The lifecycle of a project risk
Dr. David Hillson, The Risk Doctor Partnership
As we manage individual project risks, they pass through a lifecycle which can be described using a set of status values. These can help us to understand where each risk is in its lifecycle, so that we can determine what we should do next. The following set of standard status values might be useful:
- Unknown: A risk that has not yet been identified.
- Draft: A proposed risk that has not yet been validated.
- Rejected: A Draft risk that is not valid.
- Escalated: A Draft risk that is outside the scope of the project and that should be managed at program level or elsewhere in the organisation.
- Active: A valid risk with a probability of occurrence greater than zero and that will impact one or more project objective if it occurs. An Active threat can affect the project negatively, while an Active opportunity has a potential positive effect.
- Deleted: A risk that is no longer valid, perhaps resulting from a change in the project's strategy, environment, objectives, or scope.
- Expired: The time window in which the risk could have occurred has passed, so the risk no longer needs to be considered.
- Closed: A risk (threat) for which the response has been fully effective and the risk can no longer affect the project.
- Occurred: The risk has happened and the impact is being experienced.
Using these status values, we can describe the lifecycle of a typical individual project risk, as detailed below, and illustrated in the figure:
- All risks start as Unknown. When they are identified, they become Draft risks which need to be reviewed and validated. A Draft risk can be Rejected if it is not considered valid, or it can be Escalated if it is outside the scope of the project. If the project manager decides to Escalate a risk, he or she determines who should be notified about the risk, and then communicates the details to that person or party. Draft risks that are considered valid and in scope for the project become Active.
- Active risks need to be assessed, and appropriate responses should be developed and implemented. The status of Active risks should be monitored regularly, and they may remain Active for some time. Alternatively, Active risks might be marked as Deleted or Expired if they can no longer affect the project due to changes in the project context (Deleted) or if the time of their potential impact has passed (Expired). We might be pleased that a threat has Expired since it can no longer have a negative effect, but we might regret an Expired opportunity where the positive impact is no longer possible.
- When an Active threat is successfully managed so that it can no longer affect the project, it is marked as Closed. Opportunities cannot be Closed, as they remain Active until they have either Occurred, Expired, or been Deleted.
- If and when a risk actually happens, it is marked as Occurred. It is good for an opportunity to occur, and bad for a threat to occur. A risk might occur if the response to a threat proved ineffective or the response to an opportunity was successful (or perhaps it was due to chance or luck!). When a threat has Occurred, it is converted to an issue or problem and managed accordingly. When an opportunity has Occurred, the additional benefits must be recognised and managed.
Status values should be recorded in the risk register and used to monitor the effectiveness of the risk process. For example, as the project progresses, we can measure how many Draft risks become Active (indicating how well we identify real risks), and how many Active risks actually Occur or are Closed (showing how good our risk responses are). This should help us improve performance in future projects, and allow us to take the right risks safely in our projects.
About Dr. David Hillson
In addition to growing his "retirement beard", David is still working with a small number of key clients, as well as speaking at events around the world.
Following a three-week vacation in South Africa with his wife to celebrate their 40th wedding anniversary, David will be travelling to some interesting places in the coming months. These include Denmark, Colombia, USA, Cyprus and Oman.
In addition, he's speaking at various conferences in the UK, including an after-dinner speech on "The joys and perils of lifelong risk-taking", and an event held in the Arsenal soccer stadium in London (Arsenal are the great rivals of David's team, Tottenham Hotspur, and he's not sure how he feels about entering their lair!).
David's activities and events are detailed on the Risk Doctor website. If you want to invite David to speak at your event, just get in touch. Some of the most popular topics are listed in the Speaking section of the website.
© Copyright August 2018, Dr. David Hillson/The Risk Doctor Partnership
Breaking News »