Introduction to Project Risk Management:
Part 1 - Planning for project risk management
____________________________________
Jurie Steyn
January 2018
This article is the first of a two-part series of articles on the basics of project risk
management. The two parts are as follows:
• Part 1: Planning for project risk management; and
• Part 2: Identify, analyse, action and monitor project risks.
Part 1 deals with the first step of the project risk management process, namely the
planning step. Part 2, to be published next month, deals with the implementation of
the project risk management plan.
Introduction
Life is uncertain, and projects are unique, complex in nature, based on assumptions
and done by people. Projects are therefore subject to a plethora of uncertainties, i.e.
risks and opportunities, that can affect the project and business objectives.
Although the activity is normally referred to as project risk management, it covers both
risk and opportunity management. Potential positive and negative outcomes deserve
equal attention. Therefore, the objectives of project risk management are to increase
the probability and/or impact of opportunities and to decrease the probability and/or
impact of risks, to improve the likelihood of project success. Risks and opportunities
represent two sides of the same coin, but with a very different impact. The definitions
of risks and opportunities should emphasise the differences and similarities, as follows:
• Risks are defined as uncertain future events or conditions that, if they occur, could
negatively influence the achievement of business, or project, objectives.
• Opportunities are defined as uncertain future events or conditions that, if they
occur, could positively influence the achievement of business, or project,
objectives.
This introduction to project risk management is aligned with the PMI Global Standard
for project management, namely the PMBOK Guide, 6th edition, which incorporates
ANSI/PMI 99-001-2017 (PMI, 2017).
Overview of Project Risk Management
Project risk management covers all the activities and processes of planning for risk
management, identification and analysis of project risks, response planning and
implementation, and risk monitoring on a project. There are seven project risk
management steps, as illustrated in Figure 1.
Figure 1: Project risk management overview
The seven steps are as follows:
• Step 1 - Plan Risk Management: This involves finalising the methodology to be
used for risk management on a project. Details can differ from project to project;
• Step 2 - Identify risks and opportunities: The process of identifying individual
project risks and opportunities in a manner which makes analysis possible;
• Step 3 - Perform qualitative risk analysis: The process of assessing and
prioritising individual project risks and opportunities for further analysis or action,
based on their probability of occurrence and potential consequences;
• Step 4 - Perform quantitative risk analysis: The process of performing
numerical analysis to determine the most likely outcome of identified high priority
risks and opportunities;
• Step 5 - Plan risk responses: The development of risk reduction options,
strategy selection, and agreement on preventive and contingency actions to
reduce overall project risk exposure;
• Step 6 - Implement risk responses: The process of implementing agreed-upon
risk response plans by the risk owner, according to the agreed-upon
timeline; and
• Step 7 - Monitor risks: Monitoring the progress with the implementation of
agreed-upon risk response plans, identifying and analysing new risks, and
evaluating risk process effectiveness throughout the project.
Unmanaged risks may result in problems such as schedule and/or cost overruns,
performance shortfall, or loss of reputation. Opportunities that are exploited can lead
to benefits such as schedule and/or cost reductions, improved overall project
performance, or reputation enhancement.
The remainder of this article focuses on the first of these seven steps. The remaining
six steps are covered in a follow-up article, to be published next month.
Step 1: Plan risk management
System requirements
Effective risk management requires a conducive company culture, as well as the
necessary risk management processes, structures and budget to identify, assess and
address potential opportunities and adverse effects.
In the planning step, the risk management methodology, assessment tools,
responsible parties and timing of risk management activities are fixed. This implies
that the typical risk and opportunity categories are defined, the processes to be used
for identifying risks are identified and risk assessment tools, such as a project specific
risk matrix, are finalised. Responsible parties for driving the overall risk management
process are identified and the timing and frequency for risk management activities are
scheduled.
As a minimum, the risk management planning step should include management
commitment, defined roles and responsibilities, clear risk statements, pre-determined
risk categories, a custom risk matrix and a risk register. It should also allow for risk
prevention and the reporting of residual risk. These are discussed in more detail in the
following sections.
Risk roles and responsibilities
Risk management is the responsibility of the most senior member of a business or a
project team, assisted by one or more risk management professionals. For a business
it is the chief executive officer and for a project it is the project manager. However,
every member of a business or project team has a duty to manage risks in their areas
of responsibility.
For a typical project, risk management roles and responsibilities are as follows:
• Project sponsor: The sponsor has overall accountability for all project
execution and business risks. The sponsor owns the integrated risk
management process;
• Project manager: The project manager is responsible for implementing an
integrated risk management process for the project;
• Project track leaders: Responsible for risk identification, risk assessment,
development of preventive and contingency actions and implementation of
allocated risk actions within their areas of responsibility;
• Risk management professional: Oversees the risk management process,
provides guidance and direction, and helps facilitate the process; and
• Functional managers: They provide input into the risk management process
at functional level and ensure that technical integrity is maintained.
Risk statements
It is always beneficial to start with a SWOT analysis of a business or project to identify
potential risks and opportunities. Weaknesses and Threats give rise to risks and
Strengths and Opportunities lead to opportunities for achieving the objectives.
Risk statements need to be structured descriptions of the risks which separate cause,
risk and consequence. For example: Because of (1) an existing condition, an (2)
uncertain event may occur, which would lead to (3) an effect on the project
objectives. In this case, the numbering refers to:
1. The Cause;
2. The Risk or uncertain event; and
3. The Consequence.
Writing risk statements in this manner makes the risk assessment process much
simpler. To enforce this format, capture risk statements in a table with three
columns entitled Cause, Risk and Consequence.
Risk categories
There are many different types of risks, or impacts, that can affect the sustainability of
a business. Similarly, there are different risks that can affect the viability of a
project. Although it is not essential to group risks according to predefined risk
categories, it does make sense to keep like risks together. The biggest benefit of having
risk categories is that they prompt the risk management professionals when
identifying risks and opportunities for a business or project. This ensures that all types
of risks are covered.
In our consultancy, we use nine risk categories when grouping risks and opportunities,
and we use the acronym STEEPCOIL as an aide-mémoire to remember them, as
shown in Figure 2.
Figure 2: Risk categories
These risk categories are described in more detail below:
• Social risks: Social risks cover the well-being of the workforce and the
community. This includes the health and safety of these stakeholders. It also
addresses matters like relocation, skills shortages, corporate social investment
and training;
• Technical risks: This addresses the risk that the selected process
technologies will not meet the business or project objectives, i.e. product quality
and plant availability issues. First-of-a-kind technologies and large scale-ups of
proven technologies are normally problematic;
• Economic risks: Economic and financial risks cover the profitability of the
venture. It includes issues like equipment cost, feedstock and product prices,
logistics cost, effect of project cost overruns, effect of schedule slip, etc.;
• Environmental risks: This covers potential impacts on air, water and
groundwater, as well as smells, noise and visual impacts on
stakeholders. Included are compliance and reporting risks to the responsible
authorities, in line with the environmental management plan for the facility;
• Political risks: This addresses the likelihood of political instability and strikes
in the country and region where a facility is being planned or operated. Will the
process facility be a high-profile target in case of instability? Will political risks
influence the supply chains?
• Commercial risks: Commercial risks include potential problems associated
with contractual agreements which can lead to delays, cost overruns or
counterclaims. Here we include risks associated with the marketing of final
products and the governance thereof;
• Organisational risks: Organisational risks cover the structure and ownership
of the company responsible for the establishment and operation of a process
facility. What are the risks that a specific partner brings to the deal? It also
addresses the issue of having a lean organisation structure and suitably
qualified and experienced personnel in key positions;
• IT risks: Information technology risks are shown separately from the technical
risks due to their unique character. Chemical plants require process
control systems, communication systems and business systems to interact and
function seamlessly; and
• Legal risks: These are risks associated with the specific legal framework within
which the business must operate. Are carbon taxes applicable? What is the
likelihood of them becoming a reality? What legislation is in the pipeline that can
impact on the sustainability of a venture?
Risk matrix
Risk assessments can be qualitative or quantitative. Stochastic modelling is required
for quantitative analysis and is considered optional. Qualitative analysis is always
required.
Qualitative analysis is performed using a two-dimensional risk matrix, with the
probability of an occurrence along one axis and the consequence of the occurrence
along the other axis. A group of assessors weighs up each risk statement and scores
it in terms of probability and consequence, i.e. plots the risk on the matrix.
Risk matrices can be anything from a simplistic 2x2 matrix to a very complex 7x7
matrix. Risks with a low probability and insignificant consequences do not warrant
further investigation. However, high probability risks with significant impacts require
attention. For our projects we normally use a 5x5 matrix, which affords sufficient
resolution for most applications. An example of a 5x5 matrix is shown in Figure 3, with
definitions for a variety of categories. The numbers in the coloured squares represent
the product of the probability and consequence ratings.
The squares of the matrix are colour coded as follows:
• Green: Low risk;
• Yellow: Medium risk;
• Orange: Significant risk; and
• Red: High risk.
Figure 3: Illustrative 5x5 risk matrix
The company’s level of risk tolerance determines the placement of the colour squares
and which risks will be further addressed. Companies, or projects, with a high appetite
for risk will have a smaller area covered by red and orange squares than those who
are risk averse. Typically, risks falling in the red and orange squares necessitate
further action. The risk matrix must be finalised, and agreed to, before proceeding to
later steps in the risk management process.
Risk register
The risk register is a live, structured document where risks are captured and
managed. Each risk is assigned a specific risk owner who is the person responsible
for the risk reduction actions.
The risk register has provision for a unique risk number, risk category, risk description,
and the current risk assessment. For those risks where further action is required
(orange and red risks), provision is made for preventive actions, which reduce the
probability of an occurrence, and contingency actions, which reduce the consequence
of an occurrence. On completion of the actions a residual risk assessment is
performed to determine if a risk has been adequately addressed.
We prefer to maintain separate risk registers for the project implementation phase and
for the operations phase. Although there will certainly be much duplication, it helps to
maintain focus where it is necessary.
Project risk management plan
The output of the planning for risk management step is captured in a project risk
management plan. The risk management plan describes how risk management
activities will be structured and performed for a specific project. The risk management
plan may include some or all of the following elements, most of which have been
discussed in detail in the preceding paragraphs:
• Risk philosophy: Describes the generic approach to risk management on a
project. Highlight differences from the norm, if any;
• Methodology: The risk management procedures, tools (including the approved
risk matrix) and sources of data that will be used;
• Roles and responsibilities: Who is responsible for leading and supporting the
different risk management activities;
• Funding: Identify funding required for risk management activities and establish
protocols for application of funds;
• Timing: Specify the timing of the different risk management activities along the
project timeline and the frequency of meetings;
• Risk categories: Use the STEEPCOIL example or any other preferred risk
breakdown structure;
• Definitions of risk probability and impacts: These must be specific to the
project context, and reflect the risk appetite of the organisation and
stakeholders;
• Reporting format: Here we define how the outcomes of the project risk
management process will be documented, analysed, reported and
communicated; and
• Tracking and auditing: Risk audits may be used to consider the effectiveness
of the risk management process.
Concluding remarks
A detailed project risk management plan, as described above, is the desired outcome
of the planning for risk management step. However, this is only the first of seven steps
in the project risk management process. Part 2, covering the remaining steps, will be
published on the 1st of February 2018.
References
PMI (Project Management Institute, Inc.), 2017, A guide to the project management
body of knowledge (PMBOK Guide), 6th ed. PMI Book Service Center, Atlanta.