There are many national and international standards, codes of practice, and guidance documents related to risk management, and all of them are slightly different. However, what links them is that they are all based upon a shared concept of the risk management process or cycle. Once we understand this process or cycle, it is possible to make sense of the approach taken by these different documents, and we can appreciate how they have used the process as a starting point.

Risk identification is always the first step in the risk management process. This is the most important step. If a risk is not identified, it cannot be considered in any part of the process. Therefore, it is best to identify as many potential risks as possible and to eliminate the more trivial risks during the process.

There are a number of techniques that can be used to assist in the risk identification process. One of these is brainstorming. Brainstorming involves getting representatives at all levels of the project together to try to identify as many risks related to the project as possible. At this stage, no risk should be rejected or criticised, and sometimes a list of several hundred risks may be compiled.

Checklists can be prepared by industry sector organisations based on an analysis of the risks occurring at a large number of similar projects in recent times. Although in principle this is a useful way of identifying risks, because these similar projects are historic, the risks listed may not take into consideration new developments associated with the proposed project.

An organisation might also consider case histories, either from external organisations or internal cases. This is a useful way to consider risk, but it is important to be careful when only considering case studies from a single project or a small number of projects, for two reasons. Firstly, all cases are, by definition, historic and things may have changed in the meantime.
And secondly, just because a risk occurred in one case does not necessarily mean that it is likely to occur again.

Another option would be for the organisation to consult an expert in the field for their analysis, often referred to as Delphi Analysis. An expert provides very detailed analysis, but experts are sometimes overoptimistic and may downplay risks. Therefore, it is important to consult a number of experts independently to derive a better understanding.

It is not a question of choosing which of the options to use, but more a question of using all of them, or as many of them as is possible, in order to identify as many risks as is practical.

A further approach to identifying risk would involve breaking the project down into sections. One way of classifying risk is to make an initial division between global risks and elemental risks. Global risks are those risks which, were it possible for them to be controlled, would be controlled by government. We might divide these global risks into subdivisions such as political, legal, environmental and commercial. Elemental risks are those risks which could be controlled by the parties involved in carrying out the project. We could then divide these elemental risks into subdivisions such as technical, operational, financial and revenue risks. The global and elemental risks will be considered separately, and risks in each subdivision would be identified.

Risk assessment is the next stage of the risk process. Once the risks have been identified, the list of risks needs to be reduced in order to begin assessing the impact of the risk event. In order to do this, we need to consider the probability or likelihood of a risk occurring, and consider the impact of the risk in terms of its adverse effect on the project. A simple way of reducing the list of risks is to use a 2 by 2 matrix of impact against probability.
Probability is expressed as being either high or low, as is the potential impact associated with the listed risk. The risks identified as low impact and low probability are classified as trivial and can be ignored. The low impact, high probability risks are labelled expected risks, and will have already been taken into account. The high impact, low probability risks are classified as hazards, and, although potentially severe, the probability of these occurring is remote. Therefore, when taking risk forward into the assessment stage, we are dealing with the high probability, high impact risks.

There are many methods of risk assessment, but they can be classified into three main types of assessment: elemental, sensitivity or probabilistic.

Let's look first at the elemental methods. These are sometimes known as hurdle methods, and are the easiest to apply, but are not rigorous. Usually a single criterion is adopted as a decision point to determine whether the project is viable. This is often a financial criterion, for example, a return above minimum bank rate.

Next, let's consider sensitivity analysis. This assessment method requires a model of the project. This could be done by hand, but is more frequently done on the computer, using either a critical path network model or a financial spreadsheet model. Changes to individual variables or risks are made on this model to see the likely effect on the project, and then this is recorded. The more sensitive the risk, the greater the management attention it should be given. Here, we can see a sensitivity analysis for a small power project. The closer the variable line is to the vertical, the more sensitive the variable is. So, variable five is the most sensitive. The closer to the horizontal the line is, the less sensitive the variable, so variables seven and eight are the least sensitive. Sensitivity analysis is a useful method for identifying the most important risks, and is very easy to understand.
However, it is flawed, in that it assumes a change to one variable has no effect on any other variable. It assumes the variable can change without constraint, and it assumes that if this level of change occurred, the project structure would not change. Nevertheless, sensitivity analysis is still widely used.

Finally, let's consider probabilistic analysis. This requires the use of a computer. There are many approaches, but the most popular assessment method is the Monte Carlo analysis. Initially, a mathematical model of the project is prepared using either a spreadsheet or a critical path model. The key variables in the model are identified, and each is given a range of values with a distribution from optimistic to pessimistic. Based on the random number generator, a large number of iterations are run, 10,000 to 200,000, considering all risk variables in combination. A cumulative frequency distribution is then plotted, which indicates the profitability and the range of outcomes.

Whichever risk assessment method you use, risk management is based on the fundamental principle that risk should only be given to a party who is able to manage or control that risk. It may be possible for something to be changed at this stage, which may eliminate a risk. Ideally, this should have been done prior to this stage, but it does sometimes happen. Risk transfer would only be done if the party receiving the risk was able to manage, control, or mitigate that risk. Actions might be available to reduce the adverse consequences of the risk. All remaining risk, the residual risk, is retained, and has to be managed.

As a project progresses, potential sources of risk are removed. It is only the live activity and the future activity which can cause risk. So as the project proceeds, risk management is concerned with the reducing scope of the project. Some intervention in live activities may be possible, but it is in the future activities that the most scope for managing risk lies.
The process should be regularly reviewed to ensure any new risks are identified, and that assumptions remain valid.

The risk management cycle is a simplified way of demonstrating the key principles of risk management and provides the basic understanding and context necessary to study strategic risk management.
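
The sensitivity and Monte Carlo analyses described above, as an added example that is not part of the original lecture: the same spreadsheet-style model is first varied one variable at a time and then sampled with all variables in combination to produce a cumulative frequency. The project figures, variable names, triangular distributions and independent sampling are constructed assumptions.

```python
import random

# Constructed figures for a hypothetical small power project (not from the lecture).
# Each key variable: (optimistic, most likely, pessimistic).
VARIABLES = {
    "capex":  (90.0, 100.0, 130.0),   # construction cost, $m
    "output": (210.0, 200.0, 160.0),  # energy sold per year, GWh
    "tariff": (0.11, 0.10, 0.08),     # price, $m per GWh
    "opex":   (4.0, 5.0, 7.0),        # operating cost per year, $m
}
YEARS, DISCOUNT_RATE = 15, 0.08

def npv(capex, output, tariff, opex):
    """Project model: net present value of the cash flows, $m."""
    annual = output * tariff - opex
    return -capex + sum(annual / (1 + DISCOUNT_RATE) ** t for t in range(1, YEARS + 1))

def sensitivity(change=0.10):
    """One-at-a-time analysis: NPV shift when one variable worsens by `change`."""
    base = {k: v[1] for k, v in VARIABLES.items()}
    result = {}
    for name, (opt, likely, pess) in VARIABLES.items():
        direction = 1 if pess > likely else -1   # which way is "worse"
        shifted = dict(base, **{name: likely * (1 + direction * change)})
        result[name] = npv(**shifted) - npv(**base)
    return result

def monte_carlo(iterations=10_000, seed=1):
    """Sample all variables together (independently) and return sorted NPVs."""
    rng = random.Random(seed)
    outcomes = []
    for _ in range(iterations):
        draw = {k: rng.triangular(min(o, p), max(o, p), m)
                for k, (o, m, p) in VARIABLES.items()}
        outcomes.append(npv(**draw))
    return sorted(outcomes)

def cumulative_frequency(outcomes, threshold):
    """Fraction of iterations with NPV at or below `threshold`."""
    return sum(1 for x in outcomes if x <= threshold) / len(outcomes)

if __name__ == "__main__":
    for name, delta in sorted(sensitivity().items(), key=lambda kv: kv[1]):
        print(f"{name:7s} 10% worse -> NPV change {delta:+.1f}")
    runs = monte_carlo()
    for level in (-20, 0, 20, 40):
        print(f"P(NPV <= {level:>3}) = {cumulative_frequency(runs, level):.2%}")
```

The sensitivity table ranks the variables individually, while the cumulative frequencies show how likely a loss is once every variable moves at the same time.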