Project Risk Management Guidelines

Introduction

An inevitable part of any project is risk – risk that the operating environment will change unexpectedly, that capacity to undertake and fulfil the project will be compromised, that necessary supplies and services will not be available at the required time, that cost levels will alter etc. Indeed there are almost an infinite number of different risks which could be identified. In general terms, risk is the potential for the realisation of unwanted, negative consequences of an event.  Risk management requires that the major risks that may compromise a project be identified, assessed in terms of their impact and probability, that an active process be undertaken to eliminate or mitigate these risks, and where at all possible, contingency plans be developed to pursue should the event actually occur.

Risk Identification

It can be useful to consider several different forms of risks, such as:

1.      External environment;

2.      Internal organisational;

3.      Project.

External environment risks might include:

·        Political or social upheaval or change

·        Natural disaster – e.g. earthquakes, floods, droughts

·        Change of national laws

·        Community-wide infrastructure failure – e.g. power

·        Major industrial strikes.

Events such as these are beyond the ability of any one organisation to prevent, however they require assessment, and steps taken to mitigate the consequences.

Internal organisational risks cover the normal operational risks that must be considered regardless of the project being undertaken, such as:

·        Staff turnover and loss of skill-base

·        Inability to recruit suitable staff

·        Knowledge rests with a small number of staff (possibly just one) and absence on leave or sickness compromises operations

·        Poorly developed operational policies and procedures leads to poor performance

·        Poor internal communication or conflict leads to poor performance

·        Failure of internal control systems leads to loss of cash or assets

·        Essential business processes compromises by infrastructure or technology failure – e.g. IT failure

·        Fire or other disaster destroys records

·        Financial stability of organisation compromised

·        Changing organisational priorities compromises performance.

Project risks are those relating to the specific project, such as:

·        Cost estimations significantly incorrect

·        Program delivery projections incorrect

·        Specialist technical skills not available

·        Sub-recipients misunderstood expectations of project

·        Poorly developed project management processes in PR or in SR

·        Communication breakdown between PR and SRs

·        Flow of funds delays implementation

·        Procurement delays

·        Misunderstanding between PR and LFA

·        Project overwhelms organisational capacity

·        Global Fund changes PR arrangements or does not approve Phase 2.

Managing Risks

Given the risks involved with any Global Fund project, an essential part of project management is the development of a Risk Management Plan. A Risk Management Plan consists of the following elements:

1.      Identifying risks: external, internal and project;

2.      Assessing risks (probability of event occurring);

3.      Quantifying risks (cost of unwanted, negative event);

4.      Developing response (mitigation and contingency plans);

5.      Risk monitoring and control plan.

To develop a Risk Management Plan, it is useful to bring together a small team of people to review the current project, including using historical experience from similar or related projects to work through the above five (5) elements. By breaking a complex risk into smaller pieces, it is easier to develop up mitigation and contingency plans. Additionally, by breaking up a complex risk, it makes it easier to identify those elements which are beyond the influence of the project team and those where active risk reduction and control can be achieved.

In assessing risks, it may not be possible to assign scientifically documented probabilities, but it is well feasible to assign broad risk probabilities or ratings – high/medium/low. Likewise, in quantifying risks, it may not be possible to assign accurate costs in NGR, but one can use broad high/medium/low ratings. It can be useful to identify possible outcomes through alternative scenarios – i.e. best / most likely / worst scenarios which would each have different estimated costs.  Assigning broad ratings to risk assessment and quantification allows the team to focus upon those risks which are most important to control or mitigate.

Risk mitigation aims to put in place the procedures and control mechanisms to reduce the impact or severity of any undesirable event. Risk mitigation therefore is action before the event occurs. Contingency planning on the other hand is the “Plan B” approach – having in place plans that can be quickly implemented in the event that the undesirable event occurs. Contingency planning provides the “after the event” action, however it is essential that the planning be done beforehand so that the necessary preparations and assignment of roles are resolved and action can be swiftly undertaken.

Risk mitigation and contingency planning are particularly of relevance in Global Fund projects, where new approaches to long-standing health and system problems that have resisted previous endeavours are being attempted. The time and cost required to do risk planning up front is likely to be far less expensive than dealing with the consequences of an actual risk event. The greater the advance notice of risk resulting from good project planning, the greater the possibility to mitigate or avoid the problem. It is highly desirable for PRs and SRs to work together on Risk Management so that each understands the risks that the other partners are subject to and that each partner can contribute to mitigating. Frequently a partner may not be aware that his/her action or inaction on a particular issue creates serious project problems for others. Procurement and Delivery delays and Fund Flow coordination are critical areas for PRs and SRs to work jointly on Risk Management.

Risk Monitoring likewise should be an activity involving PR and SR partners where they regularly jointly review performance, risk and performance indicators to determine whether further risk mitigation needs to be developed or whether a “Plan B” (or “Plan C, D or E”) needs to be activated to ensure a program delay or failure has least damaging impact on the desired program outcome. Risk monitoring can frequently benefit from using jointly determined benchmarks which highlight when variations from the desired plan have exceeded acceptable limits.