Risk and Issue Management

Risk and issue management are central components of project management. Risks and issues must be successfully identified and minimized to ensure the success of a project. What exactly risks and issues are, what the difference between the two terms is, and how the process of risk and issue management is structured are presented in this article.

1. Introduction

Risk and issues management help to reduce or, at best, prevent negative impacts on a project. A project is considered at risk if any of the following elements are impacted:

• Project Schedule
• Scope
• Budget
• Quality

In addition, factors such as loss of motivation or image must also be taken into account.

Risk analysis and management represent a systematic and formal process approach. The process of risk management takes place in all phases of project life.

Risk and issue management is part of both classic and agile project management. In the SAFe Framework, the process module Agile Risk Management is dedicated to this topic. In the PMI Framework, the topic is mapped in the Risk Management Framework. There is a dedicated certification for this: PMI Risk Management Professional (PMI-RMP).

2. What are project risks?

Project risks are uncertain events with a negative impact on the success of the project. They are determined by the probability of occurrence of the risk and the potential loss if the risk materializes.

2.1 Types of risks

• Commercial risks (e.g. payment difficulties, insolvency of a contractual partner)
• Technical risks (e.g. a concept for a novel technical solution turns out not to be feasible)
• Deadline risks (e.g. a supplier fails to provide the requested service on time)
• Resource risks (e.g. if the resources earmarked for a project are still needed for a previous project)
• Political risks (e.g. when supplier selection decisions are not made as recommended by the project team)

2.2 Risk identification

Workshops can serve as a basis for identifying risks, where the project team identifies risks using, for example, brainstorm techniques, risk checklists, or by analyzing projects that have already been completed. Risks can also be identified spontaneously in weekly team meetings or discussions.

2.3 Risk analysis

The expected value of a risk (= risk value) is a product of the probability of occurrence and the potential consequences if the risk occurs:

Risk value = probability of occurrence [%] * scope [EUR]

The scope is the estimated financial consequences of a risk event. The probability of occurrence is usually estimated by the project team before the project starts.

• Risk prevention or reduction: measures are taken to reduce or eliminate the likelihood of a risk occurring
• Risk limitation: The possible occurrence of the risk is accepted, as avoidance would be too expensive.
• Risk transfer: A risk is transferred to another organization.
• Acceptance of a risk without measures: Used for risks with low consequences.

3. Definition of Issues

Problems are events that are happening now that are already impacting the project and need to be actively addressed to limit the negative consequences (Impacts). In many cases, these are problems that could not have been foreseen. Risks that occur can become problems (issues).

In risk management, the initial focus is on predicting future events (risk identification), while issues management is about finding a quick solution to an existing problem (developing responses/mitigation actions).

4. Cycle of Risk and Issue Management

4.1 Identification of risks/problems

In the start phase of the project, the focus is on identifying risks. There are general and project-specific risks that should be known and communicated as early as possible. Issues are identified directly in operational project activities.

Sources for project risks are:

• The project team
• General risk protocol
• Databases with experiences from previous projects/releases
• Other project/quarter managers
• Risk managers or project consulting

4.2 Documentation of risks/problems

Project management relies on communication of risks/problems by the project team. Due to different roles and responsibilities, different project stakeholders have different views on risks. Therefore, it is important that the project manager is in contact with representatives of all stakeholder groups.

• Proactively report important problems and risks to project management.
• Ensure that the problem is well understood (ideally including severity and solution options).
• Take on all responsibilities of a risk owner if no other owner is found.
• Risk and issue log for documentation.
• Risks and problems should be documented, ideally in a collaborative project management tool like Jira.

4.3 Determining the risk owners

Reporting a risk/problem to project management does not mean that responsibility is transferred to project management. If the identifier clearly indicates that someone else should be responsible, project management has several options:

• Reassignment of the risk/problem to the identifier.
• Handover of the risk or problem to someone better positioned to manage it.

4.4 Assessment of probability and impact

The procedure for risk and issue management also requires an assessment of risks and issues in terms of their impact and probability of occurrence.

Probability describes how likely a risk can occur (in percent):

• Unlikely (0-10%)
• Possible (11-30%)
• Very likely (31-50%)
• Likely (51-80%)
• Very likely (81-99%)
• Occurred (100%)

Impact is classified as: Very low, Low, Medium, High, Very high, or Exact value in EUR.

4.5 Development of solution measures

Once a risk has occurred and/or become an issue, a solution measure must be found. This follows this schema:

• Identification of solution options
• Definition of measures to mitigate consequences
• Ensuring implementation of defined solution measures
• Defined measures must be forwarded to project management
• Setting a planned completion date
• If measures involve potential budget overruns, approval from the project manager is required first.

4.6 Progress control

Once a risk has been identified, it is important to monitor progress in risk mitigation and problem solving at all levels.

4.7 Recording of additional risks/themes

The project team should record the following information when closing a risk:

• Cross-project impacts of risks and issues
• Lessons learned in the form of feedback and recommendations

5. Links

• https://www.projektmagazin.de/glossarterm/risikomanagement
• https://www.atlassian.com/de/software/confluence/templates/risk-assessment
• https://wirtschaftslexikon.gabler.de/definition/risikomanagement-42454