Risk is the exposure to events that can harm our project. A given risk factor relates to a particular example of such an exposure. Risk does not concern itself with problems we know nothing about as there is no defence against such problems. Risk is usually about familiar problems which have an unfortunate property - their behaviour is simply difficult to predict. For example, the weather is clearly a well known phenomenon - we simply don't know how it will behave.
Risk management has become an area of primary focus project management. This is due to the increasing awareness by both researchers and practitioners alike that the ultimate health of the project is to a large degree subject to uncertainty.
We begin our defence against the threat of risk with a process of 'Assessment', a comprehensive attempt to identify those areas of the project that offer some potential for danger. We simply wish to respond to the questions, "What can go wrong, how and how badly?"
One way of dealing with this question is to draw up a risk assessment table with columns shown as below.
In the factor column, list all of the risks that you are concerned about. It might be useful to separate them into categories such as finance, resources, stakeholders, technical, client etc. This could be achieved by using rows in the table for headings.
Now for each risk factor you identify, try to assess how likely this is to occur. You can use a quantitative scoring method such as 1 (lowest risk) to 5 (highest risk). Alternatively, you might simply use a qualitative approach, confining yourself to 'High', 'medium' and 'Low' system.
Whichever you choose, use the same method to assess the impact on the project should the risk be realised. For true risk assessment requires both of these dimensions to be considered. Ultimately, we will be looking for risks which are 'severe' in the danger to which they expose us. These are given by combinations in which both dimensions are scored at the higher levels, presenting a risk that is compelling in its demand for our attention.
The notes reference column is often too small to offer us any useful opportunity to record much in the table itself. However, use it to refer to another sheet, where you can lay out paragraphs of text explaining your concerns or your evaluations of both likelihood and impact. Simply label the paragraphs clearly and use the label as a reference in the 'Notes' column.
Finally, none of this is worth anything if we are not going to do something about the risk. In the strategy column, write down an idea for a response to the danger you see. Again, you may need to refer to another area where you can be more expansive in your ideas as to what to do in the face of the perceived risk.
The table is a dynamic one, changing and evolving as the project proceeds. Risk assessment is never complete, for while some risks expire, others emerge continually. This then represents a tool to support our ongoing vigil against the uncertainties that plague all projects that run for any length of time or involve any complexity whatsoever.
There are other ways of capturing assessment information. A graphical version, sometimes known as a 'PI' diagram (P for probability - I for Impact), can be used. This contains a pair of axes relating respectively to the two dimensions, and simply locates different risks according to their perceived scores against them.
In future articles, we will examine the other steps that make up a risk management process. These will include the development of responses, the incorporation of these into a plan and their effective monitoring to ensure that they provide the protection expected of them.