What are the five steps in risk management process?

There are four steps in the risk management process. These include:

1. Identifying the risks

2. Assessing the risks

3. Prioritizing the risks

4. Mitigating the risks

What are common project risks?

Project risk management is a process of managing risks associated with projects. It involves identifying,
assessing, and mitigating risks.

Some of the common types of project risk are:

- Project scope change

- Budget change

- Schedule changes

- Technology changes

- Resource availability changes

What is risk management within project management?

Risk management is the process of identifying, assessing, and controlling risks. Risk management is the
practice of implementing measures to reduce or eliminate the impact of a risk.

Risk management can be applied to any project that has uncertainty and risk involved. Every project has
risks associated with it that are unique to its nature and size. Risk management is an important part of
project planning and execution to ensure that risks are minimized as much as possible.

What is Risk Management in Project Management?

Risk management is a process of identifying, evaluating, and controlling the risks that are associated
with a project. Risk management is important for project managers to ensure that all stakeholders are
satisfied with the project.

The role of risk management in a company can vary depending on its size and industry. For example, in
smaller companies risk might not be managed by one person. Instead, it might be shared across
departments like marketing or operations. In larger companies, risk management might involve an entire
department dedicated to managing risks such as human resources or legal departments.
Risk management can be done in many different ways. Risk exposure is the process of determining the
highest risk. After risk exposure has been identified, there are four main strategies for dealing with
project management risks.

 Risk assessment

 Risk mitigation

 Risk avoidance

 Transferring risk

Risks can be divided into two categories: project-related risks and organizational-related risks. Project-
related risks are those that are specific to a particular project, while organizational-related risks are those
that are common to all projects but specific to the organization.

While risk management is important, it should not be seen as an obstacle in the progress of a project but
rather as an opportunity for improvement. Risk management is important as it helps in reducing or
eliminating all risks that could potentially affect the success of a project. It also helps in minimizing any
negative consequences due to unforeseen events.

Types of Project Risk

Project risk is the potential of a project to fail. There are three main types of project risks: cost, schedule,
and performance.

Cost: The cost can be a financial cost or even a time-based one. A risk could be due to the budget being
too tight or the project taking too long to complete.

Schedule: The schedule is an important factor that affects the project's success. A risk could be due to
the lack of resources, a lack of quality work, or even miscommunication between parties involved in the
project.

Performance: Performance issues are what keep projects from being successful. Performance includes
everything from how well it performs in terms of speed and accuracy to how well it's received by its
target audience.

Project Risk Management Examples

Risk response strategies are a way to reduce the risk of project failure. There are four types of risk
response strategies: transferring, accepting, mitigating and avoiding.

Risk Response Planning—Current Practice

Most risk management guidelines recognize at least four types of strategy in responding to identified
risks. Hillson (1999a, 1999b) defines risk response strategy types as:
• Avoid—seeking to eliminate uncertainty

• Transfer—passing ownership and/or liability to a third party

• Mitigate—reducing the probability and/or severity of the risk below a threshold of acceptability

• Accept—recognizing residual risks and devising responses to control and monitor them

The commonly used risk standards and guidelines adopt identical or similar sets of strategies, with minor
variations in terminology (APM-BoK, 2000; Australian/New Zealand Standard AS/NZS 4360, 1999; Simon
et al., 1997; Institution of Civil Engineers et al., 1998; Project Management Institute, 2000). The intention
is to provide a strategic framework of response types, allowing a suitable response strategy to be
selected for each identified risk, which can then be developed into actions for dealing with the risk
proactively.

Since similar approaches to risk response planning are widely promulgated in risk management
standards and guidelines (Australian/New Zealand Standard AS/NZS 4360,1999; Simon et al., 1997;
Institution of Civil Engineers et al., 1998; Project Management Institute, 2000), it represents current
practice in terms of risk response planning. It is clear however that if the risk management process is to
encompass management of opportunities, then the traditional approach to risk response planning is
inadequate, since it is mainly targeted at threats. Clearly no project manager would wish to avoid an
opportunity, neither is it usually considered appropriate to transfer a potential benefit to a third party.
Mitigating an opportunity to make it smaller is also the wrong approach, and passively to accept that an
opportunity might happen seems unwise.

Given that the Risk Response Planning phase has the most direct influence over risk exposure, one might
expect this phase to be the part of the risk management process, which most clearly targets both
opportunities as well as threats. However some modification is required to the standard risk response
strategies to make them suitable for handling opportunities.

Opportunity Response Strategies

Exploit

The aim of this risk response strategy is to eliminate the uncertainty associated with a particular upside
risk. An opportunity-risk is defined as an uncertainty that if it occurs would have a positive effect on
achievement of project objectives. The exploit response seeks to eliminate the uncertainty by making
the opportunity definitely happen. Whereas the threat-risk equivalent strategy of avoid aims to reduce
probability of occurrence to zero, the goal of the exploit strategy for opportunities is to raise the
probability to 100%—in both cases the uncertainty is removed. This is the most aggressive of the
response strategies, and should usually be reserved for those “golden opportunities” with high
probability and potentially high positive impact, which the project or organization cannot afford to miss.

In the same way that risk avoidance for threats can be achieved either directly or indirectly (see Hillson
1999a, 1999b), there are also direct and indirect approaches for exploiting opportunities. Direct
responses include making positive decisions to include an opportunity in the project scope or baseline,
removing the uncertainty over whether or not it might be achieved by ensuring that the potential
opportunity is definitely locked into the project, rather than leaving it to chance.
Indirect exploitation responses involve doing the project in a different way in order to allow the
opportunity to be achieved while still meeting the project objectives, for example by changing the
selected methodology or technology. Where avoidance goes round a threat so that it cannot affect the
project, exploitation stands in the way of the opportunity to make sure that it is not missed, in effect
making it unavoidable.

Share

One common objective of the Risk Response Planning phase is to ensure that ownership of the risk
response is allocated to the person or party best able to manage the risk effectively. For a
threat, transferring it passes to a third party both liability should the threat occur and responsibility for
its management. Similarly, sharing an opportunity involves allocating ownership to a third party who is
best able to handle it, both in terms of maximizing the probability of occurrence, and in increasing
potential benefits should the opportunity occur. In the same way that those to whom threats are
transferred are liable for the negative impact should the threat occur, those who are asked to manage an
opportunity should share in its potential benefits.

Clearly it is sensible to consider project stakeholders as potential owners of this type of response, since
they already have a declared vested interest in the project, and are therefore likely to be prepared to
take responsibility for managing identified opportunities proactively.

A number of contractual mechanisms can be used to transfer threats between different parties, and
similar approaches can be used for sharing opportunities. Risk-sharing partnerships, teams, special-
purpose companies or joint ventures can be established with the express purpose of managing
opportunities. The risk-reward arrangements in such situations must ensure equitable division of the
benefits arising from any opportunities that may be realized. The target-cost-incentivization type of
contract is also suitable for both threats and opportunities, since it provides a mechanism for distributing
either profit or loss.

It is important that risk sharing does not become mere abdication of responsibility on the part of the
project manager, who should retain an active involvement in the management of all risks that could
affect project objectives.
Enhance

For risks that cannot be avoided/exploited or transferred/shared, the third type of response strategy
aims to modify the “size” of the risk to make it more acceptable. In the case of threats, the aim is
to mitigate the risk to reduce probability of occurrence and/or severity of impact on project objectives.
In the same way, opportunities can be enhanced by increasing probability and/or impact, by identifying
and maximizing key risk drivers.

The probability of an opportunity occurring might be increased by seeking to facilitate or strengthen the
cause of the risk, proactively targeting, and reinforcing any trigger conditions that may have been
identified. (Of course if probability is increased to 100%, then this is effectively an exploit response.)
Impact drivers that influence the extent of the positive effect can also be targeted, seeking to increase
the project's susceptibility to the opportunity, and hence maximize the benefits should it occur.

Where several opportunity-risks have been identified as arising from a common cause, it may be
particularly cost-effective to look for generic enhancement actions that target the common cause. If
these actions are successful they will influence more than one opportunity, and could result in a
significant increase in benefits to the project.

Risk enhancement responses are likely to be specific to the individual opportunity-risk identified, since
they address the particular causes of the risk and its unique effects on project objectives. It is therefore
not possible to provide a comprehensive list of actions under this strategy, and a considerable variety of
actions are to be expected.

Ignore

Residual risks are those that remain after avoid/exploit, transfer/share, and mitigate/enhance responses
have been exhausted. They also include those minor risks where any response is not likely to be cost-
effective, as well as uncontrollable risks where positive action is not possible. The common terminology
adopted for threats in these categories is to accept the risk, with application of contingency where
appropriate, and ongoing reviews to monitor and control risk exposure.

Opportunities that cannot be actively addressed through exploiting, sharing or enhancing can perhaps
be ignored, with no special measures being taken to address them. In the same way
as accepting threats, ignoring opportunities involves taking the risk and hoping to “get lucky”—whereas
for a threat this would mean hoping that the risk will not occur, for an opportunity one hopes that it will.
The ignore strategy might appear to mean taking no action at all, but a better phrase would be “Do
nothing, but …”

One way in which opportunities can be included in the project baseline without taking special action to
address them is by appropriate contingency planning. As for threats, this involves determining what
actions will be taken should the opportunity occur, preparing plans to be implemented in the
eventuality. Funds could be set aside to be spent on emerging opportunities, or resources and facilities
nominated to be used if necessary.

It is also important for the project team to remain risk-aware, monitoring the status of identified
opportunities alongside threats to ensure that no unexpected changes arise, and the use of an
integrated risk process to manage both threats and opportunities together will assist in achieving this
goal (Hillson, 2001).

Risk Response Effectiveness

Seven criteria have been defined (Hillson, 1999a) against which the effectiveness of risk responses can
be assessed, summarized as:

• Appropriate—the correct level of response must be determined, based on the “size” of the risk. This
ranges from a crisis response where the project cannot proceed without the risk being addressed,
through to a “do nothing” response for minor risks.

• Affordable—the cost-effectiveness of responses must be determined, so that the amount of time,

effort and money spent on addressing the risk does not exceed the available budget or the degree of risk
exposure. Each risk response should have an agreed budget.

• Actionable—an action window should be determined within which responses need to be completed in
order to address the risk. Some risks require immediate action, while others can be safely left until later.

• Achievable—there is no point in describing responses which are not realistically achievable or feasible,
either technically or within the scope of the respondent's capability and responsibility.

• Assessed—all proposed responses must work! This is best determined by making a “post-response risk
assessment” of the size of the risk assuming effective implementation of the response.

• Agreed—the consensus and commitment of stakeholders should be obtained before agreeing

responses.

• Allocated and accepted—each response should be owned and accepted to ensure a single point of
responsibility and accountability for implementing the response.

These criteria were originally outlined in relation to the types of risk response commonly implemented
to deal with threats. However the same criteria apply equally to opportunity responses, which must also
be appropriate, affordable, actionable, achievable, assessed, agreed, allocated, and accepted. The two-
stage approach should also be applied for opportunities as for threats (Hillson, 1999a), namely selecting
a response strategy first (which is appropriate/affordable/etc…), then developing tactics to implement
the chosen strategy. This strategic approach to risk response planning should be followed for each
identified risk, whether it is a threat or an opportunity.