Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. A risk has a cause and if it occurs a consequence. In order to maximize the probability and consequences of positive events and minimize the probability and consequences of adverse events to project objectives, risk management processes must be established.
During the Project Initiation Phase, the risks that might affect the project must be identified and their characteristics must be documented in the Risk Log. The Risk Log is a document that needs to be created during the preparation of Project Fiche and be refined at the next phases of the Project Management Cycle. The Risk Log is a control tool for the Project Manager providing a quick reference to the key risks facing the project, what monitoring activities should be taking place and by whom.
A template of Risk Log is presented in Annex 1-6. In this template except of the suggested structure, guidance is also provided. Furthermore, in the same Annex a completed Risk Log14 [ This example refers to existing Cypriot Project that has been funded by EU Transition Funds. ] is presented in order to facilitate the understanding on how each section should be completed.
When Project Owner studies the Project Fiche, also examines the Risk Log and must decide whether project initiation can be justified or whether there are serious threats for the project’s success. Pragmatically, the Project design team (or the Project Manager if he/she has been appointed) should have discussed informally with the representatives of the Project Owner any known risks that seem to threaten the project’s viability.
Risk identification is an iterative process. The risks identified and registered in the Risk Log during the preparation of Project Fiche, are evident, normally concerning availability of resources, impending or mooted legislation, dependencies with other projects and their results. These risks should be refined during the Planning Phase when the Project Plan is being created. Generally, there should be a check for any new risks every time the Risk Log is reviewed, at least at the end of each stage. The Project Steering Committee has the responsibility to continually check external events for external risks.
Risks Identification
Techniques to be used for the identification of possible risks during the Project Initiation Phase are being presented below:
| ● | Performing structured review of the Business Case Document as well as the project’s approach recorded in the Project Fiche |
| ● | Performing brainstorming. The project design team usually performs brainstorming, although a multidisciplinary set of experts can also perform this technique. Under the leadership of a person who plays the role of the facilitator, these people generate ideas about possible project risks. |
| ● | Risks can be identified by interviews of experienced project managers or subject –matter experts. The appropriate individuals have to be identified, the design team briefs them on the project and the interviewees based on their experience identify risks |
| ● | The design team uses as a guide an almost standard checklist of possible risks, which is usually developed based on historical information and knowledge that has been accumulated from the implementation of different scale and type projects. Since it is impossible to build an exhaustive list of risks, care should be taken to explore items that do not appear at a standard checklist if they seem relevant to the specific project. |
The Checklist presented below has been developed for PRINCE2 Methodology and could be used as a starting point for identifying the main areas of risks for projects implemented using in sourcing or outsourcing.
Checklist 1-4: Risk identification
Strategic/ Commercial risks |
|
Under performance to specification |
|
Management will under-perform against expectations |
|
Collapse of contractors |
|
Insolvency of Funding Source (applicable only in case of Private contribution in the funding) |
|
Failure of suppliers to meet contractual commitments, this could be in terms of quality, quantity, timescales or their own exposure to risk |
|
Insufficient capital revenues |
|
Market fluctuations |
|
Fraud/ theft |
|
Partnerships failing to deliver the desired outcome |
|
The situation being non insurable (or cost of insurance outweighs the benefit) |
|
Lack of availability of capital investment |
|
Economic/ financial/ market |
|
Exchange rate fluctuation |
|
Interest rate instability |
|
Inflation |
|
Shortage of working capital |
|
Market developments will adversely affect plans |
|
Legal and regulatory |
|
New or changed legislation may invalidate assumptions upon which the activity is based |
|
Failure to obtain appropriate approval, e.g. planning consent |
|
Unforeseen inclusion of contingent liabilities |
|
Failure to achieve satisfactory contractual arrangements |
|
Unexpected regulatory controls or licensing requirements |
|
Changes in tax structure |
|
Organisation/ Management/ Human factors |
|
Management incompetence |
|
Inadequate corporate policies |
|
Inadequate adoption of management practices |
|
Poor leadership |
|
Key personnel have inadequate authority to fulfil their roles |
|
Key personnel have inadequate time to deal with the project due to heavy workload |
|
Poor staff selection procedures |
|
Lack of clarity over roles and responsibilities |
|
Vested interests creating conflict and compromising the overall aims |
|
Group interests given unwarranted priority |
|
Indecision or inappropriate decision making |
|
Lack of operational support |
|
Inadequate or inaccurate information |
|
Health and safety constraints |
|
Political |
|
Change of governmental policy (national or international) |
|
Change of government |
|
War or disorder |
|
Adverse public opinion/ media intervention |
|
Environmental |
|
Natural disasters |
|
Storms, flooding, tempests |
|
Pollution incidents |
|
Transport problems, including aircraft/vehicle collisions |
|
Ecosystem (flora, fauna) disturbance |
|
Technical/ Operational/ Infrastructure |
|
Inadequate design |
|
Professional negligence |
|
Human error/ incompetence |
|
Infrastructure failure |
|
Operation lifetime lower than expected |
|
Residual value of assets lower than expected |
|
Increased dismantling/ decommissioning costs |
|
Safety being compromised |
|
Performance failure |
|
Residual maintenance problems |
|
Scope “creep” |
|
Unclear expectations |
|
Breaches in security/ information security |
|
Lack of inadequacy of business continuity |
|
Risk Assessment
Risk assessment is the process of assessing the impact and probability of identified risks.
Risk Probability is the likelihood that a risk will occur. Risk impact is the effect on project elements if the risk event occurs. For example, major damage to a building is relatively unlikely to happen (low probability), but would have enormous impact on business continuity. Conversely, occasional personal computer system failure is fairly likely to happen (high probability), but would not usually have a major impact on the business.
Impact should be considered under the elements of:
| ● | Scope |
| ● | Timescale |
| ● | Quality of deliverables |
| ● | Benefit |
| ● | People/ resources |
When considering a risk’s probability, another aspect is when the risk might occur. Some risks will be predicted to occur further away in time than others, so attention has to be paid on the more immediate ones.
In order to increase the visibility of risks and assist management decision making, the probability/ impact risk rating matrix (or Risk Profile – as it is called in PRINCE2 Methodology) can be used. It is a graphical representation of information normally found in Risk Logs. An example of a completed Risk Rating Matrix is presented in the figure below (Tool 1-7).
The horizontal axe represents the risk’s impact and its scale reflects the severity of its effect on the project. Impacts can be ordinal or cardinal, depending on the culture of the organization conducting the analysis. Ordinal scales are simply rank ordered values, such as very low, low, medium, high and very high. Cardinal scales assign values to these impacts. These values could be linear or nonlinear (e.g. 0,1 – 0,3 – 0,5 – 0,7 – 0,9). Both approaches intend to assign a relative value to the impact if the risk in question occurs. However, the ordinal scales are the ones most in use.
The vertical axe represents the risk’s probability. Assessing risk probability may be difficult and expertise of individuals, who have managed similar projects in the past, may be needed. An ordinal scale, representing relative probability values such as: very low (= very unlikely), low, medium, high, very high (= almost certain), could be used. Alternatively, specific probabilities could be assigned by using a general scale like 0,1 – 0,3 – 0,5 – 0, 7 – 0,9.
The thick black line represents the “risk tolerance line”. This line is defined for a specific project by agreement between the Executive and Project Manager and indicates how much risk the Project Steering Committee is prepared to take. It may be prepared to take comparatively large risks in some areas and none at all in others, depending on the characteristics of the project, as well as the general policy of the organisation regarding the risk tolerance. For example in case of an EU funded project, the Project Steering Committee may have very little financial risk tolerance, but allow for more risk tolerance in terms of political changes. When setting the risk tolerance line, it is important to find the optimum balance of accepting a risk’s occurrence against the cost of limiting that risk. In any case, the risk tolerance line should reflect not only the acceptance or not of individual (specific) risks, but also the organisation’s overall tolerance of exposure to risk.
Risks with high probability and high impact are positioned above and right of the “risk tolerance line” and usually need more thorough examination and aggressive formal risk management.
Probability |
|
|
|
|
|
Very High |
|
|
|
|
|
High |
|
2* |
4* |
|
|
Medium |
1* |
|
3* |
5* |
|
Low |
|
|
|
|
|
Very Low |
|
|
|
|
|
Impact |
Very Low |
Low |
Medium |
High |
Very High |
* The numbers in the cells represent the ID numbers of the identified risks of a certain project.