Risk management has historically been viewed by many organisations as something of a “chore”. However, with an increasing number of high profile project failures, more and more companies and government agencies are realising the importance of risk management. By managing risk more effectively organisations can gain a competitive advantage through such things as:o Improved product qualityo Increased ability to deliver on timeo Improved Asset Efficiency due to fewer breakdownso Reduced costs by limiting legal action or preventing breakageso Improved reliability leading to an enhanced reputationRisk Management TechniquesThe key to effective risk management is the application of best practice techniques to a specific situation. The principles of effective risk management remain constant, but they must be flexed to take account of the size, shape and complexity of the project. A formal risk committee reporting once a month would not be appropriate for a DIY project at home but may be necessary for a project as large and complicated as rebuilding Wembley.Step 1: Set up Risk Management Structureo Determine Risk Appetite: Understand the acceptable level of risk that can be absorbed by the organisation, department, project or programme. The costs of avoiding risks beyond this risk appetite (often called risk tolerance) mean that it is no longer beneficial to attempt to avoid them.o Develop Risk Language: From a change management perspective, it is imperative that people within the organisation understand each other. Developing a common risk language or “risk glossary” is a vital step to avoid misunderstanding and to ensure a consistent approach.o Implement Organisational Structure: In order to manage risk effectively, the organisation or project must set up an appropriate organisational structure. Individuals and groups should be set up with clearly defined roles and responsibilities, together with an appropriate reporting structure and meeting schedule.o The structure clearly varies according to the size and complexity of an organisation or project, ranging from a series of overlapping risk sub-committees through to no more than a part-time risk manager. In all cases, however, the objectives, responsibilities and respective authority of each group and individual should be clearly demarcated.Step 2: Identify Risks & IssuesUsing experienced risk managers and a structured approach can save a fortune in downstream costs for a project. Regardless of whether such specialist resources are available, it is important to first understand and validate the objectives and success criteria of the project to determine what is at risk.During the risk identification process, each of the various types of risks (Strategic Risk, Operational Risk, Legal Risk, etc) that the project is exposed to must be reviewed. Specific risk areas, such as the risk to the environment, to the technology infrastructure, to the workforce and supplier reliability must be considered. The potential impact of each risk on the timescales, cost and performance or quality of the project is evaluated, along with the probability of the risk manifesting itselfAll key stakeholders involved in the project should be involved at the identification stage, not only to increase the number of risks identified but also to ensure responsibility can be assigned and buy-in is generated throughout.Step 3: Evaluate & PlanFirst of all an overall risk reduction strategy and approach should be developed that is appropriate for the size and complexity of the project and the overall risk appetite (See above).For each risk that has been identified, a decision should be made as to whether to transfer the risk (e.g. through insurance, to a sub-contractor etc.), mitigate it through specific actions to reduce its probability and impact, monitor the risk more closely or ignore it entirely due to a small impact or low probability of occurrence.All risks should be assigned an owner, a trigger date and the frequency it needs to be reviewed. Specific action steps should be determined in order to reduce the probability or impact of the risks where appropriate and contingency plans developed to come into force once a risk has crystallised. These reduce the impact of the risk or return to business as usual at the earliest opportunity (e.g. Disaster Recovery Plans). Of course, all risk actions should have an owner and be integrated within the overall Project Management PlansStep 4: Management & ControlDuring the Management and Control phase, the mitigating actions to reduce the probability and impact of each risk must be initiated and managed together with the wider project action steps.Exposure to avoidable risks should be reduced at the earliest opportunity, but some risk can never be avoided entirely. Hence the contingency plans developed above may need to be deployed when a risk does materialise.A risk register or risk matrix should be populated and updated regularly throughout the duration of the project. A risk management software tool can often be a cost effective way of maintaining your risk register as it can reduce the manual workload and help prioritise risk management activity.More advanced tools can also quantify risk exposure using techniques such as Monte Carlo analysis. In this way, the relative benefit of reducing the exposure of the project to the residual risks it faces can be weighed against the cost of the risk mitigating actions that are required.Step 5: Management Reporting:Once risks have been identified and plans to reduce them put in place, it is imperative that they are reviewed regularly. The internal and external project environment is continually changing (e.g. in the case of Wembley the rising price of steel, or the changing attitude of the FA). Some risks will fall away, others will arise that could never have been envisaged at the outset.The risk register must therefore be continually updated and reports generated at regular and frequent intervals. Management reports should provide clear visibility on the risks faced, enable prioritisation of the activity and facilitate decision making.A risk aware culture should be embedded throughout the organisation,. This will increase sensitivity to warning signals and ensures continual improvement in the identification, assessment and management of risk.Using this framework, organisations can plan appropriate strategies well in advance of any risk occurring. The probability of a risk occurring is therefore reduced, or its impact minimised should it manifest itself. Through increased awareness of problems across the organisation or project, companies and government agencies can generate enormous value and process improvements through effective risk management.