PM Course - The Ultimate Guide to Creating a Risk Management Strategy

Why You Should Create a Risk Management Strategy

Our lives are full of uncertainty. Be it in big business decisions or in everyday situations, we can hardly ever be certain that an event will happen. We can think about several examples:

When you are outsourcing a part of your project to subcontractors, how can you be sure that they will deliver the product or service with the expected quality and within the schedule?
How can you create better cost estimations when you are not entirely certain of which parts and tasks will be involved in your project?
How can you be sure that your project team will be available throughout the life of the project and will be able to execute their tasks properly?
How can you be sure that an economic crisis will not affect your industry in the middle of the project and make it completely unattainable?
How can you be sure that there will be no traffic jam (or at least there will be “normal” traffic jam) when you are on your way to that important meeting with your customers?

You get the point… There are many, many things we cannot control, and we need a plan to deal with these uncertain events. Risk management is all about building this plan, including relevant variables and possible events, and establishing contingencies to handle them in the best possible way. In risk management we want to create a systematic approach, a disciplined strategy, to control and reduce risks.

When we talk about risk management, we must first understand what is a risky or uncertain event. Technically they are not the same: risky events have known probabilities for the possible outcomes, while uncertain events do not have definite probabilities (although we can estimate them). However, we can simplify our life by seeing them as very closely related and, most of the times, the same thing (because we hardly ever have definite probabilities for the outcomes and almost everything ends up being an estimation). There are two types of risks:

Those that you know might happen: these are the potential problems we clearly identify while planning the project. Maybe the weather will not cooperate with our construction project, or maybe the government will issue a law that will increase the regulatory costs for our company. We don’t know what exactly will happen, but we know what could happen. This allows us to create strategies to deal with the risky events should they become true.
Those that you don’t know might happen: these problems come unexpectedly. I’m sorry to break the news, but we simply cannot predict and control everything. We also cannot identify every single possible uncertainty of a project. However, we should expect the unexpected: it always happens at some point of our project. What we can (and should) do is to try to identify (put under the “known unknowns”) all the critical risks of our project and try to make sure that the impact of the unknown unknowns will hardly ever be critical.

Unfortunately it might be the case that you think risk management is of secondary importance: “I should focus on what will happen for sure and I shouldn’t spend that much effort on shielding my project against uncertain events.” However, if you think hard enough about the topic (assuming that, just like me, you like to think), you will inevitably reach the conclusion that risk management is the primary task of a project manager. Here is the argument: when you plan your project, you write down the things you want to happen in the order you want them to happen and with the budget you want them to happen. Apart from executing the work itself, this is pretty much all the focus you can give to certain events: write them down and include them in your planning. If only certain events happen, there is absolutely no space for problems. And yet, innumerable problems seem to arise in every project. Delayed schedule, overrun budget, low-quality suppliers, you name it. Just one of these events can be enough to completely invalidate your initial planning (if there is absolutely no flexibility in it). So very well, you can focus solely on certain events, but the resulting plan will be extremely sensitive to risky situations. This is why the primary task of the project manager is to study in details the potential impact of each relevant uncertain situation and design a plan that has enough flexibility to deal with them. It follows more or less the same principle of designing a building resistant to earthquakes: you may say that earthquakes will not happen at all and design a rigid building that will immediately collapse if any minor tremor happens; or you can design a building with some flexibility to stand earthquakes up to a certain intensity level. However, just as extremely strong earthquakes might destroy even flexible buildings, extremely significant uncertain events might crash your project plan no matter how flexible it is.

All the techniques we discuss in this course are, in a certain way, risk management techniques: how to account for variations in personnel availability, how to use different cost estimation processes to create a more precise budget, how to build a schedule that includes some flexibility in the tasks without strongly affecting the final deadline, etc.

Risk Management and the Project Plan

We already covered the topics of schedule and budget estimation. Now we will start studying how risk management relates to different parts of the project plan. We will discuss three moments when risk management interacts with the project plan.

The definition of the project

When we first conceive the project, we lay down the goals for costs, schedule, scope, etc. Remember our discussion about assumptions of a project when we talked about developing our project charter? By analyzing these assumptions we can identify which ones represent real threats for our project and document them as risks.

The planning of the project

The planning of any project can be divided into two main parts: the risk management and the schedule and budget development. They interact with each other, and we must keep in mind that risk management happens repeatedly throughout the project. As we look with a critical eye to all the stakeholders of our project, we are able to estimate their “weaknesses” and determine strategies to reduce or, if possible, completely neutralize them.

The control of the project

As we monitor the developments of our project, we are able to identify new risks and to assess whether our risk strategies are effective. We might want to come back to the project plan to remove irrelevant risks and include new ones. This will require us to update several sections of our plan (the statement of work, the budget estimations, the work breakdown structure, etc), but this shouldn’t discourage you from updating the risks of your project!

The Framework for Your Risk Management Strategy

Now we know why and where risk management is important. But how to conduct it? The problem is… risks vary drastically from industry to industry, from company to company, even from year to year within the same company. So instead of presenting an exhaustive list of defined risks for you with a strict strategy for each of them, the best way is to present a framework of how to conduct a risk management analysis. Then you will be able to look at the specific risks of your company and perform a structured evaluation of them to generate a valid strategy.

Have a look at the figure below. It shows the standard framework of the risk management process.

Framework for the Risk Management Process

As you can see, there are four major steps involved in building your risk management plan. Let’s discuss them one by one in details.

Step 01: Identifying the Risks

Identifying the risks is the process of finding all the elements that could threaten the objectives and the goals of the project. There are four basic strategies for identifying the risks of a project.

Talking To Stakeholders To Gather Information

This is as simple as it sounds: go to your stakeholders and discuss which risks are involved in their activities in the project. Some of the stakeholders are internal personnel and some are external contractors. For both of them, there are two main approaches for gathering information:

Brainstorming

Brainstorming is more effective with internal personnel. Brainstorming is not simply stuffing everyone inside a room with a flipchart and writing down everything that comes to your heads. There are ways of improving the efficiency of brainstorming and focusing it on the issue at hand. First, make sure that the people present in the meeting are aware of the subject. Did you send them the project plan? Did they read it? How will they be involved in the project? Second, set a determined duration for the brainstorming session. “What? But… We shouldn’t limit the brainstorming! We should go for as long as it is necessary…” you might say. I agree with the “shouldn’t limit” part, but I strongly disagree with the “as long as necessary” part. Maybe you found yourself in this situation as well: trying to solve a math exercise for hours without success and, while taking a break (a shower, a coffee, the toilet, whatever), magically coming up with the solution. Why does this happen? When we focus for too long on the same issue, we end up trying different variations of a very narrow set of tools to try to solve it. When we allow our brains to change the focus, it drops this narrow set and expands the perception of the problem, usually coming up with a nice solution. So how can we apply the principle to brainstorming? Simply split the process into two or three sessions in consecutive days. Instead of sitting three hours in a room (with a very productive first hours and two amazingly unproductive subsequent hours) in one day, sit one hour for three days. The break will allow not only you but also your team to come up with more and better ideas.

By using this process, generate a list of potential risks. Don’t look at how the risks looks like: “an apocalyptic thunderstorm will hit our construction site” is as good as “our suppliers will delay the delivery of raw material”. No value judgments here; let the group be as creative as possible. Then, at the end of each meeting, have a quick look through the risks, group similar ones and discard very unlikely ones. You may also want to order them, but it is better to do it in the last meeting once you will not focus on generating ideas anymore.

Interviewing

Interviewing is more effective when dealing with external stakeholders. It requires a more structure approach and is not as open to creativity as brainstorming. One suggestion is to use some ideas from the brainstorming sessions to create a specific set of questions to ask the person being interviews.

The Murphy’s Law

We all have heard of it: “If anything can go wrong, it will go wrong.” or something like that. Although notably pessimistic, this approach is the preferred one during the phase of identifying risks because it prevents you from crossing out risks that might be relevant for your project. Once you start creating solid response strategies you have the permission to be more optimistic and disconsider some risks.

Assume a Thorough Approach to Perspectives

When I write “stakeholder” without specifically defining the term I do it for a purpose: each and every stakeholder is important during the initial phase of risk management. Functional managers, team members, suppliers, customers, shareholders, etc. all have different perspectives and expectations about the project, and you should open your ears and listen to each of them.

Creating a Risk Profile

A risk profile is a way of applying the lessons from previous projects to the current one. A risk profile is nothing more than a list of specific questions that address common risky topics of a project. Once more, a risk profile is created continuously by incorporating the lessons learned from each project and each phase within a project. In order to ensure the quality of your risk profile, you might want to follow basic guidelines:

Focus on your industry and develop questions specific to it;
Be more specific and focus on your company or department instead of the entire industry;
Consider both the risks involved in developing a new product, service or technology and the risks related to management activities (team management, for example);
Present some measurement (no need to be super specific and precise) of the magnitude of the risks. Maybe simply writing “low-moderate-high impact” next to each risk is everything you can by now (before gathering more information), but as you carry your risk management processes, you should try to refine the impact of each risk on your project.

Using Your Historical Records

You already know this… I repeated it several times during the article that is mandatory to use past information (if it exists) while identifying your risks. You can look at the previous records to try to get a lot of different information:

What were the unknown uncertainties that happened in previous projects? How did people deal with them?
What was the difference between the planned and the actual budget and schedule? What caused this difference?
What lessons were learned from previous projects?
How is the general stakeholder satisfaction with the project? What was good and what was bad?

Prioritizing the Risks

Now that you have a thorough list of risks, what you want to do is to order them and prioritize the most important ones. It might be the case you will drop several risks because of low impact or low probability, so it is important to spend some effort to focus on the relevant uncertainties. The outcome of the first step, identifying the risks, should be a list of known and relevant risks that will be considered in more details.

Step 02: Creating a Response Strategy

Once the risks are identified, it is time to detail the impact of each risk and their likelihood in order to create strategies to reduce uncertainty in the project. By systematically identifying the extension and the likelihood of risks, you will be able to focus on the areas that are more significant for your project. A response strategy has three components: defining the risk, assessing its probability and developing the response strategy based on the magnitude and probability of the risk.

Defining the Risk

How would you describe the risks involved in your project? A simple yet effective way is to describe two dimensions: the condition, or the situation that is causing you concern or uncertainty, and the consequence, or the possible negative outcomes that might result from the condition. Be sure to describe the condition clearly, as it is essential for an accurate estimation of its impact.

Once the condition is defined, it is time to assess the cost, schedule and material consequences (likely damages) that the realization of the risk might bring to the project. Let’s imagine how we would define the condition and the consequences. For that, imagine that we are a construction company working on a new building.

Condition: the soil conditions for the foundation require a special bulldozer with which the company has little experience.

Consequence: operating the bulldozer incorrectly will damage it and the current state of the construction. The total costs of repairing the bulldozer and the construction site may vary from $40,000.00 to $150,000.00 and it might take anything between 3 and 5 weeks for the repairs to be completed.

Since we have a range for the cost and for the schedule of the repair, we will have to estimate some probabilities and calculate the expected cost of our risk. While the safest approach would be to simply attribute a 100% change for the highest cost and the longest schedule delay, this could lead to unrealistic forecasts and to sensible increases in cost and schedule estimation, resulting in an infeasible project. So let’s revise a bit of probability theory (I assume you already know it, but if you don’t… what we will see here is very basic, so you should be able to understand it) and incorporate it to our example.

How Probability Theory Improves Risk Management

Probability theory works with determining, based on information we already have, what are is the probability of the realization of an event. If you throw a dice, the probability of obtaining a 6 is simply 1/6. If you throw the dice twice, the probability of getting a 6 and a 4, in this order, is just 1/6 times 1/6. Of course our estimations of probabilities will be pretty hard to make, specially because there are infinitely many things that could go wrong with the bulldozer and each one of them has a different likelihood of happening (unlike a fair dice, which has the same probability for each face).

In any case, we will have to come up with some numbers and probabilities if we want to quantify the expected impact of a risk on our project. I would recommend reading the golden rules of estimation before continuing here, as they describe several ways of obtaining reliable data for your estimations. One of them is the analysis of historical data; in our case, however, this is not really useful because, as stated in the condition, we have little experience with the bulldozer (so there is little historical data on what could go wrong). What exists, and we should look at it, is historical data about other equipments that were new at some point in our company (this is why it is important to keep a record of your risks, so you can come back to them later and learn from them), and we can look at the high and low estimations of costs to compare them with the real figures. However, assessing the probabilities of a risk will always require a lot of creativity and intuition. Your historical data might give you some clues, but there will always be something new that will require an innovative approach: probability assignment is both art and science.

Probabilities of risks help you to calculate their consequences. The expected value of the risk is given by the product between the probability of the risk and the impact it will cause:

Imagine that the analysis of the risk gave us the following set of probabilities:

25% probability of $40,000.00 damage;
10% probability of $150,000.00 damage;
65% probability of no damage.

So our expected value of the risk is

We can then consider a strategy to deal with the problem: hire one person who is a specialist in dealing with the bulldozer for the job. Hiring the person costs $12,000.00 and it reduces the probabilities of damage to:

5% probability of $40,000.00 damage;
2% probability of $150,000.00 damage;
93% probability of no damage.

The new expected value of the risk is

And the total cost of the strategy is

Which is clearly less than our initial expected value of the risk. Therefore, our strategy seems to be cost efficient and we would choose to hire this specialist to work with the bulldozer.

If there is absolutely no hard data for you to work with, you can still assess probabilities based on subjective methods. Let’s consider one process that relies on subjective judgments from the team members. Have a look at the figure below:

Probability vs. Impact Matrix

How does this method work? It’s fairly simple: you ask your team to think about one specific risk and to assign to values to it:

From 1 to 5 (5 being the worst), the impact of the risk;
From 1 to 5 (5 being the most likely), the probability of the risk.

Then you multiply these two numbers and obtain a score for the risk. If this score is above the specified threshold (say, 7), the risk must be analyzed further. Pretty simple, huh? Just one remark: make sure to use the same matrix throughout the project, since the likelihood and impact of the risk are both subjective measures and should be done always with respect to the same reference point. If you want, you can also use more or less numbers for the scale, but you shouldn’t use too many as this will make the entire process very confusing (if you use a scale from 1 to 20, what is exactly the difference between an impact of 13 and one of 14?)

Probability assessment is done for a very simple reason: it allows you to order the risks and treat the most relevant ones first. By combining subjective and objective methods, you can rank them and focus first on the risks at the top and later on the risks at the bottom.

Reducing the Risks of the Project

Ok, so far we have focused on identifying and defining the risks. Once this is done, we still have to develop the strategy to deal with them. So how can we reduce the risk of an event? We can either reduce the probability of its realization or we can reduce the impact of the uncertain event (or we can do both). In our previous example, hiring the bulldozer operator reduces the probability of damaging the machine, but it doesn’t change the impact of the risk if it happens. For an example of reducing the impact of the risk, imagine that we hire an insurance for the bulldozer: we pay $20,000.00 for the insurance and it will cover any costs should the machine be damaged. This reduces the impact of the risk, but it doesn’t change the probabilities. Which one is the best strategy? That’s up to you to decide.

There are five basic types of risk response strategies that reduce either the probability or the impact (or both) of the risk.

Strategy 01: Accepting the Risk

When you accept the risk you are saying: “Ok, I understand the extension of the impacts of the risk, as well as its probability, and I choose to do nothing about it now.” That’s a common approach for low probabilities or impacts (i.e. for less relevant risks). If the uncertain event becomes true, you will react to it accordingly and bear the costs.

Strategy 02: Avoiding the Risk

You will not have to deal with flat tires if you don’t have a car. Avoiding the risk is simply bypassing the part of the project that could result in that specific risk. This, however, will very likely change the scope of the project and reduce its profitability. The trade-off between risk and return is almost always inevitable: to get higher returns you must face higher risks. Completely avoiding risks will bring you very inexpressive returns, and people (specially the stakeholders of your project) usually don’t like small returns.

Strategy 03: Monitoring the Risk and Creating Contingency Strategies

Monitoring the risk means watching the project closely as it approaches the moment of (probable) realization of the risk. In order to have a successful strategy, you should not only keep an eye out for the uncertainty, but also have a contingency plan in place. Contingency plans are nothing more than alternatives established before the risky event occurs. Although there are different contingency plans which vary based on the risk management strategy, there are a few common “classes” of contingency plans. The two examples that come to my mind right now are the money reserve (set aside and used when uncertain events happen) and the development of alternative product or service versions or designs.

When you are using the monitoring strategy, you will want to define the following two factors in your risk response plan:

How to detect the risk (detectability). How will your team detect the risk in time to respond to it? You and your team should discuss how difficult it is to detect a risk and adjust your response based on it. If a risk is hard to detect and has a low impact on the project, you might not want to spend much effort on monitoring and responding to it. If a risk, however, is hard to detect but has a great impact on the project, you will want to monitor it closely and spend more resources on your contingency plan.
When to stop monitoring and start acting (trigger events). Think about your weekend barbecue in the park. The sky is mildly cloudy, and you saw on the weather forecast a slight probability of rain. In the middle of the barbecue, you feel a few drops of water on your face; how long should you wait before packing everything and going home? The trigger event is what defines the threshold between monitoring and acting (i.e. implementing your contingency plan). Think about the trigger events for your risk. An example: say our uncertain event will cause a regular increase in the cash outflow of our project for the next few weeks. We have two risk response strategies: a contingency fund and an alternative design for our product. You observe the extra cash amount paid every week and you make the following decision: “I will use the contingency fund and not change the design if the extra costs do not exceed X per week and do not show an increasing trend; otherwise, I will change the design of the product.” This specifies two trigger events: one is the threshold X for our weekly extra cost, the other one is the presence of an increasing trend in the expenses.

Strategy 04: Transferring the Risk

Transferring the risk means, wait for it, making someone else deal with it or pay for it. Naturally, this is usually not free of charge. Insurances are the best example of risk transfer that I can think of: you pay a certain amount and if the risk becomes true the insurance will deal with the costs. You might be asking: how much such I pay for the insurance? While this is a complex question, I always keep two principles in mind. The expected cost of the risk has two components: the probabilistic monetary component and the psychological component. Humans usually don’t like risks and are willing to pay a certain amount to avoid them (what we call Risk Premium in finance). So you should consider these two aspects when hiring an insurance (it might be the case that the cost of the insurance slightly exceeds the expected monetary cost of the risk but you are still willing to pay for it simply to eliminate the risk altogether).

Another way to transfer the risk is to hire an expert to do the job. Our previous example with the construction company does exactly this: it hires someone to do the job in order to reduce the risk of damaging the bulldozer.

A third way of transferring the risk is the use of outsourcing or external contracts. While the flexible-price contract is effective in transferring risks, it is the fixed-price contract that offers the most reliable situation. Why? Because in the flexible contract you will still have to pay a higher amount if the contractor runs into some trouble while doing the job. In a fixed-price contract the amount paid will not change, so it’s the sole responsibility of the contractor to deal with the risks and uncertain events.

Strategy 05: Mitigating the Risk

Mitigating the risk is basically working harder in order to try to reduce the risk. In our example of the bulldozer, we could provide training to our employees before they used the equipment. This would require more effort from both sides, but it would likely reduce the risk.

Keep a Record of the Risk Management Strategies

We already saw how important historical data can be when dealing with uncertain events. The starting point for collecting historical data is recording the risk management strategies properly. You may want to keep a table or an excel sheet with the information.

When filling the risk log, make sure that each and every risk has a responsible person and rank the risks based on impact and probability (the most important ones should be listed at the top).

Step 03: Developing Contingency and Reserve Funds

This step is fairly straightforward: since there is risk and uncertainty in your project, you should create reserves and funds to be used in case a risk occurs. For the known uncertainties it is possible to create a more detailed contingency plan (based on your risk log). Since we know the extent of the possible damage, we know that some money should be set aside for it. But how much? Assessing the amount is sometimes difficult, so here are a few steps to follow in order to create a better estimation for the contingency fund:

For each risk that has a “contingency plan” strategy, estimate the additional amount of cash required to execute this contingency plan. Then use the expected value formula to derive the expected cost of each risk.
Add the individual expected costs up and you will obtain a final estimation for the contingency funds. And everybody will hate it, because the number will be quite high if you consider every single cost in your risk log. That’s the moment when you start negotiating with top management.
There is no hero or villain when negotiating. The problem is: we don’t know the actual amount of money we will need. If we set too much money aside, we might run short of funds on other projects; if we set too little, we might not be able to pay for the response strategy if the risk becomes true.

While reserves for known risks are usually the focus of contingency plans, they are not the only reserves you should worry with. You should also set some money aside as a “general reserve” for unknown risks. The amount you will set aside will be defined mostly based on experience, but a common practice is to calculate it as a percentage of the budget based on the work breakdown structure.

Step 04: Implementing Risk Management Continuously

Remember what we discussed about phased estimation in our cost estimation article? In phased estimation, we would take the information from the previous phase and use it to improve our future forecasts. Continuous risk management follows the same principle: at the beginning we have a rough idea of the most relevant risks, but as the project goes on we have to revise our initial plans to integrate new data. Continuous risk management also means monitoring the risk strategies for their efficiency and updating them accordingly. You want to be in touch with stakeholders in order to identify which risks are still relevant and whether there are new uncertainties that should be considered. Here are a few things to keep in mind:

Update the risk log regularly to include the most recent information about the risks.
Discuss possible new risks during the meetings with your stakeholders. You will not spend as much time as the first meeting when you thought about all the risks, but you should approach the matter regularly in order to identify new risks.
Perform the main activities related to risk identification at predefined moments within the project.
Remove from the risk log the risks that didn’t materialize and are not relevant anymore. This relieves your reserves and allows reallocation of contingency funds.

Final Words

Now that you know almost everything related to risk management, you will definitely want to check our article about how to control and monitor project risks. The knowledge from these two sources is very useful not only for your company or work-related activities but also for your personal life. Make best use of it and see you in the next article!