People often use the term “risk” as a purely negative word, but as explained earlier it is defined as the “effect of uncertainty on objectives”. That definition covers both positive and negative effects, so two qualifying terms are used to distinguish the two directions of uncertainty:
• Opportunities are those risks with potential to impact positively on a project’s objectives.
• Threats are those risks with potential to impact negatively on a project’s objectives.
For effective risk management, it is important that similar effort be devoted to the identification and management of opportunities and threats to maximise value to the project.
After risk type, the definition (name) of a risk is the most important attribute; it sets the context for all the attributes that follow. Someone browsing a risk register will typically read only the risk name and its position within the register, so the name must concisely convey the full nature of the risk, including its cause and its effects.
One way of ensuring this is to use risk meta-language: a structured naming technique that clearly separates the cause, the risk event and the effect of a potential threat or opportunity, so that the full nature of the risk is expressed succinctly. Risk meta-language usually follows a structure similar to “Due to <cause>, there is a risk that <risk event> may happen, resulting in <effect on objectives>.”
If a risk can’t be expressed in this format, it’s likely that it lacks definition or perhaps isn’t even really a risk!
At this point, the different emphases of Qualitative and Quantitative Risk Analysis become relevant.
For Qualitative Risk Analysis, risks are often grouped into Areas of Risk: a single Risk Event that may be triggered by a range of causes and may in turn lead to a range of consequences. Treatments and controls are then listed in two groups: Proactive or Causal controls, which act on the causes, and Reactive, Consequential or Adaptive controls, which act on or deal with the consequences.
For Qualitative Risk Analysis it therefore makes sense to construct so-called “Bow Tie Diagrams”, with the various causes directed at the single Risk Event at the knot of the bow tie and the various Consequences flowing out from it. The diagram can show the Causal Controls as barriers between the Causes and the Risk Event, and the Consequential Controls as barriers between the Risk Event and the various Consequences.
Semi-Quantitative Bow Tie Diagrams can also be developed, combining features of Fault Trees (on the cause side) and Event Trees (on the consequence side).
The following Bow Tie Diagram was included in a paper “Combining EA techniques with Bow-Tie Diagrams to enhance European Port Security” by Nikolaos Papas of BMT Hi-Q Sigma Ltd., Basingstoke, UK (
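As an added worked example (not from the original page or from the paper cited above), the following Python script evaluates a semi-quantitative bow tie of the kind described above: the cause side is a fault-tree OR gate, the consequence side an event tree, and each control is a barrier that stops a stated fraction of what reaches it. The risk event, causes, controls, effectiveness figures and impacts are all constructed for illustration, and the barriers are assumed to act independently of one another.

```python
"""Added example (not from the original page or the cited paper): a semi-quantitative
bow tie. Cause side = fault-tree OR gate, consequence side = event-tree branches,
causal and consequential controls = independent barriers that each stop a stated
fraction of what reaches them. All names and numbers below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cause:
    name: str
    probability: float        # chance this cause arises in the assessment period
    barriers: tuple = ()      # causal (proactive) controls: (name, effectiveness 0..1)


@dataclass(frozen=True)
class Consequence:
    name: str
    conditional_probability: float   # P(this consequence | risk event) with no reactive control
    impact: float                    # cost if the consequence materialises
    barriers: tuple = ()             # consequential (reactive) controls: (name, effectiveness 0..1)


def pass_through(barriers, apply_barriers=True) -> float:
    """Fraction that gets past every barrier in series (barriers assumed independent)."""
    if not apply_barriers:
        return 1.0
    p = 1.0
    for _, effectiveness in barriers:
        p *= 1.0 - effectiveness
    return p


def pathway_probabilities(causes, apply_barriers=True) -> dict:
    """Per cause: probability that it arises AND escapes its causal controls."""
    return {c.name: c.probability * pass_through(c.barriers, apply_barriers) for c in causes}


def event_probability(causes, apply_barriers=True) -> float:
    """OR gate: the risk event happens if at least one pathway gets through."""
    p_none = 1.0
    for p in pathway_probabilities(causes, apply_barriers).values():
        p_none *= 1.0 - p
    return 1.0 - p_none


def expected_loss(causes, consequences, apply_barriers=True) -> float:
    """Event-tree side: each consequence branch weighted by its conditional probability,
    the fraction escaping reactive controls, and its impact."""
    p_event = event_probability(causes, apply_barriers)
    return sum(p_event * k.conditional_probability * pass_through(k.barriers, apply_barriers) * k.impact
               for k in consequences)


def dominant_pathway(causes, apply_barriers=True) -> str:
    """The cause whose residual pathway contributes most: the first place to add a barrier."""
    paths = pathway_probabilities(causes, apply_barriers)
    return max(paths, key=paths.get)


# Constructed example: risk event "production deployment credentials are compromised".
CAUSES = (
    Cause("phishing of an engineer", 0.40, (("phishing-resistant MFA", 0.90),)),
    Cause("reuse of a password exposed in a third-party breach", 0.20, (("breached-password screening", 0.70),)),
    Cause("secret committed to a repository", 0.10, (("pre-commit secret scanning", 0.80),)),
)
CONSEQUENCES = (
    Consequence("unauthorised production deployment", 0.50, 200_000, (("two-person deployment approval", 0.60),)),
    Consequence("customer data exfiltration", 0.30, 500_000, (("egress monitoring and alerting", 0.40),)),
)

if __name__ == "__main__":
    for label, flag in (("without controls", False), ("with controls", True)):
        print(f"{label}: P(event)={event_probability(CAUSES, flag):.3f} "
              f"expected loss={expected_loss(CAUSES, CONSEQUENCES, flag):,.0f} "
              f"dominant pathway={dominant_pathway(CAUSES, flag)!r}")
```

Running the script shows what a bow tie is for: with no controls the phishing pathway dominates, but once the causal barriers are applied the breached-password pathway becomes the largest residual contributor, which is where the next proactive control belongs. The treatment of barriers as independent and of each consequence branch as separately weighted is a modelling assumption of this example, not something the page asserts.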
For Quantitative Risk Analysis using the Monte Carlo Method, each cause of the risk event is treated as a separate risk definition, with the consequences for that causal risk included in the risk definition, whether singular or multiple. This enables applicable treatments for that causal risk event to be associated with it and for Pre- and Post-treatment Risk Assessments to be determined for the applicable risks. It also enables analysis and comparison of combinations of proposed treatments for a given risk to select the best cost/benefit combination of treatments.
Risk Registers for Quantitative Risk Analysis are likely to include higher numbers of separately defined and more precise risks than Risk Registers for Qualitative Risk Analysis. But the Qualitative Risk Register based on Bow Tie Risks is more suitable for managing groups of related risks and treatments.
Each threat and opportunity within a register must be assessed for Likelihood. A risk’s likelihood is an expression of the chance that the risk will occur. Likelihood can be expressed qualitatively using terms for levels such as “Rare”, “Unlikely”, “Possible”, “Likely”, and “Almost Certain”, or quantitatively using a percentage scale from >0% to <100%, when it is referred to as Probability.
A risk is only a risk insofar as it has the potential to affect a project’s objectives and is uncertain. A risk with a probability of 0% will never occur and so is not a risk at all. A risk with a probability of 100% is no longer uncertain: in project terms it is an Issue and, if it is a Threat whose impact means one or more Project Objectives cannot be achieved, it belongs in the Issues Register rather than the Risk Register.
ISO 31000 defines Consequence as the outcome of an event affecting objectives. In the context of project risk management, the event may be taken as a risk event. The consequences may be certain or uncertain and may be expressible qualitatively or quantitatively. When expressed quantitatively, it is normally defined as an Impact.
Risk consequence is an expression of the effect of the risk should it occur. A risk can have multiple categories of consequence, such as Safety, Cost, Environmental, Schedule and Reputational.
Consequences can be expressed qualitatively using terms for levels such as “Insignificant”, “Minor”, “Moderate”, “Major” and “Catastrophic”. Alternatively, where appropriate, consequences can be expressed quantitatively in increments of an appropriate unit (currency for cost, days for schedule), in which case they are referred to as impacts.
Each quantifiable impact type may be assigned an impact distribution to define the range of uncertainty in understanding of the risk’s effect. This is useful because often risks may not be definable with precisely quantifiable outcomes. Take for example the risk of a flood. Historical weather data may show that a flood occurs, say, every 5 years in a particular region, so we may be able to define the probability in any one year as 20%. What is not definable is the extent of the flooding should it occur. It could range from heavy rain causing minor localised flooding, through to moderate or even major flooding throughout a region. In these situations an impact distribution range may be required to define the time delay for project activities affected by the flood and/or the costs of recovery from damage caused by the flood.
An impact distribution range can be characterised by a minimum, most likely and maximum impact value for each quantifiable impact type (a three-point estimate, commonly modelled as a triangular or PERT distribution). Such ranges are known as impact probability distributions.
A risk’s magnitude or exposure refers to the combined effect of its probability and impact assessments. A low probability risk with a low impact assessment may be considered to affect the project objectives negligibly or to have a low risk exposure, whereas a high probability risk with a high impact assessment would be considered to affect project objectives with high or even extreme risk exposure.
A risk may be expressible with a range of probabilities and impacts, in some cases a continuum of risk exposures from Low Impact/High Probability through Moderate Impact/Moderate Probability to High Impact/Low Probability. An adverse weather event is an example: it may range from regular occurrences of high rainfall in a 24-hour period that stop work on parts of the project, through unusually high rainfall causing minor flooding, to a major cyclonic event striking the project site directly and causing substantial damage that takes weeks to reinstate. As the impact severity increases, the frequency or probability in any given period decreases.
In some Risk Registers one, two or all three of these descriptions may be included as separately identifiable and treatable risks, each with a separate probability and impact range (as described under Consequence / Impact) and possible set of treatments.
For quantitative risk analysis, there are typically three different types of exposure rating associated with any given risk:
• Pre-treatment exposure refers to the combined effect of the original probability and impact assessment. This is the magnitude of the risk if nothing is done about it.
• Post-treatment exposure refers to the combined effect of the probability and impact assessments of the risk after applying all accepted or implemented treatments. This is the magnitude of the risk if all accepted treatments are successfully implemented.
• Target exposure is the probability and impact the project expects, and commits, to reach once all accepted treatments are implemented. There should be an auditable basis for expecting the Target Exposure to be achievable, preferably a realistic assessment of the effect of each accepted treatment on the risk’s probability and impact, so that the target reconciles with the post-treatment assessment. If this cannot be demonstrated, the validity of the Target Exposure is open to question.
It is not uncommon in qualitative risk analysis for Target Exposure ratings to have no audit trail to prove their validity.
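As an added example (not part of the original page), the following Python script computes pre- and post-treatment exposure for a small quantitative register of the kind described above. Each risk has a probability and a minimum / most likely / maximum cost impact modelled as a triangular distribution; each treatment records its assessed effect as a multiplier on probability and on impact; and only accepted, started or applied treatments count towards the post-treatment figure. Exposure is reported both analytically (probability times mean impact) and by Monte Carlo simulation, and the target check is the audit trail the text asks for: a Target Exposure is only supported if the recorded per-treatment effects actually reach it. The risk names, figures and treatments are constructed for illustration.

```python
"""Added example (not from the original page): pre-/post-treatment exposure for a
quantitative risk register, with a three-point impact distribution per risk,
evaluated analytically and by Monte Carlo simulation. All risks, figures and
treatments below are constructed for illustration."""
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Impact:
    """Minimum / most likely / maximum impact, modelled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def expected(self) -> float:
        # The mean of a triangular distribution is the average of its three parameters.
        return (self.low + self.mode + self.high) / 3

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Treatment:
    """A treatment's assessed effect, recorded as multipliers on probability and impact.
    Only accepted, started or applied treatments count towards post-treatment exposure."""
    name: str
    status: str                     # potential | accepted | started | applied
    probability_factor: float = 1.0
    impact_factor: float = 1.0


COUNTED_STATUSES = {"accepted", "started", "applied"}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float              # chance the risk event occurs within the project (0 < p < 1)
    impact: Impact                  # cost impact in currency units if it occurs
    treatments: tuple = ()

    def post_treatment(self) -> "Risk":
        """The pre-treatment risk with every counted treatment's factors applied."""
        p, imp = self.probability, self.impact
        for t in self.treatments:
            if t.status in COUNTED_STATUSES:
                p *= t.probability_factor
                f = t.impact_factor
                imp = Impact(imp.low * f, imp.mode * f, imp.high * f)
        return replace(self, probability=p, impact=imp)


def expected_exposure(risks) -> float:
    """Analytical expected cost of the register: sum of probability x mean impact."""
    return sum(r.probability * r.impact.expected() for r in risks)


def simulate(risks, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo: in each trial every risk fires independently with its probability and,
    if it fires, contributes one impact sample. Returns a summary of the total-cost distribution."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.probability:
                total += r.impact.sample(rng)
        totals.append(total)
    totals.sort()

    def percentile(q: float) -> float:
        return totals[min(int(q * trials), trials - 1)]

    return {"mean": mean(totals), "p50": percentile(0.50), "p80": percentile(0.80), "p95": percentile(0.95)}


def target_is_supported(risks, target: float) -> bool:
    """A Target Exposure has an audit trail only if the counted treatments' recorded effects reach it."""
    return expected_exposure([r.post_treatment() for r in risks]) <= target


# Constructed register (hypothetical names and figures).
REGISTER = (
    Risk("Due to unpatched internet-facing services, there is a risk that a compromise of the web tier "
         "may happen, resulting in incident response cost and schedule delay",
         probability=0.30, impact=Impact(20_000, 60_000, 250_000),
         treatments=(
             Treatment("14-day patch SLA for external assets", "accepted", probability_factor=0.5),
             Treatment("EDR rollout plus incident response retainer", "accepted", impact_factor=0.6),
             Treatment("Network segmentation redesign", "potential", impact_factor=0.5),  # not yet counted
         )),
    Risk("Due to a single vendor for key equipment, there is a risk that delivery slips "
         "may happen, resulting in standby labour cost",
         probability=0.60, impact=Impact(5_000, 15_000, 40_000)),
)

if __name__ == "__main__":
    post_register = [r.post_treatment() for r in REGISTER]
    pre, post = simulate(REGISTER), simulate(post_register)
    print(f"pre-treatment:  analytic EV {expected_exposure(REGISTER):,.0f}  "
          f"simulated mean {pre['mean']:,.0f}  P80 {pre['p80']:,.0f}  P95 {pre['p95']:,.0f}")
    print(f"post-treatment: analytic EV {expected_exposure(post_register):,.0f}  "
          f"simulated mean {post['mean']:,.0f}  P80 {post['p80']:,.0f}  P95 {post['p95']:,.0f}")
    print("target EV of 25,000 supported by accepted treatments:", target_is_supported(REGISTER, 25_000))
```

The analytic expected value is enough for ranking risks, but the simulated P80 and P95 are what a contingency allowance should be sized against, because a register of low-probability, high-impact risks has a mean well below the cost of a bad year. Note that the "potential" treatment is deliberately excluded: a target that relies on it has no auditable basis until the treatment is accepted.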
To manage the risks in the register effectively, a helpful feature is that of the risk status, to focus attention where it is most needed. Typically, risks are assigned one of three statuses:
• Inactive risks are those that have been identified but not accepted as actively applicable in the risk register. Inactive risks may be awaiting further information to better define them before being accepted or may have been rejected, either as being invalid or as of negligible or too low magnitude to warrant being made active. Inactive risks need to be regularly reviewed and converted to “active” status if justifiable or discarded from further consideration and transferred to a discarded risk register.
• Active risks are those that are currently recognised as open threats to or opportunities for the project. Active risks need to be regularly monitored and fully assessed by the project team to ensure that they are treated as necessary. Active risks need to be regularly reviewed, the status of agreed treatments reported against planned implementation commitments and dates and action taken to ensure revised dates are agreed where planned dates have not been met.
• Past risks are those that have been assessed to no longer pose a threat or opportunity to the project’s objectives. This usually occurs through change of project phase or through the passage of time. Risks should only be assessed as “past” when they genuinely can no longer have an impact on a project’s objectives. Where risks are no longer applicable, they should be converted to “past” status as appropriate and recommendations made regarding any time or cost contingency allocated against them.
Each risk should be assigned a risk owner. The risk owner is the person accountable for all necessary steps required to manage the risk including its treatments. That person may be responsible for the day to day monitoring and management of the risk or may delegate that responsibility to someone else, in which case that responsible person reports regularly to the Risk Owner. The risk owner should be someone with a full technical understanding of the risk and its implications. Additionally, the risk should only be assigned to an owner who has the authority to ensure that all necessary steps required to manage the risk are enacted. Assigning risk responsibility without authority ultimately results in the inability to effectively manage the risk.
For a brief introduction to this section refer to section
A risk’s treatment strategy refers to the overall combination of treatments that best capitalises on an opportunity or minimises a threat. Each risk should be assigned a combination of treatments that suits both the risk itself and the organisation’s ability to influence the factors contributing to it and the outcomes associated with it. Broadly speaking, there are eight types of treatment: four for threats and four for opportunities.
Threats:
• Avoid – Avoidance refers to the general strategy of eliminating the uncertainty associated with a threat by preventing it from occurring. Naturally, only some threats can be avoided, and this usually involves a change in strategy or similar to eliminate the possibility of the risk occurring.
• Transfer / Share – Through insurance, an effective contracting strategy or similar means, it may be possible to transfer some or (rarely) all of the exposure associated with a threat to a third party. This is known as threat transfer. It is one of the most commonly practised forms of risk treatment, but it usually involves, directly or indirectly, paying the party that assumes the risk to compensate them for their additional exposure, and it moves the financial consequence rather than the event itself, which can still disrupt the project. For Project Owners it is rare to transfer a risk entirely; it is more realistic to regard this as risk sharing.
• Reduce – In some instances it is possible to reduce the overall threat exposure by reducing (but not eliminating) the probability of occurrence and/or the impact level. Reduction strategies are only effective where the organisation can directly affect the factors contributing to, or the outcomes associated with, the risk. This form of treatment is usually known as risk mitigation and is what many people think of when considering risk treatments.
• Accept – An organisation may choose simply to accept that a threat may or may not occur on a project and do nothing about it. This is known as accepting a threat. There are many reasons for accepting a threat, but some common ones are:
▪ The threat is of little consequence to the project’s objectives;
▪ No other mitigation strategy is possible; or
▪ The cost of mitigating the threat does not provide a good pay-off in risk exposure reduction.
An extreme example is accepting the threat of the project site being struck by a meteorite.
Opportunities:
• Exploit – The polar opposite of avoidance, opportunity exploitation refers to ensuring that an opportunity eventuates (raising its probability to 100%).
• Share – An organisation may choose to share an opportunity with another stakeholder in the project to create mutual benefit, increasing the likelihood or size of the positive outcome beyond what it could achieve alone.
• Enhance – As opposed to reduction strategies for threats, enhancement strategies for opportunities seek to maximise the probability of an opportunity occurring or to maximise the positive impact on the project’s objectives should it occur.
• Ignore – If an opportunity is of little consequence, beyond influence, or too difficult or costly to treat in any other way to increase its likelihood or consequence, an organisation may choose simply to ignore it. In doing so it accepts that the opportunity may or may not arise and that its potential benefit will be limited to the inherent characteristics of the opportunity as originally identified.
Having decided on a general strategy for risk treatment, it is important to identify clearly how this is to be achieved. The first step is to name and describe all of the strategies that could be employed to modify the risk exposure. Similar to the strategy described for naming risks, a meta-language approach can be used for naming treatments. An example might be: “By <performing action>, <describe outcome>, resulting in <effect on probability and/or impact of risk>”.
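As an added example (not from the original page), the following Python lint checks register entries against the two meta-language templates above: risk names against “Due to <cause>, there is a risk that <event> may happen, resulting in <effect>” and treatment names against “By <action>, <outcome>, resulting in <effect>”. Entries that do not fit are reported, which is the “lacks definition” test applied mechanically before an entry reaches the register. The sample entries are constructed, and the templates are assumptions about the exact wording a given register standardises on; the regular expressions are anchored on the literal connectives, so an action or cause that itself contains a comma will need rephrasing.

```python
"""Added example (not from the original page): lint risk and treatment names against
the cause / risk event / effect and action / outcome / effect meta-language templates.
The exact template wording and the sample entries are assumptions for illustration."""
import re

RISK_TEMPLATE = re.compile(
    r"^Due to (?P<cause>.+?), there is a risk that (?P<event>.+?) may happen, resulting in (?P<effect>.+?)\.?$",
    re.IGNORECASE,
)
TREATMENT_TEMPLATE = re.compile(
    r"^By (?P<action>.+?), (?P<outcome>.+?), resulting in (?P<effect>.+?)\.?$",
    re.IGNORECASE,
)


def parse_risk(name: str):
    """Return {'cause', 'event', 'effect'} or None if the name does not follow the meta-language."""
    m = RISK_TEMPLATE.match(name.strip())
    return m.groupdict() if m else None


def parse_treatment(name: str):
    """Return {'action', 'outcome', 'effect'} or None. The action is read up to the first
    comma, so an action containing a comma must be rephrased for the lint to accept it."""
    m = TREATMENT_TEMPLATE.match(name.strip())
    return m.groupdict() if m else None


def lint_register(entries) -> list:
    """entries: iterable of (risk_name, [treatment_names]). Returns (entry, problem) pairs."""
    problems = []
    for risk_name, treatment_names in entries:
        if parse_risk(risk_name) is None:
            problems.append((risk_name, "risk name does not separate cause, risk event and effect"))
        for treatment in treatment_names:
            if parse_treatment(treatment) is None:
                problems.append((treatment, "treatment name does not state action, outcome and effect on the risk"))
    return problems


# Constructed sample entries.
GOOD_RISK = ("Due to unpatched internet-facing services, there is a risk that a compromise of the web tier "
             "may happen, resulting in incident response costs and a delayed go-live.")
GOOD_TREATMENT = ("By applying vendor patches within 14 days, exploitable vulnerabilities are closed before "
                  "they are weaponised, resulting in the probability of compromise being reduced from 30% to 15%.")
SAMPLE = [
    (GOOD_RISK, [GOOD_TREATMENT, "Patch servers"]),
    ("Server might get hacked", []),
]

if __name__ == "__main__":
    print(parse_risk(GOOD_RISK))
    print(parse_treatment(GOOD_TREATMENT))
    for entry, problem in lint_register(SAMPLE):
        print(f"REJECT: {problem}: {entry!r}")
```

A register fed through a check like this cannot accept “Server might get hacked” as a risk, because it names neither a cause that a proactive control could act on nor an effect on an objective that could be quantified, while the well-formed entry yields the cause, event and effect as separate fields that later attributes (treatments, impact categories) can be attached to.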
Similar to the assignment of an owner to each accepted risk, each accepted risk treatment must be assigned an Owner. This treatment Owner is accountable to the Risk Owner for the management and successful implementation of the treatment, must know how each step of the agreed treatment is to be implemented and have the authority to make decisions about their implementation. The Treatment Owner may delegate responsibility for day-to-day actions in implementing the treatment but remains accountable for the successful implementation of the treatment.
There may be multiple treatments implemented for individual risks and a different Treatment Owner for each treatment. The Treatment Owner and the Risk Owner may also be the same person.
The implementation of the risk treatment is an essential step in the risk management process, as without assignment of treatment accountability and subsequent implementation, treatment identification is a theoretical exercise only.
Treatment status is a progressive classification for managing risk treatments through their lifecycle. Risk treatments are classified by the following statuses:
• Potential treatments are those that have been identified but not approved for further action.
• Accepted treatments are those that have been approved for further action, including analysis of their effects on the risk, but whose implementation plan has not been started.
• Started treatments are those that have begun to be implemented, but are not yet completed.
• Applied treatments are those that have been fully implemented.
It is important to ensure that risk treatment statuses are accurately maintained and reported to ensure that all necessary actions are taken for the treatments to be effective in a timely way.
Until agreed treatments are fully implemented, risk management is not effectively applied to that risk.