Beginners Guide to Risk Management

Published 14/07/23

Risk Management is fundamental to both project management and programme management, however it does not need to be complicated. This is an introductory guide to risk management for people who want to start to manage risk effectively. This guide is targeted at people who are new to project management, PMO offices or risk management.

What is a Risk?

To put it simply, a risk is something which may or may not happen and which could cause an impact.

Simple example: There is a risk that I could be late to work if the bus is late.

This may seem counter-intuitive but risks can also be positive. When a risk is positive, it is considered an opportunity.

Simple example: There is a risk that I could be early to work if the bus comes more quickly than expected.

 

Fundamentals of a Risk

At its most basic, a risk has 2 key elements:

1. Probability – the chance that it happens
2. Impact – what occurs if it happens

If you can express these two things then you have identified a risk.

Probability

The probability of something happening is often expressed as a percentage. When you look at the weather, the chance of rain is often shown as a percentage. This is an example of a risk with a defined probability.

Simple example: There is a 40% risk that it will rain at 10pm.

Impact

The impact is what will occur if the risk happens. In project management we often work to identify the financial impact of the risk (to provide a costed risk).

Simple Example: I have a job where I am paid hourly (we will use £10 per hour to keep things simple) and do not get paid if off work ill. There is a risk that I cannot work as I am ill.

Impact (as a cost) if I am ill for 1 day would be £80 (one 8-hour shift * £10 per hour).

Risk Exposure (Probability * Impact)

It is worth thinking of probability and impact as axis on the same graph:

This is because the true exposure of the risk cannot be calculated using just one of these two factors. You need both to identify the exposure of any given risk.

Note in terminology… Risk Exposure here is referring to the calculated value of each individual risk (as this is a beginners guide). Risk Exposure is also known as factored risk or calculated risk in some organisations. Additionally, businesses often look at their total Risk Exposure which is the sum of Exposure across all open risks.

Some examples of risks with different probabilities (%) and impacts (using 8 hour days at £10 per hour):

• Risk A – There is a 50% chance that it rains and I catch a cold. If I catch a cold I will be off work for one day (£80). Risk Exposure is £40 (50% chance of £80 impact).
• Risk B – There is a 10% chance that it rains and I catch pneumonia. If I catch pneumonia I will be off work for 5 days (£400). Risk Exposure is £40 (10% chance of £400 impact).
• Risk C – There is a 10% chance that it rains and I catch a cold. If I catch a cold I will be off work for one day (£80). Risk Exposure is £8 (10% chance of £80 impact).
• Risk D – There is a 40% chance that it rains and I catch pneumonia. If I catch pneumonia I will be off work for 5 days (£400). Risk Exposure is £160 (40% chance of £400 impact).

These risks can be plot onto the graph to show which risks have a higher exposure and which should be higher priority.

Probability vs Impact with examples

Risks in the top right part of the graph are the highest priority risks. Using our examples above, Risk D falls into the high exposure category (£160), Risks A and B had Moderate Exposure (£80 each) and Risk C had low exposure (£8).

How do we capture risks?

Generally risks on projects are captured on a Risk Register or within a RAID log (which contains a Risk Register). This is a list of all known risks with some information, including the probability and impact.

An example of a very simple risk register is shown below. There are many more pieces of information which would be captured which we will cover in another more advanced guide.

You may have spot 2 additional fields that we have not discussed so far:

• Owner – This is the person who is accountable for monitoring the risk and trying to make sure it doesn’t happen (or if it is an opportunity, a positive risk, making sure it does)
• Status – This is the status showing if the risk is still valid. Some risks are either able to be closed, such as our in bus example, you may buy a car to travel to work and so that risk would be closed or are time bound, such as the famous millennium bug where there was a risk that all computers would break on the year 2000.

Summary

When you think of a risk, always think of 2 things, what is the chance of it happening (probability) and what will happen if it occurs (impact). These two things will help you to clearly express your risks. If you have any questions, please don’t hesitate to contact us.