Risk management is fundamental to both project management and programme management; however, it does not need to be complicated. This is an introductory guide to risk management for people who want to start managing risk effectively. It is targeted at people who are new to project management, PMO offices or risk management.
What is a risk?
To put it simply, a risk is something which may or may not happen and which could cause an impact.
Simple example: There is a risk that I could be late to work if the bus is late.
This may seem counter-intuitive but risks can also be positive. When a risk is positive, it is considered an opportunity.
Simple example: There is a risk that I could be early to work if the bus comes more quickly than expected.
Fundamentals of a risk
At its most basic, a risk has 2 key elements:
- Probability - the chance that it happens
- Impact - what occurs if it happens
If you can express these two things then you have identified a risk.
The probability of something happening is often expressed as a percentage. When you look at the weather, the chance of rain is often shown as a percentage. This is an example of a risk with a defined probability.
Simple example: There is a 40% risk that it will rain at 10pm.
The impact is what will occur if the risk happens. In project management, we often work to identify the financial impact of the risk (to provide a costed risk).
Simple Example: I have a job where I am paid hourly (we will use £10 per hour to keep things simple) and do not get paid if off work ill. There is a risk that I cannot work as I am ill.
Impact (as a cost) if I am ill for 1 day would be £80 (one 8 hour shift * £10 per hour).
Risk Exposure (Probability * Impact)
It is worth thinking of probability and impact as axes on the same graph:
Probability vs Impact
This is because the true exposure of the risk cannot be calculated using just one of these two factors. You need both to identify the exposure of any given risk.
Note on terminology: Risk Exposure here refers to the calculated value of each individual risk (as this is a beginner's guide). Risk Exposure is also known as factored risk or calculated risk in some organisations. Additionally, businesses often look at their total Risk Exposure, which is the sum of Exposure across all open risks.
Some examples of risks with different probabilities (%) and impacts (using 8 hour days at £10 per hour):
- Risk A - There is a 50% chance that it rains and I catch a cold. If I catch a cold I will be off work for one day (£80). Risk Exposure is £40 (50% chance of £80 impact).
- Risk B - There is a 10% chance that it rains and I catch pneumonia. If I catch pneumonia I will be off work for 5 days (£400). Risk Exposure is £40 (10% chance of £400 impact).
- Risk C - There is a 10% chance that it rains and I catch a cold. If I catch a cold I will be off work for one day (£80). Risk Exposure is £8 (10% chance of £80 impact).
- Risk D - There is a 40% chance that it rains and I catch pneumonia. If I catch pneumonia I will be off work for 5 days (£400). Risk Exposure is £160 (40% chance of £400 impact).
These risks can be plotted onto the graph to show which risks have a higher exposure and which should be higher priority.
Probability vs Impact with examples
Risks in the top right part of the graph are the highest priority risks. Using our examples above, Risk D falls into the high exposure category (£160), Risks A and B had Moderate Exposure (£80 each) and Risk C had low exposure (£8).
How do we capture risks?
Generally, risks on projects are captured on a Risk Register or within a RAID log (which contains a Risk Register). This is a list of all known risks with some information, including the probability and impact.
An example of a very simple risk register is shown below. There are many more pieces of information which would be captured which we will cover in another more advanced guide.
You may have spotted 2 additional fields that we have not discussed so far:
- Owner - This is the person who is accountable for monitoring the risk and trying to make sure it doesn't happen (or if it is an opportunity, a positive risk, making sure it does)
- Status - This shows whether the risk is still valid. Some risks can be closed: in our bus example, you may buy a car to travel to work, and so that risk would be closed. Others are time-bound, such as the famous millennium bug, where there was a risk that all computers would break in the year 2000.
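A minimal risk register in code, as an added example that is not part of the original article: it holds Risks A to D from above with the Owner and Status fields, calculates each Risk Exposure, ranks the open risks and totals exposure across open risks only. The owner names, the field names and the closed Risk E are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability_pct: int   # chance that it happens, 0-100
    impact_gbp: int        # cost in pounds if it happens
    owner: str             # constructed sample names below
    status: str = "Open"   # "Open" or "Closed"

    def __post_init__(self):
        # Reject entries that cannot be scored or tracked.
        if not 0 <= self.probability_pct <= 100:
            raise ValueError(f"{self.risk_id}: probability must be 0-100%")
        if self.status not in ("Open", "Closed"):
            raise ValueError(f"{self.risk_id}: unknown status {self.status!r}")

    @property
    def exposure(self) -> float:
        # Risk Exposure = Probability * Impact
        return self.probability_pct * self.impact_gbp / 100


def open_risks_by_priority(register):
    # Highest exposure first; closed risks are no longer tracked.
    open_risks = [r for r in register if r.status == "Open"]
    return sorted(open_risks, key=lambda r: r.exposure, reverse=True)


def total_exposure(register):
    # Total Risk Exposure is the sum across all open risks.
    return sum(r.exposure for r in register if r.status == "Open")


REGISTER = [
    Risk("A", "Rain, catch a cold, 1 day off", 50, 80, "Sam"),
    Risk("B", "Rain, catch pneumonia, 5 days off", 10, 400, "Sam"),
    Risk("C", "Rain, catch a cold, 1 day off", 10, 80, "Alex"),
    Risk("D", "Rain, catch pneumonia, 5 days off", 40, 400, "Alex"),
    # Constructed entry: closed, so it is excluded from ranking and total.
    Risk("E", "Bus is late, 1 hour of pay lost", 20, 10, "Sam", "Closed"),
]

if __name__ == "__main__":
    for r in open_risks_by_priority(REGISTER):
        print(f"Risk {r.risk_id}: £{r.exposure:.0f} (owner: {r.owner})")
    print(f"Total open exposure: £{total_exposure(REGISTER):.0f}")
```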
When you think of a risk, always think of 2 things, what is the chance of it happening (probability) and what will happen if it occurs (impact). These two things will help you to clearly express your risks.
In our next risk article 'Intermediate Guide to Risk Management' we will cover topics such as:
- Risk Mitigation
- Risk Lifecycle
- Risk Context
Daniel Wright founded Monochrome Consultancy, specialising in Digital Transformation, IT Transformation and Project & Programme Delivery.
With his background in IT and InfoSec Dan is a techie at heart.
For more on Dan and/or Monochrome visit: www.monochromeconsultancy.co.uk