Key principles of risk management
Risk management strategy
Any organisation embarking on a programme of risk management should take time to determine what they are trying to achieve and what they hope the outcomes will be. Risk management should not be viewed as an add-on to the project management process but should be embedded into it. It is more effective when it is used in the early stages as opportunities for making changes reduce as the project develops. The diagram below sets out the principles, framework and process for a typical risk management system.

The important part is the process on the right-hand side, as this can be applied to any project, and the central activities of identification, analysis and evaluation, followed by risk treatment, are enough to have a significant impact on the project outcomes. Communication and monitoring are sensible to ensure the control of risk is kept up to date and remains relevant.
The framework is a wrapper that allows the process to be improved over time and is useful for organisations that have a continuing need. The principles are there to guide the outputs from the process and to drive the benefit.
Setting out the approach to any activity is advisable and risk management is no different. There are so many approaches, methodologies, applications, timescales and reporting arrangements that can be followed that it is worthwhile setting out a strategy, plan or terms of reference for what you are trying to do. The level of detail at which risk management is applied should vary depending on the size and complexity of the project. This does not have to be onerous but should contain a few basic elements such as:
- detail the risk appetite of the client;
- define who is responsible for risk management within the organisation;
- describe how risk is integrated into the project and how it interfaces with other project disciplines;
- outline the governance structure and any delegations relevant to risk approvals;
- outline the operating model for risk including the key roles and interfaces;
- set out a RACI chart for risk;
- describe the risk organisation and the capabilities and experience of its key members;
- describe how risks will be identified, analysed (qualitatively/quantitatively), managed and reviewed and the analytical techniques to be applied;
- determine the frequency of risk review meetings;
- stipulate the software tools to be used including a repository for risk information and any analytical tools to be used;
- identify the reporting requirements including forms to be used, structures of reporting and frequency; and
- identify and report on trends, if required, provide appropriate mitigation actions and advise of required decisions.
In embedding a risk management approach you should:
- understand the link between corporate and project requirements;
- identify current maturity level and any gaps;
- develop the risk approach that may include training and specific tools;
- implement the risk management process; and
- improve process and monitor effectiveness.
Risk maturity model
A risk maturity model can be used to assess existing risk management capability for a project and to identify a desired level of risk maturity.
The following table shows an example of a risk maturity model.
| Level | Title | Description |
| --- | --- | --- |
| 5 | Optimised | Risk-adjusted corporate performance |
| 4 | Embedded/managed | Risk management driving the decision-making process |
| 3 | Established/defined | Consistent compliance, communication and accountability |
| 2 | Formalised/repeatable | Basic compliance audit and risk awareness |
| 1 | Undeveloped | Basic non-compliance, audit failure, risk silos |
Risk appetite and tolerance
It can be useful to identify an organisation's tolerance of, or appetite for, risk as this can be instructive in determining how much effort and resource should be expended in managing risk. The client and project team would assess the amount of risk they are prepared to tolerate in given circumstances at given times, which should be in agreement with the organisation's culture and policies. This should reflect its perception of the importance of particular aspects of the project and will help to achieve a balance between risk and the cost of mitigation.
In reality, this is a difficult thing to achieve, as setting levels for some types of risk can be difficult and the measures are often qualitative and hard to justify. It also takes some effort, so it should be approached sensibly.
The diagram below is an example of a risk management process flow chart. It sets out the steps that can be taken as part of a risk management process. It is important that risk processes are defined so that they fit the host organisation's working practices. Risk management is a core process that sits alongside cost management, estimating, scheduling and change control, so it must fit with these other processes. While risk management can be applied in isolation, and frequently is, how the outputs are to be used must be determined up front, particularly where quantification is applied.

Figure 2: An example of a risk management process flow chart.