Project managers are used to managing risks in their projects; it is what we do. Project management methods also have risk management built into their processes, but unless we are directly involved in the business continuity industry, we are less likely to have any input into the treatment of disaster threats, except in specific areas related to project deliverables.
As project managers, we know there is a risk that the building may burn down, but we have a sprinkler system, a fire brigade on standby, emergency exits, regular backups with offsite storage, fire drills and an insurance policy, so we don’t manage that risk ourselves. It is left to threat management and our disaster recovery people.
Even if we have treated risks, they may still occur, and what will be the impact on our project if they do? While we can never have a risk-free environment, how do we decide if we have done enough risk management and disaster recovery in our organisation, and whether it is value for money?
Risk management and disaster recovery both use the same equation:
IF <risk> THEN <consequence>
In a project, the consequences are normally an impact on the delivery of outputs, which in turn reduces the benefits we expect from them. But is it so simple for threats? Let’s look at the differences.
While there is a fundamental difference in the treatment of risks and threats in terms of type, impact and time frame, in both cases we still aim to reduce probability and impact.
Risk management in projects is about balancing the impact of a risk and its level of uncertainty against the risk tolerance, or appetite, of the organisation. This requires a valid, repeatable way of determining the level of risk we will accept, and then of expressing that level as a value the organisation can understand.
One method is to develop a probability impact grid or similar tool, overlaid with the risk appetite. The following is an example.
Each risk should be rated in terms of its probability of occurrence and its impact on the project, with each expressed as a fraction between 0 and 1. These two figures are multiplied together to determine an individual rating for each risk, expressed as a percentage.
Probability x Impact x 100 = Risk Percentage
We then decide the level of risk we will accept, based on a percentage figure. In the table above, the cut-off points were below 5% (green), 5% to 15% (yellow) and above 15% (red), but these bands are decided by the business, and exactly which band the boundary values fall into should be stated so that every risk lands in one sector.
Red sector risks require proactive management (mitigation) to bring them down to a lower level, the yellow or green sector. Risks whose initial or residual rating is in the yellow sector require reactive management (contingency): a plan that is applied only if the risk occurs, to reduce its overall effect. Green sector risks should be monitored, but have no proactive or reactive treatment applied (acceptance).
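The following is an added worked example of the rating and banding procedure described above; it is not code from the original article. It applies the Probability x Impact x 100 formula to a small constructed risk register, assigns each risk to a sector, and re-rates each risk with its residual probability and impact after any planned mitigation, so the treatment is chosen on the residual rating as the text requires. The 5% and 15% cut-offs come from the article; treating the boundary values themselves as belonging to the lower band, and the sample risks and their figures, are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Sector cut-offs as percentages. The article gives 5% and 15%; whether the
# exact boundary values count as the lower or upper band is a local decision,
# so the inclusive-upper-bound convention below is an assumption.
GREEN_MAX = 5.0
YELLOW_MAX = 15.0

TREATMENT = {
    "green": "accept: monitor only",
    "yellow": "contingency: reactive plan, applied only if the risk occurs",
    "red": "mitigation: proactive action to lower probability and/or impact",
}


@dataclass
class Risk:
    name: str
    probability: float                            # 0.0 .. 1.0
    impact: float                                 # 0.0 .. 1.0
    residual_probability: Optional[float] = None  # expected after mitigation
    residual_impact: Optional[float] = None       # expected after mitigation


def risk_percentage(probability: float, impact: float) -> float:
    """Probability x Impact x 100, with both inputs as fractions of 1."""
    for value in (probability, impact):
        if not 0.0 <= value <= 1.0:
            raise ValueError("probability and impact must be between 0 and 1")
    return round(probability * impact * 100, 2)


def sector(percentage: float, green_max: float = GREEN_MAX,
           yellow_max: float = YELLOW_MAX) -> str:
    """Map a risk percentage onto the green / yellow / red sectors."""
    if percentage <= green_max:
        return "green"
    if percentage <= yellow_max:
        return "yellow"
    return "red"


def rate_register(risks: List[Risk]) -> List[dict]:
    """Rate every risk, initial and residual, and order the register with the
    highest initial rating first so the red sector sits at the top."""
    rows = []
    for r in risks:
        initial = risk_percentage(r.probability, r.impact)
        p = r.probability if r.residual_probability is None else r.residual_probability
        i = r.impact if r.residual_impact is None else r.residual_impact
        residual = risk_percentage(p, i)
        rows.append({
            "name": r.name,
            "initial_pct": initial,
            "initial_sector": sector(initial),
            "residual_pct": residual,
            "residual_sector": sector(residual),
            # Treatment is decided on the residual rating, per the article.
            "treatment": TREATMENT[sector(residual)],
        })
    return sorted(rows, key=lambda row: row["initial_pct"], reverse=True)


# Constructed sample register: illustrative figures, not taken from the article.
SAMPLE_REGISTER = [
    Risk("Key supplier misses delivery date", 0.5, 0.6, residual_probability=0.2),
    Risk("Test environment unavailable for a week", 0.3, 0.3),
    Risk("Minor scope clarification needed", 0.4, 0.1),
]

if __name__ == "__main__":
    for row in rate_register(SAMPLE_REGISTER):
        print(f"{row['name']:<42} initial {row['initial_pct']:5.1f}% "
              f"({row['initial_sector']})  residual {row['residual_pct']:5.1f}% "
              f"({row['residual_sector']})  -> {row['treatment']}")
```

In the sample, the supplier risk starts at 30% (red) and mitigation that brings its probability down to 0.2 leaves a residual 12% (yellow), so it still needs a contingency plan rather than being simply accepted; the scope risk at 4% is accepted and monitored only.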