5
Managing risk
Events rarely happen in the way we expect them to, so there will always be
risks associated with a project. As a project takes place in a wider environ-
ment, there are the risks normally associated with day-to-day work in that
setting, including health and safety risks, for example. There are also risks to
the project that exist only because the project exists, for example, the risk that
the project will not achieve its objectives. In this chapter we consider how to
identify areas of risk and what can be done to reduce the likelihood of damage
to the project.
RISK AND CONTINGENCY PLANNING
Risk is the chance that something will happen that will damage the project.
Many risks can be predicted and you may feel that some aspects of risk man-
agement are simply common sense. For example, if you will not be able to
start work until essential supplies have been delivered, you may think of
phoning the supplier to ensure that the delivery is still planned to be on time.
You may also have thought well in advance and selected suppliers that you
know to be reliable. Unfortunately, we do not always think this through
carefully and some risks are not so easy to foresee.
A ‘risk management’ approach requires a different kind of thinking to our
normal everyday approaches. It may seem rather negative and discouraging
because it requires us to think about all the things that could go wrong rather
than to think in positive ways about how it will look if everything flows to
plan. Risk management is, however, fundamental to project management,
because it enables you to plan realistically to avoid disruption by building in
ways of responding to the most likely and most damaging risks if they are
not preventable. As this consideration of risk informs how you plan, partic-
ularly in terms of scheduling time, effort and budgets, it needs to be done
before the planning stage. Risks arise both from within the project and from
the context or environment of the project.
Example 5.1

Internal and external risks to a project
An HR manager whose role was to implement and monitor perfor-
mance standards was concerned about a number of complaints that
had been received about the quality of cleaning. She set up a project
to develop a quality monitoring system, and identified some stan-
dards and performance indicators by interviewing other managers
and team leaders in each of the different areas of the organization. The
cleaning contracts were due to be retendered and the timing was im-
portant because the new contractors would probably need to know
the performance indicators when they applied to deliver the service.
She was also worried about how the new standards would be
monitored.
This project had a number of internal risks. There was a risk that
the cleaning specifications would not be developed to reflect all of the
requirements that were necessary because they had not been fully
identified. There were risks associated with the rewriting of contracts
and liabilities. Although the contractors were external to the organi-
zation , the standard of performance was definitely part of this project
and so needed to be considered as an ‘internal’ risk. The manager
decided to address risks associated with rewriting contracts by agree-
ing performance standards with those who won the contracts. She
would need to identify a member of staff to monitor the standards.
There were no obvious external risks to this project, but some were
identified when this was carefully considered. There was a risk that
existing contractors would not be able to achieve higher standards of
cleanliness within the existing contract parameters and that there
would be expensive legal proceedings to terminate existing contracts
60
Managing projects in human resources
before new contractors could be appointed. Another external risk

might be that some standards related to cleanliness might be set na-
tionally in connection with legislation governing workplace condi-
tions for employees. The organization would then have to conform,
although this project would have put it in a good position to comply
with any new requirements.
In order to manage risks we need to identify them and to decide how likely
it is that they will happen. It can be reassuring to consider the probability as
it reduces some of the uncertainty in a project. Another way to reduce uncer-
tainty is to consider the amount of information that is necessary in order to
proceed with confidence. For example, quality is often difficult to describe in
exact terms, and there may be a risk that the quality of the project outcomes
will not meet the expectations of the key stakeholders. This risk can be
reduced by communicating with those stakeholders both before the project
and as it progresses to ensure that sufficient understanding is developed and
that there is time to make changes if it is necessary.
Consideration of risk in a project is usually limited to the possibility of
different hazards impacting on the project and its purpose, not risk in any
form in which it might affect the organization in which the project is located.
Therefore the only external risks that would normally be considered are those
that might impact on the project. For example, a risk assessment for a project
that involves relocating an office would be likely to be affected by local
changes in public transport routes, but a project that was developing stan-
dards for office procedures probably would not.
PREPARING TO MANAGE RISKS
There are four stages to risk management:
1.
Identifying the risk – identifying which hazards are likely to affect the
project and documenting the characteristics of each risk.
2.
Impact assessment – evaluating the risk to assess the range of possible

outcomes in relation to the project and the potential impact of each of
these.
Managing risk
61
3.
Developing plans to have in reserve to reduce the impact of the most
likely risks and to ensure that these plans are implemented when
necessary.
4.
Ensuring that the risks are kept under review and that appropriate
plans are developed to meet any changes in the type or probability of
adverse impact.
In many projects, these stages are considered almost simultaneously, but in
large-scale projects attention should be given to each separate stage.
Risks arise from many different sources. These can be grouped as:
࿖
physical – loss of or damage to people, equipment, stored information or
buildings as a result of an accident, fire or natural disaster;
࿖
technical – equipment or systems that do not work or do not work well
enough to do the job intended, or that breakdown frequently;
࿖
labour – key people unable to contribute to the project because of, for
example, illness, career change or too much other work;
࿖
political/social – for example, support for the project may be withdrawn
as a result of a policy change by government or senior management, or
because of protests from the community, the media, customers or staff;
࿖
liability – legal action or the threat of it because some aspect of the project

is discovered to be illegal or because there may be fears of compensation
claims if something goes wrong.
This list can help in identifying the risks to any project. In addition, it is very
helpful to discuss the project ideas with all the stakeholder groups that you
can identify, because each may see the project differently and be able to iden-
tify different hazards that might be encountered.
One way to approach risk identification is to consider risks to the project
as a whole but also to identify risks to each of the main stages of the project.
If you think of the project as a whole, risks might include the possibility of
some change to the key objectives being required. If you think of each stage,
risks will be more detailed and the potential impact of hazards may change.
For example, staff might be allocated to the project and may take part in the
planning stage but be called to deal with unforeseen emergencies in other
areas of work when they are scheduled to be implementing the project.
The whole point of identifying areas of risk is so that you can reduce the
negative impact on the project if the worst happens. If you can anticipate a
risk you can prepare a plan, often called a contingency plan, so that you are
prepared to take action to reduce the potential damage.
62
Managing projects in human resources
PAUSE FOR THOUGHT
Imagine that you are managing a project that relies on services pro-
vided by one contractor who will work with you over a period of six
months. List the possible risks associated with that contractor.
Your list of risks might include contractor sickness or absence, lack
of promised knowledge or skills or capability. Perhaps you consid-
ered costs and whether the contractor might present higher expenses
or fees than had been anticipated. You might also have noted that the
contractor might work more slowly than had been scheduled or fail
to achieve the quality of work required.

Organizations are usually careful when contracting to include con-
ditions about quality, timescale and costs. However, this does not
always guarantee that the service provided will be exactly what was
expected, and things can go wrong. It is not unusual for estimates to
be insufficient for the work that needs to be done or for the time that
work will take to be underestimated. In either case, there can be prob-
lems if staff have been contracted for too little time or at too low a cost.
RISK ASSESSMENT AND IMPACT ANALYSIS
Risk assessment goes further than identifying a potential risk. To assess the
risk you need to estimate how probable it is that a risk will become a reality.
Impact analysis then builds on the assessment by considering how much dam-
age might be caused to the project if a risk materializes.
The key questions to ask are:
࿖
What is the risk – how will I recognize it if it becomes a reality?
࿖
What is the probability of it happening – high, medium or low?
࿖
How serious a threat does it pose to the project – high, medium or low?
࿖
What are the signals or indicators that we should be looking out for?
As you assess each risk it is usual to write them into a table, as in Table 5.1.
If you have identified a number of risks to assess, this table may have to be
set out on a large sheet of paper or board so that you can put each risk into
one of the cells. All those written into the top right-hand cell are those most
dangerous to the project, because they are very likely to happen and will
Managing risk
63