projects, but it is not a substitute for the more detailed control of technical risks. A risk assessment is a more elaborate form of risk analysis, where additional information on risk type, severity and probability is included.
3. What is a contingency plan?
   A contingency plan is a formal document for addressing risks such as labour shortages, equipment failures and software bugs. Contingency plans ensure successful delivery of services and products. A contingency plan can be developed either as part of a risk management strategy or as part of response to an identified risk.
4. What is the difference between risk register and change control register?
   Risk registers, unlike change control registers, are normally concerned with items which could affect the successful completion of the project as a whole, not just parts of it. For this reason the risks normally go beyond those already specified in the change control register.

Every project manager knows that there are some risks inherent in every project – some foreseeable, some not-so-foreseeable. The question is how to best deal with them on time? One better approach is to use the risk management technique, which has been adopted by many companies worldwide in their everyday business activities. By properly managing risks, a company can ensure successful completion of the project and minimize the negative impact of any risks that occur in a structured manner through timely actions.

---