
A five step risk management model

Risk management is a systematic process of identifying, analysing and responding to project risk. This
may be broken down into a number of sub-processes, which are used as the basis for the five-stage model in this
guide:

1. Risk identification
2. Qualitative risk analysis
3. Quantitative risk assessment
4. Risk response planning
5. Risk monitoring and control

Identifying risk

Risk identification is of course the first step in managing risk. Risk identification and analysis should be
ongoing throughout the project but particularly at project start-up and stage boundaries. You are likely to
start looking for risks relating to:

 The project plan

You should understand the importance of the critical path through the plan (the shortest time needed to
complete the project) and the nature of task interdependencies. The following are areas which are likely to
have associated risks:

 Tasks that rely on the completion of other work before they can begin
 Tasks that none of the project team has ever done before
 Use of unfamiliar technologies
 Tasks that involve third parties
 Migration of data from one system to another

 Stakeholders

In any undertaking involving a substantial amount of change there will undoubtedly be people who
are adversely affected or who fear they will be disadvantaged by the change. These people can be
termed adverse stakeholders and they may present a risk to your project. The risk may be in terms of
direct opposition to the project at the initiation stage or a ‘war of attrition’ during the course of the
project.

The external environment


The organizational environment

Risks associated with the organizational environment may be general or specific. General risks relate
to the organizational culture. Here are some typical examples of
circumstances that may cause risk to your project:

 A similar project has failed in the past


 The organisation is being restructured whilst the project is in progress

Qualitative risk analysis

Having identified a range of risks, we now need to consider which are the most serious in order to
determine where to focus our attention and resources.

In deciding how serious a risk is we tend to look at two parameters:

 Probability – the likelihood of the risk occurring


 Impact – the consequences if the risk does occur.

Impact can be assessed in terms of its effect on:

 Time
 Cost
 Quality.

Use enough categories so that you can be specific but not so many that you waste time arguing about
details that won’t actually affect your actions.

Scale      Probability                   Impact

Very low   Unlikely to occur             Negligible impact
Low        May occur occasionally        Minor impact on time, cost, or quality
Medium     Is as likely as not to occur  Substantial impact on time, cost or quality
High       Is likely to occur            Substantial impact on time, cost or quality
Very high  Is almost certain to occur    Threatens the success of the project

Assigning numeric scales

To move from qualitative to quantitative risk assessment, you can assign a numeric scale and, by using a
‘traffic light’ system (assigning red, amber or green against pre-determined value ranges), break the risks
into groups requiring different response strategies. The red, amber, green designation is known as a ‘RAG
status’ and was referred to in the risk log section.

This table uses the same linear scale for both axes

Quantitative risk assessment


What do we mean by a medium risk? If a risk is likely to cause a five-week delay to your project or cost
you 1 million, where does that sit on the scale of ‘very low’ to ‘very high’ in relation to your particular
project? You must define these thresholds and understand what high cost and time implications are
for your project before you can assess risks in a meaningful way.

The following table suggests a general measure of impact in the education environment.

Impact: Very low
  Cost: Variations manageable by virement against internal budget headings
  Time: Slight slippage against internal targets
  Quality: Slight reduction in quality/scope with no overall impact on usability/standards

Impact: Low
  Cost: Requires some additional funding from organisation
  Time: Slight slippage against key milestones or published targets
  Quality: Failure to include certain ‘nice to have’ elements or ‘bells and whistles’ promised to stakeholders

Impact: Medium
  Cost: Requires significant additional funding from organisation
  Time: Delay affects key stakeholders and causes loss of confidence in the project
  Quality: Significant elements of scope or functionality will be unavailable

Impact: High
  Cost: Requires significant reallocation of organisation funds (or borrowing) to meet project objectives
  Time: Failure to meet key deadlines in relation to the academic year or strategic plan
  Quality: Failure to meet the needs of a large proportion of stakeholders

Impact: Very high
  Cost: Increases threaten viability of project
  Time: Delay jeopardises viability of project
  Quality: Project outcomes effectively unusable

Risk response planning

Having identified ‘green’ and ‘red’ risks you now need to look at what your response will be to each of
the red risks. There are a number of fairly standard definitions of response types that can be summed up
as follows:

Response, description and examples

Risk avoidance
  Description: Also known as risk removal and risk prevention. Altering the plan so that the circumstances which may give rise to the risk no longer exist.
  Example risk: You plan to build a new apartment on a green field site but there is a risk that the council will refuse planning permission and delay the project.
  Example response: You decide to build on brown field site on a former industrial estate. This incurs additional cost in terms of demolishing old buildings and removing hazardous waste.

Risk mitigation
  Description: Also known as risk reduction. Reducing the probability or impact of the risk.
  Example risk: You won’t be able to attract technical staff for the project.
  Example response: Offer a salary supplement to project staff.

Risk transference
  Description: Moving the impact (and ownership) of the risk to a third party.
  Example risk: You are aware that colleges are the target of an organised gang stealing hardware.
  Example response: You decide to outsource some of your servers to a hosting company.

Risk deferral
  Description: Deferring aspects of the plan to a date when the risk is less likely to occur.

Risk acceptance
  Description: Dealing with the risk via contingency rather than altering the plan.

Risk monitoring and control

You need to keep track of the identified risks, monitor the effectiveness of your risk responses and
identify new or changed risks. This means having effective reporting mechanisms in place and ensuring
that risk is covered in all key reports and reviews. Effective monitoring and control also involves creating
the right conditions for openness and transparency in the project. A key role of the project manager is
also to communicate risk to the stakeholders. Senior managers hate surprises so you need to keep
reminding them ‘these are the top five risks we are facing at the moment…’ so that when one of the risks
occurs they are prepared for it. Risk analysis and management is an important part of assessing whether
the business case for a project really stacks up. Your risk identification may show more serious risks than
had been anticipated – this means the business case must be reviewed.
TYPICAL RISK MANAGEMENT MODEL FIG 1

 Generally, risk is inherent and unavoidable. Risk management simply aids better decision-making
by running projects in the ‘real’ world. Plans are usually formulated to meet ideal
situations, assuming everything will be perfect.
 This results in senior managers pushing project managers to have a more ‘can do’ attitude. If the
latter undertakes an analysis and comes up with a realistic estimate of timescale and costs, and
one or other is then cut, the senior manager responsible must bear the blame when the project cost
budget is surpassed. Senior managers should take responsibility for project failure.
TYPES OF RISK MODELS

 Risk modeling uses a variety of techniques including market risk, value at risk (VaR), historical
simulation (HS), or extreme value theory (EVT) in order to analyze a portfolio and make
forecasts of the likely losses that would be incurred for a variety of risks. Such risks are typically
grouped into credit risk, market risk, model risk, liquidity risk, and operational risk categories.

 Big financial intermediary firms use risk modeling to help portfolio managers assess the amount
of capital reserves to maintain, and to help guide their purchases and sales of various classes
of financial assets.
FACTORS TO CONSIDER IN RISK MANAGEMENT.
This involves the following:
1. Identify
2. Measure
3. Manage
4. Monitor
5. Report
