The process of controlling risks involves identifying new risks, updating previously identified risks and monitoring the risk prevention and risk mitigation plans that were established to deal with risks on an ongoing basis throughout the project. The level of impact of the risks assessed may change due to proactive risk mitigation action taken or indirect changes either external or internal to the project. Additionally, new risks that should be managed may arise.
Risks are controlled in dedicated, periodic meetings and, on an ongoing basis, by the responsible person for each risk category as defined in the risk management plan. Risks are monitored based on several criteria:
The project manager should focus on risks with a higher exposure level. These are the obvious risks since they involve both a high level of potential damage and a high likelihood of materializing.
Some risks would incur damage so great if they are realized and become problems that it is best to deal with them ahead of time even if the chances of them materializing are very low.
For example, deliberate sabotage of the electrical infrastructure of a hospital is a risk with potentially catastrophic damage, even if the chances of it occurring are very small. It is, therefore, important to monitor such risks and to define appropriate counter-measures based on the potential level of damage alone.
Risks that are likely to materialize should be dealt with simply because it is reasonable to assume they will turn into problems at some point down the road.
For example, a delay in client approvals is a risk with a high realization probability, even if the damage such a problem will cause is unlikely to be great. Nonetheless, based on the high likelihood of this risk occurring, it is a good idea to prepare appropriate responses to deal with it before it becomes a greater problem.
More immediate risks should be dealt with before risks that may be relevant later in the project, even if the likelihood of realization is not particularly high nor are the damages inherent in those risks particularly severe.
For example, cancellation of the project due to its budget being withdrawn is an immediate risk. Once the budget has been approved, this risk is no longer relevant and no longer needs to be considered.
This refers to immediate risks with a high exposure level.
This refers to immediate risks that are likely to cause the most damage should they materialize.
This refers to immediate risks that are highly likely to materialize.
It is also important to control the tendency of risk development during the project; a consistent increase in the severity of risks is an indication of a high-risk project or problems with its management. An unchanging risk tendency may point to risks that are not being managed rather than a positive risk state.
Risk tendency in a project can be represented in a trend graph where risks that maintain their level of exposure will appear in the tendency graph as a straight, horizontal line. Risks with an increasing exposure level will appear as an upward line while risks with a diminishing exposure level will appear as a downward line.
The risk control system employed by project management must work to identify and evaluate potential risks on the one hand and come up with appropriate responses to the risks on the other. A risk, when it comes right down to it, is an event that has not occurred yet and may never occur. So the clearest case to be made for making an investment to deal with a risk is when the threat is imminent, has a high likelihood of materializing, will cause severe damage to the project if it materializes and will not cost a lot to alleviate. The tough decisions relate to risks that are unlikely to materialize, are not imminent, are expensive to alleviate but will cause severe damage if the risk is realized. Deciding how to deal with these risks depends largely on the methods of communication about risks throughout the project.
Deciding to take additional action in the project as a response to risks requires proper budgetary preparation to allow for necessary resources, as well as updating the project’s plan. Tasks relating to risk mitigation that have not yet been approved can be created as ‘inactive tasks’ in the project’s work plan until such time as they may be required.