As part of the planning process, ministries should identify, analyze and treat the risks associated with the services or project.
A risk is any event or condition that, if it were to occur, may impact the success of the services or project. Most commonly, risks are considered in terms of their impact to the quality and quantity of deliverables, the target timelines, and/or the approved budget.
When assessing risks, consider the following steps:
Note that the information contained on this page is for generic use only. For advice related to specific circumstances, ministry staff are advised to contact the Risk Management Branch & Government Security Office or the Ministry's Procurement Specialist. Additional information can also be found under the Risk Management pages, specific to insurance, securities and bonds, and WorkSafeBC requirements.
The first step in any risk assessment is the identification of all possible risks. This can be difficult, as not all risks will be known, particularly if this is a new service or if the previous file did not fully document the unexpected events that impacted service delivery.
Risk identification entails determining the project risks and their characteristics, including:
- Listing all risks that may impact deliverable quality, quantity, timelines and/or budget;
- Identifying what would trigger a risk event to occur; and
- Determining what the potential impact would be if the risk event did occur.
To assist in identifying risks, consider the following four categories:
- Those risks as a result of outside influences (e.g. political priorities, shifting legal or regulatory environment, labour issues, external stakeholder readiness or motivation/interest, economy, weather conditions, etc.);
- Those risks as a result of internal influences (e.g. executive leadership and/or support, governance, funding commitment, internal stakeholder readiness or motivation/interest, etc.);
- Those risks as a result of managing the project (e.g. time and resource constraints, lack of quality assurance and control steps, poorly defined scope, communication risks, lack of project management methodology and discipline, project complexity, contract management problems, etc.); and
- Those risks related to the project’s ability to meet the defined objectives and intentions (e.g. technical, quality or performance risks, unanticipated outcomes such as too much/too little/unintended use, changes to technology standards, etc.).
Once all known risks have been identified, an analysis of each one is the next step. For each risk identified:
- Assess the likelihood or probability that the risk event will occur;
- Assess the consequence, impact or severity of the risk event if it did occur; and
- Establish a risk score and ranking.
Some ministries may have risk assessment templates that can assist with this step; refer to the ministry links found on the Plan page. If no ministry template exists, this generic risk register template can be useful to document this process.
Once the ranked order of risks has been determined, the next step is to decide how to treat each. Obviously, those risks that have a high likelihood of occurring and a high impact to the project’s success will require more active planning than those with a low likelihood and/or impact.
Risk treatments could include the following:
- Avoidance: Changing the project plan or performing actions that would eliminate the cause of the risk. For example, if one of the risks was inappropriate access to personal information, the project plan might be changed to eliminate the need to gather any personal information.
- Transference: Transferring the risk to another party. This is the purpose behind indemnities and insurance requirements in contracts; these clauses establish the contractor’s responsibility for their actions and inactions related to the contract, and provide the means to pay for any financial consequences.
- Mitigation: Lowering the impact of the risk by reducing the likelihood of it occurring and/or reducing the consequence. For example, if one of the risks was inappropriate access to personal information, the ministry may decide to give the contractor only a number that corresponds to the ministry-held personal information. In this way, the risk is mitigated as the Province has complete control over how and when the personal information is accessed.
- Acceptance: Accepting the risk and the consequences, which may be passive (waiting until it happens, if it does) or active (establishing a contingency plan to deal with it if it happens). The rationale for accepting a risk often hinges on the event being unlikely to occur, having a low impact on the project if it does occur, and/or being too costly or impractical to treat in any other manner.
Once risk treatments are decided, a plan should be developed on how risks will be monitored and controlled. This plan should include:
- Developing an action or contingency plan for each identified risk;
- Assigning each risk to a person responsible for monitoring and tracking it; and
- Initiating an immediate action plan for those risks determined to be of the highest priority (i.e. a high likelihood of occurring and a high impact to the project).
As part of the risk management plan, key risk management “gateposts” should be established, which usually are tied to one or more deliverables. This approach will allow the ministry to identify when a risk event is occurring in order to activate the appropriate treatment or contingency plan as early as possible.
The risk management plan should be regularly updated, allowing for adjustments specific to those risk events that have occurred and for any new risks identified.
Finally, all activities related to managing, monitoring and controlling risks should be documented and made available as “lessons learned” for future contracts of similar services.