Project risk is unavoidable, but how do you prepare for it? Knowing all the possible risks is one step towards knowing what to do when risk becomes reality.
Anyone in a managerial position should already be familiar with risk. After all, the Australian working environment demands that we comply with all manner of occupational health and safety laws, which involves assessing and managing workplace risk. In this context, risk is the possibility of a negative event occurring.
Assessing project risk is therefore about weighing up probabilities, and about weighing up the consequences of those probable events in relation to a project. However, argues UK-based certified risk manager Dr David Hillson, risk is not always negative.
“We have to remember that in the project risk management world, we’re looking for positive risks as well as negative risks. The scope of the risk process includes finding threats which could delay us, cost us money, destroy performance, destroy value, but the risk process also scopes opportunities to enhance value, save time, save money, improve performance.”
Risk is therefore better defined as uncertainty that may influence a project’s objective—positively or negatively—says Hillson, better known in project management circles as the Risk Doctor for his comprehensive understanding of risk, its diagnosis and treatment. ‘Treatment’ is the key word, not mitigation.
“Mitigation implies making something smaller, so ‘risk mitigation’ is no longer appropriate. ‘Risk treatment’ has been deliberately chosen because it’s neutral. You can treat a threat by mitigating it: you treat an opportunity by enhancing it,” he explains. “The challenge when you’re looking at risk is to find the worst threats and the best opportunities, and knowing which ones to tackle first and how to do that.”
The first thing a project manager needs to be comfortable with is the idea that you can never identify every risk that may affect a project. While you can rack up all the knowable risks in a project, there are always going to be unknowable risks, says Hillson.
“Unknowable risk arrives from three things: there are inherently unknowable things that you just cannot and will not ever perceive in advance; there are emergent risks which appear with time, so at early parts of the project you can’t see the risks that might appear later; the third is dependent risks, risks that we introduce into the project by our earlier activities, for example some of our earlier design choices introduce implementation risks,” he describes.
The existence of unknowable risks means that project managers need to make the risk management process cyclical, and therefore reassess a project as it progresses to take care of the emergent and dependent risks.
Hillson’s advice to project managers is to look beyond your comfort zone. “Technical people tend to look for technical risks and forget the other sources of uncertainty. Don’t limit your view of risks to things that you’re comfortable with,” he says.
Using a framework such as a risk breakdown structure (RBS) will help to identify a broad range of risk types by prompting project managers to think outside their area of familiarity. Some industries, such as IT, have developed an RBS specific to their sector, but risk practitioners often have RBS material available for general use, which can be tailored to specific projects once placed in context. The RBS is hierarchical, describing all potential sources of risk via categories.
“We have four major sources of risks: technical risk, management risk, commercial risk and external risks,” says Hillson. “Under those headings we describe a number of subheadings. Sources of technical risks, for example, might include process requirements. Sources of management risk might be resources, information, communication and organisation. Sources of commercial risk might be terms and conditions of contract, liabilities, procurements, and sources of external risk might be weather and competition and exchange rates and regulatory framework, for example.”