We’ve Got Exciting News: WorkOtter is now Prism PPM!

What Are The 4 Steps of the Risk Management Process?

Written by: Prism PPM
Published on: January 13, 2023

What is the Risk Management Process?

In every project management plan, there is always the chance that something unexpected will happen. An unexpected event is always a risk; its impact can be negative or positive. Project and portfolio managers responsible for risk assessment use the risk management process to better identify the implications of a given change and the impact on project health.

The Importance of the Risk Management Process

There are many versions of the quote “Prior preparation prevents poor performance,” and they all ring true. Risk process management helps managers anticipate challenges and manage proactively. The downstream effect of this is better resource allocation, smoother decision-making, and improved collaboration.

Most critically, using a risk assessment process in project management leads to higher project success rates and the process improvements that are key to growing and scaling your PMO. Risk mitigation should be part of your project governance and built into regular communications so that every stakeholder in the project has a chance to surface and address potential risks.

Stages of Risk Management

The established process for managing risks is broken down into stages. The four stages of risk management are: identify, assess, respond, and monitor & report on potential risks to understand the health of a project. Risk management is vital for the success of a project and the process should be enhanced with every new project.

A circle infographic showcasing the 4 steps of risk management

Identify

Identifying potential risks is the first of the four steps in the risk management process. It is accomplished during the planning phase of a project and should be part of every project management workflow. The purpose of this stage is to explicitly define all possible events that may impact a project to prepare adequate responses. In addition to identifying risks, project teams should also look for opportunities to offset risk or improve delivery.

Compiling a list of identified risks starts by bringing together different forms of information, which might include:

    • Brainstorming sessions with teams and stakeholders are a good way to capture a wide range of potential risk factors
    • Executive interviews are useful for getting context on certain scenarios and on mitigation strategies
    • Prior documentation will also help. Be certain to gather lessons learned from similar projects and analyze industry studies. Checklists or questionnaires are great sources of information
    • Performing a SWOT analysis helps to identify not only risks but also opportunities, enabling you to understand where risk is greater or where upside is present

Assess

Once risks have been identified, the next step is to assess their impact. By determining risk type and impact, managers can prioritize the responses based on the probability and criticality of the risks. Assessing risk impacts also allows a team to be financially prepared for additional costs not anticipated in the project budget.

Qualitative risk assessment is a non-numerical way to estimate risk. Useful in cases where data is lacking, or time and expertise are limited, a qualitative approach can be effective for addressing routine tasks or where quantifying risk will be costly or might result in poor measurements. Some examples of qualitative risk assessment include:

  • Developing a risk matrix that analyzes each risk's probability of occurring and its impact
  • A risk ranking scale can order risks based on your risk matrix or a single measure such as impact or likelihood
  • Risk narratives and “what if” scenarios help to provide additional color around the process for escalation and remediation
  • Probability charts and risk heat maps are used to visually depict risks, often surfacing problems that a simple prioritized list cannot

Quantitative risk assessment takes an objective approach to establish the financial implications of risks and benefits, should they occur. As with any risk assessment, a well-rounded team will include key stakeholders, the project manager, and possibly other executives who oversee budget and financials. This team will be responsible for determining:

      • How the project scope and resource plan translate into hours and dollars
      • Whether there are additional costs not accounted for in the plan; these might include hard costs like contractors or travel, or soft costs such as training

Respond

Next, a response plan is formulated to prevent or mitigate project risks. A solid response plan will include steps to address the issue and what to monitor to measure success. In this stage, the objectives are to reduce the impact or chance of a negative risk occurring, or to increase these factors for a positive risk.

There are 4 techniques for responding to risk:

  • Avoid: Getting ahead of project risk by changing project scope or approach, clarifying project requirements, adding additional resources or upskilling the team, and improving communication are all ways to avoid potential risks.
  • Transfer: Transferring risk means moving the risk out of the project itself and putting the burden on a third party. An example of transferring risk in software development might be ensuring third-party resources are contractually bound to performance delivery measures.
  • Mitigate: Not all risk can be avoided. Mitigation means understanding what you can do to lessen the impact or increase the benefit, through quality controls, contingency plans, and added redundancy.
  • Accept: There is no scenario where risk can be completely eliminated, thus the need to accept a certain amount of uncertainty. All project stakeholders should agree to an acceptable level of risk tolerance, ideally documenting their acceptance and establishing contingency reserves as needed.

A comprehensive action plan for risk management uses all of these techniques. In software development, this blend might include:

        • Infrastructure protection
        • 3rd party security controls and performance warranties
        • Development process responses for code quality and rollbacks
        • Enforcing documentation and avoiding documentation drift

Monitor & Report

The last of the four stages of risk management is to monitor and report project risks and execute response strategies. Continued monitoring during a project allows you to add new risks as they come up. Risk registries are tools built into many project portfolio tools, and they allow tracking of risk across multiple projects.

A screenshot of WorkOtter's platform for adding a new risk log item

Risk logs capture and report on project risks across the portfolio, allowing a holistic risk assessment

Identifying and tracking Key Risk Indicators (KRIs) provides a framework for a unified understanding of risks across a program or portfolio of projects. Each department involved should establish the KRIs that matter most to them, then all KRIs should feed into a unified view. This bottom-up approach ensures ownership for action plans, root-cause analysis, and continual improvement reside in the department or departments most able to manage the risk.

Communicating risks proactively and as they come up is key to realizing the desired outcome of any project. Every project team, the PMO, and stakeholders and executives should have visibility into status and health across the project portfolio.

  • Regular status reporting is effective for real-time visibility into projects and project health but doesn’t get to a true understanding of all in-flight projects
  • Reporting at a portfolio level is critical for surfacing inter-dependencies among projects and understanding the portfolio-wide impacts of certain risk responses.
  • Creating and communicating “what if” scenarios helps resource managers and executives better understand the impact of a given response to risk and whether it is worth doing
  • Performing risk audits is also essential for understanding response effectiveness, ensuring process compliance, assessing controls, and keeping documentation complete

Improving your risk management processes over time is key to better results and to maturing your PMO. It is important to establish feedback loops that allow collection, documentation and analysis that will inform and de-risk future projects.

Of course, keeping all project participants informed and getting feedback is easier with software designed for project risk management. A PPM tool like Prism PPM, built for structured project management and portfolio optimization, can quickly and easily compile status reports, populate executive-level dashboards in real time, alert PMs and stakeholders to KRIs, and keep everyone informed with the data that is most important to them.

Summing Up Risk Management

Risk can take many forms on a project:

  • Communication Risks
  • Cost Risks
  • External Hazard Risks
  • Market Risks
  • Operational Risks
  • Performance Risks
  • Resource Risks
  • Scope Risks or Scope Creep
  • Technology Risks
  • Time Risks

If risk is not managed, the results can be project overruns, extended timelines, lack of benefits realization, higher resource demand, and scope creep. And managing risk across multiple projects just grows in complexity as the PMO takes on more work.

Having an appreciation for the nuances of risk management and a set of tools to identify, assess, respond and report on risk is essential to better project management. Establishing a system for managing risk and establishing processes that can mature and improve all projects is the goal, and it starts with the simple steps outlined here.

About Prism PPM

Prism PPM is the leading Project Portfolio Management tool used by successful organizations to strategically manage project risk, mature their Project Management Office, and ensure strategic alignment with high-level organizational objectives.

Since our founding in 1998, we’ve built Prism PPM to follow best practices for project management while being flexible enough to work the way project teams need to work. As a tool purpose-built for portfolio management, we focus on helping our customers build strategy, insight, and resilience into their project portfolio, enabling them to risk less and realize more.

We’re here to answer your questions or provide a demo of our PPM software at any time.
