Risk assessment, monitoring and reporting are done to identify risks in executing a project, to plan for contingencies and to mitigate unexpected roadblocks during the project life cycle. Based on the risk assessment report, a risk management process is put in place.
In order to prepare a Risk Assessment Report, the following details are required.
- List of project assets prone to risk (Software / Cables / Printers / PCs / Storage devices)
- Threat sources and system vulnerabilities (Fire / Power Failure / Resource unavailable / Flood / Theft / Virus / Telecommunication failure)
- Threat Types (Environmental / Human / Technology / Natural)
The following attributes of the risk are documented in the report.
- Risk category – Could be project specific, based on budget / capability / data conversion / staffing etc.
- Status – Active / Resolved / Dormant (and any other project specific status)
- Trigger – Event which triggers the risk
- Life Cycle stage – The point in the project life cycle at which the risk is likely to occur.
- Potential damage if risk occurs – suspension of service / loss of data integrity / destruction or undesirable or unauthorized alteration of project assets / disclosure of confidential information
- Risk Impact – Low / Medium / High or percentage based impact assessment or additional cost based impact
- Schedule, effort, scope and cost variance (i.e. deviation from original estimate) for the risk
- Probability – Likelihood of risk occurrence
- Plan – Plans / Controls implemented to counter or mitigate the risk
- Contingency plan – Actions to be taken when the risk happens
- Responsibility – Project member responsible for monitoring and managing the risk
When these factors are identified and documented as a report, the project team can formulate a strategy for risk response. The Risk Assessment Report must be available to all key project members.
The mitigation strategy for each risk identified in the Risk Assessment Report might be of one of these types – Deflection (i.e. transferring the risk to an external entity), Control (i.e. reducing the impact), Retention (i.e. allowing the risk and accepting its effect) or Avoidance.
It is good practice to identify and start monitoring risks during the project initiation stage. The project team should also have a mechanism to progressively identify and manage risks during each stage of the project.
Desirable features of a Risk Assessment Report
- The information should be easy to grasp
- All relevant details about a risk should be grouped together
- The risk status should be easily available. You should not have to scan through multiple documents and perform elaborate calculations to find out the status.
- Potential precursors to a risk should be identified proactively in the report
- Use color coding (such as Red / Amber / Green) to show the risk status. Colors are easier to notice than numerical or percentage codes.
The Risk Assessment Report identifies potential “single point of failure” items and indicates fail-safe and recovery mechanisms. The report also identifies whether there is any key person in the project on whom the project schedule and delivery depend heavily. Dependencies on external applications / interfaces should also be documented. The report informs the customer / project sponsor / other stakeholders about potential events and conditions that may cause delays or additional costs in the project.