Implementing risk-based thinking to your projects, programmes and portfolio


Risk management principles, tools and methodologies are effectively applied in all industries and fields and are an integral part of business functions. One of the most significant concerns for anyone responsible for implementing, deploying, or maintaining a quality management system is the integration of risk-based thinking.

While the concept of risk management is not new, previous practice on projects was more reactive, primarily focusing on after-the-event resolution using tools such as root cause analysis, corrective actions, and preventing recurrence of the failure. Our contemporaries are identifying risks up front, focusing on and emphasising prevention, and using a solid approach to address risk in planning, managing and driving actions.

Risks affecting a portfolio, programme or project can have consequences in terms of performance and reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps projects to perform better in an environment full of uncertainty.

Uncertainty is due to a combination of incomplete knowledge about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps in knowledge, gaps in process understanding, sources of harm (e.g. failure modes of a process, sources of variability), and the probability of detection of problems.

The importance of implementing procedures at all levels, using tools and methods already available, cannot be overemphasised. Best practice includes providing a rationale for the projects and determining the use of risk management tools and activities as a foundation for success.

As you may know, risk arises in connection with a threat to an asset or desired goal, and risk management starts at the strategic level by identifying gaps in the portfolio, programme or projects in the framework. It is linked to one of the strategic planning techniques used to help the project identify strengths, weaknesses, opportunities, and threats related to business competition or project planning.

Many studies have shown that in assessing risk, we give more weight to our emotional attitude than to the objective evidence of probability. We tend to be apprehensive about risks and their potential outcomes; therefore, the more a risk makes us nervous, the more likely we are to overestimate its probability. However, on projects each stakeholder might perceive different potential threats and opportunities. Each has their own vision and attributes a different probability and a different severity of occurrence to each identified risk or opportunity.

A good way of avoiding pitfalls in risk management is to follow a reliable standard. ISO 31000 is one such standard; it provides principles, a framework and a process for managing risk. It can be used by any project or organisation regardless of its size, activity or sector. Using ISO 31000 can help organisations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

ISO 31000:2018 Risk management defines the risk management process as the systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring, and reviewing risk. The purpose of ISO 31000:2018 is to provide principles and generic guidelines on risk management, and it seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes.

Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control. Risk control might focus on the following questions:

  • Is the risk above an acceptable level?
  • What can be done to reduce or eliminate risks?
  • What is the appropriate balance among benefits, risks, and resources?
  • Are new risks introduced as a result of the identified risks being controlled?

Some of the simple facilitation techniques commonly used to structure risk management by organising data and facilitating decision making are:

  • Flowcharts
  • Check sheets
  • Process mapping
  • Cause and effect diagrams (also called an Ishikawa diagram or fishbone diagram)
  • Failure mode effects analysis

Risk reduction meetings will assist in finding mitigations or result in avoidance of the risk. This will depend on the appetite of the projects and stakeholders involved in the process. Measures taken to reduce the severity of a risk and the probability of its consequences may also increase the significance of other existing risks or create new risks. Hence, it might be appropriate to review the risk register on a regular basis to identify and re-evaluate any possible change in the risks listed after implementing a risk reduction process.

Statistical tools can support and facilitate risk management. They can enable effective data assessment, help in determining the significance of the output of the datasets, and enable reliable decision making. For some, the consequences of delivering a non-conforming product are minor; for others the consequences can be fatal. Hence, risk-based thinking means considering risk quantitatively as well as qualitatively, depending on the business context. Communication is always key, and sharing information about risk and risk management between the decision makers and others is an important part of governance.

Risk-based thinking is something we all do automatically and often subconsciously to get the best result. The outputs from successful risk management include compliance, assurance and enhanced decision making.

Join the conversation!

  1. Scott Crittell 23 February 2021, 12:03 PM

    Hi Estelle, I couldn't agree with you more: the assessment of risk and its mitigation often equals project success, whereas the reactionary approach means failure and stakeholder intervention. The difficulty is often bringing risk and its mitigation to the centre ground so it's understood and visible to stakeholders as an essential component part of project success. I agree, it's something all PMs do naturally, but actually promoting that thinking is often the difficulty, as the tendency is to move on to solving the next problem as opposed to recording, raising and ensuring the risk mitigation is understood by all.