Project Risk Management

You have to take the maximum risks with the maximum precautions

Rudyard Kipling

Background: The Notion of Risk

According to ISO Guide 73, revised during the development of ISO 31000:2009, risk is defined as “the effect of uncertainty on objectives”.

An additional note clarifies that risk is often defined in terms of potential events and consequences, or a combination of both.

Care should be taken to distinguish the concept of risk from related concepts:
  • Unforeseen event: a potential event that cannot be identified in advance,
  • Contingency: a potential event that can be identified but not quantified,
  • Risk: a potential event that can be identified and quantified,
  • Problem: a potential event that has already occurred.

What is risk in project management?

A risk is an event or situation likely to affect at least one project objective, such as schedule, cost, quality, product performance, compliance with specifications, customer satisfaction, or the company’s image. A risk essentially implies a potential deviation from forecasts with a significant impact that is difficult to accept. It takes the form of probable, identified and measurable losses, such as:
  • Late-delivery penalties in the event of non-compliance with the schedule.
  • Loss of margin on the project, or even a net loss, if the budget is exceeded.
  • Customer dissatisfaction, which can lead to disputes, in the event of a quality defect.
  • User complaints about non-compliance.

When to manage risk?

Risk management is a constant concern throughout the life cycle of a project, from its initial commercial phase to its accounting close.

It is of structural importance from the pre-sales phase, since it determines the provision for risks, and during project launch (initialization or Sprint #0).

During execution, constant monitoring is essential.

Who manages the risks?

The project manager or project/program director is on the front line to ensure visibility of risks and, as far as possible, prevent them from turning into problems.

However, all project collaborators have a shared responsibility in identifying and managing risks operationally.

How to manage risks?

The risk management process is structured around four main steps:

  1. Risk identification,
  2. Risk assessment,
  3. Risk management,
  4. Risk monitoring and reporting.

Risk identification

The first step in the risk management process is to identify events that could negatively impact project objectives. This step is crucial from the pre-sales phase onward, so that risks can be assessed early. It is essential to involve all project stakeholders in order to spot potential problems and cover every type of risk. Examples of questions to consider:
  • Functional risks: is our understanding of the client’s needs and requirements sufficient to clearly define the scope of the project and estimate costs accurately?
  • Organizational risks: do we have adequate and competent human resources to manage the project within the client’s constraints?
  • Technological risks: is the required technology well mastered and proven enough to ensure the success of the project?
  • Financial risks: is the customer solvent? Are the penalty clauses acceptable?
  • Security risks: does the project require enhanced security measures? Is the customer exposed to significant security risks?
  • External risks: are there dependencies on unknown third parties or on regulations that could affect the project?
To identify risks, several approaches can be used, such as:
  • analysis of the documentation,
  • interviews with internal and external stakeholders,
  • brainstorming sessions,
  • feedback on similar projects, and the use of checklists or questionnaires.
In addition to identifying them, it is also necessary to detail the risks. To be considered valid, a risk must include the following:
  • Description of the risk
  • Causes of the risk
  • Consequences of the risk
  • Risk driver (the person responsible for steering it)
  • Risk assessment (qualitative and quantitative)
  • Treatment plan for the risk
It is important to produce a sufficiently detailed list of risks, to clearly distinguish between risks and problems, and not to confuse the two.

Risk assessment

Assessing a risk determines what its consequences would be if it materializes as a problem.

This assessment is based on two main axes: the impact of the risk if it materializes and its probability of occurrence. These two variables are used to define the severity of the risk.

The impact of a risk should be considered in four aspects: cost, time, quality, and compliance with requirements.

For each project, it is necessary to define a specific scale in order to homogenize and make the qualitative risk assessment more reliable. Using a matrix can make this easier, for example:


The probability of occurrence is estimated, as of the day the risk is identified, on a scale of 1 to 4.

Severity, also known as criticality, is defined by the product of the impact of the risk and its probability of occurrence:

S = P × I

The severity is materialized in the form of a crossover table (a probability-versus-impact grid), on which the identified and assessed risks can be positioned:
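As an added illustration, not code from the original article, here is a small Python model of a risk register entry carrying the required fields listed above, the severity S = P × I on the 1-to-4 scale, and the crossover table. The rule that the overall impact is the worst of the four aspects, and the sample risks, are my own assumptions.

```python
from dataclasses import dataclass
SCALE = range(1, 5)  # the page's 1-to-4 scale, used for probability and each impact aspect
IMPACT_ASPECTS = ("cost", "time", "quality", "compliance")

@dataclass
class Risk:
    ident: str
    description: str
    causes: str
    consequences: str
    owner: str          # the page's "risk driver"
    probability: int    # 1..4, estimated on the day the risk is identified
    impact: dict        # aspect -> 1..4
    treatment_plan: str = ""

    def validate(self) -> list:
        """Defects against the page's required-field list; an empty list means valid."""
        issues = [f"{self.ident}: missing {f}" for f in
                  ("description", "causes", "consequences", "owner", "treatment_plan") if not getattr(self, f).strip()]
        if self.probability not in SCALE:
            issues.append(f"{self.ident}: probability not in 1..4")
        issues += [f"{self.ident}: impact '{a}' missing or not in 1..4"
                   for a in IMPACT_ASPECTS if self.impact.get(a) not in SCALE]
        return issues

    def impact_score(self) -> int:
        return max(self.impact[a] for a in IMPACT_ASPECTS)  # assumption: the worst aspect counts

    def severity(self) -> int:
        return self.probability * self.impact_score()       # S = P x I

def crossover_table(risks) -> dict:
    """Grid indexed [probability][impact] holding the ids of the risks in each cell."""
    grid = {p: {i: [] for i in SCALE} for p in SCALE}
    for r in risks:
        grid[r.probability][r.impact_score()].append(r.ident)
    return grid

def ranked(risks) -> list:
    return [r.ident for r in sorted(risks, key=Risk.severity, reverse=True)]  # most severe first

SAMPLE_RISKS = [  # constructed sample register entries, not from the page
    Risk("R1", "Third-party component integrated without a security review", "Tight deadline",
         "Non-compliance finding at acceptance", "Security lead", 3,
         {"cost": 2, "time": 2, "quality": 3, "compliance": 4}, "Review before integration"),
    Risk("R2", "Key developer unavailable in sprint 3", "Single point of knowledge", "Schedule slip",
         "Project manager", 2, {"cost": 2, "time": 3, "quality": 1, "compliance": 1}, "Pair on critical modules"),
    Risk("R3", "Client test environment delivered late", "Client procurement", "Delayed tests",
         "Project manager", 1, {"cost": 2, "time": 2, "quality": 2, "compliance": 2}, "Use a mock environment"),
]
```

Entries that fail `validate()` should be sent back for completion rather than placed on the grid.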


Risk management

Risks can be addressed through an action plan as part of an appropriate response strategy. The objective is twofold: to reduce the probability of occurrence of the risk (prevention) and/or to mitigate its impact (mitigation). There are five possible treatment strategies:
  1. Avoidance: changing the risk factors at the source can prevent the risk, for example by adjusting the architecture during the initial design. The changes are then incorporated into the project plan.
  2. Delegation: the risk can be transferred to an entity that is better equipped to manage it. For example, an IT security risk can be assigned to a specialized team. The project plan documents this delegation of responsibility.
  3. Prevention: a risk can be mitigated by implementing preventive measures such as audits or specific tests, reducing its likelihood of occurrence.
  4. Decision-making: if the risk is inherent in the project, it can be accepted or rejected by the company’s management. For example, a first engagement with a new software publisher can be seen as a risk that the company chooses to take on or not.
  5. Conditional response: a contingency plan can be developed to respond to an identified risk, to be activated only if the risk materializes. This plan is documented in the project action plan.

Zoom: the provision for risks

The operational risk contingency is a budgetary reserve to cover the costs associated with the implementation of a risk reduction strategy.

It is crucial if the risks identified in a project are realized.

In concrete terms, it represents a percentage of the total project workload, valued at the project’s average daily rate.

This percentage depends on the level of risk estimated in the pre-sales phase and validated in the Deal Review, and covers the identified risks plus a proportion of unforeseen risks.

The recommended percentage ranges from 5% to 15%, depending on the risk level of the project.

Contingency is financially isolated and is only used when the criticality of a risk increases or when the risk materializes.

If it is not used, it is reintegrated into the turnover at the end of the project, to improve the margin.

The provision for risks is strictly confidential with respect to the client.

Risk monitoring and reporting

The project manager continuously monitors the risks, in collaboration with the stakeholders, to ensure that they are controlled.

Existing risks are regularly updated in the risk register, during recurring governance meetings or at key project milestones.

Action plans are adjusted according to the severity of the risks.

The consumption of the risk provision is also assessed at these times, with the prior approval of management if it has been committed.

Any new risk identified is recorded in the register as soon as it is identified, under the responsibility of the project manager.

Reporting is carried out during internal project committees, with a complete list of identified risks.

It is also carried out with the client during the steering committees, mentioning only the risks that are relevant to the client and avoiding those relating to the internal functioning of the company or that could be perceived as interference with the client.


Zoom: Opportunities

The SWOT matrix, which analyzes Strengths, Weaknesses, Opportunities, and Threats, has two external areas: threats and opportunities.

In this analysis, threats are equivalent to risks, representing events or situations that can negatively impact the project.

Opportunities, on the other hand, are unforeseen items, such as events, initiatives, or ideas, that could have a positive impact on the project.

Thus, effective project management requires equal attention to risks and opportunities. Every opportunity identified must be recorded, qualified, and integrated into the risk monitoring register.

An in-depth analysis of each opportunity can be carried out to objectively assess its relevance, and if necessary, it can be the subject of a specific action plan for its operational implementation.
