Before we start working on becoming a risk management guru, let us first understand what exactly is meant by risk. Risk is nothing but a quantifiable likelihood of loss or less than expected gains. Examples of risk include credit risk, financial risk, income risk, event risk, etc.
The process of assessing and quantifying business risks and taking measures to control or reduce them is termed risk management. Risk management is a very critical part of planning for businesses. Risk can be managed for a project, a department or an organization as an entity. Irrespective of the entity type, the basic risk management process remains conceptually the same.
Risk management is defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative. The risk management process starts with the identification of the acceptable risk level of the entity in question. A risk and threat analysis needs to be done to know the legal and regulatory requirements, drivers and objectives of the entity.
It is observed that a good risk management process with a strong project management practice decreases risk by 80 to 90 percent. To do a risk and threat analysis, first list all potential risk items. Now assess the probability or likelihood and the impact of each risk item in the list. This can be done by assessing the risk on a scale of 1 to 5, along with the impact of that risk. Prioritize the risk list to identify what is more critical. It is now time to identify measures to counter the calculated risks. Identify the root cause and the downstream effect of all the high-risk items in the list.
Overall threat of risk = Probability * Impact
Focus on the high-threat risks. A cost-benefit analysis is now done to decide what to do with those risks:
- Mitigate: Risk mitigation involves performing actions and activities ahead of time to either prevent a risk from occurring or minimize its impact.
- Avoid: Avoidance means refraining from actions that increase the threat too much to justify the benefit.
- Accept: All risks that are accepted must be monitored periodically to assess any change in impact or probability which might require attention.
- Transfer: Transfer keeps the risk intact but transfers responsibility elsewhere. Insurance is a very common way of doing it.
It is very important to do risk contingency planning. Contingency planning involves creating fallback plans in case efforts to prevent a risk fail.
Risks must be tracked and monitored on a periodic basis to evaluate the effectiveness of risk handling actions against the calculated metrics of probability and impact. A risk and issue tracker helps reduce the adverse effects proactively. The risk management plan thus helps with response plans to mitigate risks at any point of time. Time frames for review of risks must be mentioned as a part of the risk management plan. Learning from the risk management process must be shared with the quality assurance team to capture knowledge and best practices as a part of the risk knowledge base for the future.
The Risk Management Framework thus is a step-by-step process of categorizing, selecting, implementing, assessing, authorizing and monitoring risks and their controls. Creating and following a framework for risk management defines the overall approach for decision making.
I hope you know enough about risk management to be able to understand the importance of identification, assessment, prioritization and managing risk.
PMP is a registered trademark of the Project Management Institute, Inc.