Risk Management

Risk Management is a technique for formally monitoring things that can cause a project to fail. It is an essential tool for any project manager, but I seem to find time and time again that engineers and scientists seem to have a very different interpretation of what risk is. Many people I talk to assume risk is simply a part of a product that may harm or kill someone. This is not what the discipline of risk management has been designed to monitor. This section gives an overview of Risk Management from a project manager's perspective.

1 Introduction

Risk is all around us. In small projects we are normally aware of the risks involved and deal with problems as they occur. As projects become larger and more complex it can become difficult to understand the implications of certain events and the severity of certain risks. This increase in complexity results in the need for a structured and logical approach to allow a project team to understand which risks are the most “risky”. This assignment looks at the general processes used within risk management and then looks in more detail at particular techniques for individual assessment. Finally it concludes by looking at how these techniques are utilised to reduce the overall risk within a project.

2 Risk Management Techniques

A risk is defined as any event or non-event which, if it were to occur, would be detrimental to a project. Correct management of the risks involved is the key to success. There are countless tools and techniques available for project managers (PM) to capture and organise risk, each claiming to be better than the rest. In truth it does not really matter which individual tool you use, as long as a logical structured process is followed. Risk management is all about properly understanding the risks involved and using a system to directly compare them to inform decisions on priorities.
There are some fundamental aspects of all risk management techniques.

2.1 Risk Identification

Identifying the risks is the first step. This can be done by gathering together all stakeholders and having an open discussion about the potential risks that could occur during the course of the project. All risks should be formally captured and kept in a centralised document known as a risk register. A complete risk register should certainly include health, safety and environmental (HSE) risks but should also include:

  • Financial Risks i.e. the fact that certain things may cost more than expected.
  • Time Risks i.e. certain things may not be available when needed or may take longer to complete.
  • Requirements Risks i.e. the end user changes their mind or wants just a little bit more (commonly known as requirements creep).
  • Resource Risk i.e. you may not have enough resources, human or other, to complete a task.
  • Health, Safety and Environmental i.e. potential hazards to users.

This process has a tendency to become over focused on health, safety and environmental (HSE) risk as these can be easier to visualise. It is good practice to produce a separate risk register for HSE issues.

2.2 Risk Probability

Now that we have identified the risks, we need to estimate the likelihood that they will occur. This can be a very tricky process, especially with some of the more obscure risks. They can either be classified in groups such as Frequent, Probable, Occasional, Remote, Improbable and Incredible, or assigned a numerical value. Sometimes you will just have to go with your best judgment, and the confidence in our assumptions can be included in the analysis by stating our probabilities as ranges or distributions.

2.3 Risk Severity

We must ascertain the severity of the risk and the impact on the overall project. For HSE risks this can be directly linked to the effect on life. These can be broken into groups such as Catastrophic, Critical, Marginal and Negligible. Alternatively a numerical value could be assigned to represent the severity.

2.4 Risk Classification

Assigning a classification to an individual risk allows cross comparison. The matrix below shows how we can use the severity and probability values to generate our risk classification.

[Figure: Risk Table.png]

We can then assign Acceptance criteria to these classifications as shown below.

[Figure: Risk classification.png]

If the previous analysis had been done numerically you could multiply the probability by the severity and use this final value as a measure of the risk class.

2.5 Triggers and Early Warnings

It is useful to have in place a set of early warning signs which can be used to indicate that a risk may be occurring. By spending time thinking about this in advance it will be a lot easier to spot when things are starting to go wrong and thus make the necessary adjustments before it is too late.

2.6 Risk Response

There are four potential courses of action to take when responding to a risk.

2.6.1 Avoidance

By sticking with what you already know and not trying anything new, innovative and risky, you can choose to avoid risk entirely. This response is very defensive and the course of a project is chosen to ensure minimal contact with any potentially risky situations.

2.6.2 Transfer

Here the risk still exists, except the responsibility for the risk does not lie with you. The risk could be underwritten by a third party, as is the case with insurance.

2.6.3 Acceptance

Here we simply put our hands up and take the hit, be it financial or otherwise. No actions are taken to avoid the risk. We simply keep our head down and plough straight through. Sometimes this tactic can work quite well, especially if you are a paranoid person. By over-thinking a risk you may put too much precedence on its effects and the reality may not be as bad as expected.

2.6.4 Mitigation

Mitigation is normally the accepted response to risk. Here we clearly define exactly what we propose to do to ensure the risk will not occur and, if it does, what we shall do in response. We can have a number of mitigation plans depending on the level of assurance we wish to have that the risk will not occur. We will be able to identify plans that will reduce the severity of a risk, reduce the likelihood of occurrence, or both. This allows us to attribute a hypothetical classification to a risk. The Post Mitigation Risk Classification can be a very useful tool for the PM to see which mitigation plans result in the best outcome and therefore prioritise.

2.7 Risk Ownership

Finally we must identify someone to take full ownership of each risk. This person is now responsible for monitoring, understanding the mitigation plans and implementing them if needs be.

3 Risk Assessment Techniques

Assessing the nature of a specific risk is a difficult process. Understanding how it fits into our system and the implications of its occurrence can be quite complex. A number of techniques exist which help us to expand our knowledge of a risk and thus direct our mitigation efforts. In this section we shall discuss three such techniques.

3.1 Event Trees

Event trees are an inductive method which visually shows the stages involved in the occurrence of an event. An event tree shows a network of events, stating the probability of particular outcomes. Using basic probability mathematics we are able to calculate the final probability of a particular occurrence. An example of an Event Tree Diagram for a catastrophic failure at an industrial plant is shown below:

[Figure: Event Trees.png]
(P. Goodwin, G. Wright, 2004, pp291)

Note that each possible scenario is represented by a different path within this tree.

This technique can be very useful for helping to split a specific scenario into smaller events. It is normally a lot easier to calculate the probability of occurrence of these smaller events often using historical data. With these figures an overall probability can be calculated and used to generate a reliable risk classification.

Here we are forced to take a systems approach, considering the interactions between all parts. This may allow the identification of new risks. By considering every single eventuality and its effects on all other sub-systems, unseen outcomes may be uncovered.
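The path arithmetic described in this section, as an added example that is not part of the original page: a path's probability is the product of its branch probabilities, and an outcome's probability is the sum over every path that ends in it. The tree, its branch names and its values are constructed for illustration and do not reproduce the Goodwin and Wright figure.

```python
from math import isclose

# Constructed event tree (illustrative values, not taken from the source figure).
# A node is either an outcome name (str) or a list of
# (branch label, conditional probability, child node) tuples.
TREE = [
    ("alarm works", 0.98, [
        ("operator shuts down", 0.95, "safe shutdown"),
        ("operator fails to act", 0.05, [
            ("automatic trip works", 0.99, "safe shutdown"),
            ("automatic trip fails", 0.01, "catastrophic failure"),
        ]),
    ]),
    ("alarm fails", 0.02, [
        ("automatic trip works", 0.99, "safe shutdown"),
        ("automatic trip fails", 0.01, "catastrophic failure"),
    ]),
]

def paths(node, labels=(), p=1.0):
    """Yield (branch labels, outcome, probability) for every root-to-leaf path."""
    if isinstance(node, str):
        yield labels, node, p
        return
    total = sum(branch_p for _, branch_p, _ in node)
    if not isclose(total, 1.0):
        # Branches leaving one node must cover every possibility exactly once.
        raise ValueError(f"branches after {labels} sum to {total}, not 1")
    for label, branch_p, child in node:
        yield from paths(child, labels + (label,), p * branch_p)

def outcome_probabilities(tree, p_initiating=1.0):
    """Sum path probabilities per outcome, scaled by the initiating event's probability."""
    totals = {}
    for _, outcome, p in paths(tree):
        totals[outcome] = totals.get(outcome, 0.0) + p * p_initiating
    return totals

if __name__ == "__main__":
    for labels, outcome, p in paths(TREE):
        print(f"{p:.5f}  {outcome:22s} {' -> '.join(labels)}")
    print(outcome_probabilities(TREE))
```

Listing the individual paths, not only the totals, is what exposes scenarios nobody had written into the risk register.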

3.2 Fault Tree Analysis

A fault tree works in reverse to an event tree starting with an undesired outcome and working backwards. It looks at the events that need to occur in order for this to happen. An example for a passenger being injured by an elevator is shown below:

[Figure: Fault Tree.png]

http://www.probabilistic-risk-assessment.com/images/ft_example.gif

As with Event Trees we can assign probabilities to the individual events and use the addition and multiplication rules of probability analysis to calculate an overall probability. Some probabilities will be impossible to assess such as events dictated by human error or deliberate sabotage. (P. Goodwin, G. Wright, 2004, pp291).
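The multiplication and addition rules applied to a fault tree, as an added example that is not part of the original page: AND gates multiply their inputs, OR gates use the addition rule for non-exclusive events, and a second function shows which basic event is most worth mitigating. The event names, probabilities and tree shape are constructed and do not reproduce the elevator figure; every basic event is assumed to be independent.

```python
from math import prod

# Constructed basic-event probabilities per year of operation (illustrative only).
BASIC = {
    "door sensor fails": 0.02,
    "passenger in doorway": 0.1,
    "brake fails": 0.001,
    "cable snaps": 0.0005,
    "controller fault": 0.004,
}

# A node is a basic-event name (str) or a tuple (gate, child, child, ...).
# Each basic event appears once, otherwise the branches would not be independent.
TREE = ("OR",
        ("AND", "door sensor fails", "passenger in doorway"),
        ("AND", "brake fails", ("OR", "cable snaps", "controller fault")))

def evaluate(node, probs):
    """Probability of a fault-tree node, assuming independent basic events."""
    if isinstance(node, str):
        p = probs[node]
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{node}: probability {p} is outside [0, 1]")
        return p
    gate, *children = node
    ps = [evaluate(child, probs) for child in children]
    if gate == "AND":   # multiplication rule: every input must occur
        return prod(ps)
    if gate == "OR":    # addition rule for non-exclusive events: 1 - P(no input occurs)
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {gate!r}")

def rank_mitigations(tree, probs):
    """Residual top-event probability if each basic event were eliminated, best first."""
    residual = {name: evaluate(tree, {**probs, name: 0.0}) for name in probs}
    return sorted(residual.items(), key=lambda item: item[1])

if __name__ == "__main__":
    print(f"top event: {evaluate(TREE, BASIC):.9f}")
    for name, p in rank_mitigations(TREE, BASIC):
        print(f"  eliminate {name!r}: {p:.9f}")
```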

3.3 Failure Modes and Effects Analysis

Failure modes and effects analysis (FMEA) is a technique produced for use in the US armed forces and was adopted by the Ford Motor Company in the 70s to improve production and design (United States Military Procedure, 1949). It allows a PM to assess certain aspects of a risk individually and produce a numerical value to order the priority. It is a simple technique that takes three key areas: severity, occurrence and detection. The user then assigns a number between 1 and 10 to each, concentrating on directly comparing the risks. These numbers are then multiplied together to generate a Risk Priority Number.

[Figure: FMEA table.png. A typical blank FMEA worksheet.]

The severity and occurrence ratings are the same as those we covered in the Risk Management section. The detection rating is a new concept. Here we assign a value to how well we are able to detect this risk as it occurs. A high number indicates it is likely that the risk will escape detection.

Although quite a crude technique it does allow a PM to compare different risks directly and as long as we bear in mind that these values are subjective it can be very helpful.

This technique can be very useful when considering risks which have probabilities that are hard to quantify. The fact that we are simply assigning a score out of 10 removes the need for complex calculations. The scoring system is designed to represent comparison of risks and therefore can sometimes be more effective than maths intensive techniques.

4 Risk Minimisation

All the techniques discussed so far have helped us to understand the nature of risk. The overall goal from this is to reduce the overall risk within the project and increase the chance of success. By careful organisation and strict adherence to the structured processes described this can be achieved. The four key areas that allow risk minimisation are:

4.1 Identification

A risk register is incomplete until it has all possible risks within it. The process of identifying the risks should be exhaustive and engage all stakeholders. Third party people may prove useful as they can often see risks that may have been overlooked by experts.

4.2 Assessment

The techniques discussed in the previous section are essential for minimising risks. A lot of the time a risk may be identified but its true implications may not be understood. By breaking it into smaller parts we can start to understand how it may occur and where best to intervene.

A robust assessment of the risks allows direct comparison and prioritisation. Resources can be allocated accordingly.

4.3 Monitoring

When a project is underway it is essential that the risks are monitored closely and the risk register is kept up to date. As the project progresses new risks may occur so it is important that risk identification meetings are scheduled regularly and the same process of capture is followed.

4.4 Mitigation

Finally, sensible mitigation should be employed to stop a risk from ever occurring. Strong mitigation is the key to overall risk minimisation and will vastly improve a project's chance of success.

5 Conclusion

It is often said that successful projects rely on good risk management. If this is done correctly then a project will proceed with no disruptions and the desired outcome will be achieved. This assignment has looked at a number of aspects of risk management and specific techniques used to assess the nature of an individual risk. Understanding the risk can be a tricky process as its implications may not be immediately obvious. Techniques such as event tree and fault tree analysis can help break a risk into smaller segments and identify the stages that cause a risk to occur.

Many different techniques are successfully utilized to assess risks, all with their strengths and weaknesses. Much of the time the specific technique is not that important; the important thing is that all the risks are identified and analysed in the same way. Consistency is key to risk minimisation and as long as the process is strictly adhered to the chance of success is vastly increased.

Resources

Resource Name: Risk Management
Description: This is the main page from this wiki. There is no such thing as a risk free project, especially when it comes to R&D. Understanding the risk and effectively monitoring should decrease the chance that a showstopper will become a reality.
Resource Type: M2i wiki page