Project Risk and Procurement Management Strategy; Full Guideline with Samples

Risk Management Strategy

Organizations often base their projects on their company objectives and their strategic plans. However, the uncertainties and dynamics of the real world may hinder companies from implementing their projects and, consequently, their strategies. Risk management involves maneuvering these dynamics and uncertainties to inform organizational decision-making processes and ensure successful delivery of company projects. Therefore, risk management has become a vital factor in business success for projects and entire organizations.

Even with the recognized importance of risk management, it is also true that implementing it involves laborious undertakings such as research into all of a project’s factors. The primary priority of most project managers is the realization of an effective risk management strategy (Hopkinson 2012). Nonetheless, such knowledge has not always been salient and only became conventional after the corporate world experienced several financial crises in the 21st century. This project will thereby provide a definition of the concept of risk, explain how risk can be measured and ranked, and finally show how a risk management strategy can be constructed for successful implementation of a project.

The Notion of Risk

Since the dawn of mankind, the events that have unfolded on a daily basis have been a source of risks that humans have processed through the emotions of fear and insecurity. Humans have thereby developed a coping strategy that informs them when something bad is about to happen (Bernstein and Bernstein 1996). Through this knowledge, mankind got better at putting itself in risky situations such as hunting big game without fear of death (Andrews et al. 2006). The notion of risk that comes from real-life situations such as the one described above is not different from the notion of risk experienced in the corporate world. The main difference between the two scenarios is that in a business setting, risks are tied to threats that managers need to stave off to maximize opportunity. Researchers have provided different definitions of risk. Therefore, while some authors could argue with others on whether certain types of risks exist, it is invariable that risk will always be associated with uncertainty connected to future events. This project will use the working definition of risk provided by Galati and Tsatsaronis (2003).

Different types of organizations approach risks from different perspectives. While some try to minimize risk at all costs, others induce risk since it is often related to rewards (Manning et al. 2005). Organizations that maximize risk are referred to as risk-seeking while those that minimize it are referred to as risk-averse. Examples of risk-averse organizations include the government, the health sector, and chemical industries. Moreover, most businesses also often fall in this category (Zanora, Kuz’mins’ka and Danchenko 2013). Risk-seeking organizations include high-performing business companies, venture capitalists, and entrepreneurs. What differentiates these organizations concerning risk is that risk is sometimes associated with reward (Skinner 2008). Thereby, high-performing business companies will engage in risk-seeking behavior that gives them more reward than most businesses. An example lies in the health sector, where uncertainties are frowned upon and the players in this industry prefer proven methods over novel ones (Irwin et al. 2004). The differences in approaches to risk thereby determine where an organization lies on the risk aversion spectrum. Before determining their approach to risk, organizations first consider their business factors with emotional, political, social and financial considerations in mind. Most 21st century organizations prefer aversion to risk and only take risks when the cost of doing otherwise beats the cost of taking the risk. Nevertheless, other companies see that there are opportunities involved with risks. Such a scenario may be like winning a war, where nations may see that loss of life is a risk that they are bound to take if they value victory. In such instances, organizations tend to reduce the involved risk to achieve the projected reward (Gompers and Lerner 1997).

Measuring Risks in Management

Human beings have since the dawn of time tried to stave off uncertainty and risk, albeit in objectively ineffective ways. For example, people in ancient days responded to risk through prayer, sacrifice and even acceptance of their fate. The idea of God was heavily used for consolation purposes when their fates betrayed them. Divine Providence was used to intervene on their behalf; they believed that to get a positive outcome, one had to appease the spirits of their ancestors, contrary to which bad outcomes would haunt them (Bernstein and Bernstein 1996). In these ages, risk was not quantified, for the belief in predestination and the non-changeability of fate was firm. As humanity progressed through the Greek, Chinese and Roman civilizations, the calculation of probability became more common. The Middle Ages became the first time that humans used mathematics to quantify risk (Sutcliffe 2006). This was when the Pacioli Puzzle was used to calculate the probabilities of winning a dice game. Blaise Pascal developed the Pascal triangle to calculate the probabilities of winning games with equal odds. The use of probabilities was streamlined by Fermat and Bernoulli, who came up with the Fermat principle and Bernoulli’s effect respectively (Bernstein 1996). Bernoulli theorized that when randomly sampling coin flips, the proportion of tails to heads approaches 0.5 with an increase in the volume of coin tosses, thereby laying the foundation for the generalization of population properties. In 1738, Abraham de Moivre developed the normal distribution, which has since become critical in measuring probability in the modern age (Bernstein 1996). In this method, about 60% of the plotted data lies in a single standard deviation of the data mean, 95% lies in double standard deviation while 98% lies in triple standard deviation. The works discussed above lay the foundation for more complex risk measuring techniques such as life tables (Wearne and Wright 1998).

For example, in life tables, it is estimated that for a population sample in the year 1670, 64 out of 100 people reached six years (Reason 2016). However, only one person in a hundred reached 76 years. Life tables were somewhat defined to calculate life annuities and other actuarial measurements of risk (Hart et al. 2007).

This section of the project will, however, give examples of risk calculation concerning the financial market, since such methods can be extrapolated to almost any other modern industry. There are several ways in which risk in an organization can be measured. The most common way is the use of standard deviation (Wilson 1996). A standard deviation is a form of measurement that quantifies the amount of dispersion within a data set. When financial data or data of any kind is mapped, such dispersion can then be figured out. An example of how risk can be measured through the use of standard deviation is the computation of volatility versus uncertainty (Rockafellar and Uryasev 2000). For example, in a stock portfolio optimization that assumes that a certain company’s stocks will yield a 12% return and 15% standard deviation, the 15% is interpreted either as the volatility of these stocks over the period or as an uncertainty measure attached to the 12% return. In the first case, the total return is estimated over the entire time, followed by additionally estimating the value of the returns under smaller time frames (Avellaneda and Parás 1996). The second case, however, estimates the total return and provides the level of confidence, or lack of it, that an investor has over the estimated return (Garlick 2007).

For instance, when one wants to differentiate between uncertainty and volatility, one should consider the differences between a decade-old bond and a capital partnership with a decade-old capital lock-up (Ducker 2010). For the bond, the certainty of return is guaranteed, but the investor is aware of the high volatility the bond has (Moschini and Hennessy 2001). The venture capitalist, however, has no volatility due to the unmarketable nature of his investment but still suffers substantial uncertainty. The above examples provide two approaches to risk characterized by an organization’s attitude towards risk (Conrow 2003). For example, air travel, the medical sector, and government prefer to liken risk to uncertainty, while in capital investment, risk is volatility (Carson et al. 2006).

Some types of risks differ from each other in terms of their severity. This is an important phenomenon to consider, since a risk that has a lower probability may pose more danger to an organization if its severity is high compared to another type of risk that has a higher probability of occurrence but lower severity (Hillson 2002). The discipline applied to balance the significance of risks is referred to as risk ranking. It can be done by application of different sets of tools. However, risk matrices are the most commonly employed of the tools. The matrix has the likelihood of occurrence and the consequence of the risk as its axes (Alghalith 2007). It gives managers an impression of the risk’s significance by helping them determine the amount of resources that should be put into managing the risk (Carpenter 2010). When constructing a risk matrix, managers should first determine the intended purpose of the matrix. Acceptability levels or risk tolerance levels should be established so as to determine the severity of potential future events (Hillson 2009). Typically, a risk matrix resembles the table below.

| Negligible | Marginal | Critical | Catastrophic |

The columnar axis of the matrix above represents a probability range that lists events with respect to increasing likelihood of occurrence from ‘rare’ to ‘certain’ (Gray 2013). The horizontal axis represents a consequence range that lists events with increasing severity upon occurrence from ‘negligible’ to ‘catastrophic’. Negligible events that also fall into the rare category have the least severe impact upon a project (Kendrick 2009). Thereby, they are ranked lowest. Inversely, catastrophic events that also fall into the certain category are the most severe risks and are thereby ranked highest (Moss 2014). Events that lie in between the two have an increasing degree of severity. Managers should thereby come up with a threshold for determining each project’s risk tolerance (Munier 2014). To demonstrate the above risk ranking method, this paper proposes an example where each event will be replaced with a monetary value. The above ranking method is intuitive due to its color-coded nature (Pickett 2005). The warmer parts of the matrix represent increasing severity whereas the cooler parts represent decreasing severity (Pearson and Mitroff 1993). Managers should therefore aim to strike a balance along the range of the matrix to establish an effective risk tolerance threshold (Institute 2009). For instance, negligible risks will be given a monetary value range between $2000 and $10000. Marginal risks will be given values between $10000 and $200000 (Roger 2002). Critical risks will be given values between $2000 and $1000000 whereas catastrophic risks will be given values above $1000000. After inputting the above case scenario into the matrix, the ranking of risk results as follows.

| Rank | Range | Loss ($) | Description of the loss |
|---|---|---|---|
| 4 | Catastrophic | More than 1000000 | Death and/or permanent disability to employees. Irredeemable environmental damage. Dissolution of business. |
| 3 | Critical | Between 200000 and 1000000 | Partial disability or injuries and/or illness to more than 3 employees. Redeemable environmental damage. Violations of laws and regulations. |
| 2 | Marginal | Between 10000 and 200000 | Illness or injury that results in loss of work days. Placable damage to the environment. |
| 1 | Negligible | Between 2000 and 10000 | Minor injury and/or illness to employees that results in a singular loss of a work day. No violation of regulations or laws occurs. Minimal or little environmental damage. |

Since a risk matrix is two-dimensional, two tables are required to map out both the probability ranking and the consequence ranking (Lundren 2013). Just as the consequence ranking has been performed above, monetary value will be given to the range of probability to provide a mathematically based ranking (Ward 2011). The range thereby runs from 1 to 5 to represent improbable, remote, occasional, probable and frequent. By combining the two tables, one can get a clearer ranking of a risk based on both consequence and likelihood (Lerbinger 1997). Managers can then deduce the risk tolerance of the project towards certain risks (Kouns 2013). For example, a risk that has a consequence rank of four and a likelihood ranking of certain would not be tolerable for any project, while one that has a consequence ranking of one and a likelihood ranking of two is addressable through adjusting the project parameters or the organization policy (Rasmussen 1997).

| Rank | Range | Probability within a business’s life | Description |
|---|---|---|---|
| 5 | Certain | Once in every two years | Continually experienced |
| 4 | Likely | Once in every four years | Frequently occurs |
| 3 | Possible | One in every six years | Occur several times |
| 2 | Unlikely | Once in every twelve years | Reasonable expectation for unlikely occurrence |
| 1 | Rare | Once in every twenty four years | Unlikely occurrence, impossible |


Project Risk Management Strategy

The end game of a project risk management strategy is the minimization of negative incidences and negative events during the course of a project. It is iterative owing to the fact that it begins at project commencement, continues through the project’s lifecycle and ends during the project termination (Carpenter 2010). It maps out the risk factors outlined in the risk management program of the organization. Construction of a risk management strategy follows four steps. These include:

  1. Elucidation of the strategy’s objectives
  2. Assessment of the risks connected to different project areas.
  3. The risk management process
  4. Decision making throughout the process of risk management

A sample risk management strategy

After evaluation of the above risk management process, the following steps will be used to construct our own risk management strategy.

1. Identification of risk

2. Risk measurement and risk ranking

3. Planning the response to risk

4. Implementing the response to risk

5. Communication

The first four steps are sequential and successive whereas the fifth takes place between all of the four. Each step has inputs, processes and outputs (Avellaneda and Parás 1996).

Identification of risk

The inputs of this step are activity analysis, the stakeholders map, lessons learnt, organization objectives and issues that crop up during the project timeline. The processes and techniques used to identify the risk include checklists, group techniques, questionnaires, risk description and constraints analysis (Cooper 2005). The output of risk identification will be the risk register and early warning indicators. The output of this stage will give three dimensions that will define the risk. The first dimension will explain in detail the risk sources, which are also known as drivers (Froot et al. 1993). The second dimension will be a detailed explanation of the impact associated with the identified risk. The last dimension will classify the risk as either a threat or an opportunity (Carson et al. 2006).

Measuring and ranking of risk

As previously discussed in this paper, risk measurement and risk ranking are crucial in project management since they help managers to assess the severity of projected risk (Galati and Tsatsaronis 2003). To craft the severity of the identified risks, the following factors should be considered.

  • Each risk is associated with either threat or opportunity
  • The risks’ impacts should be based on the project’s objectives
  • The expected time of risk occurrence should be calculated.
  • The value of loss should moreover be calculated

The inputs of this process will be the risk register and early warning signs derived from the outputs of the previous stage. The techniques and processes to be implemented will include probability trees, risk matrices, volatility versus uncertainty assessment, probability impact grid, Pareto assessment and expected value assessment (Bernstein and Bernstein 1996). The output of this stage will be an update of the risk register. To convert the rating and measurement of risk into a computable figure, the following formula will be used:

  RMV = P * RIV

  • RMV = Risk Monetary Value
  • P = Probability of occurrence
  • RIV = Risk Impact Value
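
The two ranking tables and the RMV formula can be applied together to a small risk register. The Python code below is an added example, not part of the original paper; the sample risks, the reading of P as a yearly frequency taken from the "once in every N years" column, the boundary handling and the rank-product matrix score are all assumptions.

```python
from dataclasses import dataclass

# Lower loss bound ($) for each consequence rank, from the loss table above.
CONSEQUENCE_BOUNDS = [(4, 1_000_000), (3, 200_000), (2, 10_000)]
# Likelihood rank -> years between occurrences, from the probability table above.
YEARS_BETWEEN = {5: 2, 4: 4, 3: 6, 2: 12, 1: 24}


@dataclass
class Risk:
    name: str
    impact: float    # RIV: risk impact value in $
    likelihood: int  # rank 1 (rare) to 5 (certain)


def consequence_rank(loss):
    """Map a monetary loss to rank 1-4. Assumption: a loss exactly on a
    boundary takes the lower rank, and losses under $2000 count as rank 1."""
    for rank, lower in CONSEQUENCE_BOUNDS:
        if loss > lower:
            return rank
    return 1


def probability(likelihood):
    """Assumption: P is the yearly frequency implied by 'once in every N years'."""
    if likelihood not in YEARS_BETWEEN:
        raise ValueError(f"likelihood rank must be 1-5, got {likelihood}")
    return 1 / YEARS_BETWEEN[likelihood]


def assess(risk):
    """Return the matrix position, an assumed combined score, and RMV = P * RIV."""
    c = consequence_rank(risk.impact)
    return {"name": risk.name, "consequence": c, "likelihood": risk.likelihood,
            "score": c * risk.likelihood,  # assumption: product of the two ranks
            "rmv": round(probability(risk.likelihood) * risk.impact, 2)}


def rank_register(register):
    """Order the register two ways: by matrix score and by monetary value."""
    rows = [assess(r) for r in register]
    by_matrix = sorted(rows, key=lambda r: (r["score"], r["rmv"]), reverse=True)
    by_rmv = sorted(rows, key=lambda r: r["rmv"], reverse=True)
    return by_matrix, by_rmv


# Constructed sample register (names and figures are illustrative only).
REGISTER = [
    Risk("Supplier insolvency", 1_500_000, 1),
    Risk("Key staff injury", 50_000, 4),
    Risk("Regulatory violation", 400_000, 3),
    Risk("Minor site incident", 5_000, 5),
]

if __name__ == "__main__":
    by_matrix, by_rmv = rank_register(REGISTER)
    for row in by_matrix:
        print(f'{row["name"]:22} C{row["consequence"]} x L{row["likelihood"]} '
              f'= {row["score"]:2}  RMV ${row["rmv"]:,.2f}')
    print("RMV order:", [r["name"] for r in by_rmv])
```

In this sample the rare but catastrophic risk comes last by matrix score yet second by RMV, which is the low-probability, high-severity case the ranking discussion describes.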

Planning of the risk response

There are many possible responses that a manager may come across in the event of encountering a risk. The difference in approach to risk response is determined by the nature of the risk, that is, whether the risk is an opportunity or a threat (Conrow 2003). The table below shows a summary of possible responses that a manager may choose from.

| Opportunity responses | Threat responses |
|---|---|
| Exploit the impact of the risk | Avoid |
| Enhance the impact of the risk | Reduce the probability of risk impact. Reduce the impact of the risk. Transfer the financial impact of the risk. |
| Share the impact of the risk | Share the financial impact of the risk with others |
| Reject the impact of the risk | Accept the financial impact |

The inputs of this stage are the risk profile summary from the previous stage’s output, the risk ranking and dependency, the updated risk register and insurance policies. The techniques and processes to be used are cost-benefit analysis and decision trees (Garlick 2007). The output of this stage will be the risk owner, the risk actionee, the risk register update and the risk response planning.

Implementation of the risk response

This is the process where the drafted risk response plan is put into action. The outputs of the previous stage will define the implementation strategy as follows:

  • Risk owner - this is identified in the planning stage of the risk management strategy. The individual is held accountable for controlling the risk and other aspects of management such as controlling, implementing and monitoring risk responses.
  • Risk actionee - the individual is given the sole mandate of carrying out the action plan. The action plan is derived from the risk response plan.


Communication binds the other four processes together through the creation of feedback loops. Several types of document are involved in the communication process of a project’s risk management strategy (Carpenter 2010). They include:

  • Highlights - these are publication reports showing the progress of a project, with inclusion of completed sub-projects, sub-projects pending completion and the performances of these sub-projects in terms of quality, cost and time (Epstein and Rejc 2006).
  • Checkpoints - these are typical reports published in the midst of the execution of different project packages (La Porte 1996).

Best practices in minimizing risk in projects

Several rules should be considered as primary when one wants to minimize the occurrence of risk in a project (Andrews et al. 2006).

  • Identification of potential risk at the project’s beginning - potential risks could be identified through the input of the project’s team from their knowledge and past experiences (Donaldson and Kohn 2000). They could also be brainstormed from all the missed opportunities of projects that did not reach fruition.
  • Communication throughout the project should be clear - communication about risk should be performed effectively through solicitation among team members in frequent periodic meetings (Mitroff and Pearson 1993). The project’s sponsors should also be included in the communication process for them to provide the necessary resources that the risk management process requires (Boin and Lagadec 2000).
  • Opportunities and threats should be considered during risk assessment - risks often possess a negative connotation, thereby likening them to threats. However, since opportunities also exist in the form of risks,
  • Prioritize risk - since risks differ in their degrees of significance and severity, those with higher impacts and probabilities should be given precedence.
  • Develop effective responses to identified risk - appropriate responses should be developed to provide strategies to reduce probabilities of risk occurrence, manage risks upon occurrence and ensure that opportunities are capitalized on.


The occurrence of risks is an inescapable event in any project. This is because projects are future-oriented and the future is rife with uncertainties. Therefore, project managers not only need to develop means of combating the harmful effects of risks but also need to come up with ways of capitalizing on the positive effects of risks. Risk management has been the result of years of trial-and-error approaches to dealing with risks (Pearson and Clair 1998). The current world, however, has at its disposal techniques that assist in the process of risk management in terms of identification of risk, measuring, ranking, planning and implementing strategies.
