The first challenge in understanding risk analysis in project management is to nail the definition of risk analysis. International standards like ISO 31000 notwithstanding, there are various definitions in circulation. We’ll stick here with the definition of risk analysis as the identification of the most probable threats, and the analysis of the related vulnerabilities of a project to these threats. Risk assessment as the evaluation of project security and controls, and their adequacy vis-à-vis the threats.
Image source: securityresearch.at
Trends in project risk analysis
The field is still developing with at least two project risk analysis (PRA) approaches. The first has its roots in safety and process hazards analysis. You ‘walk’ through the steps of the process to identify any unwanted events that could arise. This can also be considered the decision tree version. The second is an evolution of systems analysis that uses a mathematical model to forecasts outcomes of important project performance criteria. In this approach, risks are ranked according to their degree of influence on the end result. When larger numbers of factors are involved, the model rapidly has to become a simulation in order to handle the complexity. So here we have a stochastic model with sensitivity analysis.
Image source: apm.org.uk
Getting to grips with risk factors
There’s no shortage of things that might go wrong – or that might go right more than you dared hope for! Bearing in mind that risk can be positive as well as negative, examples of project risk factors include:
- Human resources: can’t hire staff soon enough; shortage of required skills; departure of key project team member
- Organization: lack of commitment; lack of support; withdrawal of organizational partner
- Technical: methodology does not work; equipment is late; costs are bigger than projected
- External suppliers: vendor relationship problems; late on execution; supplier financial failure
- Legal: copyright or patent holders won’t play ball; legal agreements take longer than planned; legal issues with data protection or IPR
The ability to prioritize risk
Image source: massey.ac.nz
While risk factor identification and modeling for a project are both important, so is the ability to prioritize. The long lists of potential risks that some tools or methods generate are not always the best basis for modeling the most important or most likely consequences. Competent project managers know that a risk should only be labeled ‘Critical’ or ‘High” if this is a realistic scenario (significant loss is occurring or will occur). Otherwise an ‘over-enthusiastic’ model can lead to an organization burning out resources uselessly.
Risk registers are simply records of risks that could significantly impact the performance of a project or that could simply prevent a project from being completed. A document like a project plan can list and describe such risks; so can an influence diagram in Analytica, which also allows the risks to then be connected to a model to show possible outcomes for project performance criteria such as quality, cost or timeliness. Certain organizations hold national risk registers for project managers who want to know if they’ve missed anything in their planning.
If you’d like to know how Analytica, the modeling software from Lumina, can help you analyze risk in different types of project, then try the free trial of Analytica to see what it can do for you.