risk manager - ITM Platform | Projects Programs Portfolio

Risk management has a specific place in protocols and risk management models. In this article we will discuss the six steps to controlling risk for risk managers, as broken down in the PMBOK: planning, identification, qualitative analysis, quantitative analysis, response planning and monitoring.

In short, a risk manager should take the reins of the risk control process with a detailed plan; find out what the risks are that may affect team members and various units of the organization, assess risks from the perspective of the whole organization; create action plans to respond to each of the risks if they occur; and continuously monitor in order to improve the plan.

Risk management planning

Like any other aspect of project management, risk prevention and response in the case of risk occurrence should be subject to strict planning. Risk management is iterative, implying that the planning phase will be reviewed after each cycle.

More specifically, planning involves a series of essential decisions that will affect the following five steps. Choosing methodologies, assigning responsibilities, defining types and categories and risks, as well as allocating resources are some of the main areas of focus at this moment.

Risk identification

This step is to identify the risks that may affect the development of the project and understand their characteristics. It is essential to identify all risks that may potentially influence the project so that the necessary precautions can be taken and disaster can be avoided. Therefore, planning for all risks is essential. Do not ignore them but instead control them.

For the identification of risks, multiple systems can be used.

One of them is to use similar backgrounds, both in our company and in other companies that resemble by their activity or reach.

Another possibility is to use specific analyzing tools (Ishikawa diagram, flowchart or other types of specialized diagram systems) or other standardized analysis systems, such as SWOT analysis (Strengths, Weaknesses, Opportunities, Threats).

Finally, if the first two possibilities are not feasible, you can resort to expert judgment.

After identification, it is important to proceed to classify risks that have been detected (Technical, external, organizational, management, etc.). Their influence on the project (mild, moderate or severe impact on the project), or the probability of the risk arising (low, intermediate or high probability).

Qualitative analysis

This analysis is used initially to filter risks and prioritize them in order of importance and severity. Although this analysis may not be the best in terms of accuracy and speed.

This type of analysis is also used for risks which need immediate attention. The urgency leads to an analysis that, despite not being the best in absolute terms, is most appropriate for the time available.

The results of this analysis should reflect in a risk assessment matrix.

Quantitative analysis

This is a more comprehensive systems analysis, but also the most complex and time consuming.

To perform a quantitative analysis, specific quantitative risk analysis systems should be used, such as mathematical simulations e.g. Monte Carlo.

A simpler option is to use a decision tree with which you can numerically illustrate the parameters derived for each choice.

If it is not possible to quantify the risks, you can turn to experts in the field to conduct an assessment.

Ideally, experts should be external to the project in order to prevent conflicts of interest. In addition, to avoid bias, the evaluation should be conducted blindly without knowing the outcome of assessments made by the other experts.

There are differences between this point and the assessment of experts in qualitative analysis. While in the former case, experts estimate the relative importance between different types of risks in order to focus on the most important, in the quantitative case experts, despite not having actual data, provide estimates as accurate as possible based on their experience and the results of other projects that they have led previously.

Risk response planning

When a threat is verified, the response must be preplanned and follow the correct procedure. Action plans must be drawn up when risk in the project is present in order to prevent its occurrence. This may include transferring it to an external agent or mitigating their effects, in the event that the risk occurs. Where risks cannot be avoided, in the event of circumstances beyond our control or scope, contingency plans should be developed that allow for coordinated and appropriate action.

Risk monitoring

To predict whether or not risks may occur it is necessary to know warning signs so that it can be anticipated. If this is not possible, monitoring mechanisms should be in place so that a risk in a project can be detected the moment it presents itself.

The purpose of these systems is to instil the attitudes of anticipating risks and having contingency plans in place, before the risk has significantly influenced the project.

In addition, self-monitoring the reaction to the risks and the occurrence of them can improve prevention measures, and thus reduce time and increase the efficiency of the reaction.

Here are some recommended articles:

Our new Risk Assessment Matrix is online

Keys to becoming a good risk manager

Risk management… The what, the why and the what to do

Juan Delgado

Blogger ITM Platform

If you want to become a risk manager, you will have to combine two types of training.

On the one hand, you must be a specialist in a particular field. For example, if you want to be a risk manager in the field of medicine or pharmaceuticals, you’ll need medical training, or hospital management training.

On the other hand, you need to acquire specialist training in risk management. Several institutions offer specific degrees in these areas.

Where to find risk management training

These are some of the major international institutions offering specific training in risk management.

Institute of Risk Management. Founded in 1986 in the UK with the aim of facilitating training and certification in risk management, it has international prestige and is one of the first institutions to grant degrees in this area. The diplomas offered are: the International Certificate in Enterprise Risk Management, the International Diploma in Enterprise Risk Management and Certificate in Risk Management in Financial Services. The price is around £1,000 for non-members.

Project Management Institute. The international reference for project management also has a specific course on risk management: the PMI Risk Management Professional (PMI-RMP). The certificate costs $670 (or $520 if a member of a PMI institute), and is obtained after a multiple choice test based on the PMI-RMP manual, which is available for free in this pdf.

The Chartered Insurance Institute. Also based in the UK, it is a comprised of approximately 120,000 members in societies in over 150 countries. It is the world's largest professional association in the field of financial planning and insurance. Although not dedicated solely to risk management, it provides accreditation in this and other areas.

If you’re hot for the more academic part of the issue, a host of Higher Education Institutions in the US offer Risk Management courses, from Stanford’s strategic decision and risk management courses to the PhD programs offered by Columbia University’s (Decision, risk and operations) or the University of Pennsylvania’s insurance and risk management. As you can imagine, this is the kind of PhD program that can be at least as rewarding careerwise as the most expensive MBA.

Of course, big firms and multinational corporations also have their say. If you’re interested in in-company training tailored to the needs of your organization and in implementing international standards like ISO 31000:2009, you can look up BSI’s risk management training courses or ASQs’ risk management essentials and implementation strategies.

Risk Doctor. Under the slogan "Exploiting Uncertainty Future", this website is the initiative of David Hillson, a celebrity in the field who calls himself the "Risk Doctor". It specializes in training for risk managers. Their slogan makes reference to precisely one of the functions of risk and project management: to turn adversity into strengths. On the page you can find plenty of resources, from books and scholarly articles to specialized webinars and videos of Hillsons’ conferences.

Constant Change

Even with good training and certification, risk management, like any other discipline, is subject to constant change and evolution. A professional who wants to stay up to date must constantly be looking for new sources of training and information. To do this, the internet is your best ally.

We recommend periodically visiting our blog where you can find up to date risk management and project items.