Once a risk has been analysed, you must implement risk controls to minimise the risks in your project. In this topic, you will learn how to document risks, tools and techniques for controlling risks and risk treatment options.
By the end of this topic, you will understand:
- how to identify and document existing risk controls
- how to analyse risk treatment options using agreed consultative methods
- how to record and implement agreed risk treatments
- how to update risk plans and allocate risk responsibilities to project team members
Project risks should be documented in a risk register, which includes:
- a list of all of the identified risks,
- their root causes and
- categories and responses.
The risk register must be updated continuously throughout the lifetime of the project.
The key advantage of controlling risk using tools such as risk registers is to minimise risk and improve efficiency throughout the entire project lifecycle. The inputs, tools and techniques, plus the outputs of this process, are depicted in the following figure (Project Management Institute).
[Figure: Control Risks, shown as Input | Tools and techniques | Outputs]
Control Risks: Tools and Techniques
The following tools and techniques are practical and popular methods for controlling risks:
- Risk reassessment - Risk reassessment includes identifying risks, assessing current risks and closing risks that are outdated. Project risk reassessments should be regularly scheduled.
- Risk audits - Risk audits examine and document the effectiveness of risk handling processes. The project manager ensures that risk audits are performed, as defined within the project’s risk management plan.
- Technical Performance Measurement - This compares technical accomplishments during project execution to the project schedule. Technical performance measurement requires the definition of objectives and the measurement of performance, with actual results compared against targets.
- Meetings - Project risk management should be an agenda item at periodic status meetings. The amount of time required to discuss risks will depend upon the type of risk, priority and difficulty of response.
Control risks: outputs
As described in the PMBOK Guide (Fifth Edition), the outputs for controlling risks are:
- Change requests - Change requests are prepared and submitted to document changes within the project. Implementing contingency plans or workarounds will sometimes lead to a change request.
- Recommended corrective actions - These are activities that realign the performance of the project work with the project management plan. One type of corrective action is a workaround. Workarounds are planned responses to deal with emerging risks that were previously unidentified or dismissed.
- Recommended preventive actions - These are activities that ensure that the project work's future performance is aligned with the project management plan.
- Project Management Plan updates - Project Management Plans are revised and reissued to reflect approved changes.
Once risks are identified, analysed and evaluated, the appropriate risk treatment should be applied. An organisation might prefer to retain a risk if it is inevitable, unavoidable or lies within the accepted risk tolerance level. The risk tolerance and risk appetite of an organisation will therefore have an impact on the risk treatment.
Risk treatment involves a range of processes, including:
- The formulation and selection of risk treatments
- The implementation of the required action for each risk
- An assessment of residual risk
- Determining further controls if the residual risk is still too high
- Assessing the effectiveness of the risk treatment in the long term.
Risk treatment process
Risk treatment is a step within the risk management process that follows the risk assessment step. Within the risk assessment, all the risks have to be identified, and risks that are not acceptable must be selected. The main task within the risk treatment step is to select one or more options for treating each unacceptable risk, i.e. to decide how to mitigate all these risks.
Risk treatment plan
The risk treatment plan is the point at which theory ends, and reality begins. A good risk assessment and risk treatment process will produce a very usable action plan for the project that addresses risk.
Resource: Read the article "Risk assessment, treatment and management: the complete guide" by Dejan Kosutic to learn more about the risk treatment process and treatment plans.
Consultative process
Interview stakeholders to discuss the risks and treatment options. Stakeholders know the business best and can provide valuable insight into the best treatment options. Stakeholders can provide feedback about optimistic best-case scenarios and pessimistic high-risk scenarios.
Planned risk responses must be:
- appropriate to the importance of the risk
- cost-effective in meeting the challenge
- realistic within the project context
- approved by all parties involved
- owned by a responsible person
Handling threats or negative risks
There are four possible strategies for handling threats or risks:
Avoid
The Avoid strategy involves acting to reduce the probability of the risk, its impact, or both, to zero. This enables the risk to be removed entirely.
Example
CBSA has hired a supplier to provide 200 computers for a client’s new office renovation. They must determine if the supplier can access a large amount of stock. CBSA has a preferred local supplier that they use to upgrade their current office. What process should be put in place to avoid this risk? Can they use their local supplier, or should they engage a larger supplier?
Transfer
The Transfer strategy involves transferring the risk to a third party. This strategy does not eliminate the risk; it simply transfers the liability to another person.
This can be done by:
- Taking out insurance (the insurance firm is now liable) or
- Having the work done under a fixed-price contract (the contractor is now liable).
Mitigate
The Mitigate strategy involves taking early action to address the probability of a risk occurring. This process is put in place when it is more effective to address the risk than to try to repair the damage after it has happened.
Accept
The most common strategy, Accept, involves accepting that the risk is present and determining a contingency to handle it. This contingency may include time and money. Acceptance of risk is typically chosen because the risk is low in terms of impact or probability, or because the cost and effort of taking the necessary actions are out of proportion to the risk itself.
Ways to control project risks
Planned risk responses that are included within the project plan are executed during the lifecycle of the project. Still, the project work should be continuously monitored for new, changing and outdated risks. Several techniques may be used to control risks.
Reassessment
Project risk reassessments should be regularly scheduled to keep the risk register updated. The amount and detail of repetition that is appropriate depends on how the project progresses relative to its objectives, as well as which risks (if any) actually manifest themselves (Project Management Institute).
Audits
These should be scheduled within the risk plan and examine the effectiveness of risk responses in handling identified risks and their root causes. The objectives should be clearly defined beforehand. The audit may form part of the routine project review meetings or be run separately, each producing its own project audit report.
Performance measurement
This is often designed to indicate the degree of technical risk faced by a project, with deliverables measured against the plans in a quantitative way, e.g. response times, the number of defects, etc. This can predict the degree of success in achieving the technical aims of the project (Project Management Institute).
After a treatment option has been chosen for a specific risk, an action plan is often developed to implement the treatment option. This action plan should state at a minimum:
- What the risk event is
- What actions are required
- Who is responsible for the various actions
- Timelines for execution
- Monitoring processes.
As with any business process, the implementation of the treatment plan should include:
- Identifying stakeholders
- Identifying key personnel
- Developing timelines
- Training and communication processes
- Collection of data and formation of baselines
- Development of performance outcomes measures
- Examination of outcomes
- Feedback
The risk management plan informs the project team about how risks will be managed. The risk management plan includes risk assessment, who is responsible for managing and monitoring the risk and the frequency of risk planning.
Allocate risk responsibilities for each of the identified risks. Most organisations distribute the documented risk management plan and allocate responsibilities through project management software.
Keep a log of who has received a copy of the risk management plan.
The log should contain a minimum of:
- Person’s name
- Title
- Department
- Phone number
- Office location