As Glen Alleman often quotes, 'risk management is how adults do projects'. But how to do risk management?
I'm reasonably familiar with the typical approaches taken in business and the project world here in Australia, and I'm also reasonably familiar with what has been written both on the Internet, and between hard covers ('books', for GenY and younger): it ranges from nonsense to good practice, of course.
It seems to be universal that risk events are identified, then categorised as to effect (or 'impact', as if they are meteors), and probability of occurence.
I had a look at an explanation on wiki answers and got the all too familiar twaddle about multiplying the effect rating by the probability of occurrence, in the misbelief that this produces something meaningful; in matrix fashion.
But even getting past this, whence the list of risk events?
I've been in countless 'workshops' where the collective wise heads dream up a list of risks, and assign the two ratings to each, in long tedious hours. And that's about it.
There is a more structured way.
Start with the project work breakdown structure, at whatever level it has been developed to; one hopes at least three of four levels; and examine each identified work element or package for risks to schedule (what could prevent this being completed on time), budget (will the budget fund the performance or capability needed) and technical performance (what would stop the deliverable form performing as required by the project).
The risks will come from a number of sources; in building projects, it will include adequacy of programming/briefing, owner engagement with the project, materials supply and labour/contractor delivery, design adequacy, sub-surface conditions (foundation conditions, in-ground services, presence of rock), and so on.
Risks occur as interuptions to dependencies: so what does a particular work package depend upon for completion (including for commencement). For instance, footing construction completion depends on adequate footing design. A major risk is foundation conditions: is sub-soil marsh or rock? What is the market like to supply expertise for either type of foundation condition and consequent footing design? How do we manage (mitigate) the risk? In this case, we get a drill rig on site and drill core samples to see just what is under ground. We also retain geotechnical engineers to conduct a fulsom examination of the site conditions, including relevant usage history.
For a well known type of project in a well known location, there should be some record of risk events and their frequency and effect: this produces real probabilty numbers to work with.
Thus, a more structured basis to develop an appreciation of risks than sitting in a circle dreaming in a workshop.
But...I've never experienced such a structured approach, or one that sought historic data, or even attempted reasoned cost ranges for effects! And they want to call project management a profession!!
By the way, for some helpful discussion on project risk, check out the relevant tags at Herding Cats and Eight to Late as a starter (see the blog list to the right); for a useful critique of the faulty practices that seem to be dominant at the moment, at least in Australia, I suggest a click on The Limitations of Scoring Methods.