Risk management is the structured process of identifying, analysing, and responding to the risks that could affect a project. Where risk analysis computes specific numbers (expected values, sensitivities, break-even points), risk management is the broader management activity of recognising that any project can hit trouble and planning systematically for what to do about it.
The basic equation multiplies a risk's probability by its impact to give its expected loss.
A risk with high probability and low impact (frequent paper jams) is different from one with low probability and high impact (catastrophic equipment failure). The two can have the same product, yet they call for different responses: the first by cutting its frequency, the second by limiting or transferring its consequences.
Four-stage process
A standard project-risk-management framework:
- Identification — determine which risks could affect the project; document each risk’s characteristics.
- Analysis of probability and impact — evaluate each risk, possibly in interaction with others, to assess the range of possible project outcomes.
- Mitigation strategies — define how to respond to each risk: accept, minimise (reduce probability or impact), share, or transfer.
- Control and documentation — track risks through the project life, respond to changes, build a knowledge base for future projects.
The process is cyclical — risks evolve, new risks emerge, mitigations succeed or fail, and the cycle re-runs throughout the project.
Sources of risk
Common categories:
- Software / technology risks (will the new system work?).
- Scope risks (will we discover we need more work than we estimated?).
- Quality risks (will the delivered work meet specs?).
- Time risks (will we finish on schedule?).
- Cost risks (will we stay within budget?).
- Procurement risks (will suppliers deliver on time and to spec?).
- Human-resources risks (will the right people be available and competent?).
- Communications risks (will information flow appropriately?).
- Project-integration risks (will the pieces fit together?).
For each category, the project-management discipline is to ask four questions: what is likely to happen; what can be done to reduce its probability or impact; what is the warning signal (the trigger) that it is starting to materialise; and what is the planned response when that trigger fires.
Mitigation strategies
Four standard responses:
- Accept. The risk is small enough (low probability, low impact) that no action is justified. Doing nothing is itself a reasoned response when the cost of mitigation exceeds the expected loss it would avoid; the decision and its rationale still belong in the risk register.
- Minimise. Reduce the probability or impact of the risk through specific actions: better quality control, redundancy, training, monitoring.
- Share. Spread the risk across parties so that each bears only part of it: joint ventures, partnership agreements, cost-sharing clauses in contracts.
- Transfer. Push the risk to a party better equipped to bear it, typically through insurance, fixed-price contracts, or outsourcing. The risk itself does not go away; what changes is who pays when it materialises.
The choice depends on the risk type and on relationships with stakeholders. Some risks (force majeure) can’t easily be reduced, only transferred. Others (process risks) are best minimised through direct management action.
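As an added illustration (not part of the original text), the following Python risk register applies the probability-times-impact equation and the accept/minimise/share/transfer decision described above. Every candidate response is scored as expected loss avoided minus its own cost, and "accept" wins when nothing pays for itself. Share and transfer are modelled the same way as minimise, as options with a residual probability and impact, since the decision rule only cares about what remains after the response. The risks, figures, thresholds and names (`Risk`, `Mitigation`, `classify`, `best_response`, `plan_register`) are constructed for this example, not taken from the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example: a small risk register in the probability x impact
# model. Monetary units, probabilities and thresholds are assumptions
# chosen for illustration, not figures from the text.


@dataclass
class Mitigation:
    """A candidate response (minimise, share or transfer): what it costs,
    and the residual probability and impact once it is applied."""
    name: str
    cost: float                # cost of applying the response, same units as impact
    probability_after: float   # residual probability once applied
    impact_after: float        # residual impact once applied (e.g. an insurance excess)


@dataclass
class Risk:
    name: str
    probability: float         # chance the event occurs during the project, 0..1
    impact: float              # loss if it does occur
    options: List[Mitigation] = field(default_factory=list)

    def expected_loss(self) -> float:
        # The basic equation: risk = probability x impact.
        return self.probability * self.impact


def classify(risk: Risk, p_high: float = 0.5, impact_high: float = 1000.0) -> str:
    """Place a risk in a 2x2 probability/impact grid. The thresholds are
    assumed; a real register uses the organisation's own risk-appetite bands."""
    p = "high" if risk.probability >= p_high else "low"
    i = "high" if risk.impact >= impact_high else "low"
    return f"{p}-probability / {i}-impact"


def best_response(risk: Risk) -> Tuple[str, float]:
    """Choose the response with the highest net benefit, where
    net benefit = (expected loss before - expected loss after) - response cost.
    Falls back to 'accept' (net benefit 0) when no option pays for itself."""
    baseline = risk.expected_loss()
    best_name, best_net = "accept", 0.0
    for m in risk.options:
        residual = m.probability_after * m.impact_after
        net = (baseline - residual) - m.cost
        if net > best_net:
            best_name, best_net = m.name, net
    return best_name, best_net


def plan_register(risks: List[Risk]) -> Dict[str, str]:
    """Map each risk in the register to its chosen response."""
    return {r.name: best_response(r)[0] for r in risks}


# Constructed register: the two risks from the text score the same by the
# multiplication (0.9 * 100 == 0.01 * 9000 == 90) but sit in opposite
# corners of the grid and end up with different responses.
PAPER_JAMS = Risk("paper jams", 0.9, 100.0, [
    Mitigation("scheduled maintenance", cost=50.0, probability_after=0.3, impact_after=100.0),
])
EQUIPMENT_FAILURE = Risk("equipment failure", 0.01, 9000.0, [
    # transfer: premium of 40, residual impact is the 500 excess
    Mitigation("insurance", cost=40.0, probability_after=0.01, impact_after=500.0),
    # minimise: a spare unit cuts the probability but costs more than it saves here
    Mitigation("redundant unit", cost=120.0, probability_after=0.001, impact_after=9000.0),
])
COSMETIC_DEFECT = Risk("cosmetic defect", 0.2, 10.0, [
    Mitigation("extra review pass", cost=30.0, probability_after=0.05, impact_after=10.0),
])
REGISTER = [PAPER_JAMS, EQUIPMENT_FAILURE, COSMETIC_DEFECT]

if __name__ == "__main__":
    for r in REGISTER:
        name, net = best_response(r)
        print(f"{r.name:18} EL={r.expected_loss():6.1f}  {classify(r):32} -> {name} (net {net:+.1f})")
```

Running it shows paper jams and equipment failure with the same expected loss of 90 but different quadrants and different responses: maintenance for the frequent, cheap event; insurance for the rare, expensive one, because the redundant unit costs more than the loss it removes. The cosmetic defect is accepted, since the only option costs far more than the 2 units of expected loss it would avoid.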
Risk characteristics
A few honest observations from practice:
- Risks are situational. There’s no textbook answer that fits all projects — each context generates its own risks.
- Risks are interdependent. One risk’s occurrence often triggers others. Schedule slip → cost overrun → quality compromise → scope reduction.
- Risk tolerance varies. It depends on the organisation’s corporate values, which depend in turn on personal values of leadership. The same risk that’s acceptable at one firm is intolerable at another.
- Reward correlates with risk. Higher returns generally require accepting higher risk. The portfolio question is which risks fit the firm’s risk appetite.
Project life cycle and risk
Risk profiles shift across the project life cycle. Early phases (concept, feasibility) carry high uncertainty (we do not yet know exactly what we are building) but little cost incurred to date. Later phases (execution, deployment) carry low uncertainty (the project is well defined) but high cost incurred to date. Uncertainty falls as sunk cost rises, so a risk that materialises late is far more expensive to absorb than one caught early; the practical consequence is that it is much cheaper to identify and mitigate risks early than late.
For the underlying analysis techniques, see Sensitivity analysis, Break-even analysis, Decision tree, and Expected value (engineering economics). For the broader topic see Risk and uncertainty.