Risk
analysis is essential for effective management of risk. It comprises three
activities:
|
Risk identification,
which determines the potential risks that could be faced by the project |
|
Risk estimation, which
determines how important each risk is, based on an assessment of its
likelihood and consequences to the project and business |
|
Risk evaluation, which
decides whether the level of each risk is acceptable or not and, if not, what
actions can be taken to make it more acceptable. |
The
actions break into broadly five types:
|
Prevention, where
countermeasures are put in place which either stop the threat or problem from
occurring, or prevent it having any impact on the project or business |
|
Reduction, where the
actions either reduce the likelihood of the risk developing, or limit the
impact on the project to acceptable levels |
|
Transference, which is a
specialist form of risk reduction where the impact of the risk is passed to a
third party via, for instance, an insurance policy or penalty clause |
|
Contingency, where
actions are planned and organised to come into force as and when the risk
occurs |
|
Acceptance, where the
Project Board decides to go ahead and accept the possibility that the risk
might occur (believing that either the risk will not occur or the
countermeasures are too expensive). |
Any
given risk could have appropriate actions in any or all of the above
categories. Alternatively, there may be no cost-effective actions available to
deal with a risk, in which case the risk must be accepted, or the justification
for the project re-visited, i.e. is the project too risky?
The
results of the risk analysis activities are documented in the Risk
Log. If the
project is part of a programme, project risks should be examined for any impact
on the programme (and vice versa). Where any cross-impact is found the risk
should be added to the other Risk Log.
Risk
analysis activities are overlapping, with possibly many iterations involved.
Risk analysis is a process that will be conducted continuously throughout the
project as information becomes available, and as circumstances change. However,
there is a need to carry out a major risk analysis at the start of the project
as part of the processes:
Project
risks may, in turn, impact the Business
Case. There must also be at least an
assessment of all risks during Stage
Transitioning. Depending on the individual
project, there may be a need to re-assess risks on a more frequent basis. The
Project Manager and Project Board must constantly be on the lookout for new or
changed risks in the business and project environment, which will render the
project (as currently planned) wasteful or useless.