Key Steps for Resolving Risks

Have you ever been assigned a risk and tasked with mitigating it, but were unsure where to begin? Are you familiar with the risk management process but uncertain about which tools or techniques to use for assessing and mitigating risks? It may seem daunting, but risk management is not complex. You can assess and mitigate risks effectively by applying your existing knowledge and techniques. This article aims to explain the essential steps involved in risk management and provide an overview of various methodologies and techniques that can be used to assess and mitigate risks.

Risk management is a critical component of project management. It encompasses the processes of identifying, assessing, and prioritizing risks, followed by proactively implementing strategies to mitigate or minimize the probability and impact of adverse events. 

To mitigate a risk effectively, two prerequisites must be met. First, an established risk management process is required to identify and assign risks appropriately. Second, regular risk review meetings must be conducted to examine the risk analysis, prioritize actions, and approve mitigation strategies. 

Visit www.ganttpost.com for more information on risk management.

Identifying Risks

As a project manager, you are accountable for identifying project risks. This task is not a one-time event, but rather a recurring activity throughout the duration of the project. For structured risk identification events, projects can implement industry best practices, such as Agile Scrum or Deming PDCA (Plan-Do-Check-Act) methodologies, to identify risks systematically within the continuous improvement process. It is also advisable to document risks identified in informal settings such as status meetings, project reviews, and ad hoc team feedback sessions.

There are various tools and techniques used for the identification of risks. By leveraging a combination of these approaches, organizations can gain a thorough understanding of potential risks and implement proactive measures to mitigate them.  Some tools and techniques include:

• Stakeholder Interviews: Gathering input and feedback from stakeholders to identify potential adverse events and their expected probability and impact.  Stakeholders include project team, delivery team, customers, and leadership.

• Delphi Technique: A structured group collaboration process used to collect input and feedback from subject matter experts to reach consensus on complex issues, often through multiple rounds of surveys and feedback.

• Brainstorming: A collaborative activity among group members which encourages the free exchange of thoughts, opinions, and suggestions without any criticism or judgment. The objective is to produce a multitude of ideas without concerns regarding their quality, feasibility, or relevance.

• SWOT Analysis: A structured method aimed at providing a realistic, fact-based, and data-driven assessment of Strengths, Weaknesses, Opportunities, and Threats to identify potential risks. 

• Assumption Analysis: A process involving reviewing the assumptions established during the project planning phase to examine their validity and identify potential risks that may emerge if these assumptions are incorrect or have changed.

• Decision Tree Analysis: A method that involves building a graphical representation like a tree structure. It begins with a question node and branches into different decision paths, ultimately leading to various outcomes and the potential risks related to each outcome.

• Flowcharting: Provides a visual representation of a process and its workflow steps, aiding in the identification of bottlenecks, inefficiencies, and gaps to pinpoint potential risks at various stages of the process. 

• Monte Carlo analysis: A statistical method that integrates uncertainty by applying probability distributions for variables and conducting multiple simulations to produce a range of possible outcomes, assessing their effect on business costs and project completion dates.

• Fault Tree Analysis (FTA) and Failure Modes and Effects Analysis (FMEA): These are analytical techniques used to identify potential causes of system failure through structured diagrams. Failure modes refer to the specific ways in which a process can fail, while effects denote the impact these failures have on the overall outcome.

Risk statements should adhere to the following format: "if this event occurs, then that outcome will impact the project." Each statement must include the type of impact and the trigger date. Key impact types consist of cost, schedule, quality, regulatory compliance, security, stakeholder approval, mission operations, and customer perception. The trigger date specifies when the risk will become an issue if left unresolved.

Steps to Mitigate a Risk

The project manager should advocate for the risk management process and ensure adherence to its steps, thereby assuring that risks are mitigated and resolved effectively and efficiently. When a risk is identified and assigned, the project manager and the risk assignee/owner should take proactive measures to minimize or prevent its probability and impact.  Follow the steps below to analyze and mitigate the risk through closure.

Analyze the Risks

Once a risk is identified and assigned for action, the next step involves analyzing the risk in terms of its expected probability and potential impact. This process necessitates conducting both qualitative and quantitative analyses to assess the risk comprehensively. Building on the tools and techniques used for risk identification, the process of analyzing risk involves determining and calculating both the probability and impact of risks. Subsequently, using a risk matrix, these calculated probabilities and impacts are used to determine the rank of each risk.  Ranks are classified either quantitatively, ranging from 1 to 5, or qualitatively, from Very Low to Very High.

Determine the Mitigation Strategy

Risk mitigation should be prioritized according to their rank. High ranking risks demand prompt attention and implementation of mitigation strategies. Prioritization enables effective allocation of resources and mitigates the most critical risks accordingly.

Mitigation strategies are designed to reduce the probability and impact of risks. As such, the process of selecting a risk mitigation strategy begins with evaluating the probability and impact of the risk and weighing them against the cost of mitigating the risk. While the cost to mitigate is a significant factor in determining the appropriate strategy, projects should also consider the potential effects on customer perception and social responsibility. For instance, although the risk of an accident on high-speed rail might be low and the cost to mitigate might be high, accepting the risk may need further evaluation in terms of social responsibility.

PMBOK guide recommended mitigation strategies include:

• Avoidance: This strategy involves modifying plans to circumvent potential risks. It includes eliminating or avoiding activities or situations that may lead to adverse outcomes. For instance, selecting a vendor with a shorter lead time rather than one with a longer lead time, while ensuring minimal negative impact on cost and quality.

• Mitigate: Also referred to as Risk Reduction, this strategy involves implementing measures to minimize risks by focusing on reducing the probability or impact of a risk. For example, a company might implement more stringent security protocols to reduce the risk of a data breach.

• Transfer: This method involves shifting responsibility for potential risks to another party, often through insurance or contractual agreements. For instance, a business could outsource functions such as training, helpdesk, customer service, or field support, thereby transferring the associated risks to the service provider.  

• Acceptance: This strategy involves acknowledging the risk and accepting the potential consequences. It is typically used when the risk is considered low, or the cost of mitigation is too high. For example, an investor who allocates a portion of their portfolio to a new business is assuming the risk of potential losses if the business fails.  

Develop and Implement the Mitigation and Contingency Plans

Following the selection of the appropriate risk mitigation strategy, it is essential to define and document the plan to mitigate the identified risks. The risk mitigation plan should provide a comprehensive cost-benefit analysis, establish key milestones and dates, outline planned actions and tasks, identify participating resources, and specify key trigger indicators. The risk mitigation plan must be developed collaboratively with the project team, the delivery team, key stakeholders, and leadership. It is imperative that the plan undergoes review during risk review meetings and receives approval from key stakeholders and leadership, ensuring their commitment to allocate necessary resources and resolve the risk effectively. Upon approval, the project manager must ensure that risk mitigation measures are executed efficiently and timely.

It is recommended to have a contingency plan for all risks. However, it is imperative that risks with a strategy to mitigate or accept the risk have a contingency plan. Contingency plans ensure a comprehensive action plan is in place in the event the risk materializes and becomes an issue. The contingency plan should provide a detailed outline that establishes key milestones and dates, outlines planned actions and tasks, identifies participating resources, and specifies closure criteria. Like risk mitigation planning, contingency planning is a collaborative effort and must be approved by stakeholders and leadership. Implementation occurs only if and when the risk materializes and becomes an issue.

Monitor and Control the Risk

Continuous monitoring and review are essential to the success of a risk management plan. This involves consistently reviewing the status of the identified risks, assessing any changes to probability and impact, evaluating the effectiveness of mitigation strategies, and making necessary adjustments until the risk is resolved.

Regular risk reviews are essential for maintaining the relevance and effectiveness of mitigation strategies and plans. They help establish accountability for addressing risks and ensure that mitigation plans are implemented as intended. Continuous monitoring provides valuable data for informed decision-making regarding risk management strategies, resource allocation, and overall project planning. Furthermore, consistent risk monitoring and reporting fosters transparency and trust with stakeholders, demonstrating a strong commitment to effective risk management.  

Close the risk

On the risk realization date, risks are considered mitigated or realized and can be closed in the risk register. Mitigated risks are classified as avoided, mitigated, or transferred and are closed with an appropriate indicator, requiring no further actions. Risks that materialize and become issues should be moved from the risk register to the issue tracker and be classified as realized. These issues should be monitored and controlled through the issue resolution process until closure. 

Conclusion

Establishing a risk management plan is a critical component of successful project management and organizational strategy. By identifying, analyzing, and prioritizing risks, and developing robust mitigation strategies, projects can minimize the impact of potential threats and enhance their ability to achieve their objectives.

Mitigating risks involves the collaborative efforts of the project team and stakeholders to address and resolve risks through to closure. If you are new to the risk management process or are unfamiliar with the steps required to mitigate a risk, numerous tools and techniques can be used to manage and resolve risks effectively. Although risk mitigation may initially appear daunting, it is not inherently complex. By leveraging your existing knowledge and applying appropriate techniques, you can effectively assess and mitigate risks. Follow the steps outlined in this article to successfully address and resolve risks through to closure.