It is becoming increasingly recognised that the effect of uncertainty should be considered in everything we do, and that people and organisations should be aware of the risks they face. Risk is an inherent part of progress. However, we are not always seeking to eliminate risk but to control and manage it.
Failure to do so is viewed at best as inadequacy, and at worst as bad practice. Risk management is a collection of techniques and methodologies to help identify the uncertainties (whether threats or opportunities) that could impact on business, programme or project objectives. The intended outcome of risk management is to increase benefits from opportunities or to mitigate or eliminate negative impacts from threats.
By definition, a risk must have the potential to impact the project or business objectives. These are typically cost and time; however, other impacts can include quality, security, reputation and more. Any impacts to the objectives are relevant and should be measured and, importantly, managed.
Risks should be identified, analysed, managed and reviewed through all phases of a programme or project, and in all areas. Projects, particularly mega-projects, have become more common and more complicated over the last 20 years, and have increased the need to understand that complexity and the uncertainty that sits around it.
It is necessary to quantify risk and to try to understand the impact that uncertainty plays in complex projects on cost and time. Indeed, the International Cost Management Standard (ICMS) and the RICS New rules of measurement (NRM) require an assessment of risk as part of the cost estimation of projects. However, this has driven the industry to focus on quantification that, while useful, is not the only output from a well-run, robust risk management approach.
Risk management has developed into a global industry that has reached into every area of enterprise, and has developed techniques and methodologies to fit most situations. There is a lot of research and expertise in the market that can be tapped into to inform most scenarios, but the basic problem and solution remain essentially the same. The law of diminishing returns definitely applies to risk management, so always be mindful that more is not necessarily better. The trend is to combine analysis and management, but large risk registers do not make for good risk models, or useful forecasting tools. Consider the following tips:
- Apply the basics well. The most benefit will be from identifying, assessing and attempting to mitigate the risk, even in the simplest terms.
- Always apply clarity, consistency and simplicity.
- Bear in mind the task is to make a complex concept like ‘risk’ easy to understand so don’t overcomplicate – turn any complicated analysis into simple conclusions.
- Take the time to communicate – any efforts will be wasted if the target audience does not understand the threats and, more importantly, how to act on them.
- Measure success by the activity that is set in motion.
- Finally, be resilient. Risk management is not always considered helpful.