A RISK MANAGEMENT APPROACH FOR THE PROJECT MANAGEMENT PROCESS

A number of project management and project risk management processes have been developed by various researchers, consultants and project managers. Most project managers apply some project management process that comprises a number of steps or phases that are executed in a systematic way. At some point in the project management process a risk management process, also comprising a number of steps, is usually initiated and executed. An initial risk analysis process is complemented by a risk monitoring and control activity that continues for the remaining duration of the project. This paper describes a methodology to combine typical processes for project management and project risk management into a single process.


INTRODUCTION
It has been said that risk management is just 'good project management'. Does this imply that project management can be achieved by applying a risk management process? Or can a project management process be improved by adding a risk management process to it? An investigation was done on project management as well as project risk management processes with the aim of improving the current situation within the organisation that executes projects and practises project management on a daily basis. Steward and Fortune [1] comment that project management has grown up from an experience driven occupation to a well-defined process with ever increasing complexity. The same can be said for the area of risk management, or more specifically for project risk management. Project risk management is generally classified as a part of the general project management process. Closer analysis of the project risk management process reveals that it actually behaves like a general project management process .
Organisations have come to the point where they realise that they have to improve the control and use of their existing resources. This is inevitable to survive amongst abundant competitors in all fields of application. Project management is an approach that aims to improve the use of resources thereby improving the operation of organisations.
Project risk management is more than merely identifying, evaluating and treating of risks. It has become an important part of the overall project management process. Neglecting or avoiding it would be like driving a car without checking whether all wheel nuts are fastened. The same can be said for opportunities that need to be exploited which would otherwise be lost in attaining improved project performance.
The general processes for project management and project risk management are first discussed in some detail to obtain an understanding of the different phases of each process. A model for an integrated project risk management process is then derived. Finally a procedure is investigated to ensure that the combined process can add value to the organisation and improve the efficiency of its projects.

PRINCIPLES OF PROJECT MANAGEMENT
The 'Guide to the Project Management Body of Knowledge (PMBoK)' [2] is one of several project management approaches or processes used in practice. The PMBoK guide, as well as a number of other project risk management approaches (e.g. AS/NZS 4360 and PRAM), was used in this study as a basis for the project management and project risk management framework. The nine areas of knowledge of the PMBoK are applied within the project framework to achieve the management of projects. Risk management is needed in all project life cycle phases, as well as system life cycle phases if the delivery of the project is a technical system. Risk is also a function of the project duration; lengthy projects being inherently more risky due to legislative, environmental and organisational changes.
A complete description of the project life cycle, knowledge areas and process groups is indicated in figure 1.

Project Life Cycle
The project life cycle (PLC) is the collection of phases that takes place from the beginning of the project until its end. This fits the description of a project being temporary, which states that a project has a fixed starting point as well as a fixed end point. The phases provide better management of the project by the performing organisation. The system of phases is not fixed and is usually adapted to the environment of application.

Process Groups
The PMBoK [2] defines each phase to consist of specific processes and their interactions. It defines a process as "a series of actions bringing about a result". These processes are organised into five process groups namely: Initiating, Planning, Executing, Controlling and Closing. The process groups are linked by the outputs they produce. The input to the next group is generated by the previous one. Overlapping of the process groups could also occur. The repetition of the Initiating process at every phase is used to keep the project focused.

PRINCIPLES OF PROJECT RISK MANAGEMENT
Elkington and Smallman [3] found that there is a strong link between the amount of risk management undertaken and the level of project success; more successful projects use more risk management. However, this finding can also be accredited to more thorough project management done due to the risk management process.

Common Principles of Project Risk Management Processes
Schmidt et al [4] list the key elements of the risk management process as identification, assessment, analysis, reduction and or mitigation and monitoring. Patterson and Neailey [5] developed a project risk management methodology for product and process development as illustrated in figure 2.  Risk Identification. This step describes the identification [6] of all possible risk events, including their causes, possible impact on the project, and the respective probability of occurrence. Elkington et al [3] add that this is the most important and probably most difficult step of the risk management process. The identification calls for divergent thinking of the project manager and application of some 'creativity and imagination'. The emphasis should therefore be on creating a comprehensive list, rather than seeking prematurely to identify a limited set of key risks. Risk identification can be guided by using standard categories, or by following the work breakdown structure for the project as a frame of reference. Guidelines aim to ensure that nearly all risks can be identified before they occur. Ward [7] said that the real risks are the ones that were not identified during the identification phase.
Risk Analysis or Assessment. The objective of risk analysis is to generate decision-making data for identified risks. Thus the risks must be quantified, classified, prioritised and incorporated into the overall project. The deliverable of this phase is to establish the importance of risks, or potential impact of risks, and what the likelihood is of the risk event occurring.
Risk Planning -Reduction and / or Mitigation. Risk planning generates proactive action plans to minimise the impact of the risks that do not meet the acceptability criteria. The information from the identification and analysis phases is used for the planning phase.

Risk Control (Monitoring).
This phase implements the planning done in order to mitigate the impact or probability of the risks; avoid the risks altogether or accept the risks with their consequences.
Risk Tracking (Monitoring). The objective of risk tracking is to monitor the risks and ensure that the controlling strategy is effective. All risks are tracked because their probability of occurrence could change throughout the PLC.

Documented Risk Management Processes
A number of specific risk management processes that can be applied to projects have been defined by various authors. Some of these risk management processes are: • Australian/New Zealand Risk Management Standard [8] • Chapman and Ward Project Risk Management Process [9] • Guide to the PMBoK (Chapter 11) [2] • Project Risk Analysis and Management (PRAM) Guide [10] • Risk Analysis and Management for Projects (RAMP) Handbook [11] These processes are all more or less aligned with the common principles of risk management described above. They can all be used within an overall project management process.

DEFINING A PROJECT MANAGEMENT PROCESS THROUGH A RISK MANAGEMENT APPROACH
The previous paragraphs have dealt with both the project management and project risk management processes. Both of them are comprehensive in structure. A combined process which can manage both the overall project, as well as the risk involved with it, could make life easier for both the project manager, risk manager and the project organisation. The approach that was used to develop a combined process is shown in figure 3. Two bases were used, namely the existing knowledge of project management and that of project risk management. It was important to create a mixture of both these sources to develop a new approach that would encapsulate the strengths of both processes.
The project life cycle consists of phases that simplify the management process. Kerzner [12] says that these phases also provide links to the organisation that performs the project management function. Typically these links are interfaces between the project office and the other functions within an organisation. The choice of the phases is not fixed and depends on the industry and the project organisation. This 'freedom' in the choice of the phases for the project life cycle was used to apply the project risk management approach to the overall project management process. This is analogous to the way in which Tummala and Burchett [13] applied the project management process to cost risk management.
The 'best' project risk management phases [14] should be used to define the phases for a new process. The existing knowledge on project risk management should be combined to extract the best suitable cycle of phases. Grey [15] created a comparison method that can be used to reduce the number of different processes to a single process. This comparison does not include the comprehensive process defined by Chapman and Ward [9] and was enhanced to include it. An overall comparison between risk management processes is shown in figure 4.

Figure 4: Comparison of Project Risk Management processes
The comparison of the typical project management phases with the project risk management phases as suggested by Chapman and Ward is shown in figure 5. This comparison is done at two levels, namely the phase level and the task level. The filled squares indicate the similarities between the phases, even if their focus differs. A brief description of the activities or tasks associated with each phase of the project management process as well as the project risk management process is also given in figure 5.
From this comparison it could be assumed that there were certain similarities between the two processes. But it has to be noted that the one process deals with the overall project management, and the other process with risks found within the project specifically. The project risk management phases of identification, structuring, clarifying ownership, estimating, evaluating and planning, are typical activities that would be done during the 'Planning' phase of the project management process. This is actually advised by Chapman and Ward as the appropriate timing of the first application of the risk management process.

Initiation
Planning Implementation Termination  The two processes as outlined in figure 5 were then combined into a single process which is shown in figure 6. This process is referred to as the 'risk project life cycle' in order to distinguish it from the existing processes. The number of phases shown (10) might seem too cumbersome for the top level. However, since this combined risk/project management process is a complete process, it should not distract the project manager from executing it because he would have executed it separately anyway.  This process of phases has to be repeated throughout the life cycle. This enables the process to have dynamic information on the project and ensures that changes in the risk environment can be accommodated by the process.
The second level definition is made up of the processes defined by the PMBOK [2] and the risk management processes. In this case the process of Chapman and Ward [9] can be used since it contains the most detail.

APPLICATION OF THE RISK PROJECT MANAGEMENT PROCESS
The application of this risk project management process (or 'risk project life cycle') within a business enterprise should be aligned with the value chain of the organisation. This value chain is defined in two levels as seen in figure 7. Also shown is the mapping of the value chain with the risk project management process as defined. Although the exact mapping will depend on the complexity of the project, the detail given in this figure can be applied in general.

Offer
Execute Close  The risk project life cycle will start during the offer preparation. The main reason for this approach is that this would ensure that the offer that is being prepared could include a risk assessment of the project at hand. The organisation can thus decide if the offer that is being prepared will be beneficial to the overall organisation in terms of the level of risk that the organisation is prepared to accept. Completion of a full cycle of the risk project life cycle during the offer preparation will ensure that an overview of the main risks exists, as well as the full extent of the project is known. These are important issues which are often neglected if the overall process does not capture them specifically.
The second repetition of the life cycle should take place before the project goes into delivery. This time the emphasis is on capturing detailed planning of the project as a whole. The result should be such that the output must be fit for the purpose of managing the project with all related activities.
The risk project life cycle should be repeated during the delivery of the project. The process should now be done in more detail than the first pass, thus ensuring that the risks are managed dynamically, and that the project planning is up to date. The project is closed out with the termination phase at the end.
Using the risk project life cycle the involvement of the project manager should be larger during the initial stages of the project. The current process used in the organisation should also be changed so that at least the 1 st cycle can be completed before the final offer is negotiated with the customer. The existing and newly proposed approach is shown in figure 8 as a profile of involvement. The proposed process forces the project manager to apply the essential aspects of risk management within the project as an integrated activity.

PRACTICAL VALUE ADD OF RISK PROJECT MANAGEMENT
Many authors have noted that little information exists on systems that can measure the effectiveness of project management, or risk management for that matter. The search into this topic resulted in a representative list of articles [16][17][18][19][20][21][22][23]. The reason for this can be twofold. First, that many authors sense the need to have the invested effort measured against the output. Second, that no bulls eye solution has been formulated which addresses the answer to this question.
An engineering approach to determine the effectiveness of a system would be to measure the output against the inserted input. In this case the output of a risk project management system would be the gain, which could either be financial or status of the implementing organisation and possibly some other factors. The investment that is usually fed into the input of the system can be from various sources, usually connected with a financial cost to the implementing organisation. The inputs can be measured without much difficulty, since these values are all finite and quantifiable. The same cannot be said for the output of the system. The averted losses can be quantified, but how can the losses be measured that were not experienced? These were avoided due to the effective management of risk, even if not identified during the risk identification phase. The same can be said for opportunities that are gained, especially on the status of the organisation. The output thus defined consists of tangible as well as intangible values [18]. The concept is illustrated in figure 9.  One method of measuring the effectiveness of risk management in projects is to define key performance indicators for projects and comparing the performance of projects for which risk management was applied versus projects for which it was not applied. Clarke and Varma [23] discuss some key performance indicators that could be used for this purpose.
If risk management is applied for all projects in a company, the effectiveness could also be determined by closely monitoring the cost of the risk management activities and comparing that against the cost that resulted when risk events actually occurred, and cost of risk events that could have occurred but did not. The measurement of risk management effectiveness is an area that needs to be researched and developed further.

CONCLUSION
The main aim of this research is to combine the processes for project management and project risk management into a single, integrated process. Such a combination of the two processes should make it easier for the project manager to manage a complex project. The project organisation can also benefit from the combined process, since it does not have to focus on two different processes.
The processes for both project management and project risk management were analysed on the level of the life cycle. These life cycles are represented by a number of phases which ensure that the interfaces amongst each other as well as to the outside world can be properly defined.
The choice of the phases for the project management process are not prescribed and thus give freedom to the project manager or organisation to choose it to fit the purpose best. This freedom has been used to bring the risk management phases into the project management life cycle.
The result is a new life cycle which is referred to as the 'risk project life cycle'. It has the phases to control both the issues regarding project management as well as risk management. Therefore it can be assumed that this risk management approach to project management can work effectively in managing projects.
The end goal is to ensure that a new approach will also add value to the organisation where it will be implemented. This task is difficult, as the gain cannot be quantified in numbers easily. The investments that the organisation makes by means of projects should be optimised and the risk project life cycle can aid in this optimisation. Project performance should be measured using key performance indicators and documented carefully for future comparisons and evaluation.