CCD 1104: Intro to

Project Management
Mbiri MS
St. Paul’s University, Nairobi
Campus
Social Science, Community
Development
Week 4: Risk management

• Project risk
• Definition and description of term
• Risks associated with project management
Introduction to Risk Management

• Risk management is the process of identifying, assessing, and

planning for possible risks associated with activities and events.
• The purpose is to generate ideas and practices to limit uncertainties,
potential dangers, and loss for your organization or group.
Describing Risk Management

• Risk management involves identifying and assessing project risks to

establish the probability that they will occur and the consequences
for the project if that risk does arise.
• You should make plans to avoid, manage or deal with likely risks if or
when they arise.
What is the Risk Management
process?

The Risk Management Process consists of

a series of steps that, when undertaken in
sequence, enable continual improvement in
decision-making.

5
 Steps of the Risk Management
Process?
Step 1. Communicate and consult.
Step 2. Establish the context.
Step 3. Identify the risks.
Step 4. Analyze the risks.
Step 5. Evaluate the risks.
Step 6. Treat the risks.
Step 7. Monitor and review.

6
7
Step 1.Communicate and consult

-Communication and consultation aims to

identify who should be involved in
assessment of risk (including
identification,analysis and evaluation) and it
should engage those who will be involved in
the treatment, monitoring and review of risk.

8
-As such, communication and consultation will be
reflected in each step of the process described here.

-As an initial step, there are two main aspects that should
be identified in order to establish the requirements for
the remainder of the process.

-These are communication and consultation aimed at:

A- Eliciting risk information
B-Managing stakeholder perceptions for
management of risk.

9
A- Eliciting risk information

-Communication and consultation may occur within the

organization or between the organization and its
stakeholders.

-It is very rare that only one person will hold all the
information needed to identify the risks to a
business or even to an activity or project.

-It therefore important to identify the range of

stakeholders who will assist in making this
information complete.

10
B-Managing stakeholder perceptions for
management of risk

11
Tips for effective communication and consultation

• Determine at the outset whether a communication

strategy and/or plan is required

• Determine the best method or media for

communication and consultation

• The significance or complexity of the issue or activity

in question can be used as a guide as to how much
communication and consultation is required: the more
complex and significant to the organization, the more
detailed and comprehensive the requirement.

12
Step 2. Establish the context

provides a five-step process to assist

with establishing the context
within which risk will be identified.
1-Establish the internal context
2-Establish the external context
3-Establish the risk management
context
4- Develop risk criteria
5- Define the structure for risk analysis

13
1- Establish the internal context

-As previously discussed, risk is the chance of something

happening that will impact on objectives.
As such, the objectives and goals of a business, project
or activity must first be identified to ensure that all
significant risks are understood.
This ensures that risk decisions always support the
broader goals and objectives of the business. This
approach encourages long-term and strategic
thinking.

14
• In establishing the internal context, the business
owner may also ask themselves the following
questions:

- Is there an internal culture that needs to be

considered? For example, are staff Resistant to
change? Is there a professional culture that might
create unnecessary risks for the business?
- What staff groups are present?
- What capabilities does the business have in terms of
people, systems, processes, equipment and other
resources?

15
2. Establish the external context

• This step defines the overall environment in which a

business operates and includes an understanding of
the clients’ or customers’ perceptions of the business.
An analysis of these factors will identify the strengths,
weaknesses, opportunities and threats to the business
in the external environment.

16
• A businessowner may ask the following questions
when determining the external context:
• What regulations and legislation must the business
comply with?
• Are there any other requirements the business needs
to comply with?
• What is the market within which the business
operates? Who are the competitors?
• Are there any social, cultural or political issues that
need to be considered?

17
• Tips for establishing internal and external contexts

-Determine the significance of the activity in achieving

the organization's goals and objectives
- Define the operating environment
- Identify internal and external stakeholders and
determine their involvement in the risk management
process.

18
3- Establish the risk management context

- Before beginning a risk identification exercise, it is

important to define the limits, objectives and scope of
the activity or issue under examination.

- For example, in conducting a risk analysis for a new

project, such as the introduction of a new piece of
equipment or a new product line, it is important to
clearly identify the parameters for this activity to
ensure that all significant risks are identified.

19
• Tips for establishing the risk management context
• Define the objectives of the activity, task or function
• Identify any legislation, regulations, policies,
standards and operating procedures that need to be
complied with
• Decide on the depth of analysis required and allocate
resources accordingly
• Decide what the output of the process will be, e.g. a
risk assessment, job safety analysis or a board
presentation. The output will determine the most
appropriate structure and type of documentation.

20
4. Develop risk criteria

Risk criteria allow a business to clearly define

unacceptable levels of risk. Conversely, risk criteria
may include the acceptable level of risk for a specific
activity or event.
In this step the risk criteria may be broadly defined and
then further refined later in the risk management
process.

21
• Tips for developing risk criteria

• Decide or define the acceptable level of risk for each activity

• Determine what is unacceptable
• Clearly identify who is responsible for accepting risk and at what level.

22
5. Define the structure for risk analysis

• Isolate the categories of risk that you want to manage. This will provide
greater depth and accuracy in identifying significant risks.
• The chosen structure for risk analysis will depend upon the type of
activity or issue,
its complexity and the context of the risks.

23
Step 3. Identify the risks

• Risk cannot be managed unless it is first

identified. Once the context of the business
has been defined, the next step is to utilize
the information to identify as many risks as
possible.

24
• The aim of risk identification is to identify possible
risks that may affect, either negatively or positively,
the objectives of the business and the activity under
analysis. Answering the following questions identifies
the risk:

25
• There are two main ways to identify risk:
1- Identifying retrospective risks

Retrospective risks are those that have previously

occurred, such as incidents or accidents. Retrospective
risk identification is often the most common way to
identify risk, and the easiest. It’s easier to believe
something if it has happened before. It is also easier
to quantify its impact and to see the damage it has
caused.

26
• There are many sources of information about retrospective risk. These
include:

• Hazard or incident logs or registers

• Audit reports
• Customer complaints
• Accreditation documents and reports
• Past staff or client surveys
• Newspapers or professional media, such as journals
or websites.

27
2-Identifying prospective risks

• Prospective risks are often harder to identify. These

are things that have not yet happened, but might
happen some time in the future.

• Identification should include all risks, whether or not

they are currently being managed. The rationale here
is to record all significant risks and monitor or review
the effectiveness of their control.

28
• Methods for identifying prospective risks include:

• Brainstorming with staff or external stakeholders

• Researching the economic, political, legislative and
operating environment
• Conducting interviews with relevant people and/or
organizations
• Undertaking surveys of staff or clients to identify
anticipated issues or problems
• Flow charting a process
• Reviewing system design or preparing system
analysis techniques.

29
Tips for effective risk identification

• Select a risk identification methodology appropriate to

the type of risk and the nature of the activity
• Involve the right people in risk identification activities
• Take a life cycle approach to risk identification and
determine how risks change and evolve throughout
this cycle.

30
Step 4. Analyze the risks
• During the risk identification step, a
business owner may have identified many
risks and it is often not possible to try to
address all those identified.
• The risk analysis step will assist in
determining which risks have a greater
consequence or impact than others.

31
• What is risk analysis?

• Risk analysis involves combining the possible

consequences, or impact, of an event,

• with the likelihood of that event occurring. The result

is a ‘level of risk’. That is:

Risk = consequence x likelihood

32
• Elements of risk analysis
The elements of risk analysis are as follows:

1. Identify existing strategies and controls that act to

minimize negative risk and enhance opportunities.
2. Determine the consequences of a negative
impact or an opportunity (these may be positive or
negative).
3. Determine the likelihood of a negative
consequence or an opportunity.
4. Estimate the level of risk by combining consequence
and likelihood.
5. Consider and identify any uncertainties in the
estimates.
33
• Types of analysis
Three categories or types of analysis can be used to
determine level of risk:
• Qualitative
• Semi-quantitative
• Quantitative.

- The most common type of risk analysis is the qualitative

method. The type of analysis chosen will be based upon
the area of risk being analyzed.

34
• Tips for effective risk analysis

• Risk analysis is usually done in the context of existing

controls – take the time to identify them
• The risk analysis methodology selected should, where
possible, be comparable to the significance and
complexity of the risk being analyzed, i.e. the higher
the potential consequence the more rigorous the
methodology
• Risk analysis tools are designed to help rank or
priorities risks. To do this they must be designed for
the specific context and the risk dimension under
analysis.

35
Step 5. Evaluate the risks

• Risk evaluation involves comparing the

level of risk found during the analysis
process with previously established risk
criteria, and deciding whether these risks
require treatment.
• The result of a risk evaluation is a
prioritized list of risks that require further
action.
• This step is about deciding whether risks
are acceptable or need treatment.

36
• Risk acceptance
A risk may be accepted for the following reasons:

• The cost of treatment far exceeds the benefit, so that

acceptance is the only option (applies particularly to
lower ranked risks)
• The level of the risk is so low that specific treatment
is not appropriate with available resources
• The opportunities presented outweigh the threats
to such a degree that the risks justified
• The risk is such that there is no treatment available,
for example the risk that the business may suffer
storm damage.

37
Step 6. Treat the risks

• Risk treatment is about considering

options for treating risks that were not
considered acceptable or tolerable at
Step 5.

• Risk treatment involves identifying

options for treating or controlling risk,
in order to either reduce or eliminate
negative consequences, or to reduce
the likelihood of an adverse
occurrence. Risk treatment should also
aim to enhance positive outcomes.

38
• Options for risk treatment:

identifies the following options that may assist in the

minimization of negative risk or an increase in the
impact of positive risk.
1- Avoid the risk
2- Change the likelihood of the occurrence
3- Change the consequences
4- Share the risk
5- Retain the risk

39
• Tips for implementing risk treatments

• The key to managing risk is in implementing effective

treatment options
• When implementing the risk treatment plan, ensure
that adequate resources are available, and define a
timeframe, responsibilities and a method for
monitoring progress against the plan
• Physically check that the treatment implemented
reduces the residual risk level
• In order of priority, undertake remedial measures to
reduce the risk.

40
Step 7. Monitor and review
• Monitor and review is an essential and integral
step in the risk management process.
• A business owner must monitor risks and review
the effectiveness of the treatment plan,
strategies and management system that have
been set up to effectively manage risk.

41
• Risks need to be monitored periodically to ensure
changing circumstances do not alter the risk priorities.
Very few risks will remain static, therefore the risk
management process needs to be regularly repeated,
so that new risks are captured in the process and
effectively managed.
• A risk management plan at a business level should be
reviewed at least on an annual basis. An effective way
to ensure that this occurs is to combine risk planning
or risk review with annual business planning.

42
Summary of risk management steps

43
Risk Management Planning
• Identify risks and potential obstacles to the project
that:
• could significantly impact on its completion
• are reasonably likely to occur
• Incorporate steps in plan to mitigate risk and avoid
obstacles
• Monitor the risks you've identified and watch for new
risks that may arise
Some Risks & Assumptions

• Risk: that potential participants might be deterred by the

amount of work involved. Strategy: provide breakdown of
tasks in manageable chunks, sample documents explaining
every step in the process; and hand-holding by the project
manager (always an email or phone call away)

• Risk: possible long, critical delays getting project approval from

local research ethics board (REB) for the project. Strategy:
provide examples of successful REB submissions.

• Risk: that libraries would not know how to make effective use
of their survey data. Strategy: provide two workshops and
supporting documentation on the web site.