4-Step Risk Management Process (2024)

Risks are inevitable in the world of project management and can pose significant problems to project objectives. Being able to perceive these risks in advance and devise a strategy to deal with them is what ensures a project’s success.

In this article, we explore the four steps of the Risk Management Process, including how to identify and assess potential project-related risks and opportunities, as well as how to respond to them efficiently. Let’s uncover how this strategic process can lead to a more resilient project management.

1. Identify the risk.
2. Assess the risk.
3. Treat the risk.
4. Monitor and Report on the risk.

The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project:

• Project milestones
• Financial trajectory of the project
• Project scope

These events can be listed in the risk matrix and later captured in the risk register.

A risk (or opportunity) is characterized by its description, causes and consequences, qualitative assessment, quantitative assessment, and mitigation plan. It can also be characterized by who is responsible for its action. Each of these characteristics are necessary for a risk (or opportunity) to be valid.

To be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and specific as possible. The title of the risk or opportunity must be succinct, self-explanatory, and clearly defined.

All members of the project can and should identify R&O, and once they’ve been identified, the content of them is the responsibility of the Risk Owners. Risk Managers are responsible for ensuring that a formal process for identifying risks and developing response plans are conducted through exchanges with Risk Owners.

Below are examples of tools to help identify R&O:

• Analysis of existing documentation
• Interviews with experts
• Conducting brainstorming meetings
• Using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality Analysis (FMECA), Cause Trees, etc.
• Considering the lessons learned from R&Os encountered in previous projects
• Using pre-established checklists or questionnaires covering the different areas of the project (Risk Breakdown Structure or RBS)

The Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity byoccurrenceprobabilityandimpact severity, according to the project’s criticality scales.

Evaluating Probability of Occurrence (P):

This is usually on a scale of 1 to 99% and is determined based on experience, the progress of the project, or by speaking to a risk expert.

For example, suppose the risk that:“the inability of supplier X to conduct studies on a modification Y by the end of 2025” is 50% probable. This could be determined from feedback and analysis of the supplier’s workload.

Evaluating Impact Severity (I):

To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at the project level. A scale is used to classify the different impacts and their severities. This ensures that the assessment of each risk or opportunity is standardized and reliable.

The criticality level of a risk or opportunity is obtained by the equation: Criticality=PxI

The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the response on critical items first. Keep in mind, the assessment of each risk’s probability or impact severity is what makes this “qualitative”; however, assigning a numerical value to this evaluation allows us to objectively prioritize them.

In most projects,the objective of the quantitative assessment is to establish a financial evaluation of a risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the Risk Manager (with support of those responsible for estimates and figures), or the management controller depending on the company’s organizational set up. These amounts represent a potential additional cost (or a potential profit if we are talking about an opportunity) that was not anticipated in the project budget.

For this, it is therefore necessary to evaluate any additional costs incurred by the risk (or undesired event). Then, the cost of the risk’s consequences is calculated by adding these values.

Evaluating any potential costs incurred means to financially review:

• Hours of internal engineering
• Hours of subcontracting
• Additional work to do
• Amendments and/or claims made to contracts
• Etc.

This step allows us to estimate the need for additional budget for risks and opportunities of the project.

In order to treat risks, an organization must first identify their strategies for doing so by developing a treatment plan. The objective of the risk treatment plan is to reduce the probability of the risk occurring (preventive action) and/or to reduce the impact of the risk (mitigation action).

For an opportunity, the objective of the treatment plan is to increase the likelihood of the opportunity occurring and/or to increase its benefits. Depending on the nature of the risk or opportunity, a response strategy is defined for the project. The following 7 strategies are possible:

• Accept: Do not initiate any action but continue to monitor.
• Mitigate/Enhance: Reduce (for a risk) or increase (for an opportunity) the probability of occurrence and/or the severity of impact.
• Transfer/Share:Transfer responsibility of a risk to a third party who would bear the consequences of the problem (share the benefits of a realized opportunity).
• Avoid/Exploit:Eliminate the risk entirely / take advantage of the opportunity.

Monitoring the progress of the treatment plan is the responsibility of the Risk Owner. They must report regularly to the Risk Manager, who must keep the Risk Register up to date.

Note: The cost of a risk mitigation plan must be integrated into the budget of the project.

When defining a treatment plan:

• Each action begins with an action verb and has a clear purpose.
• Each action has an actionee (who is responsible) and a deadline.
• Actions that could generate costs must be tracked and considered in the project.
• For example: to reduce the risk of your car breaking down, a treatment plan could be to have it checked annually by a repair shop.

Risks and opportunities and their treatment plans need to be monitored and reported on. The frequency of this will depend on the risk criticality. Developing a monitoring and reporting structure will ensure there are appropriate forums for escalation and that appropriate risk responses are being actioned on.

Recall that the Risk and Opportunity Management Plan, or ROMP, is one of thefive essential elements of Project Risk Management.It should include not only the project stakeholders and steering members, but the governance cadence for monitoring and reporting on risks and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction with the Project Manager.

Understanding the complex nature of risk management is a significant step towards enhancing your project outcomes. By understanding each step of the risk management process, you will have a comprehensive toolkit to identify, assess, and respond to possible risks and opportunities. The next goal is to formalize this process across your organization and ensure it is followed consistently.

This not only gives you more control over your project’s direction, but it also encourages growth and development within your organization. Remember, every member of your team has a role to play in identifying risks and opportunities. So, embrace the process, learn from previous experiences, and advance towards a future filled with potential.

Thank you for the contributions of Marie BELGODERE, Jérémie CLAUSTRE, Capucine COMTE, Alioune DIALLO, Emmanuel LATGE, Jessy MIGNOT, Ingrid NGOBAY, Pierre PETILLON, Louann SUGDEN, Chris WAMAL, and the MIGSO-PCUBED Risk Management Community of Practice.