It is becoming increasingly recognised that the effect of uncertainty should be considered in everything we do and that people and organisations should be aware of the risks they face. Failure to do so is viewed, at best, as inadequacy and at worst bad practice. Risk management is a collection of techniques and methodologies to help identify the uncertainties (whether threats or opportunities) that could impact on business, programme or project objectives. The intended outcome of risk management is to increase benefits from opportunities or to mitigate or eliminate negative impacts from threats.
Note that risk is an inherent part of progress and that we are not always seeking to eliminate risk but to control and manage it. Furthermore, risk can have multiple impacts. People commonly think of an increase in cost or perhaps time but quality, security and reputation are all relevant and can all be measured, and, importantly, managed.
Risks should be identified, analysed, managed and reviewed through all phases of a programme or project and in all areas. Projects, particularly so called mega-projects or major programmes and portfolios have become more common and more complicated over the last 20 years and have increased the need to understand that complexity and the uncertainty that sits around it.
The standard approach today is to quantify risk and to try to understand the impact that uncertainty plays in complex projects on cost and time. This has driven the industry to focus on quantification that while useful is not the only output from a well-run, robust risk management approach.
The following chapters set out the basics to risk management and some approaches that might be followed.