| Risk management has historically been viewed by | | | | the size and complexity of the project and the |
| many organisations as something of a "chore". | | | | overall risk appetite (See above). |
| However, with an increasing number of high profile | | | | For each risk that has been identified, a decision |
| project failures, more and more companies and | | | | should be made as to whether to transfer the risk |
| government agencies are realising the importance of | | | | (e.g. through insurance, to a sub-contractor etc.), |
| risk management. By managing risk more effectively | | | | mitigate it through specific actions to reduce its |
| organisations can gain a competitive advantage | | | | probability and impact, monitor the risk more closely |
| through such things as:o Improved product qualityo | | | | or ignore it entirely due to a small impact or low |
| Increased ability to deliver on timeo Improved Asset | | | | probability of occurrence. |
| Efficiency due to fewer breakdownso Reduced costs | | | | All risks should be assigned an owner, a trigger date |
| by limiting legal action or preventing breakageso | | | | and the frequency it needs to be reviewed. Specific |
| Improved reliability leading to an enhanced reputation | | | | action steps should be determined in order to reduce |
| Risk Management Techniques | | | | the probability or impact of the risks where |
| The key to effective risk management is the | | | | appropriate and contingency plans developed to |
| application of best practice techniques to a specific | | | | come into force once a risk has crystallised. These |
| situation. The principles of effective risk management | | | | reduce the impact of the risk or return to business |
| remain constant, but they must be flexed to take | | | | as usual at the earliest opportunity (e.g. Disaster |
| account of the size, shape and complexity of the | | | | Recovery Plans). Of course, all risk actions should |
| project. A formal risk committee reporting once a | | | | have an owner and be integrated within the overall |
| month would not be appropriate for a DIY project at | | | | Project Management Plans |
| home but may be necessary for a project as large | | | | Step 4: Management & Control |
| and complicated as rebuilding Wembley. | | | | During the Management and Control phase, the |
| Step 1: Set up Risk Management Structureo | | | | mitigating actions to reduce the probability and impact |
| Determine Risk Appetite: Understand the acceptable | | | | of each risk must be initiated and managed together |
| level of risk that can be absorbed by the | | | | with the wider project action steps. |
| organisation, department, project or programme. The | | | | Exposure to avoidable risks should be reduced at the |
| costs of avoiding risks beyond this risk appetite | | | | earliest opportunity, but some risk can never be |
| (often called risk tolerance) mean that it is no longer | | | | avoided entirely. Hence the contingency plans |
| beneficial to attempt to avoid them.o Develop Risk | | | | developed above may need to be deployed when a |
| Language: From a change management perspective, | | | | risk does materialise. |
| it is imperative that people within the organisation | | | | A risk register or risk matrix should be populated and |
| understand each other. Developing a common risk | | | | updated regularly throughout the duration of the |
| language or "risk glossary" is a vital step to avoid | | | | project. A risk management software tool can often |
| misunderstanding and to ensure a consistent | | | | be a cost effective way of maintaining your risk |
| approach.o Implement Organisational Structure: In | | | | register as it can reduce the manual workload and |
| order to manage risk effectively, the organisation or | | | | help prioritise risk management activity. |
| project must set up an appropriate organisational | | | | More advanced tools can also quantify risk exposure |
| structure. Individuals and groups should be set up | | | | using techniques such as Monte Carlo analysis. In this |
| with clearly defined roles and responsibilities, together | | | | way, the relative benefit of reducing the exposure of |
| with an appropriate reporting structure and meeting | | | | the project to the residual risks it faces can be |
| schedule.o The structure clearly varies according to | | | | weighed against the cost of the risk mitigating |
| the size and complexity of an organisation or project, | | | | actions that are required. |
| ranging from a series of overlapping risk | | | | Step 5: Management Reporting: |
| sub-committees through to no more than a part-time | | | | Once risks have been identified and plans to reduce |
| risk manager. In all cases, however, the objectives, | | | | them put in place, it is imperative that they are |
| responsibilities and respective authority of each group | | | | reviewed regularly. The internal and external project |
| and individual should be clearly demarcated. | | | | environment is continually changing (e.g. in the case of |
| Step 2: Identify Risks & Issues | | | | Wembley the rising price of steel, or the changing |
| Using experienced risk managers and a structured | | | | attitude of the FA). Some risks will fall away, others |
| approach can save a fortune in downstream costs | | | | will arise that could never have been envisaged at |
| for a project. Regardless of whether such specialist | | | | the outset. |
| resources are available, it is important to first | | | | The risk register must therefore be continually |
| understand and validate the objectives and success | | | | updated and reports generated at regular and |
| criteria of the project to determine what is at risk. | | | | frequent intervals. Management reports should |
| During the risk identification process, each of the | | | | provide clear visibility on the risks faced, enable |
| various types of risks (Strategic Risk, Operational | | | | prioritisation of the activity and facilitate decision |
| Risk, Legal Risk, etc) that the project is exposed to | | | | making. |
| must be reviewed. Specific risk areas, such as the | | | | A risk aware culture should be embedded throughout |
| risk to the environment, to the technology | | | | the organisation,. This will increase sensitivity to |
| infrastructure, to the workforce and supplier reliability | | | | warning signals and ensures continual improvement in |
| must be considered. The potential impact of each risk | | | | the identification, assessment and management of |
| on the timescales, cost and performance or quality of | | | | risk. |
| the project is evaluated, along with the probability of | | | | Using this framework, organisations can plan |
| the risk manifesting itself | | | | appropriate strategies well in advance of any risk |
| All key stakeholders involved in the project should be | | | | occurring. The probability of a risk occurring is |
| involved at the identification stage, not only to | | | | therefore reduced, or its impact minimised should it |
| increase the number of risks identified but also to | | | | manifest itself. Through increased awareness of |
| ensure responsibility can be assigned and buy-in is | | | | problems across the organisation or project, |
| generated throughout. | | | | companies and government agencies can generate |
| Step 3: Evaluate & Plan | | | | enormous value and process improvements through |
| First of all an overall risk reduction strategy and | | | | effective risk management. |
| approach should be developed that is appropriate for | | | | |