
PROJECT QUALITY

3. RISK AND RISK MANAGEMENT

After having seen all the aspects related to quality in order to successfully manage our
project, it is vitally important to talk about risk and its management, since, like the
previous criterion, it is also crucial for the success or failure of our company or project.

We face all kinds of risks every day that need to be dealt with in order to continue our
activity and achieve our objectives. Response capacity in dealing with problems is
critical to the success of the project, so it must be as fast and accurate as possible. Its
achievement would require good risk management, which involves identifying
potential risks and problems, and establishing preventive actions to avoid them or
corrective actions to overcome them.

This third chapter will deal with risk, types of risk, integrated risk management and
the process for good risk management. We will also briefly introduce the ISO 31000
standard in order to address the main legal considerations regarding risk management.

3.1. RISK AND TYPES OF RISK

Risk is defined as “a probability or threat of damage, injury, liability, loss, or any other
negative occurrence that is caused by external or internal vulnerabilities, and that may
be avoided through pre-emptive action”.

There are two concepts strictly linked to this definition of risk, which are vulnerability
and threat.

Vulnerability refers to being exposed to a hostile agent or factor, while threat
indicates an approaching menace.

In short, the three concepts refer to the possibility of suffering some kind of damage,
hence, the need to establish a management system.



When it comes to business risk types, we can differentiate three large groups.

The first type is pure risk, also called absolute risk. It is a category of threat that is
beyond human control and loss is its only possible outcome. It includes incidents such
as fire, natural disasters, technical failures, etc.

The second type is speculative risk. Unlike pure risk, speculative risk has the possibility
for loss or gain and requires considering all potential risks before choosing an action.
Businesses purchase new equipment, venture into new markets or diversify existing
product lines, but the opportunity for loss is always present.

The third type is a combination of the previous two and it is related to inter-company
credit since it directly depends on the management strategies and the uncertainty
about the customer capacity to meet their payments.

Based on these three types, we should also consider both internal and external risks.

Internal risks are:

- Strategy: considering aspects such as customer and market
segmentation and diversification of activities. Example: Targeting a
wrong customer segment implies that our product will not reach the
customer who is really interested.

- Organisation: taking into account the staff renewal, organisational
changes, mergers and acquisitions, corporate governance and corporate
social responsibility. Example: lack or excess of staff, or
non-environmentally friendly actions.

- Operational factors: such as production and distribution, research,
development and innovation, intellectual capital, information systems
and waste management. Example: a failure of the production system
that causes a significant delay.



- Human capital: considering aspects such as legal compliance,
managerial responsibility, job security, disloyal employees, productivity
and talent retention. Example: risks attached to workers’ security when
performing certain activities.

External risks are:

- Legal factors, such as local, national and international legislation.
Example: breach of a law.

- Natural factors, such as natural disasters, climate change, pollution and
waste management. Example: pollution of a river or destruction caused
by strong winds.

- Political factors. Example: changes in regulations.

- Economic factors, such as interest rates, exchange rates, credit policies
and price fluctuations. Example: higher taxes.

- Market, considering both current and potential competitors, and
changes in consumer behaviour. Example: drop in demand as a result of
a new substitute product.

- Macroeconomic factors. Example: changes in exchange rates.

- Demographic factors, such as rate of population growth, relative
ageing, migration policies and emigration. Example: customers who
purchased our products are no longer in the region where we operate.

In relation to internal and external risks, we should mention that we can face
predictable risks that can be prevented or predictable risks that cannot be prevented,
but can be corrected.



For example, machinery failure is a predictable risk that can be prevented. To do so,
we should check our machinery in order to detect any deterioration, so that we can
prevent the machine from breaking completely.

We also have an example of a predictable risk that cannot be prevented, but can be
corrected. If one of our production plants is in an area where natural disasters such as
heavy storms are common, we cannot prevent them from happening, but we can
assess the damage that a strong storm can do and develop a repair and correction
plan. In addition, actions can be taken to minimise the damage.

3.2. RISK MANAGEMENT

Every element that may imply some danger or harm to the company will be considered
a risk; it is therefore essential to identify such elements so we can prevent a crisis. To
do so, the company will:

- Identify risks and assess the severity of their potential impact and their
probability of occurrence in order to prioritise.

- Identify ways to reduce and manage those risks. To do so, companies
can use several strategies:

Avoid the risk: Sometimes, a risk will be so serious that you simply want to eliminate it,
for example, by avoiding the activity altogether, or using a completely different
approach. By stopping the activity that is causing the potential problems, you
eliminate the chance of incurring losses.

Reduce the risk: Risk reduction or "optimisation" involves reducing the severity of the
loss or the likelihood of the loss occurring. If you do not want to abandon the
activity altogether, a common approach is to reduce the risk associated with it. Take
steps to make the negative outcome less likely to occur, or to minimise its impact
when it does occur.



Share the risk: it involves sharing with another party the burden of loss or the benefit
of gain from a risk, and the measures to reduce that risk. "Risk transfer" is often used
in place of risk sharing in the mistaken belief that you can transfer a risk to a third
party through insurance or outsourcing. In practice, if the insurance company or
contractor goes bankrupt or ends up in court, the original risk is likely to still revert to
the first party.

Accept the risk: it involves accepting the loss from a risk when it occurs. Risk
management comes at a price. Avoiding a risk means constricting your company’s
activities and missing out on potential benefits. Reducing a risk can involve costly new
systems or processes and controls. So in the case of minor risks, it may be best simply
to accept them. There is no sense investing in a whole new suite of expensive software
just to mitigate a risk that would not have had a very big impact anyway.

Depending on the severity and probability of the risk, and its costs, one of these
strategies will be chosen.

Before moving on to risk management and its process, it is important to mention that,
as in quality management, risk management must be continuous. We should not worry
about the risks only when starting the project, but during the whole process, as
additional risks may appear.

We have also seen that risks can come from very different areas, so we should
continuously assess all areas in order to detect any risk or problem that may
negatively affect us.

3.2.1. Integrated risk management

Integrated risk management addresses risks across a variety of levels in the
organisation in order to establish strategies to prevent risks and to turn them into
opportunities.

Identifying risks adds value to the company, since the following benefits are achieved:



- Identifying and assessing risks strategically minimises our effort, as we
have to work only on those aspects that really need monitoring and
management.

- Generally, monitoring those processes that may pose a greater risk to
the company or the project results in significant savings in terms of
financial resources, time and burnout.

- Identifying risks facilitates the definition of organisational strategies and
decision making. Preparing ourselves to deal with risks means that we
should define specific action plans in order to counter, reduce or
eliminate any event that may affect the development of the company or
project.

Obviously, not all the risks we face can be turned into an opportunity. As we have
seen, some risks such as natural disasters cannot be prevented, since they do not
depend on us. In contrast, we can control some risks and try to turn them into
opportunities. For example, if we have a new strong competitor, we can lose
customers and, consequently, benefits. However, we can take this risk to innovate our
products to provide a much better product than our competitors and, in return,
increase our market share.

Good integrated risk management involves finding a balance between costs and
benefits for the company. For successful management, the balance must be present in
the following elements:

- Risk and reward: Taking risks is a challenge for the company. A
company that does not take risks will never grow, as it will stay as it is.
Not taking risks is itself a risk, since it means not growing. Thus,
the company should take risks and look for new business opportunities.
The old adage, “nothing ventured, nothing gained” applies here.

- Art and science: here, science is understood based on research,
definition and use of proven methods of risk management, while art
refers to the use of these methods by human talent, which makes
productivity, dynamism and people involvement increase. In other
words, there must be a balance between methods and their
interpretation and execution.

- People and processes: integrated risk management is focused on
increasing productivity of people in processes and making their work
easier. The aim is to implement a series of permanent processes to
improve productivity and the welfare of workers.

3.2.2. Risk management process

Risk management involves identification, analysis, response planning, and monitoring
and control of results, in order to increase the probability and impact of positive
events, and to reduce or eliminate negative events and their impact.

The process consists of five steps:

- Risk management planning

- Identifying risks

- Qualitative and quantitative risk analysis

- Risk response planning

- Risk monitoring and control

Before addressing these steps, we should consider that risks are always future events
or conditions that negatively impact the achievement of the objectives of the company
or project and affect elements such as scope, schedule, cost and quality. It is very
important to measure negative effects to order and classify risks according to the
degree of their impact.



As we said, risk management not only refers to identifying risks and actions to
eliminate or alleviate them, but also to other aspects that should be addressed, such
as the analysis and assessment of their impact as well as their causes.

Taking this into consideration, we are going to address the steps of the process:

▪ Risk management planning

The first step is defining how actions related to risk management will be undertaken.

This first stage will help us to:

- Improve the probability of success of the following steps.

- Ensure that the level, type and visibility of risk management are
consistent with both the risks and the importance of the project to the
organisation.

- Provide sufficient resources and time for risk management activities and
to establish an agreed basis for the assessment and analysis of risks.

▪ Identifying risks

Risks should be continuously identified from the beginning of the project. As we have
already mentioned, risk management should be a continuous process, since some
factors may pose a risk at the beginning of the project but not during its development
or, on the contrary, they may not pose a risk at the beginning but may end up being a
risk later. As the project moves forward, new risks need to be identified and managed.

Although it may seem easy, it is actually very complex, since it involves assessing all the
elements related to the company or project and identifying those that may have a
negative impact. For this reason, responsibility for this stage should not rest on one
person alone. Usually the project director, project team members, risk management team,
customers, external experts, end users, interested parties and experts in risk
management take part in this process.



In addition to identifying risks, it is important to establish their origin. The first section
of this chapter explained that risks may be both internal and external, so it is
particularly important to identify where risks come from for their analysis and
assessment.

Although risk may originate from many different areas, these are the most common:

- Scope

- Cost

- Quality

- People

- Competitors

- Communication

- Integration

Some of the tools that can be used to identify risks are:

- Cause and effect diagram

- Flowchart

- SWOT analysis

- Influence diagram

▪ Qualitative and quantitative risk analysis

Once risks and their origin are identified, we should determine the likelihood and
consequence of each risk. This is a very important stage, since it will help us to
measure the impact and importance of the risks, enabling us to prioritise actions to
undertake.



Qualitative analysis

Qualitative risk analysis evaluates the probability and consequences of the risk using
established qualitative-analysis methods and tools.

It prioritises the identified project risks using a pre-defined rating scale. Risks will be
scored based on their probability or likelihood of occurring and the impact on project
objectives if they occur.

Probability/likelihood is commonly ranked on a zero to one scale (for example, 0.4
equating to a 40% probability of the risk event occurring).

The impact scale is organisationally defined (for example, a one to five scale, with five
being the highest impact on project objectives such as budget, schedule or quality).

Quantitative analysis

A quantitative risk analysis is a further analysis of the risks requiring most attention.
Although qualitative risk analysis is broadly used, when enough data are available
the risk assessment can be performed through a quantitative risk analysis.

A quantitative analysis quantifies the possible outcomes for the project and
determines the probability of achieving specific project objectives. It also provides a
quantitative approach to making decisions when there is uncertainty and creates
realistic and achievable cost, schedule or scope targets.

▪ Risk response planning

Having undertaken the analysis and evaluation described in the previous chapter, we
should now address risk mitigation by taking appropriate actions to achieve the project
objectives through revision of the project’s schedule, budget, scope or quality. Risk
management should, therefore, be regarded as an integral part of project
management and not as an extra.



This phase of risk management involves determining ways to reduce or eliminate any
threats to the project, and also ways to increase the impact of opportunities. We should
work to eliminate the threats before they occur and to ensure that opportunities
occur. Likewise, we are also responsible for decreasing the probability and impact of
threats and increasing the probability and impact of opportunities. For threats that
cannot be mitigated, action plans to manage the risks should be established.

As we have seen, responses to these risks may be based on different strategies:

- Avoid the risk

- Reduce the risk

- Share the risk

- Accept the risk

▪ Risk monitoring and control

Risk monitoring and control is the process for:

- Executing risk response plans

- Tracking identified risks

- Monitoring residual risks

- Identifying new risks

- Evaluating their effectiveness throughout the project life cycle

It is important to understand that risk monitoring is intended to be a daily, on-going
process across the entire project lifecycle. We should be vigilant in looking for risk
symptoms, as well as for new project risks. Newly identified risks and symptoms of
previously identified risks should be communicated immediately for evaluation and/or
action.



3.3. ISO 31000

To conclude on the subject of risk management, we will give an overview of the ISO
31000 risk management standard.

The ISO 31000 Risk Management standard is relatively new, since it was created and
published in 2009 by the International Organisation for Standardisation. It provides
companies with principles, a framework and a process for managing risk.

▪ Basic principles

- It creates value.

- It is integrated in the processes.

- It is part of the decision-making process.

- It specifically addresses uncertainty.

- It is systematic, structured and adequate.

- It is based on the most accurate information.

- It is made to measure.

- It considers human and cultural factors.

- It is transparent and inclusive.

- It is dynamic, interactive and adaptable.

- Its objective is to facilitate continuous improvement in the organisation.



▪ Objectives

Its implementation intends to achieve the following objectives:

- Increasing the possibility of achieving objectives

- Promoting proactive management

- Awareness of the need to identify and treat risks throughout the
organisation

- Improving the process of identifying threats and opportunities

- Complying with legal and regulatory requirements, as well as with
international standards

- Improving financial reports

- Improving governance

- Improving investor confidence

- Establishing a reliable basis for decision making and results planning

- Improving control processes

- Assigning and using resources efficiently

- Improving operational efficiency and effectiveness

- Improving health and safety, as well as environmental protection

- Preventing losses and incidents

- Improving organisational learning

- Improving organisational resilience



▪ Structure

The standard has three clearly differentiated areas:

- Risk management basic principles

- Framework

- Risk management process

For further information, you can find a link to the complete text of the standard in the
bibliography.

