Risk Management Process - Basic Steps

In high stake projects, when dealing with heavy equipment, millions of dollars in budget, and large teams in potentially dangerous situations, Risk Management is taken very seriously. In fact there are entire companies whose whole business structure is designed around facilitating risk conversations.

But Risk isn't strictly about large dollar, high stakes projects. Every project will experience risks (both negative and positive) throughout the Project Life Cycle. As the leader, you need to be ready for them, and as we all know, Failing to Plan is Planning to Fail. After working on several of the high value projects with lots of heavy machinery and construction, I've become very familiar with the Risk Management Strategy. In the coming weeks, we will explore the components of the Risk Management Strategy, culminating in a Morey's Law.

But first, the basic process:

1. Establish a day (sometimes week, depending on the complexity of the project) to perform the Risk Management Meeting(s).
1. Preferably early in the project for the initial meeting
2. Invite Key Subject Matter Experts (SMEs, i.e. people with specialized knowledge or experience in similar events / projects) for the event, including upper management, and if pertinent, customer experts as well. 
1. When inviting SMEs you also should identify the areas that will and won't be covered in the time period of the meeting. Sometimes projects are not far enough along to cover the entire project scope in a single Risk Management Event. 
2. Include in the invitation any material that attendees should review in order to be educated on the topics of the meeting.
3. Prepare appropriate supporting documents 
1. PowerPoint slides of key points, expected Risk Matrix / Risk Register, Rules, specific information for the areas considered etc.
2. In the case of the review of a physical structure like an oil rig or manufacturing facility, then it may be worthwhile to have drafting design layouts and walk-throughs of the appropriate areas in order to ensure complete understanding.
3. Handouts of the rules, expected Risk Register, Risk Matrix, and Agenda.
4. During the meeting set specific ground rules in order to ensure strong forward progress:
1. The Facilitator (usually the Project Manger, but can be an outside specialist, or an agreed party)
2. No interruptions except for emergencies.
3. Publish a schedule of breaks so that people know when attendees will be available. 
4. One person will talk at a time, as recognized by the Facilitator (this almost never happens, but if you can get agreement, it becomes easier to manage disagreements, and enthusiastic conversations).
5. Define how the Risk Register and Risk Matrix will be used.
6. You cannot express Risk Double Jeapordy.
1. What this means is that during the meeting you cannot identify a risk of "cascade failure." As an example, at one meeting, I witnessed a SME explain how an entire oil rig could become a fire-ball if a particular sequence of valves didn't work, with a specific sensor malfunctioning in conjunction as part of a completely different system.
2. The reason for this rule is that each of these items could be addressed individually as Risks, but it would be too easy to proceed down a "dogs and cats living together, mass hysteria! (Ghostbusters)" scenario that would destroy a project or require triple+ redundancy at extreme expense!
7. Each Identified Risk will be managed by one of these solutions:
1. Avoid: Change the plan in such a way as the risk no longer exists. For example, if the heat from a pump motor is likely to cause issues with a nearby electrical panel, then look at moving the panel or the pump.
2. Accept: Accept that the risk exists, but that there is no preferred method to handling / preventing that risk, so if the event happens, then it will be dealt with as it happens.
3. Mitigate: Before the risk happens, the team will identify ways to prevent the risk from happening. Perhaps it means designing redundancy into a system, or ensuring that there is enough spare capacity to allow for the issue (i.e. What happens if one of the 3 existing power generators onsite goes down? It might be beneficial to add a 4th as redundancy, but also so that one generator can be taken out of service for maintenance without impacting work). 
4. Transfer: This is typically the transfer of the financial burden to another party / entity, such as purchasing insurance against fire, flooding, or other cases of loss. 
8. No risk will be allowed to remain at a rating of High or Extreme (Very High) without Mitigation, Avoidance, or Transfer. 
9. Each identified risk and management technique to address the risk should be maintained in a Risk Register for future reference and distribution.
10. If a risk management solution is identified, then a responsible person should be identified in order to ensure that the technique is properly implemented.
11. All attendees should sign off on the Risk Register for the meeting, in order to ensure that there is agreement and that people cannot say "I wasn't there." or "I didn't agree to that!"
5. After the meeting, the Risk Register should be distributed to all team members, not just meeting attendees. 
1. This ensures that the team is aware of the identified risks and the proposed actions. 
2. There should also be a window for the team to comment in case they have an idea of an easier way to manage the risk, or if they identify a risk that isn't identified in the matrix.
6. Periodic reviews of the Risk Register and follow-up Risk Management Meetings should be scheduled throughout the life of the project, to determine if any new Risks need to be added, if management of the risks need to be adjusted, or if risks can be closed out from the register because they are no longer a possibility. 

This sounds like a lot, but it is just the tip of the iceberg. Next week, we'll explore the Risk Matrix, followed by the Risk Register the week after, and then starting the month of September with a Morey's Law. Stay tuned!