SaferPak: Food Packaging Safety, Food Safety, Business Improvement and Quality Management

Risk Management in Projects: 17 Steps to Success
By Jeff Crump

Theoretically, every decision on a project should be subjected to some form of risk analysis. However, to repeat a formal assessment is impractical for all but significant project events and changes. In other circumstances it is sufficient for the project manager to have a “risk awareness” of any changes taking place. The effective management of risk includes both this informal awareness and a structured approach.

Within a project, there are 17 steps that can be taken to help manage risk. These steps can be grouped into four major categories:

• Planning: Identifying the type of response appropriate for each risk; developing a detailed plan of action; confirming its desirability and objectives; and obtaining management approval.
• Resourcing: Identifying and assigning the people and other resources (e.g. money and equipment) necessary to do the work; also confirming that the plan is feasible.
• Controlling: Making sure that events on the plan are really happening.
• Monitoring: Making sure that execution of the plan is having the desired effect on the risks identified. Also ensuring that the management of risk processes is applied effectively.

The extent to which these activities need to be addressed depends upon the size and nature of the particular project under review. Also, these activities are not necessarily carried out sequentially. This paper will walk clients through the 17 steps and actions involved in risk management on a project basis.

The basis of risk management is in the “action plan”, which is developed in steps 1 – 7. It’s important to note that inadequate attention to some of the early steps may waste time and effort later.

Step 1: Determine risk indicators and pass information to risk evaluation. The level of acceptability of a risk or group of risks needs to be decided as part of the planning process prior to its use in the evaluation activity of risk analysis.

Step 2: Using the ordered set of risks, assess each against its indicators. When risk estimation is finished during the risk analysis phase, all the identified risks are placed into an order of importance based on their likelihood and potential consequences. It is now necessary to superimpose upon this list the risk indicators that have been defined.

Step 3: Select the most appropriate means of reducing each risk. No further action, other than monitoring, is required for risks that are below their risk indicator. Actions on risks that are above their defined level of acceptability may also be deemed undesirable. If the cost of such action is not justified, then either the risk indicator needs to be adjusted or the project must be halted.

Step 4: If the risk is to be accepted without trying to avert it, go to Step 6. If the risk is to be eliminated, its likelihood or consequences reduced, or its consequences mitigated, then design an appropriate course of action. If a risk is to be accepted without any reduction measures taken, then it need only be monitored. It is important, however, that the approach to monitoring is planned. If the elimination of risks, or reduction of their likelihood or consequence, is selected, some proactive action is implied.

Step 5: Ensure that the course of action selected does not produce any unintended consequences. Part of the planning process is to ensure that whatever means are selected to deal with the risks identified, these new actions themselves will not make things worse.

Step 6: Create a preliminary risk management plan and define the initial monitoring requirements. A detailed risk management plan is created as a result of the planning process, to implement the risk reduction measures decided upon. The risk management plan summarizes the risk analysis conducted, as well as recommends courses of management based upon the level and types of risk present.

Step 7: Present plan to management for authority to proceed. Execution of the risk management plan must not begin until senior management has formally approved the plan. This step is undertaken to ensure that staff or cost commitments are fully appreciated, and that the approach being proposed for risk management is in line with the overall strategy of the organization.

To undertake the identified tasks, resources must be allocated to each task and final adjustments to plans made. These plans must reflect skills, experience and availability of the identified resources.

Step 8: Allocate resources to risk management plan. The allocation of resources to risk reduction is one of the critical activities of the risk management phase, and can proceed in parallel with Step 6 of the planning activity. The risk planning process must concentrate on ensuring that the highest priority risks are attended to first.

Step 9: Assign responsibility for the activities identified in the risk management plan. As part of the resourcing activity, authority for risk management activities is delegated and responsibility assigned throughout the organization to individuals and groups.

Step 10: Ensure the risk management plan is feasible, and perform re-analysis of risks if necessary. Having allocated resources to the plan it is necessary to make a final judgment concerning feasibility of the plan. Aspects to consider at this stage primarily concern appropriateness of resource allocation and whether this allocation has implications for planned cost and time.

Step 11: Finalize the risk management plan and begin its execution. Although the elimination of risks is the aim of management of risk, generally this is not plausible or practical due to the scarcity of resources available for risk reduction, the unacceptably high cost of any action that would be effective, or the nature of the risk. Thus, a combination of acceptance, elimination, reduction and mitigation measures must be put into place.

Once the risk management plan has been finalized and execution begins, then the activities defined within the plan must be undertaken with suitable control being exercised.

Step 12: Ensure progress against the risk management plan is within resource limits. Control activities concentrate on ensuring that the risk management activities specified in the project plan are being properly executed.

Step 13: Coordinate the execution of the risk management plan with existing organizational activities. Communication makes up a large part of the control activities. All risk reduction activities have to be coordinated with each other and with other activities, notably those concerned with the development of the project itself. Specific action may be necessary to harmonize the implementation of both risk reduction and project work.

Step 14: Resolve any conflicts over resource allocation. Resource conflicts must be addressed before they compromise the implementation of the risk management plan or the project development activities. There must be no hesitation in using the escalation procedure if the problem cannot be resolved at the project manager level.

Having planned and then controlled the activities on the project, it is necessary to monitor progress against the plan and assess whether everything is proceeding healthily. Project progress is specifically assessed at the control points, such as end-stage and mid-stage assessments.

Step 15: Capture lessons learned on the effectiveness of risk reduction measures. As project plans are executed, they must be monitored to ensure that their objectives are achieved as intended. It should be recognized that, in a high-risk environment, the one thing that can be expected is that not everything will happen according to plan. What is important is that an understanding of what needs to be done develops during the planning and monitoring processes.

Step 16: Check that the risk indicators are not being exceeded, and that reduction efforts are effective. At regular periods, the progress should be checked against the plan to ensure that:

• Risks identified earlier are still valid, and the risk indicators have not changed
• Any changes of risk significance are understood and communicated to those who need to know
• Implemented responses have been effective and lessons learned are captured
• The risk reduction measures can be considered a success (or if they are failing then identify new measures that need to be put into place)
• Residual risks are acceptable, or are subject to continuing action on the plan; in this event the monitoring must continue
• No other risks have materialized over time

Step 17: Discover the reason(s) for change in the risk status. If minor corrective action is required, return to Step 14. It is, of course, possible that the risk reduction measures are not working as well as had been expected, and thus that corrective action is required. If the corrective action required is significant in terms of cost and time, especially if it involves several risks (a highly likely situation), a new risk analysis may be required.

In summary, helping to identify the possible options is central to risk analysis; choosing between such options is central to risk management. The effort expended on analyzing and managing risk depends upon several factors, including:

• Project size, length
• Criticality of project to the business
• Experience of the project team

The effort expended on managing risk should be reasonable enough to keep risk exposure to acceptable levels within the overall constraints of the project.

Note: The fundamental content for this paper was taken directly from the Management of Risk Library, An Introduction to Managing Project Risk, © Crown 1995, Introduction to the Management of Risk, © Crown 1994, and Management of Project Risk, © Crown 1994. Some paraphrasing and consolidation has occurred to achieve intended results.


Jeff Crump is a tech-savvy leader with nearly 20 years of information technology experience including enterprise change management, ChangeMan consulting, project management, customer relationship management, sales and business development, managing international professional services groups, and delivery efforts for high-tech commercial and government customers. Jeff is a Director of EnterpriseCM, Inc. (ECMI), a collaboration of powerful technology, process improvement expertise, and veteran change management professionals. ECMI brings together Enterprise Change Management thought leadership and real-world implementation experience to offer customers educated, informed and seasoned consultation services. Jeff can be contacted Toll Free: +1.866.788.5383, Direct: +1.480.710.0953, E-mail: JCrump@EnterpriseCM.com, Web: www.EnterpriseCM.com.






© 2006 SaferPak Ltd.