5 Key Elements of Risk Management Implementation

29 September 2021

Home
Blog
Risk Management
Risk Management Implementation

In Project Risk Management, we looked at what risk management is and why it’s important in project management. In this article, we review the key elements necessary for implementing risk management into your organization. Together, these concepts build the foundation for effective risk management and setting your organization up for success.

Risk and Opportunity Management Plan

A risk management strategy should be defined during the project planning phase while drafting the Project Management Plan. In fact, when launching the project, it is possible for the project team to identify a large number of potential risks, depending on your risk culture.

The Project Management Plan (also called PMP, and not to be confused with the PMP certification) consists of several parts, including the Risk Management Plan.

A Risk and Opportunity Management Plan, or ROMP, is a comprehensive description of the processes in place to manage a project’s Risks and Opportunities (R&O). It includes the role of the various project stakeholders, steering, and decision-making bodies; tools used; interfaces to be considered; planned reporting; etc.

The ROMP should evolve throughout the life cycle of the project as it will be used as a reference for the project. Newcomers to the project as well as existing team members can refer to it to understand the operating model and raise questions they may have.

For the ROMP to be relevant, the project must first have:

Clearly defined objectives,
An identified master schedule, as well as
A preliminary cost estimate for completion.

These elements will then make it possible to define the different levels of risk based on clear criteria.

It is recommended to start the implementation of risk management by defining a risk matrix (or a risk assessment matrix). This tool, defined in more detail below, allows risks and opportunities to be assessed objectively and consistently. The impact criteria are then based on the objectives of the project; the most common of which are cost, time, and quality.

Risk Matrix

The Risk Matrix must objectively define each criterion – probability of occurrence and severity of impact – with differing levels. While we would typically define risk impact by high, medium and low, we at MI-GSO | PCUBED actually recommend completing a quantitative risk analysis, defining risk impact and occurrence with numerical levels.

By quantifying these otherwise qualitative attributes to risks and opportunities, organizations can better place risks on the criticality scale and prioritize them. This also allows for more flexibility in visualizing risks on your risk reporting dashboard, but we are getting ahead of ourselves here. We’ll explain this more in the Risk Management Process.

For example: for the cost impact, it is common to use % of cost at completion; while for the impact to the timeline or schedule, one would use the ability to achieve milestones to define the different levels.

Regarding the probability of risks occurring, conventional percentages can be used such as 5%, 25%, 50% or 75%. Note: associating words with these probabilities will sometimes help managers for whom a number alone may be too abstract. For example: 5% very unlikely vs. 25% not to be ruled out, vs. 75% quite likely. Or even using numbers based on chance: 1 in 2 chance.

Note: Be Careful! Depending on the company, the rating meaning may vary: either 1 represents the least serious impact and probability, because it is very small; or 1 represents the most important level so that it represents priority #1. So be vigilant and remember to refer to the ROMP and the defined risk matrix to know what situation you are in!

A risk matrix can have several configurations:

4 x 4: 4 levels of impact, 4 levels of probability. Ideal since there is no neutral position.
4 x 5: 4 levels of impact, 5 levels of probability. It is sometimes useful to be able to have a greater scale of probability and to be able to estimate 1 in 2 chances.
5 x 5: 5 levels of impact, 5 levels of probability.

Risk Breakdown Structure

Once the risk matrix has been defined, it is interesting to think about the characteristics of risks and opportunities: what types of risk will be present in the project?

To achieve this, the Risk Breakdown Structure, commonly called RBS, is used. This is a document listing all the different types of risks and opportunities possible. It organizes them into a hierarchy with each descending level providing greater detail.

This document is useful for two reasons:

First to guide risk identification, the RBS gives a framework to follow and prevents missing any important risks.
It also allows for identified risks to be categorized during analysis and reporting, which helps in identifying the root causes of the risk.

Risk Register

Once the risk matrix has been defined and the RBS validated, the Risk and Opportunity Register must be set up. The risk register is a table capturing all the key information about each risk or opportunity. This can be an Excel table or even a specialized software tool (Planisware, Primavera, etc.).

Risk Reporting Dashboard

In order to best manage project risks, a dashboard with relevant indicators is critical. Here are some examples of useful indicators for managing risks:

A heat matrix: to visualize the distribution of risks in relation to their criticality
The distribution of major/medium/minor risks by number: simple and effective indicators allow for a global vision of the project
Risks by business case or work package: allows for an understanding of the distribution of project risks and also ensures that the process has been defined for all the project work packages
Monitoring the evolution of risks: stable, improvement, degradation, resolved, new: allows for the monitoring of the risk management process
Distribution and monitoring of the budget: provides an overall view of the project budget and the ability to identify the work package / area containing the greatest financial risks.
Risks with mitigation plans
Late actions for mitigation
Delayed risks in review

In the next article we will identify the four step risk management process for project management.

This article was written by: Marie BELGODERE, Jérémie CLAUSTRE, Capucine COMTE, Alioune DIALLO, Emmanuel LATGE, Jessy MIGNOT, Ingrid NGOBAY, Pierre PETILLON, Louann SUGDEN, Chris WAMAL.