Risk Management Process
Risk Management Process Diagram
The risk management process as defined in ISO 31000 is presented below:
Establishing the Context
Establishing the context of a project is an important first step to any risk analysis. Without establishing the context in which the risks are to be framed, it is impossible to determine the significance of any given uncertain event. Establishing the Context consists of 5 main components:
Identifying Key Project Information
It is important to gather and specify key project information such as project name and description, key dates and budgets, as this provides crucial insight into the context of the risks that may follow. It is impossible to complete the sections that follow without at least a basic understanding of this information.
If available, the “Project Execution Plan” (PEP, sometimes called the Project Management Plan) is usually a good source of this data.
It is also important to note the key stakeholders involved in the project, as this can also influence other aspects of the context settings, especially the Project Significance.
Rating the Project's Significance
The significance of the project to the stakeholder conducting the risk management process is dependent on both the magnitude of the investment (in terms of time and money) and the expected returns of the project, relative to the monetary capital of the stakeholder or the significance of the project to the strategic goals of the stakeholder. What one company considers to be a small investment could be “make or break” for another. Project significance can also extend beyond cost and schedule to reputation, environmental, or other types of significance.
Project significance guides the level of effort to be invested in risk management by the stakeholder, as risk management, like quality management, can devour as much of the stakeholder’s resources and capital as the stakeholder is prepared to invest. The higher the significance of the project, the more the stakeholder can justify investing in risk management.
The key reason for defining the project goals is that risks only apply to a project if they threaten or enhance the project goals. If the goals have not been defined, there would be doubt about whether a risk is relevant.
Is the aim to establish the project for:
- Maximum operating efficiency?
- Minimum cost?
- Minimum time?
- Minimum environmental impact?
A goal can be anything provided it applies to the project.
Identifying the Approach to Risk Management
It is also important to identify and agree on the approach to be taken to risk management. This includes the frequency with which the Risk Identification, Risk Analysis, Risk Evaluation, and Risk Treatment cycle is to be performed or reviewed. Whether a qualitative and/or quantitative analysis approach is to be used at each major phase boundary of the project is also important, as this establishes a plan and affects the budget for execution of risk management services.
Evaluating Risk Management Performance to Date
For mature project organisations, a further consideration is to evaluate the risk management performance to date. This helps to identify the strengths and weaknesses of what has been done so far, and whether it has helped to identify and treat risks that might otherwise have affected the project’s objectives. If the risk management performance to date has been poor, alternative risk management approaches and strategies need to be examined to improve it.