The document summarizes a presentation on demystifying project risk management. It discusses practical tips for project risk practitioners, including how to determine the appropriate level of risk management for a project based on its size and riskiness. It also covers managing both threats and opportunities, setting risk thresholds, regularly updating the risk assessment, and concluding risk management after project completion with a lessons learned review. The goal is to provide a scalable and iterative approach to risk management called ATOM.

1. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 1
DEMYSTIFYING PROJECT
RISK MANAGEMENT
Practical tips for practitioners
Presented by
Dr David Hillson
HonFAPM, PMI Fellow, CFIRM
at
APM SWWE Branch meeting,
BAWA Bristol,
18 April 2023
The Risk Doctor The Risk Doctor Partnership
david@risk-doctor.com www.risk-doctor.com

2. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 2
Topics
How much risk management do I need to do?
What about upside risk?
How much risk is too much?
How to stay up to date?
When does risk management end?
…but first…

3. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 3
Why manage risk on projects?
The most important thing!
All projects are risky
Risks drive us off plan
Risk management effectiveness  Project success
Risk can (should/must) be managed proactively
RISK MANAGEMENT
PRIORITY

4. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 4

5. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 5
1. How much risk management?
All projects are risky, but…
Risk process must be scaleable
Ensure level, type & visibility of process match:
riskiness of project
importance of project to organisation
Affects
methodology, tools & techniques
organisation & staffing
reporting requirements etc.
Document decisions in Risk Management Plan

6. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 6
Define project riskiness
Yes, but how?
Define meaningful “size” criteria for this project (~10)
Determine threshold levels for each criteria
Score project
Use overall score to define project as Small/Medium/Large
Allow shortcuts for “obviously Small/Large”
Scope risk process to match project risk challenge
define /dI’fam/ v.t. state precise meaning
of; describe scope of; outline; mark out
(limits, boundary).
dI’fa
scribe

7. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 7
Define project riskiness
[Example Project Sizing Tool]
CRITERION Criterion Value = 2 Criterion Value = 4 Criterion Value = 8 Criterion Value = 16 Criterion
Score
Strategic importance Minor contribution to business
objectives
Significant contribution to
business objectives
Major contribution to business
objectives
Critical to business success
Commercial /
contractual complexity
No unusual commercial
arrangements or conditions
Minor deviation from existing
commercial practices
Novel commercial practices, new
to at least one party
Ground-breaking commercial
practices
External constraints
and dependencies
None Some external influence on
elements of the project
Key project objectives depend on
external factors
Overall project success depends
on external factors
Requirement stability Clear fully-defined agreed
objectives
Some requirement uncertainty,
minor changes during project
Major requirement uncertainty,
major changes during project
Requirements not finalised and
subject to negotiation
Technical complexity Routine repeat business, no new
technology
Enhancement of existing
product/service
Novel product/project with some
innovation
Ground-breaking project with
high innovation
Market sector regulatory
characteristics
No regulatory requirements Standard regulatory framework Challenging regulatory
requirements
Highly regulated or novel sector
Project value Small project value
(<$250K)
Significant project value
($250K-1M)
Major project value
($1-3M)
Large project value
(>$3M)
Project duration Duration <3 months Duration 3-12 months Duration 1-3 years Duration >3 years
Project resources Small in-house project team Medium in-house project team Large project team including
external contractors
International project team or
joint venture
Post-project liabilities None Acceptable exposure Significant exposure Punitive exposure
OVERALL PROJECT SCORE
PROJECT SCORE: <35 = Small; 35-74 = Medium; ≥75 = Large
Shortcuts: Project Value <$50K = Small; >$5M = Large

8. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 8
Scaleable risk process
 Small projects = lower risk challenge = simplified risk process
Medium projects = average risk challenge = typical risk process
Large projects = higher risk challenge = enhanced risk process

9. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 9
Scaleable risk process
Yes, but how?
 Small projects/simplified risk process
Still include all process steps, but…
Involve fewer people, use existing project meetings, use
fewer/simpler techniques, less detailed updates, simple reporting…
Medium projects/typical risk process
No changes!
Large projects/enhanced risk process
Involve more people, dedicated workshops, use more in-depth
techniques, deeper updates, tailored reporting…
Consider quantitative risk analysis

10. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 10

Risk = Uncertainty
True or False ?
Risk = Uncertainty that matters
(i.e. can affect objectives)
2. What about upside risk?
What is risk?
≠

11. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 11
Risk connects uncertainty with objectives
ISO 31000:2018
“The effect of uncertainty on objectives”
What is risk?
Risk includes both opportunities & threats
“An effect is a deviation from the expected.
It can be positive, negative or both…”

12. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 12
Which impacts matter?
Uncertainties that help as well as
uncertainties that harm
Both need managing proactively
Managing risk means…
…not only preventing potential problems
“Stop things going wrong”
…but also finding potential benefits
“Help things go right”

13. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 13
Goals of risk management
Minimise threats
Maximise opportunities
Optimise achievement of objectives

14. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 14
Managing opportunities matters
Yes, but how?
Same risk process
Extended techniques for opportunities
risk identification (find positive uncertainties)
two-dimensional techniques
risk assessment & prioritisation (pick best ones)
Double P-I Matrix
risk responses (make happen, or maximise)
equivalent strategies

15. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 15
Two-dimensional risk
identification techniques
SWOT Analysis
“We’re good/bad at… So what?”
Assumptions/Constraints Analysis
“What if…? What if not…?”
Fault/Benefit Tree Analysis
“Yes, but how…?”

16. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 16
VHI
HI
MED
LO
VLO
POSITIVE IMPACT
(Opportunities)
VHI HI MED LO VLO
PROBABILITY
NEGATIVE IMPACT
(Threats)
VHI
HI
MED
LO
VLO
VLO LO MED HI VHI
PROBABILITY
Prioritising opportunities
1
QUICK WINS:
EASY TO GET &
BIG BENEFIT
3
CONSIDER IMPROVING:
EASY BUT
LOWER BENEFIT
2
WORTH EXPLORING:
HARDER TO GET
BUT BIG BENEFIT
4
DON’T
BOTHER!

17. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 17
Avoid
Reduce
Transfer
Accept
THREAT GENERIC STRATEGY OPPORTUNITY
ELIMINATE UNCERTAINTY
CHANGE SIZE
INVOLVE OTHERS
TAKE THE RISK
Exploit
Enhance
Share
Accept
Responding to opportunities

18. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 18
3. How much risk is too much risk?
“It depends”… on…
… project objectives
… stakeholder risk appetite
… organisational risk thresholds
One person’s “Critical” is another’s “Who cares?”
Define impact scales (VHI)/HI/MED/LO/(VLO)
Who defines?
Project sponsor with other key stakeholders
Record in Project Charter, business case or Risk Management Plan

19. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 19
Each risk has one probability of occurrence and at least one impact
Example of project-specific scales
RANK PROB
IMPACT ON PROJECT OBJECTIVES (+ or -)
TIME COST PERFORMANCE
VHI 71-99% >12 weeks >$1000K Effect on overall functionality
HI 51-70% 7-12 weeks $500-1000K Major effect on key parameters
MED 31-50% 3 - 6 weeks $250-500K Minor effect on key parameters
LO 11-30% 1 - 2 weeks $100-250K Effect on >1 minor parameters
VLO 1-10% < 1 week < $100K Effect on 1 minor parameter
NIL - No change No change No change in performance

20. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 20
Defining HI/MED/LO impacts
Impact = different for each objective
Assume 5-point scale (could be 3 or 4):
For threats:
VHI = intolerable, unacceptable, “Oh no!”
VLO = negligible, insignificant, “Who cares?”
Other points spread between
For opportunities:
VHI = essential, “Can’t miss”, “Must have”
VLO = insignificant, “Who cares?”
Often same as threat scales, could differ
define /dI’fam/ v.t. state precise meaning
of; describe scope of; outline; mark out
(limits, boundary).
dI’fa
scribe

21. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 21
Threat Impacts Opportunity Impacts
Step 1 – Define VHI Step 2 – Define VLO Step 3 – Set
intermediate values
Step 4 – Define VHI Step 5 – Define VLO Step 6 – Set
intermediate values
Time Cost Time Cost Time Cost Time Cost Time Cost Time Cost
VHI >8 wks >$1m >4 wks >$500k
HI 4-8 wks $500k-1m 3-4 wks
$250k-
500k
MED 2-4 wks
$100k-
500k
2-3 wks $80-$250k
LO 1-2 wks $10k-100k 1-2 wks $10k-80k
VLO <1 wk <$10k <1 wk <$10k
Worked example
Project objective: Release new product to market
Planned timeline = 10 months; project budget = $4M
Delivery >2 months late would miss market window; cost growth to >$5M means cancellation
Earliest feasible delivery date to meet market requirements = 4 weeks early
Cost savings of >$500K would double profit margin
Schedule/budget variation of ±10% is acceptable

22. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 22
4. How to stay up to date?
Essential because risk changes:
risks happen (opportunities & threats)
risks are resolved
risks time-out
risks get better or worse
new risks emerge
Repeat the entire process?
or
Review/update risk exposure regularly?

23. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 23
The ATOM solution
INITIATE ATOM PROCESS
FIRST RISK ASSESSMENT
Identify risks
Assess risks
Plan responses
RISK CONTROL
Implement responses
Risk reporting
RISK UPDATE
Risk reviews
REPEAT
REGULARLY
REPEAT FOR
NEW PHASE OR
ON MAJOR
SCOPE CHANGE
MAJOR
REVIEW
MINOR
REVIEW

24. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 24
The ATOM solution
Major Review and Minor Review
Major
At key lifecycle points (milestones/phases/gates) & on major scope change
Full reassessment of risk exposure – repeat steps in First Risk Assessment
Minor
At regular intervals (to fit project rhythm)
Update existing risk assessment and responses
Scaleable feature
Large projects: more Major Reviews, deeper reassessment
Small projects: mostly Minor Reviews, higher-level

25. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 25
Risk reviews
Risk review should:
address status of existing risks [all or top-priority only]
identify whether new risks have arisen
confirm risk ownership
consider effectiveness of planned responses
identify new responses where needed
[assess secondary risks]
[check effectiveness of risk process]
[assess implications of any change in project context]
Hold dedicated review workshop or use existing meeting
Remember the risk process is iterative and scaleable

26. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 26
5. When does risk management end?
Most risk processes appear to be endless!
ISO 31000:2018 Risk
Management – Guidelines
Standard for Risk
Management (2017)
PRAM Guide, Second
edition (2004/2010)
Management of Risk,
Fourth Edition (2022)

27. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 27
5. When does risk management end?
Most risk processes appear to be endless!
No project risks exist at project completion
Note: There are still risks to handover, execution, maintenance, disposal…
Risk management should end when project ends
Yes, but how?

28. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 28
The ATOM solution
INITIATE ATOM PROCESS
FIRST RISK ASSESSMENT
Identify risks
Assess risks
Plan responses
RISK CONTROL
Implement responses
Risk reporting
RISK UPDATE
Risk reviews
POST-PROJECT RISK REVIEW
REPEAT
REGULARLY
REPEAT FOR
NEW PHASE OR
ON MAJOR
SCOPE CHANGE
MAJOR
REVIEW
MINOR
REVIEW

29. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 29
Purpose of post-project risk review
Learn from experience
“Capture risk-related knowledge and experience in a form
that can be used by future similar projects”
“Lessons-learned”
Part of post-project review, or dedicated meeting
Ask open questions:
What risks were identified? Any generic?
What threats happened, what opportunities were missed?
Which responses worked & which didn’t?
What did we do well, and what could have been better?
How much effort was spent on RM? Possible efficiencies?
 “Lessons-to-be-learned”

30. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 30
Lessons-to-be-learned (L2BL)
Not learned until implemented
Consider L2BL Register

31. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 31
Final thoughts

32. © 2010-23 David Hillson/The Risk Doctor Partnership, Slide 32
For further information
Dr David Hillson
The Risk Doctor
+44(0)7717.665222
david@risk-doctor.com
www.risk-doctor.com
www.atom-risk.com
YouTube.com/RiskDoctorVideo