Overview
What follows is a simple statement about Risk Management, acknowledging that this is a discipline area where specialists should be utilised in order to adequately manage risks.
Each aspect presented in the sections below has a relationship to the others. Risk Management is a dynamic function that requires practitioners and stakeholders to continually consider all aspects in an iterative manner. This is best illustrated by reference to a diagram taken from the international standard ISO 31000:2009 Risk Management – Principles and Guidelines.

Risk Context
It is important that the scope of any risk assessment is unambiguous, otherwise:
- The risk assessment may be incomplete and therefore omit critical risks
- Spurious risks may be introduced that are irrelevant
Hence it is important that stakeholders agree upon the context in which they consider a range of relevant risks for assessment and subsequent risk treatment.
Risk Categories
Risk Categories provide a basis for ensuring that the scope of risks assessed is relevant. Risk Categories form a useful checklist for consideration during Risk Identification workshops. Examples of Risk Categories for the delivery of Programs and Projects are:
- Project Delivery Capability (within all stakeholder groups)
- Governance and Management (within Programs and Projects)
- Engineering and Technical Capability
- Financial Capability (to Fund the Programs and Projects)
- Stakeholder Engagement (within all stakeholder groups)
- Business Environment (political and regulatory aspects)
Risk Identification
A risk is most meaningful when expressed in terms of ‘cause and effect’. It is often more useful to consider realistic worst-case scenarios. A useful structure takes a tabular form (as shown below with examples). Tables should be prepared for each of the Risk Categories – this has the effect of ensuring that the set of risks is complete.
| Root Cause | Likely Effects |
| --- | --- |
| The budget appears to be too low for a project of this scope and complexity | |
| Project resources have insufficient experience in similar projects of this scope and complexity | |
| Etc. | Etc. |
Risk Analysis and Evaluation
Thorough Risk Identification workshops will invariably identify a large list of risks at varying degrees of importance and severity. The beauty of brainstorming is that it places no limits on ideas/contributions, but it also results in ‘a lot of chaff, as well as some valuable wheat’. Sifting through risks, in order to identify those with possible/probable adverse impacts, is a critical exercise.
Risk Treatment
The most important part of Risk Management is to take actions that:
- Minimise the occurrence of risks that manifest as serious issues/problems
- Minimise the impacts of risks when they do manifest as issues/problems
The key options for Risk Treatment are:
- Treat the risk, which will generally affect the scope, cost, time and/or quality of the Program/Project
- Monitor the risk, but only treat the risk when/if it poses a more significant threat to the Program/Project
- Accept the risk and do nothing
It is essential that all Risk Treatments be reflected in a Project Schedule, in order that effective planning and control takes place. This is a reflection that Risk Management is an essential component of governance and management.
Contingency Management
Contingency Management is a discipline where the prudent utilisation of a Contingency Budget is managed.
A special type of Risk Treatment is one that has not been reflected in a Program or Project Schedule, and so has no attributable costs or timeframe. It has often been identified but will only be triggered if certain circumstances arise.
This scenario should be handled through the definition of Program and Project Contingencies (costs and time). A Contingency Budget should be comprised of allocations for the various Risk Categories, rather than simply being identified as a ‘big bucket’ of money and time.