What is risk analysis?
In project management, a risk is defined as a situation or an event that can negatively impact the success of your projet.
Several kinds of risk can be identified:
- External stakeholders-related risks: customers, consumers, suppliers…
- Internal risks: project team members, top-management…
- Project-related risks: technological or logistic risks…
- Event-related risks: economic (e.g. financial crisis), sociopolitical (e.g. embargo…)
Instead of reacting to such events, risk management is intended to forecast these situations in order to identify strategies that decreases their likelihood: you’ll be able to better understand those risks and their consequences on the project, and you’ll identify those who will have the greatest impact on your project.
Most of the time, this method involves all the stakeholders of the project, especially the project team, the customers, and the providers.
Risk analysis is intended to be used regularly during the whole project lifecycle. The first step implies identifying global risks of the project and relative management strategies to avoid them. You’ll then have to use this method at the beginning of each new phase of your project or whenever you start a new project.
The steps of risk analysis
A good way to analyse risks follows several steps to help you clearly identify the risks and the management strategies you need to avoid them.
The steps are the following:
- Elaborate a risk management plan to identify management process, each stakeholder's role in the project...
- Identify global risks for the whole project
- Analyse risks to determine which ones are the most important
- Elaborate strategies to handle the most important risks effectively
- Estimate costs and benefits of the strategies to determine if they're viable
- Implement the strategies
- Assess the results and document them to increase the level of knowledge for these risks
How to use the risk analysis matrix
The risk matrix let you order risks according their likelihood and level of impact on the project. Both these factors are evaluated using a scale from 1 to 5 (5 being the highest score).
Likelihood refers to the probability an event occurs in your project:
- Level 1: risk has a virtually zero probability to arise (less than 1% chance)
- Level 2: the event is very unlikely to happen for this project (between 1 and 25%)
- Level 3: the risk can happen because it occured in similar projects in the past (between 25 and 50%)
- Level 4: the situation is most likely to happen (between 50 and 75%)
- Level 5: we consider the risk is certain (more than 75%)
The level of impact refers to the importance of the consequences over the project success criteria, such as objectives accomplishement, final product or service perceived quality, project schedule and associated costs.
- Level 1: the risk will have almost no consequences on the project
- Level 2: some of your projects activities may be delayed, you'll face a small increase in costs
- Level 3: your objectives will be partially accomplished, quality of your product or service will be decreased
- Level 4: some of your objectives won't be met, the whole project will be delayed
- Level 5: the project delivery will be very late and cost you far more than expected, the final product or service is useless
A smart and realistic assessment of these factors will greatly depend on your level of knowledge for each risk, which depends mostly on the quality, quantity, and reliability of the information you have about it.
Once you've entered your data on the matrix, you'll be able to identify three types of risks:
- High-level risks (red spot): you'll have to handle these risks first as they have a high probability and/or major consequences for your project.
- Medium-level risks (yellow spot): these risks can be handle if you have a good level of knowledge.
- Low-level risks (green spot): these risks are kind of insignificant as they are unlikely to occur and/or their consequences will have minimum impact on your project.
Conducting the risk analysis
Analyzing your risks implies paying special attention to the top risks, i.e. those with an important likelihood and level of impact on your project.
Once you've identified them, you'll have to choose between the following strategies to handle them:
- Accept the risk: You don't pay any attention to this risk. You think the likelihood is too low and/or you'll be able to easily handle the consequences of this risk on the project.
- Avoid the risk: You'll try to reduce the probabilty of the risk happening (e.g. avoid a possible partner that isn't considered as reliable).
- Transfer the risk to a third-party (e.g. using insurance or a warranty).
- Use preventive actions to reduce the likelihood of the event or the consequences on the project.
Finalising the project risk analysis
The last step is to evaluate the strategies you want to set up to determine whether they are reliable in terms of relative costs and benefits. A good strategy implies implementation costs that don't exceed the financial costs associated with the consequences of the risk that is mitigated.
A best practice in risk management is to list all the strategies in a global plan that will be used to establish documentation about the top risks identified and the strategies you'll use to handle each of them. Best practices suggest using this plan on a monthly basis to improve your level of knowledge for each risk listed.
Below you will find an Excel template to download to help you build your own risk mitigation strategic plan.