This is the second post in a five-part series from an article I wrote on this subject for the June 2016 issue of MultiLingual magazine. It is reproduced here with their permission.
The first part, already published, presented general definitions on the issue of risk, while this and the next deal with the generic frameworks provided by the Project Management Institute (PMI) and the ISO 31000 standard.
The Project Management Institute’s approach
The Project Management Institute (PMI) is, in its own words, “the world’s largest not-for-profit membership association for the project management profession, with more than 700,000 members, credential holders and volunteers in nearly every country in the world”.
PMI’s Project Management Body of Knowledge (PMBOK®) is widely recognized in the project management profession. It provides guidelines, best practices and a comprehensive methodology based on five process groups: (1) initiating, (2) planning, (3) executing, (4) monitoring and controlling and (5) closing.
These processes are further grouped into ten separate Knowledge Areas, defined as a set of concepts, terms and activities that make up a professional field, project management field or area of specialization.
Since project risk management is one of these ten areas, any implementation based on the PMBOK® Guide should take into account the whole picture, although that greatly exceeds the scope of this note.
The PMI identifies the six high-level risk management processes presented in Figure 1, where the first five belong to the planning group and the last one is a monitoring and controlling process.
Note that the processes are represented as a flow, from first to last, due to the fact that projects always have a beginning and an end. The more generic ISO 31000, in contrast, has a “closed loop” topology typically associated with processes.
Plan Risk Management is the process of defining how to conduct risk management activities for a project, including methodology, roles, criteria for prioritizing risks and communication policies. Its output is a project risk management plan. This process ensures that risk management efforts are commensurate with both the risks and the importance of the project to the organization.
Identify Risks is the process of determining which risks may affect the project and documenting their characteristics, thus providing the knowledge and the ability needed to anticipate events. This is an iterative process, as the risk information may evolve during the project. Its main output is the initial entry into the risk register, a document that will also receive the results of risk analysis and risk response planning.
Qualitative Risk Analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact, usually in a matrix such as the one presented in Fig. 2. This helps identify the risks that should be actively managed, and it is usually a quick and cost-effective means of planning risk responses.
Quantitative Risk Analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. Tools may include sensitivity analysis, expected monetary value (EMV) analysis, modeling and simulation. It may not be cost- or time-effective in small projects, where the qualitative analysis may be enough.
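As an added illustration of the two analysis steps just described, the following Python sketch keeps a small risk register, scores each entry on a probability/impact matrix for qualitative prioritization, and computes expected monetary value (EMV) for a simple quantitative view. This is example code written for this post, not from the article, the PMBOK® Guide or any PMI tool. The five-level scales, their numeric weights, the prioritization threshold and the register entries (a localization project) are all constructed assumptions; the article's Fig. 2 matrix is not reproduced here.

```python
from dataclasses import dataclass
from typing import List

# Constructed five-level scales (hypothetical weights; a real plan would define these
# in the risk management plan, matching its own probability/impact matrix).
PROBABILITY = {"very low": 0.1, "low": 0.3, "medium": 0.5, "high": 0.7, "very high": 0.9}
IMPACT = {"very low": 0.05, "low": 0.1, "medium": 0.2, "high": 0.4, "very high": 0.8}


@dataclass
class Risk:
    """One entry of the risk register."""
    name: str
    probability: str       # key into PROBABILITY
    impact: str            # key into IMPACT (qualitative impact on objectives)
    monetary_impact: float  # cost if the event occurs; negative values model opportunities

    def score(self) -> float:
        """Qualitative probability x impact score used to rank the register."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def emv(self) -> float:
        """Expected monetary value: probability times monetary impact."""
        return PROBABILITY[self.probability] * self.monetary_impact


def rating(risk: Risk) -> str:
    """Map a matrix score to a band; the cut points are constructed for this example."""
    s = risk.score()
    if s >= 0.2:
        return "high"
    if s >= 0.05:
        return "medium"
    return "low"


def prioritize(register: List[Risk], threshold: float = 0.08) -> List[Risk]:
    """Rank by score and keep only the risks that warrant active management."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [r for r in ranked if r.score() >= threshold]


def contingency_reserve(register: List[Risk]) -> float:
    """Sum of EMVs: a first estimate of the reserve the Accept strategy may set aside."""
    return sum(r.emv() for r in register)


def build_register() -> List[Risk]:
    """Constructed sample register for a localization project (illustrative values only)."""
    return [
        Risk("Key translator unavailable", "high", "high", 10_000.0),
        Risk("Client delays source files", "medium", "medium", 4_000.0),
        Risk("Translation memory server outage", "low", "very low", 500.0),
        Risk("Favourable exchange rate move", "low", "low", -2_000.0),  # opportunity
    ]


if __name__ == "__main__":
    register = build_register()
    for risk in sorted(register, key=lambda r: r.score(), reverse=True):
        print(f"{risk.name:36s} score={risk.score():.3f} rating={rating(risk):6s} EMV={risk.emv():9.2f}")
    print("Actively managed:", [r.name for r in prioritize(register)])
    print(f"Contingency reserve estimate: {contingency_reserve(register):.2f}")
```

The qualitative score only orders the register; the EMV figures are what a quantitative step would refine with sensitivity analysis or simulation, which is why the article notes that small projects may stop at the qualitative stage.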
Plan Risk Responses is the process of developing options and actions to enhance opportunities and to reduce threats to project objectives. The PMBOK® Guide identifies four strategies for responding to threats:
Avoid: to eliminate the threat or protect the project from its impact, usually by modifying the project plan to eliminate the threat entirely, isolating the objectives from the risk impact or changing the compromised objectives.
Transfer: to shift the impact of a threat to a third party, together with ownership of the response. Classic examples are insurance and outsourcing.
Mitigate: to reduce the probability of occurrence or impact of the risk, for example by adopting simpler processes, conducting more tests or by choosing more reliable suppliers.
Accept: to acknowledge the risk without taking any action unless it occurs. It can involve the establishment of a contingency reserve (time, money or resources) to handle the risk.
Control Risks is the process of implementing risk response plans, tracking identified risks and identifying new ones, monitoring residual risks and evaluating risk process effectiveness.