RISK MANAGEMENT

RISK MANAGEMENT PROCESS IN PROJECTS

Introduction
The project is characterized as a single specific action; it consists of a logical sequence
of activities and coordinated and controlled components; it is conducted in a
methodical and progressively organized manner, with con- straints of time, resources
and cost, to meet the defined objectives (Croitoru, 2015).

Any business and any project have distortions, challenges, and chang- es due to the
influence of external factors, which are continually changing or internal ones, which are
due to the different changes that occur during the activity. These influences lead to the
emergence of risks and uncertainty.

When carrying out projects, account must be taken of the risks that may arise
throughout them. These risks should not be ignored or hidden but they should be
treated responsibly by the project manager and his entire team. A project manager is
not able to solve every risk that appears in a project, so every person in his team has to
do something about risks (Boide, 2014, p. 620).

John Cocke of IBM Research in Yorktown, New York, created the risk concept in 1974,
proving that about 20% of the instructions on a com- puter did 80% of the work.

The literature presents the project risk in general (Wideman, 1992; Hill- son, 2002; Raz
et al., 2002; Ward and Chapman, 2003; Radovic, 2008; Zwik- ael, 2011). Also, different
authors present their opinions on risk management in different fields of projects (Clark
et al., 1990; Akintoye and Macleod, 1997; Ropponne and Lyytinen, 2000; Modarres,
2006; Bakker et al., 2010).

In the age of computer development, a new concept for rapid risk man- agement is
RISC-V (pronounced "risk five"). This is a calculation architecture based on the
calculation principles of the reduced instruction set. It represents a significant step
forward in processing the data at the required speed for all "heavy" applications that
can be used daily (Preimesberger, 2019).

However, until the computerized or online use of risk analyses, of the main aspects of
project risk, project management is outlined in this paper, and also, a risk management
process consisting of four main stages are presented.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

1. General aspects regarding risk and risk management

1.1. Risk in projects
The risk is the possibility of loss or injury (Merriam-Webster Online, 2009). Project risk
is an uncertain event or condition that, if it occurs, af- fects at least one project
objective (PMBOK Guide, 2008, p. 273).

The risk deals with the uncertainty of the events that could affect the project. Some
potential negative events of the project are highly likely to occur on specific projects.
Examples are (Wiley et al., 2012):

• Safety risks are common for construction projects;

• Changes in the value of local currency during a project affect the purchasing
power and budgets of projects with large international components;

MECHATRONICS ENGINEERING
RISK MANAGEMENT

• Weather-dependent projects, such as road construction or coastal projects,

risk delays due to exceptionally wet or windy weather.

Any successful contemporary business based on, inter alia, project management is not
possible without risk estimation, quantification, control and management (Radovic,
2008).

The risks of the project are separated from the organizational risks that are associated
with the business purpose of the project. The main differences of the project risk with
the dangers of the organization are (Wiley et al., 2012):

• The risk of the project is the possibility that the project events will not take
place as planned or that unplanned events will occur that will have a
negative impact on the project.

• Known risks can be identified prior to their occurrence, while un-

known risks are unforeseen.

• Organizational risks are associated with the business purpose of the project
and assumed by the client when deciding to do the project.

Projects by their nature are risky, so the project manager has a key role in identifying,
planning, and managing risks.

There are five ways to address project risks (Hobbs, 2015, p. 43):

Prevention: eliminating risks by doing things differently. This is not always a realistic
possibility.

Avoidance (the backup plan): consists of following another plan that will lead to the
same results but through a different route.

Reduction: measures are taken to reduce the likelihood of occurrence or reduce the risk
impact.

Transfer: refers to the spread or division of risk so that its consequences will be
significantly reduced (for example, with an insurance company).

Acceptance: there are a number of risks that are considered acceptable because their
reduction costs more than the benefits that can be obtained if the necessary measures
are not taken.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

• Cost risk, usually escalating project costs due to low accuracy costs
estimation and scope increase.

• Program risk (calendar), the risk that the activities will take longer
than expected. The reductions of the program usually increase the costs and also delay
the receipt of the benefits of the project, with a possible loss of the competitive
advantage.

• Performance risk, the risk that the project will not produce results
in accordance with the project specifications.

• Governance risk refers to the performance of the administration re- garding

the company's ethics and reputation.

• Strategic risks result from errors in strategy, such as choosing a technology

that cannot be operated.

• Operational risk includes risks due to poor implementation and

process problems, such as procurement, production, and distribu- tion.

• Market risks include competition, foreign exchange, commodity

markets, and interest rate risk, as well as liquidity and credit risks.

• Legal risks arise from legal and regulatory obligations, including contractual
risks and litigation against the organization.

• Risks associated with external hazards, including storms, floods

and earthquakes; vandalism, sabotage and terrorism; labour strikes; and civil unrest.

As indicated in these examples, project risks include both internal risks associated with
the successful completion of each stage of the project, plus dangers that are beyond
the control of the project team.

These latter types include external risks that arise from outside the or- ganization but
affect the final value to be derived from the project. In all cases, the severity of the risk
depends on the nature and extent of the possi- ble final consequences and their
probabilities.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

In addition to project risk, the risk of project deferral may be signifi- cant. The risk of
delaying the project refers to the risks associated with the failure to carry out a project.
As with project risk, the risk of project deferral may arise from any of the sources of the
risk presented above. The risk of delaying the project may also arise if there is only a
limited range of oppor- tunities for project management; if the project is not done now,
there may be a risk that it will never be possible to carry it out later.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Most environmental risk assessment methods are based on scoring and comparing with
the average of the variables considered. Depending on the analysis indications, each
method has applicability in a particular geograph- ical area or country (Negulescu,
2015, p.194).

Often, external risks contribute more to portfolio risk, as they impact on several projects
simultaneously. For example, the research and develop- ment project of a
pharmaceutical company is affected by the uncertain re- sults around the specific
compound involved, but many projects could be affected by a change in regulations.

Similarly, the exploration project of an oil company depends on the uncertainty about
the presence of oil in the given location, but the uncertain- ties regarding the market
price of oil affect many projects. Also, a construc- tion company could have many
projects threatened by the external risk of rising steel or commodity prices.

1.2. Risk management in projects

Risk management focuses on identifying and evaluating risks for the project and
managing their chances to minimize the impact on the project. There are no projects
without risks because there is an infinite number of events that can have a negative
effect on theproject. Risk management does not refer to the elimination of risk, but the
identification, evaluation, and management of risk.

Raz et al. (2002) studied risk management practices in hundreds of projects in a variety
of industries. The results of this study suggested the following about risk management
practices:

• Risk management is not widely used;

• The projects that most likely had a risk management plan were those that
were perceived to be high risk;

• When the risk management practices were applied to the projects,

they seemed to be positive concerning the success of the project;

• The risk management approach influenced the programs and objec- tives of
the project costs, but exerted a smaller influence on the quality of the
project products;

• Proper risk management increases the likelihood of a successful project.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

2. The risk management process

The manager and members of the project team at different levels iden- tify and manage
risks in various forms (Lavanya&Malarvizhi, 2008). But this will be inefficient without a
structured risk management framework, as this leads to incomplete impact assessment,
which results in the loss of:

Knowledge of the overall impact on the project objectives, such as

scope, time, cost and quality;

Identification of secondary or new risks resulting from the risks al- ready
identified;

Lack of transparency and a communication gap within and outside the

team.

According to the authors, it is very important for any project organiza- tion to establish
an effective risk management framework. The establish- ment of such a practice as a
culture of the project team ensures:

Identifying and managing conscious and concentrated risk;

The progress of the project as desired, with the least amount of de- viations
or surprises, and in accordance with the objectives of the organization and
the project;

Early and effective communication of project problems with pro-

ject organizations and stakeholders;

An efficient team-building tool, as the acquisition and acceptance of the

team, is ensured.

Risk management is an iterative process, and each facet of risk man-

agement should be planned and followed in each phase of the project. This process
comprises four steps: risk identification, risks analysis or assessment, risks
management, and risk control (figure 1).

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Risks management plan

The organization's risk management framework is reviewed and adapted to define the
project risk management plan at project initiation. The risks management plan includes
the following guidelines:

List of possible sources and categories of risk;

Impact and probability matrix;

Risk reduction and action plan;

Intervention plan;

Threshold and risk values;

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Identifying risks;

Risk analysis;

Risk management;

Risk control;

Feedback.

Figure no. 1. The risk management process Source: upon Lavanya&Malarvizhi, 2008

Step 1 – Identification of risks

Risks should be identified and addressed as early as possible in the project. Risk
identification is made throughout the life cycle of the project, with a particular focus on
the key stages.

Risk identification is one of the critical topics in the normal state of the project and in
reporting sessions. Some risks may be readily apparent to the project team (known
risks); others will have more rigors to be discov- ered, but they are still predictable.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Risk repertoire: list of risks from history (other projects);

List of possible risks;

Expert judgment, using brainstorming;

The status of the project, which includes progress reports;

Classifying risks by categories.

The risk category provides a list of areas prone to risk events. The or- ganization
recommends standard categories at the high level, which should be extended according
to the type of project, for example, technical, organi- zational, project management,
and external factors.

Step 2-Risk analyses

Risk analysis or assessment involves examining how the project's re- sults and
objectives may change due to the impact of the risk event.

After identifying the risks, they are analysed to identify the qualitative and quantitative
impact of the risk on the project, so that appropriate measures can be taken to mitigate
them. The following guidelines are used to analyse risks: the likelihood of risk
occurrence, the impact of the risk, the exposure to risk or risk score, and the period of
occurrence of the risk.

1. Likelihood of risk occurrence

• High probability: (80% ≤ x ≤ 100%)

• Medium-high probability: (60% ≤ x <80%)

• Medium-low probability: (30% ≤ x <60%)

• Low probability: (0% <x <30%)

2. The impact of the risk

• High – Catastrophic (rating A – 100)

• Medium – Critical (rating B – 50)

• Low – marginal (rating C – 10)

MECHATRONICS ENGINEERING
RISK MANAGEMENT

3. Exposure to risk or risk score

The risk exposure or risk score is the value determined by multiplying the impact rating
with the risk probability, as shown in figure 2.

The urgency of risk response planning can be marked with different colours and
determines the levels of reporting.

The score represents the lower thresholds for the classification of risks assuming
"normal" conditions.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Rating/ 1=high 2=medium- 3=medium-low 4=low

Probability high

A=100 Very high ex- Very high ex- High exposure Moderate expo-
posure posure sure

B=50 High exposure Moderate expo- Moderate expo- Low exposure

sure sure

C=10 Low exposure Low exposure Low exposure Low exposure

Figure no.2. Exposure-probability matrix of risk in projects Source: Lavanya&Malarvizhi,
2008

An update of the score at the next level or even the next + 1 is re- quired if the risk is
affected by critical factors such as:

How important the specific client is;

Whether the project is essential for the further development of the client
relationship;

The risk is already in the centre of the customer's attention;

The specific sanctions for the deviations from the project targets are agreed
upon in the contract with the client.

Period of occurrence of the risk

The time frame in which this risk will have an impact is identified. It is classified in one
of the following:

Appropriate (now or within 1 month;

Medium: the next 2-6 months;

Large: over 6 months.

In addition to classifying risks according to the guidelines above, it is also necessary to

describe the impact on cost, schedule, scope, and quality in as much detail as possible,
based on the nature of the risk.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Step 3-Risk management

Risk management involves: planning the risk response, identifying the risk triggers, and
establishing the person responsible for resolving the risk.

Planning the risk response

There may not be quick solutions to reduce or eliminate all the risks that a project
faces. Some risks may be needed and strategically managed over more extended
periods. Therefore, action plans should be developed to reduce these risks. These
action plans should include:

Description of risk with risk assessment; Description of the risk reduction

action;

Owner of the risk action;

A committed completion date of the risk action.

All risk action plans should be allocated to the person identified to carry out the action
plan (responsible).For each risk, a risk response must be recorded in the risk register, in
agreement with the stakeholders. This should be provided by the project manager.

The risk response plans are aimed at the following objectives:

Elimination of risk;

Decreased probability of occurrence of risk;

Reducing the impact of risk on the project objectives.

Risk response plans usually have an impact on time and costs. There- fore, it is
mandatory that the time and cost of the defined response plan be calculated as
accurately as possible. This also helps to select a response plan from the alternatives
and to check if the response plan is more expensive or has more impact on one of the
project objectives than the risk itself.

Risk triggers

For each risk, a trigger must be recorded in the risk register. The trig- ger identifies the
risk symptoms or warning signs. This indicates that risk has occurred or is about to
occur. The risk trigger also shows when a certain risk is expected to occur. Following the
successful implementation of a set of response plans, the risk score could be reduced
following consultation with stakeholders.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Risk responsibility

The basic rule is that the project manager is responsible for managing all the risks in the
project.

Based on this basic rule, a Risk Owner (which is not necessarily the project manager)
must be determined and named in the Risk Register. The risk owner usually is the one
who may best monitor the risk trigger, but it can also be the one that can best manage
the defined measurement measures. The risk owner is responsible for the immediate
reporting of any change in the status of the risk trigger and for conducting the defined
coun- termeasures.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Step 4-Risk monitoring and control

Risk monitoring and control include:

Identifying new risks and planning for them;

Track existing risks to verify that:

 Reassessment of risks is necessary, and

 Any risk conditions have been triggered;

Monitor any risks that may become more critical over time;

Addressing other risks that require a long-term, planned, and man- aged
approach with risk action plans.

Reclassification of risks

For the risks that cannot be closed, the criticism must decrease over a while due to the
implementation of the action plan. If this is not the case, then the action plan may not
be valid and should be reviewed.

Risk reporting

The risk register is continuously updated, from the identification of the risk by planning
the risk response and updating the status during the monitoring and control of risks.
This project risk register is the primary risk reporting tool and is available on the central
project server, which is acces- sible to all stakeholders.

Risk monitoring and risk control or review is an iterative process that uses progress, and
delivery status reports to monitor and control risks. This is activated by various status
reports, such as quality reports, progress re- ports, tracking reports, etc.

Risk reviews are a compulsory element of landmark meetings and or regular project
meetings, but can also be carried out at risk assessments scheduled separately. These
risk analyses should be performed on a regular basis. The frequency could also be
determined based on the overall risk lev- el of a project.

Therefore, the risks of a project must be anticipated, identified, and recorded. The risks
that may arise are anticipated during the project design and planning phase (table 1).

MECHATRONICS ENGINEERING
RISK MANAGEMENT

(at what stage the work is), status (action is taken, ongoing, not started), and resources
allocated.

Lack of communication, causing a lack of clarity and confusion;

The pressure to arbitrarily reduce task durations and run tasks in parallel,
which would increase the risk of errors;

Unsolved project conflicts on time;

The business becomes obsolete, or is undermined by external or in- ternal

changes;

Delay in the previous phases of the project endangers the ability to

be fulfilled on the set date. For example, delivery of materials on time, for a conference,
or at the time of launch.

Increased workload or time requirements due to new directions or

policies were added;

Inadequate customer testing leads to an extensive list of customers

accessing them.

The project is delayed due to legal action;

MECHATRONICS ENGINEERING
RISK MANAGEMENT

The client refuses to approve deliveries/benchmarks or delays the approval,

putting pressure on the project manager to "work in a risky situation";

Theft of materials, intellectual property or equipment;

Emergency, such as extreme weather, which leads to loss of re- sources,

materials, spaces, etc.

Stakeholder actions delay the project.

Other aspects regarding risk management are risk threshold, risk effi- ciency
measurement, and risk audit (Lavanya&Malarvizhi, 2008).

Risk threshold

Risk priorities need to be set to focus directly on where it is most criti- cal. The highest
priorities are the risks with the highest degree of risk expo- sure. Low exposure risks can
be eliminated from mitigation plans but should be reviewed later in the project.

The organizational mandate is that if the projects have at least a "very high" risk or
more than 3 "high" risks, guidance must be sought from the management of the
organization and stakeholders, as the project may have a high risk of failure. This is the
recommended risk threshold. Projects can customize the threshold according to the
needs of the project.

Measuring risk efficiency

The efficiency of risk analysis and management is measured by cap- turing the following
values during project closure. The results of the analy- sis are used to decipher the
lessons learned, which is updated in the database of lessons learned organization.
Number of risks encountered / Number of identified risks;

Was the risk impact as severe as initially thought?

How many risks have reappeared?

How are the real problems and problems differentiated by a project from
the anticipated risks?

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Exhaustion and granularity of the identified risks;

The effectiveness of the mitigation or intervention plan.

The link between project risks and organizational risks

This link is not a "process adherence" audit, but rather an aid for im- proving the quality
of risk identification and risk analysis. The link is also used as a forum for assessing and
identifying good risk management prac- tices within the various projects in the
organization.

The risk audit is performed by a group of independent fields or tech- nical experts by
reviewing the documentation and interviews. The main re- sults of this risk audit are:

Customized checklist for assessing the risks of a project;

Identifying the areas of importance for risk analysis for a project (risk
taxonomy);

Risk radar or risk-prone areas of the product group;

Potential additional risks identified based on the review;

Top 10 risks in the organization from crucial projects that require

management's attention.

When using software, risk management becomes the most challenging aspect of
project management. Although we can never predict the future with certainty, we can
apply a simple and efficient risk management process to predict project uncertainties
and minimize the occurrence or impact of these uncertainties.

Not only does risk management help to avoid crises, but it also helps us to remember
and learn from past mistakes. This action enhances the chance of successful completion
of the project and reduces the consequenc- es of these risks.

Conclusions

One of the essential activities in project management is project risk management.

Different risks may arise at each stage of a project. They must be identified, defined,
registered, and reported to the stakeholders. Also, these risks must be managed
responsibly so that the projects are not in dan- ger of being closed; to record cost
higher than those budgeted; not to com- plete the deliverables or not to have delivered
the project on time. However, the project manager can use several tools, such as „the

MECHATRONICS ENGINEERING
RISK MANAGEMENT

Ex- posure-probability matrix of risk in projects” and „the pattern to record the
anticipated risks of the project” for ease of risk management. It may also use guidelines
to analyze risks: the likelihood of risk occurrence, the impact of the risk, the exposure to
risk or risk score, and the period of appearance of the risk, to take appropriate
measures can be made to mitigate them.

To reduce the risks of the projects, they need effective risk manage- ment approaching
a specific process, which comprises four main stages; risk identification, risk analysis or
assessment, risk management, and risk con- trol.

Risk management is not the end of the activity in terms of efficient risk management. It
is a constant learning process for project managers to continually improve their
practices to increase the efficiency of the process.

MECHATRONICS ENGINEERING
RISK MANAGEMENT

MECHATRONICS ENGINEERING