
International Journal of Advanced and Applied Sciences, 4(6) 2017, Pages: 1-13

Contents lists available at Science-Gate

International Journal of Advanced and Applied Sciences


Journal homepage: http://www.science-gate.com/IJAAS.html

Risk management standards for project management


Petr Rehacek *

Department of Systems Engineering, Faculty of Economics, VSB – Technical University, Ostrava, Czech Republic

ARTICLE INFO

Article history:
Received 24 January 2017
Received in revised form 23 April 2017
Accepted 25 April 2017

Keywords:
Management
Project
Risk

ABSTRACT

The purpose of this paper is to present and compare the main standards for project risk management that are currently available. Four international standards recognized world-wide were selected for comparison: PMI, PRINCE2, IPMA, ISO 31000 and IEC 62198. Project management has evolved over recent years into a mature professional discipline characterized by a formalized body of knowledge and the definition of systematic processes for the execution of a project. All these, and possibly other factors as well, have resulted in growing numbers of books, articles and conferences being devoted to project risk management. This level of activity has also led to the development of a number of standards that prescribe for and advise organizations on the best way to manage their risks. Every meaningful standard for project management contains project risk management as an important part.

© 2017 The Authors. Published by IASE. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

* Corresponding Author.
Email Address: perehacek@gmail.com
https://doi.org/10.21833/ijaas.2017.06.001
2313-626X/© 2017 The Authors. Published by IASE.

1. Introduction

Risk is present in our everyday life and risk management is universal but in most circumstances an unstructured activity, based on common sense, relevant knowledge, experience and instinct. Chapter 1 introduces the article, basic principles and concepts of risk management. Chapter 2 consists of a brief recapitulation of the selected standards in a manner that facilitates their comparison. This is followed by a comparison in chapter 3 including discussion regarding the commonalities among the standards. Chapter 4 contains the conclusion.

Risk management is defined as coordinated activities to direct and control an organization with regard to risk (ISO, 2009). Based on this definition, project risk management can be derivatively defined as coordinated activities to direct and control a project with regard to risk. Project risk management is not an optional activity: it is essential to successful project management. It should be applied to all projects and be included in project plans and operational documents. In this way, it becomes an integral part of every aspect of managing the project.

Project Risk Management addresses the uncertainty in project estimates and assumptions. Therefore, it builds upon and extends other project management processes. There is a paradox about project risk that affects most projects. In the early stages of a project, the level of risk exposure is at its maximum but information on the project risks is at a minimum. This situation does not mean that a project should not go forward because little is known at that time. Rather, there may be different ways of approaching the project that have different risk implications. The more this situation is recognized, the more realistic the project plans and expectations of results will be. Although the wording of the definition of the term risk varies (Table 1), it always contains uncertainty and effect on objectives.

As we can see, the definitions are really similar. The main characteristic of the risk is its uncertainty. We simply don't have complete information, but we know what we don't know (Rehacek, 2011; Šviráková and Soukalová, 2015). In case of complete information, there is no uncertainty and therefore no risk - we just have a problem to solve or a benefit to exploit.

A risk may have one or more causes and, if it occurs, it may have one or more impacts. A cause may be a given or potential requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes. Šviráková (2014) uses system dynamics methodology to identify causes and consequences of project risks. The cause, event and effect relationship is shown in Fig. 1.

Organizations perceive risk as the effect of uncertainty on projects and organizational objectives. Organizations and stakeholders are willing to accept varying degrees of risk depending on their risk attitude. The risk attitudes of both the

organization and the stakeholders may be influenced by a number of factors, which are broadly classified into three themes (PMI, 2013):

• Risk appetite is the degree of uncertainty an entity is willing to take on in anticipation of a reward.
• Risk tolerance is the degree, amount, or volume of risk that an organization or individual will withstand.
• Risk threshold refers to measures along the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will not tolerate the risk.

Positive and negative risks are commonly referred to as opportunities and threats. The project may be accepted if the risks are within tolerances and are in balance with the rewards that may be gained by taking the risks. Positive risks that offer opportunities within the limits of risk tolerances may be pursued in order to generate enhanced value.

2. Most Common Standards for Risk Management

2.1. PMI

The Project Management Body of Knowledge is a set of standard terminology and guidelines (a body of knowledge) for project management. The body of knowledge evolves over time and is presented in A Guide to the Project Management Body of Knowledge, a book whose fifth edition came out in 2013. The Guide is a document resulting from work overseen by the Project Management Institute (PMI), which offers the CAPM and PMP certifications.

Most of this subchapter is made up of quotations from PMI (2013) and PMI (2009). PMBOK's Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, and controlling risk on a project. The objectives of project risk management are to increase the likelihood and impact of positive events, and decrease the likelihood and impact of negative events in the project.

Table 1: Risk definitions

Methodology | Definition
PMI | Project risk is an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project's objectives such as scope, schedule, cost, and quality.
PRINCE2 | A risk is an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. It consists of a combination of the probability of a perceived threat or opportunity occurring, and the magnitude of its impact on objectives.
IPMA | Precarious event or condition which if it occurs impacts the attainment of the project objective negatively.
ISO and IEC | Risk is effect of uncertainty on objectives.

Fig. 1: Risk cause, event and effect (OGC, 2009)

Fig. 2 provides an overview of the Project Risk Management processes, which are as follows:

• Plan Risk Management: The process of defining how to conduct risk management activities for a project.
• Identify Risks: The process of determining which risks may affect the project and documenting their characteristics.
• Perform Qualitative Risk Analysis: The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
• Perform Quantitative Risk Analysis: The process of numeric analysis of the effect of identified risks on overall project objectives.
• Plan Risk Responses: The process of developing options and actions to enhance opportunities and to reduce threats to project objectives.
• Control Risks: The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks,

and evaluating risk process effectiveness throughout the project.

2.1.1. Plan risk management

Plan Risk Management is the process of defining how to conduct risk management activities for a project. The key benefit of this process is that it ensures that the degree, type, and visibility of risk management are commensurate with both the risks and the importance of the project to the organization. The risk management plan is vital to communicate with and obtain agreement and support from all stakeholders to ensure the risk management process is supported and performed effectively over the project life cycle.

Fig. 2: Project risk management overview (PMI, 2013)

Careful and explicit planning enhances the probability of success for other risk management processes. Planning is also important to provide sufficient resources and time for risk management

activities and to establish an agreed upon basis for evaluating risks. The Plan Risk Management process should begin when a project is conceived and should be completed early during project planning.

2.1.2. Identify risks

Risk identification is the process of determining which risks may affect the project and documenting their characteristics. The key benefit of this process is the documentation of existing risks and the knowledge and ability it provides to the project team to anticipate events.

Identify Risks is an iterative process, because new risks may evolve or become known as the project progresses through its life cycle. The frequency of iteration and participation in each cycle will vary by situation. The format of the risk statements should be consistent to ensure that each risk is understood clearly and unambiguously in order to support effective analysis and response development. The risk statement should support the ability to compare the relative effect of one risk against others on the project. The process should involve the project team so they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. Stakeholders outside the project team may provide additional objective information.

A range of tools and techniques is available for risk identification. These fall into the following three categories, as illustrated in Fig. 3.

Historical Review: Historical reviews are based on what occurred in the past, either on this project, or other similar projects in the same organization, or comparable projects in other organizations. Historical review approaches rely on careful selection of comparable situations which are genuinely similar to the current project, and filtering of data to ensure that only relevant previous risks are considered. In each case, the risks identified in the selected historical situation should be considered, asking whether they or similar risks might arise in this project.

Current Assessments: Current assessments rely on detailed consideration of the current project, analysing its characteristics against given frameworks and models in order to expose areas of uncertainty. Unlike historical review approaches, current assessment techniques do not rely on outside reference points, but are based purely on examination of the project.

Fig. 3: Three perspectives of risk identification (PMI, 2009)

Creativity Techniques: A wide range of creativity techniques can be used for risk identification, which encourage project stakeholders to use their imagination to find risks which might affect the project. The outcomes or effectiveness of these techniques depend on the ability of participants to think creatively. These techniques can be used either singly or in groups, and employ varying degrees of structure. These techniques depend on the ability of participants to think creatively, and their success is enhanced by use of a skilled facilitator.

Each category of risk identification technique has strengths and weaknesses, and no single technique can be expected to reveal all knowable risks. Consequently, the Identify Risks process for a particular project should use a combination of techniques, perhaps selecting one from each category. For example, a project may choose to use a risk identification checklist (historical review), together with assumptions analysis (current assessment) and brainstorming (creativity).

The primary output from risk identification is the initial entry into the risk register. The risk register is a document in which the results of risk analysis and risk response planning are recorded. It contains the outcomes of the other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk

register over time. The preparation of the risk register begins in the risk identification process with the following information, and then becomes available to other project management and risk management processes:

• List of identified risks: The identified risks are described in as much detail as is reasonable. A structure for describing risks using risk statements may be applied, for example, event may occur causing impact, or if cause exists, event may occur leading to effect. In addition to the list of identified risks, the root causes of those risks may become more evident. These are the fundamental conditions or events that may give rise to one or more identified risks. They should be recorded and used to support future risk identification for this and other projects.
• List of potential responses: Potential responses to a risk may sometimes be identified during the risk identification. These responses, if identified, should be used as inputs to planning of the risk responses.

2.1.3. Perform qualitative risk analysis

Qualitative Risk Analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact. The key benefit of this process is that it enables project managers to reduce the level of uncertainty and to focus on high-priority risks.

Qualitative risk analysis assesses the priority of identified risks using their relative probability or likelihood of occurrence, the corresponding impact on project objectives if the risks occur, as well as other factors such as the time frame for response and the organization's risk tolerance associated with the project constraints of cost, schedule, scope, and quality. Such assessments reflect the risk attitude of the project team and other stakeholders. Effective assessment therefore requires explicit identification and management of the risk approaches of key participants.

Establishing definitions of the levels of probability and impact can reduce the influence of bias. The time criticality of risk-related actions may magnify the importance of a risk. An evaluation of the quality of the available information on project risks also helps to clarify the assessment of the risk's importance to the project.

Qualitative risk analysis is usually a rapid and cost-effective means of establishing priorities for planning of the risk responses and lays the foundation for Quantitative Risk Analysis, if required. Qualitative risk analysis is performed regularly throughout the project life cycle, as defined in the project's risk management plan. This process can lead into Perform Quantitative Risk Analysis or directly into Plan Risk Responses.

As new information becomes available through the qualitative risk assessment, the risk register is updated. Updates to the risk register may include assessments of probability and impacts for each risk, risk ranking or scores, risk urgency information or risk categorization, and a watch list for low probability risks or risks requiring further analysis.

2.1.4. Perform quantitative risk analysis

Perform Quantitative Risk Analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. The key benefit of this process is that it produces quantitative risk information to support decision making in order to reduce project uncertainty.

Perform Quantitative Risk Analysis is performed on risks that have been prioritized by the Perform Qualitative Risk Analysis process as potentially and substantially impacting the project's competing demands. The Perform Quantitative Risk Analysis process analyzes the effect of those risks on project objectives. It is used mostly to evaluate the aggregate effect of all risks affecting the project. When the risks drive the quantitative analysis, the process may be used to assign a numerical priority rating to those risks individually.

Perform Quantitative Risk Analysis generally follows the Perform Qualitative Risk Analysis process. In some cases, it may not be possible to execute the Perform Quantitative Risk Analysis process due to lack of sufficient data to develop appropriate models. The project manager should exercise expert judgment to determine the need for and the viability of quantitative risk analysis. The availability of time and budget, and the need for qualitative or quantitative statements about risk and impacts, will determine which method(s) to use on any particular project. Perform Quantitative Risk Analysis should be repeated, as needed, as part of the Control Risks process to determine if the overall project risk has been satisfactorily decreased. Trends may indicate the need for more or less focus on appropriate risk management activities.

Project documents are updated with information resulting from quantitative risk analysis. For example, risk register updates could include:

• Probabilistic analysis of the project.
• Probability of achieving cost and time objectives.
• Prioritized list of quantified risks.
• Trends in quantitative risk analysis results.

2.1.5. Plan risk responses

Plan Risk Responses is the process of developing options and actions to enhance opportunities and to reduce threats to project objectives. The key benefit of this process is that it addresses the risks by their priority, inserting resources and activities into the budget, schedule and project management plan as needed.

In the Plan Risk Responses process, several project documents are updated as needed. For example, when appropriate risk responses are chosen and agreed upon, they are included in the risk register. The risk register should be written to a level of detail that corresponds with the priority ranking and the planned response. Often, the high and moderate risks are addressed in detail. Risks judged to be of low priority are included in a watch list for periodic monitoring.

Strategies for Negative Risks or Threats: Three strategies, which typically deal with threats or risks that may have negative impacts on project objectives if they occur, are: avoid, transfer, and mitigate. The fourth strategy, accept, can be used for negative risks or threats as well as positive risks or opportunities. Each of these risk response strategies has a varied and unique influence on the risk condition. These strategies should be chosen to match the risk's probability and impact on the project's overall objectives. Avoidance and mitigation strategies are usually good strategies for critical risks with high impact, while transference and acceptance are usually good strategies for threats that are less critical and with low overall impact.

Strategies for Positive Risks or Opportunities: Three of the four responses are suggested to deal with risks with potentially positive impacts on project objectives: exploit, share, and enhance. The fourth strategy, accept, can be used for negative risks or threats as well as positive risks or opportunities.

2.1.6. Control risks

Control Risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project. The key benefit of this process is that it improves efficiency of the risk approach throughout the project life cycle to continuously optimize risk responses.

Planned risk responses that are included in the risk register are executed during the life cycle of the project, but the project work should be continuously monitored for new, changing, and out-dated risks. The Control Risks process applies techniques, such as variance and trend analysis, which require the use of performance information generated during project execution. Other purposes of the Control Risks process are to determine if:

• Project assumptions are still valid,
• Analysis shows an assessed risk has changed or can be retired,
• Risk management policies and procedures are being followed, and
• Contingency reserves for cost or schedule should be modified in alignment with the current risk assessment.

Control Risks can involve choosing alternative strategies, executing a contingency or fall-back plan, taking corrective action, and modifying the project management plan. The risk response owner reports periodically to the project manager on the effectiveness of the plan, any unanticipated effects, and any correction needed to handle the risk appropriately. Control Risks also includes updating the organizational process assets, including project lessons learned databases and risk management templates, for the benefit of future projects.

Implementing contingency plans or workarounds sometimes results in a change request. Change requests can include recommended corrective and preventive actions as well.

If the approved change requests have an effect on the risk management processes, the corresponding component documents of the project management plan are revised and reissued to reflect the approved changes. Project documents that may be updated as a result of the Control Risks process include, but are not limited to, the risk register.

2.2. PRINCE2

PRINCE2 (OGC, 2009) is a process-based project management approach suitable for any type of project; it is a de facto standard used extensively by the UK public sector and is widely recognized and used in the private sector, both in the UK and internationally. According to PRINCE2 there are six aspects of a project implementation that always need to be controlled: time, scope, costs, benefits, quality and risks (Šviráková, 2014).

PRINCE2's approach to the management of risk is based on OGC's publication Management of Risk: Guidance for Practitioners (OGC, 2009). Most of this subchapter is made up of quotations from this source. PRINCE2's risk management is described by the risk theme. This theme addresses how project management manages the uncertainties in its plans and in the wider project environment.

Fig. 4 shows the elements of the risk management procedure: Identify, Assess, Plan, Implement and Communicate.

Fig. 4: The risk management procedure according to PRINCE2 (OGC, 2009)

2.2.1. Identify (Context and risks)

Identify context: The primary goal of the Identify context step is to obtain information about the project in order to understand the specific objectives that are at risk and to formulate the Risk Management Strategy for the project. The Risk Management Strategy describes how risks will be managed during the project. It is created during the initiation stage and then reviewed and possibly updated at the end of each stage. The project's Risk Management Strategy should be based on the corporate risk management policy or on the programme's Risk Management Strategy.

Identify risks: The primary goal of the Identify risks step is to recognize the threats and opportunities that may affect the project's objectives. PRINCE2 recommends the following actions:

• Capture identified threats and opportunities in the Risk Register
• Prepare early warning indicators to monitor critical aspects of the project and provide information on the potential sources of risk
• Understand the stakeholders' view of the specific risks captured.

An effective way of identifying risks is to use a risk workshop. This is a group session designed to identify threats and opportunities. The session should be facilitated by someone who is able to use a range of identification techniques, such as those listed in the boxed example. Workshops should lead to the identification of a broad range of risks and possible risk owners.

An important aspect of identifying risks is being able to provide a clear and unambiguous expression of each one. A useful way of expressing risk is to consider the following aspects of each risk:

• Risk cause: This should describe the source of the risk, i.e. the event or situation that gives rise to the risk. These are often referred to as risk drivers. They are not risks in themselves, but the potential trigger points for risk. These may be either internal or external to the project.
• Risk event: This should describe the area of uncertainty in terms of the threat or the opportunity.
• Risk effect: This should describe the impact(s) that the risk would have on the project objectives should the risk materialize.

2.2.2. Assess (Estimate and evaluate)

Estimate: The primary goal of the Estimate step is to assess the threats and the opportunities to the project in terms of their probability and impact. The risk proximity will also be of interest to gauge how quickly the risk is likely to materialize if no action were taken. PRINCE2 recommends that the following is understood:

• The probability of the threats and opportunities in terms of how likely they are to occur.
• The impact of each threat and opportunity in terms of the project objectives. For example, if the objectives are measured in time and cost, the impact should also be measured in units of time and cost.
• The proximity of these threats and opportunities with regard to when they might materialize.
• How the impact of the threats and opportunities may change over the life of the project.

Evaluate: The primary goal of the Evaluate step is to assess the net effect of all the identified threats and opportunities on a project when aggregated together. This will enable an assessment to be made of the overall severity of the risks facing the project, to determine whether this level of risk is within the risk tolerance set by the Project Board and whether the project has continued business justification.

2.2.3. Plan

The primary goal of the Plan step is to prepare specific management responses to the threats and opportunities identified, ideally to remove or reduce the threats and to maximize the opportunities. Attention to the Plan step ensures as far as possible that the project is not taken by surprise if a risk materializes.

The Plan step involves identifying and evaluating a range of options for responding to threats and opportunities. It is important that the risk response is proportional to the risk and that it offers value for money. A key factor in the selection of responses will be balancing the cost of implementing the responses against the probability and impact of allowing the risk to occur. Any chosen responses should be built into the appropriate level of plan, with a provision made for any fall-back plans.

2.2.4. Implement

The primary goal of the Implement step is to ensure that the planned risk responses are actioned, their effectiveness monitored, and corrective action taken where responses do not match expectations.

An important part of the Implement step is to ensure that there are clear roles and responsibilities allocated to support the Project Manager in the management of project risks.

The main roles in this respect are:

• Risk owner: A named individual who is responsible for the management, monitoring and control of all aspects of a particular risk assigned to them, including the implementation of the selected responses to address the threats or to maximize the opportunities
• Risk actionee: An individual assigned to carry out a risk response action or actions to respond to a

particular risk or set of risks. They support and take direction from the risk owner.

In many cases, the risk owner and risk actionee are likely to be the same person. The risk owner should be the person most capable of managing the risk. Allocating too many risks to any one individual should be avoided.

2.2.5. Communicate

Communication is a step that is carried out continually. The Communicate step should ensure that information related to the threats and opportunities faced by the project is communicated both within the project and externally to stakeholders.

2.3. IPMA

The IPMA Individual Competence Baseline (ICB) is the global standard for individual competences in project, programme and portfolio management. Most of this subchapter is made up of quotations from IPMA (2015). Risk and Opportunities is one of the core project competences in the practice competence area.

According to IPMA (2015), risk (negative effects) and opportunity (positive effects) are always viewed in their relation to and consequences for realising the objectives of the project. It is advisable as a first step to consider which overall strategies would best serve the handling of risks and opportunities relative to the corporate strategies and the project in question. After that, the risk and opportunity management process is characterised by first identifying and assessing risks and opportunities, followed by the development and implementation of a response plan covering the intended and planned actions for dealing with identified risks and opportunities. The response plan should be developed and implemented in line with the chosen overall risk and opportunity strategies. The individual is responsible for involving team members and keeping the team committed to the risk and opportunity management process; for making the team alert to risks and opportunities; involving other stakeholders in the process and for involving the appropriate subject matter experts whenever necessary.

2.3.1. Develop and implement a risk management framework

The individual designs, develops and implements a risk management framework in order to ensure

industry standards. When projects are part of a programme or portfolio, the risk management framework also describes who is responsible for handling which risks and opportunities and what kind of escalation paths there are (upwards, downwards, sideways).

2.3.2. Identify risks and opportunities

The individual is responsible for the ongoing task of identifying all sources of risks and opportunities and involving others in this process. There are various sources of risks and opportunities, both internal to the project and external. The individual can make use of various techniques and sources to identify risks and opportunities (e.g. from lessons learned, literature, risk and opportunity breakdown structures and interactive sessions with team members, stakeholders and subject matter experts).

The identification process is not only about identifying risks, but also about opportunities that could, for instance, make the deliverables cheaper, or make the project run faster, less prone to risks or simply better from a quality perspective. Because the influences coming from the environment of the project do change over time, risk and opportunity identification should be a continuous and ongoing process.

2.3.3. Assess the probability and impact of risks and opportunities

The individual is responsible for the ongoing task of assessing identified risks and opportunities. Risk and opportunity assessment can be done qualitatively and quantitatively. The best approach is to do both and to regularly re-assess both risks and opportunities. The qualitative assessment could cover a more in-depth analysis of the sources behind identified risks and/or opportunities; it also deals with conditions and impacts. An example is scenario planning. The quantitative assessment deals with probabilities and estimates and it also translates probabilistic impacts into quantifiable measures. Quantitative assessment provides numerical values for measuring probability and impact expected from risks and opportunities.

Monte Carlo analysis and decision trees are examples of powerful quantitative risk assessment techniques.

2.3.4. Select strategies and implement response plans to address risks and opportunities

The individual is responsible for the ongoing
that risks and opportunities are managed process of selecting and implementing optimal
consistently and systematically throughout the responses to any identified risk or opportunity. This
project lifecycle. The risk management framework process entails assessing various possible types of
should include the definition of the methods to be responses and finally selecting the ones that are
used to identify, categorise, evaluate, assess and optimal or most appropriate. For each risk the
treat risks and should link to the organisations risk response options may include:
management policy and international, national or

• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
• Accepting or increasing the risk in order to pursue an opportunity;
• Removing the risk source;
• Changing the likelihood;
• Changing the consequences;
• Sharing the risk with another party or parties (including contracts and risk financing);
• Accepting the risk by informed decision;
• Preparing and implementing a contingency plan.

Similar response options apply to opportunities:

• Eliminating the uncertainty by making the opportunity definitely happen (exploit);
• Allocating ownership to a third party who is best able to handle it (share);
• Increasing probability and/or impact, by identifying and maximising key opportunity drivers (enhance);
• Taking no special measures to address the opportunity (ignore).

Those risks that are not acceptable and those opportunities that are to be pursued require an appropriate response plan. Often, even after implementing risk responses, there is a residual risk that still has to be managed.

2.3.5. Evaluate and monitor risks, opportunities and implemented responses

After the appropriate risk and opportunity responses have been implemented (this may include appointing risk owners for certain or all risks) the risks and opportunities will need to be monitored. The risks and opportunities and the appropriateness of the selected responses should be re-assessed periodically. Risk and opportunity probabilities and/or impacts may change, new information may become available, new risks and opportunities may arise and the responses may no longer be appropriate. The overall strategies may also need to be evaluated. In fact, risk and opportunity management is not just a periodic process, but should take place continuously as all actions may carry a risk aspect.

2.4. ISO 31000 and IEC 62198

The International Organization for Standardization also covers risk management, with the ISO 31000 family of standards. ISO 31000 itself covers the principles and general guidelines. It provides a universally recognized paradigm for practitioners.

IEC 62198 provides principles and generic guidelines on managing risk and uncertainty in projects. In particular it describes a systematic approach to managing risk in projects based on ISO 31000, Risk management - Principles and guidelines. Guidance is provided on the principles for managing risk in projects, the framework and organizational requirements for implementing risk management and the process for conducting effective risk management. Furthermore, ISO/IEC 31010 describes individual risk assessment techniques. Most of this subchapter is made up of quotations from ISO (2009) and IEC (2013).

The overview schema of the guidelines is shown in Fig. 5. We can see that the process design for risk management is similar in all literature sources.

2.4.1. Communication and consultation

Communication and consultation with stakeholders is important as they make judgements about risk based on their perceptions. These perceptions can vary due to differences in values, needs, assumptions, concepts and concerns of stakeholders. As their views can have a significant impact on the decisions made, the stakeholders' perceptions should be identified, recorded, and taken into account in the decision-making process. Organisations should consider using appropriate methods based on the information needs of the stakeholders. Communication and consultation with appropriate external and internal stakeholders should take place within all steps of the risk management process. The most effective consultation starts early and continues throughout the risk management process.

Communication and consultation should facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidential and personal integrity aspects. Effective external and internal communication and consultation should take place to ensure that those accountable for implementing the risk management process and stakeholders understand the basis on which decisions are made, and the reasons why particular actions are required.

2.4.2. Establishing the context

Risk only exists in the context of objectives. It is essential for the organization to understand the internal and external context related to its objectives, and the associated factors that give rise to uncertainties. While many of these factors are similar to those considered in the design of the risk management framework, when establishing the context for the risk management process, they need to be considered in greater detail and particularly how they relate to the purpose and scope of applying the risk management process. Failure to adequately capture the context can affect conclusions and decisions in other steps of the process.

The external context is the external environment in which the organization seeks to define and achieve its objectives. Understanding the external environment is important in order to ensure that the external sources of risk are identified and perspectives of external stakeholders are considered. It is based on the organization-wide
context, but tailored to the purpose and scope of the process.

The internal context is the internal environment in which the organization seeks to define and achieve its objectives. For project risk management it means context of the project and achievement of project goals.

Fig. 5: ISO 31000: Relationship between the principles, framework and process (ISO, 2009)

2.4.3. Risk identification

The purpose of risk identification is to identify uncertainties and their range of possible effects (i.e. consequences) on project objectives. Identification of uncertainties and their effects may result in update to risk criteria and/or update to the purpose and scope of the process. To ensure that as far as possible all risks that matter to the project's objectives are identified, risk identification should be conducted systematically, iteratively, knowledgeably and collaboratively, drawing on the knowledge and views of stakeholders. It should use best available information supplemented by further enquiry as necessary.

If risks are not identified within this step, they will not be included in further analysis, which may result in incorrect or incomplete understanding of risks. Project team should also identify any existing risk treatments related to the risks identified in this step, as they may also facilitate in developing understanding on identified risks.

2.4.4. Risk analysis

The purpose of risk analysis is to extend the understanding of the risk developed in the risk identification step, providing some measure of the magnitude of risk. Therefore risk analysis provides an input to risk evaluation and to decisions on whether and how risks need to be treated and on the most appropriate risk treatment strategies and methods. Risk analysis involves detailed assessment of uncertainties, risk sources, events and scenarios and their positive and negative consequences along with their likelihood. There may be multiple consequences with several objectives or assets affected or a range of magnitudes of consequence possible.

Where there is a range of consequences which can be quantified this can be displayed as a probability distribution. Descriptive or numerical information about possible consequences under different circumstances can be obtained through modelling from available data or experiments. Consequences can be described in terms of tangible or intangible effects.

Risk analysis involves applying one or more techniques to measure the risks captured in the risk identification step. The techniques can be based on qualitative and/or quantitative methods. The techniques used and the means of measurement should be harmonized, where appropriate, so risk analysis outputs can be aggregated and compared.

2.4.5. Risk evaluation

The purpose of risk evaluation is to decide whether a risk is acceptable or unacceptable to the organisation in relation to its objectives. This involves comparing the level of risk found during the analysis process with the previously defined risk criteria. Based on this comparison treatment should be considered. Decisions should take into account the wider context of the risk and include consideration of the risks borne by other parties. This includes legal, regulatory and other requirements.

If applicable both positive and negative consequences should be considered in risk evaluation. In such situations, evaluation should be made based on risk criteria with a view to achieve the project's objectives. In some circumstances, the risk evaluation can lead to a decision to undertake further analysis. The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls.

If it is decided in the course of risk evaluation that the risk should be accepted without modification, it will be appropriate to record this decision so that it can be subjected to ongoing review.

2.4.6. Risk treatment

Risk treatment involves selecting one or more options for responding to risks, and implementing those options.

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Options for treating risk involve one or more of the following:

• avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
• taking or increasing the risk in order to pursue an opportunity;
• removing the risk source;
• changing the likelihood;
• changing the consequences;
• sharing the risk with another party or parties through contracts;
• risk financing (internally e.g. retention, or transfer e.g. buying insurance);
• retaining the risk by informed decision.

Selecting the most appropriate risk treatment option involves balancing the benefits derived in relation to the achievement of the objectives against any costs, effort, or disadvantages of implementation. Justification for risk treatment may be broader than economic considerations and take into account all obligations and commitments of the organization. The selection of risk treatment options should be made in accordance with the project's and organization's objectives and risk criteria. When selecting risk treatment options, the project team should consider the values and perceptions of stakeholders and the most appropriate ways to communicate and consult them. Where risk treatment options can affect internal or external stakeholders, they should be involved in the decision.

Even if carefully designed and implemented, risk treatments might not have the effect assumed. It can also create unintended consequences inside or outside the project. Monitoring needs to be an integral part of the risk treatment implementation to give assurance that the treatments remain effective.

Risk treatment can also introduce new risks that need to be assessed, treated, monitored and reviewed. These new risks should be incorporated into the same treatment plan as the original risk and not treated as a new risk. The link between the two risks should be identified and maintained.

2.4.7. Monitoring and review

Monitoring and review should be part of the core risk management process and involve checking or surveillance with ongoing oversight by top management and those with delegated authority. Responsibilities for monitoring and review should be clearly defined. The project's monitoring and review processes should encompass all aspects of the risk management process and they may include the use of indicators and alerts.

Progress in implementing risk treatment plans provides a performance measure. The results can be incorporated into the project's overall performance management, measurement and external and internal reporting activities. The results of monitoring and review should be recorded and externally and internally reported as appropriate, and should also be used as an input to the review of the risk management framework.

3. Comparison of standards for risk management

In chapter 3, an overview of the best-known world standards for risk management methods was provided. Although the standards are similar at their core, there are some differences if we look into the details. First, let's compare the processes of the individual standards.

Table 2 compares the processes of the selected standards. The core parts of the process in all standards are identifying risks, risk analysis, planning risk responses and controlling risks (although the process phases have different names in different standards).

PMI and IPMA have plan risk management / develop a risk management framework as the first step of the process. On the other hand, PRINCE2 and ISO 31000 / IEC 62198 have identify / establish context. The same two standards include communication as part of the risk management process, whereas PMI and IPMA do not emphasise communication as part of the process.

Concerning risk analysis, only PMI separates analysis into qualitative analysis and quantitative analysis. ISO 31000 / IEC 62198 separates the analysis phase into risk analysis and risk evaluation. The other two standards have analysis as only one step, although in the details they mention both qualitative and quantitative techniques.

In my opinion, formal planning of the risk management approach and explicit mention of communication as part of the process definitely add value to the overall design of the risk management process (Rehacek, 2014). Both steps should be part of an ideal risk management process.

Table 2: Comparison of risk management processes

| PMI PMBOK | PRINCE2 (based on MoR) | IPMA (ICB 4.0) | ISO 31000 / IEC 62198 | ISO 21500 |
|---|---|---|---|---|
| Plan Risk Management | Identify (Context and Risks) | Develop and implement a risk management framework | Establishing the Context | |
| Identify Risks | Identify (Context and Risks) | Identify risks and opportunities | Risk Identification | Identify Risks |
| Perform Qualitative Risk Analysis | Assess (Estimate and Evaluate) | Assess the probability and impact of risks and opportunities | Risk analysis | Assess risks |
| Perform Quantitative Risk Analysis | Assess (Estimate and Evaluate) | Assess the probability and impact of risks and opportunities | Risk evaluation | Assess risks |
| Plan Risk Responses | Plan | Select strategies and implement response plans to address risks and opportunities | Risk treatment | Treat Risks |
| Control Risks | Implement | Evaluate and monitor risks, opportunities and implemented responses | Monitoring and Review | Control Risks |
| | Communicate | | Communication and Consultation | |

Another comparison can be made of the approach to planning risk responses. A summary is given in Table 3 (T means threat and O opportunity in the first column of the table). All standards except ISO 31000 take into account both threats and opportunities. ISO 31000 focuses mainly on threats when discussing risks, but IEC 62198 consistently mentions both threat and opportunity when planning risk responses. Types of responses are similar in all standards. PRINCE2 and IPMA mention implementation of a contingency plan (or fall-back) as a type of response strategy.

An ideal and modern risk management process should definitely treat both risks and opportunities. On the other hand, it does not seem necessary to mention the contingency plan as a basic risk response strategy. In fact, it is a plan which can be used for any risk response strategy which can result in an impact on project objectives. For example, a combination with the mitigate or accept response is quite reasonable.

Table 3: Comparison of risk responses

PMI PMBOK    PRINCE2    IPMA (ICB 4.0)    ISO 31000    IEC 62198    ISO 21500

T
avoid    avoid    avoid / remove source    avoid / remove source    avoid / remove source    avoid
transfer    transfer    share    share / finance    share / finance    deflect
mitigate    reduce    change likelihood / consequence    change likelihood / consequence    change likelihood / consequence    mitigate
fallback    contingency plan    contingency plan
accept    accept    accept    accept / retain    retain

O
exploit    exploit    exploit    exploit
share    share    share    share
enhance    enhance    enhance    enhance
accept    reject    ignore    retain

Concerning individual qualitative and quantitative techniques for risk analysis, the level of detail varies between individual standards. Some standards describe techniques in great detail - for example ISO 31000 refers to the additional standard ISO 31010, which contains detailed descriptions of many techniques; PMI PMBOK summarizes some techniques in detail as well, while PRINCE2 and IPMA contain only general references to useful techniques and leave further study completely to the reader. It is obvious that some tools and techniques are more suitable for different kinds of businesses - production or manufacturing is different from healthcare or retail, for example. Selection of appropriate tools and techniques for the risk management process is an important factor in tailoring for the purpose of the project, organization or both.

An organization or business unit which wants to implement project risk management or generally
risk management will not make a mistake by choosing any of these standards for inspiration. Tweaking according to the context of the organization or the maturity of its project management will definitely be wise, so that the final framework is tailored exactly to fit the given organization.

4. Conclusion

In the previous chapters, the concept of risk and risk management was recapitulated, followed by a brief but complete description of the project risk management process in the best-known world standards for risk management: PMI PMBOK, PRINCE2, IPMA, ISO 31000 and IEC 62198. A comparison of the process phases of the individual processes and of the risk response strategies was performed. The result of the comparison showed that although all world standards have a similar core of the risk management process, some differences exist. Therefore, if an organization wants to implement its own risk management process or framework inspired by world-known best practice, it could be useful to look at more than just one standard and tailor a suitable combination based on its own needs.

As was also shown, an up-to-date methodology for treating risks must take into account not only threat but also opportunity when dealing with risks. All standards recommend plenty of tools and techniques for risk analysis; especially ISO 31010 (IEC/ISO, 2009) provides a very broad and detailed description of such techniques.

Again, an organization implementing project risk management should pick from the whole range those tools and techniques which suit the context of the whole organization well, while leaving some space for the project manager in charge of a given project to tailor project risk management according to the project context.

References

IEC (2013). Managing risk in projects - Application guidelines. IEC 62198, International Electrotechnical Commission, Geneva, Switzerland.

IEC/ISO (2009). Risk Management-Risk assessment techniques. IEC/ISO 31010. International Organization for Standardization. Geneva, Switzerland.

IPMA (2015). IPMA Individual competence baseline for project, programme and portfolio management. International Project Management Association. Available online at: http://products.ipma.world/wp-content/uploads/2016/03/IPMA_ICB_4_0_WEB.pdf

ISO (2009). Risk management – Guidelines. ISO 31000, International Organization for Standardization. Geneva, Switzerland.

OGC (2009). Managing successful projects with PRINCE2. Office of Government Commerce, London, UK.

PMI (2009). Practice standard for project risk management. Project Management Institute, Atlanta, USA. Available online at: https://www.pmi.org/pmbok-guide-standards

PMI (2013). A guide to the project management body of knowledge (PMBOK Guide). Project Management Institute, Atlanta, USA. Available online at: https://www.pmi.org/pmbok-guide-standards

Rehacek P (2011). Risk management and FMEA. In the 9th International Conference on Strategic Management and its Support by Information Systems. Celadna, Czech Republic: 154-158.

Rehacek P (2014). Standard ISO 21500 and PMBoK® guide for project management. International Journal of Engineering Science and Innovative Technology, 3(1): 2998-295.

Šviráková E (2014). System dynamics methodology: Application in project management education. In the International Conference on Efficiency and Responsibility in Education, TBU Publications, Czech University Life Sciences Prague, Prague, Czech Republic: 813-822. Available online at: https://publikace.k.utb.cz/handle/10563/1004238

Šviráková E and Soukalová R (2015). Creative project management: Reality modelling. In the Innovation Vision 2020: From Regional Development Sustainability to Global Economic Growth, International Business Information Management Association (IBIMA), Amsterdam, Netherlands, 1: 1085-1097. Available online at: https://publikace.k.utb.cz/handle/10563/1005704
