The Risk Management Process: 4 Essential Steps (2024)

Table of Contents

1. Identify the risk.
2. Assess the risk.
3. Treat the risk.
4. Monitor and Report on the risk.

The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project:

• Project milestones
• Financial trajectory of the project
• Project scope

These events can be listed in the risk matrix and later captured in the risk register.

A risk (or opportunity) is characterized by its description, causes and consequences, qualitative assessment, quantitative assessment and mitigation plan. It can also be characterized by who is responsible for its action. Each of these characteristics are necessary for a risk (or opportunity) to be valid.

In order to be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and specific as possible. The title of the risk or opportunity must be succinct, self-explanatory and clearly defined.

All members of the project can and should identify R&O, and the content of these is the responsibility of the Risk (or Opportunity) Owners. Risk Managers are responsible for ensuring that a formal process for identifying risks and developing response plans are conducted through exchanges with risk owners. We will explain each of these roles in further detail in our next article on Risk Management Team Roles.

Below are examples of tools to help identify R&O:

• Analysis of existing documentation
• Interviews with experts
• Conducting brainstorming meetings
• Using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality Analysis (FMECA), cause trees, etc.
• Considering the lessons learned from R&Os encountered in previous projects
• Using pre-established checklists or questionnaires covering the different areas of the project (Risk Breakdown Structure or RBS).

The Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity by occurrence probability and impact severity, according to the project’s criticality scales.

Evaluating occurrence probability (P):

This is determined preferably based on experience, the progress of the project, or else by speaking to a risk expert, and is on a scale of 1 to 99%.

For example, suppose the risk that: “the inability of supplier X to conduct studies on a modification Y by the end of 2025” is 50% probable. This could be determined from feedback and analysis of the supplier’s workload.

Evaluating impacts severity (I):

To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at the project level. A scale is used to classify the different impacts and their severities. This ensures that the assessment of the risk and opportunity is standardized and reliable.

The criticality level of a risk or opportunity is obtained by the equation: Criticality = P x I

The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the response on critical items first.

In most projects, the objective of the quantitative assessment is to establish a financial evaluation of a risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the Risk Manager (with support of those responsible for estimates and figures), or the management controller depending on the organizational set up in the company. These amounts represent a potential additional cost (or a potential profit if we are talking about an opportunity) not anticipated in the project budget.

For this, it is therefore necessary:

• To evaluate the additional costs incurred by financially reviewing:
  • Hours of internal engineering
  • Hours of subcontracting
  • Additional work to do
  • Amendments and/or claims made to contracts
  • Etc.
• To calculate the cost of the undesired event’s consequences by adding these values.

This step will make it possible to estimate the need for additional budget for risks and opportunities of the project.

• Accept: Do not initiate any action but continue to monitor.
• Mitigate/Enhance: Reduce (for a risk) or increase (for an opportunity) the probability of occurrence and/or the severity of impact.
• Transfer/Share: Transfer responsibility of a risk to a third party who would bear the consequences of the problem (share the benefits of a realized opportunity).
• Avoid/Exploit: Entirely eliminate uncertainty / take advantage of the opportunity.

Monitoring the progress of the treatment plan is the responsibility of the risk owner. They must report regularly to the risk manager, who must keep the risk register up to date.

Note: The cost of a risk mitigation plan must be integrated into the budget of the project.

When defining a treatment plan:

• Each action begins with an action verb and has a clear purpose.
• Each action has an actionee and a deadline.
• Actions that could generate costs must be tracked and considered in the project.
• For example: to reduce the risk of my car breaking down, a treatment plan could be to have it checked annually by a repair shop.

In the previous article we identified the Risk and Opportunity Management Plan or ROMP as one of the five essential elements of Project Risk Management. It should include not only the project stakeholders and steering members, but the governance cadence for monitoring and reporting on risks and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction with the Project Manager.

We will go over both of these roles as well as additional roles within the Risk Management Team in more detail in our next article.