Project management header
products page

Risk management - Organise - risks and responses

The Risk Management process

Organise prioritise risks and responsesOrganise prioritise risks and responses

ORGANISE (prioritise risks and responses)

In this stage the risks and responses are given further consideration.
It is dangerous to assume that all of the risks identified are independent of each other. Given a period of reflection the current list of risks may need to be refined and clarified further.

As well as looking for links between the risks and responses the underlying causes require a good understanding.
These additional investigations may result in a modification of the schedule in terms of the order of activity dependence.

At the end a priority listing of the risks based upon the impact on the project and any secondary risks is formed.

Step 1

The ‘initial’ or ‘reference’ plan is used to consider the relationships between the tasks.
The links between the key activities (as at this stage you will be looking at a summary plan without too much detail) must be challenged in terms of ‘why’.
Can any assumptions that you use concerning one activity apply to another?

At this stage you should review any software being used to make sure that all activities are integrated correctly including any modelling software used by the risk analysis teams.

Step 2

We mentioned earlier the ‘general’ response to a risk of ‘do nothing and accept the risk’. There may be others that embody particular or groups of risks.

In general you wish to distinguish between general and activity specific responses.
You then need to ‘order’ these responses in relation to the impacts including secondary responses.
Then you need to check for possible links with other activities.

The general response of ‘do nothing and accept the risk’ is not necessarily an ‘easy way out’ but allows a degree of flexibility.

Some assessments of risk and their responses and their value may be based upon little evidence initially. This is likely to change as more data becomes available to ratify or deny the viability of particular responses.

The most straightforward system for looking at impact will involve the project schedule and the affect on the timelines of other activities.

Some of the responses may be such that the effects elsewhere are unsupportable. For example, a piece of equipment may have to bear increased and over use which causes unforeseen breakdowns.
It is quite common to think that if task ‘A’ takes an extra 1 month then task ‘B’ will not be affected and remain at, say, 6 weeks. However, there may be an underlying cause that links these two activities. For example:

  • The resource is identical for both tasks e.g. contractors or general labour.
  • The same equipment is being used in both tasks.
  • Estimation of the times involved for each task was based upon similar assumptions or persons generating the information.

Step3

The risk, responses and underlying causes need to be presented in some fashion. This can be done in a diagrammatic form.

Simple diagram

Primary risks can be identified leading to responses and the potential secondary risks. Primary risks, secondary risks and responses can be identified in different forms as boxes, squares, triangles etc to make it visually easier to see.

Fault tree

Here you work backwards from a particular risk event and try to find all of the actions / events that might lead to this risk event. This is very similar to the fishbone diagram or Ishikawa approach looking at problem solving techniques.

Event tree

Here you need to identify the sequence of actions / events that lead to the identified risk.

In general all of these become cause and effect diagrams.

Step 4

The risks that can be managed by ‘general responses’ are identified.

The remaining risks are by definition major. These will need to be prioritised in some fashion.
In general, it is usually appropriate to group high impact risks together and low impact risks in another group. These two groups may be dealt with by general responses.
Any intermediate impact risks should be managed with specific responses.

In the earlier part of identifying risks it may have been considered prudent to completely omit some risks on the grounds that they were ‘minor’.
They should be included and acted upon here by labelling them under the ‘general response’ and thus eliminating them as ‘major’ risks.

There are advantages in doing this:

  • This audit trail reduces blame at a later time for any ‘missed’ risks that might come to fruition.