How To Identify, Analyse, Mitigate and Manage Risks and Issues for the Project Manager

At any point during a project there will be events, either potential or already happened, that will affect the outcome of the project. These are risks and issues.

When you ask many people "what is risk?" they will say something like "something that may happen that will have a negative effect on the outcome of the project", although this is a popular response it is not actually correct. I have worked with many project managers and am surprised by the amount who still give me a response like that.

Risk is essentially any uncertainty that will affect the outcome of the project, it does not necessarily need to be negative. Risks can either be:

• Threats - an uncertain event that may negatively affect the project (what most people think are risks); or
• Opportunities - an uncertain event that could affect your project positively.

Issues are events that have already occurred. These can be unforeseen occurrences that weren't planned for or risks that haven't been mitigated or avoided and have actually happened, these will covered in a separate hub.

Effective identification, analysis, mitigation and management of risks and issues are key for a successful project and are a fundamental element of project management. A good understanding of risk and issue management will prepare you well for a life as a project manager.

The risk management process has 4 basic stages:

• Identify
• Assess
• Plan
• Implement

Identify

To identify the risks of a project you must use as much information about the project as possible. This should include:

• Objectives;
• Scope;
• Any assumptions;
• Any gaps in the information;
• Who are the key stakeholders;
• How important is this project in the bigger picture.
• Anything else that may affect the project.
• Risks and Issues that have affected similar projects

From this information you should be able to identify what threats could happen that may prevent you from achieving your project objectives. You may also be able to identify opportunities that may help you deliver your project for less money or within a shorter timescale.

Threats come in many forms but here are some example areas:

• People – lack of skills, going off sick, training courses.
• Operations – supplies, process failures, broken down lorries.
• Political – changes in government, legal changes, etc.
• Reputation – bad press, getting bad feedback
• Technical – jumps in technology, mechanical failure, etc.
• Procedures – internal systems and controls, fraud, organization failure etc.
• Project – running over budget, delivering work too slowly, poor quality work, etc.
• Finance – stock market drops, interest rate changes, inflation, unemployment etc.
• Natural – bad weather, earthquakes, accidents, force majeure etc.
• Others

Look through this list of possible threats and think if any of these may affect your project. Write these down and you should have a decent list of threats for the identification stage.

You should now assess the risks in terms of probability (how likely the risk is to occur) and impact (if the risk does occur how big will the impact be). A score between 1 and 5 should be given to each threat for probability and impact, 5 being a very likely risk with a high impact.

Now that you have estimated the value of your threats you can evaluate the effect on your project should the threat occur. The effect should be measured in terms that are most important to the project, for instance if it is most important that the project finishes by a certain date it should be measured in terms of delay to the delivery of the project. If it is most important that the project finishes under budget it should be measured in terms of cost. You can also show the value in terms of effect on quality.

The planning stage involves preparing responses to the threats identified.

You have 4 options when responding to a risk:

• Avoid the risk - do something to eliminate the threat, for instance buy a new car if there is a risk your car will break down;
• Transfer the risk - pass the responsibility to someone else, for instance take out full car insurance;
• Mitigate the risk - do something to reduce the impact or probability of the occurance, such as get your car serviced;
• Accept the risk - you can't afford to take out insurance so if your car breaks down you'll just have to deal with it;

This process ensures that planned actions are put into place and monitored to maximise their effectiveness. Corrective actions can also be put into place if the planning actions aren't working. Roles and responsibilities are key at this stage. Each risk should have an:

• owner - a named person who has responsibility to manage and control their risks. They will monitor status and report on the progress.
• actionee - the person best placed to deliver the action plan, they will perform the work.

This is not a distinct stage in itself but is a key characteristic of good risk management that should be carried out throughout the process. New risks should be identified throughout a project and statuses of risks that change should be communicated to all key stakeholders.

I'd be interested to hear your thoughts so please leave me a comment.