FOUNDATIONS OF IMPLEMENTATION OF RISK MANAGEMENT PROCESS WITHIN PROJECT MANAGEMENT FOUNDATIONS OF IMPLEMENTATION OF RISK MANAGEMENT PROCESS WITHIN PROJECT MANAGEMENT

The term risk is often elusive, because its interpretation is commonly based on the specific aspect and goal of its utilization. Therefore, there are many definitions and approaches to cover this term. However, the situations in which we perceive risk have certain common elements. The first one is that we do not know what will happen. The second one is that specific interests are exposed to consequences in such situations [1]. Thus, there are essentially two components needed for risk to exist – an uncertain event and its adverse consequences (see Fig. 1). Risk can be defined as an uncertain event that, should it occur, will have an effect on the achievement of objectives. A risk is measured by a combination of the probability of a perceived threat and the magnitude of its consequences on objectives [11].

The risk essentially models causal relation between uncertain cause or event and its consequence. The consequences of the risk represent adverse impacts on specific values or interests. In context of project, the impacts are represented by influence of project objectives. In case the risk event is imminent, indicating an impending impact, the risk is commonly referred to as threat. There are basically two types of impacts within the context of the project [4]: G not delivering the project's outcome that can achieve expected benefit; and G not achieving the project's end result within required quality, time and costs.
From the project point of view, it is necessary to ascertain types of relations, whose consequences can be identified with mentioned two types of project's consequences.
The occurrence of event associated with risk is not isolated, but it is always a result of the complex causal relations between various events and attributes of environment, in which the project is carried

FOUNDATIONS OF IMPLEMENTATION OF RISK MANAGEMENT PROCESS WITHIN PROJECT MANAGEMENT
Katarina Kampova * Nowadays, most organisations are experiencing unprecedented levels of change. Change has become a way of life for organisations that need to remain effective and competitive in order to thrive. It is essential to manage the inherent risk associated with change and innovation. Project brings together resources, skills, technology and ideas to deliver business benefits or to achieve business objectives. Good project management helps to ensure that these benefits or objectives are achieved within budget, within time and to the required quality.
Project management must control and contain risks if a project is to stand a chance of being successful and ensure the security of the project. Without an ongoing and effective risk management procedure it is not possible to give confidence that the project is able to meet its objectives. This paper covers the main aspects of the management of risk as they apply to project management and proposes the methodology, which is applicable in implementation of risk management within a project.
out. Individual components (issues, topics, or concerns) of the project environment that form its properties and may ultimately drive its behaviour and hence affect the probability of risk event occurrence are designated as the risk factors [5]. The monitoring of risk factors, changes and trends of development of the risk environment can indicate the dynamics of risk intensity changes.
For the identification of the project's risks, it is important to recognize the context, in which the risk is assessed. The context of the risk determines which event is considered as the risk event and which as the risk factor. The project risk management should recognize the whole context of the risk and therefore it is necessary to identify these relations as a complex sequence of the different events, which occur within the certain project environment and lead to peril of the project (See Fig. 2).
The risk management within this broad context of causal relations may be illustrated on IT project considering the risk of deprivation of the project's source code (Event 3) with negative impact on time and costs of the project (Consequences). The loss of source code is in this case immediate event preceding the adverse consequences. This event can occur as a result of theft of project servers (Event 1b) or damage to the server (Event 2b). The theft can result from overcoming the physical protection of servers (Event 1a) and damage can occur as a result of the natural disaster -lightning, fire, flood, etc. (Event 2a).
The risk can be generally managed through the control of various attributes of the environment. The consequences of risk event can be mitigated regardless of having knowledge about the event and its causal relations. The consequences in the example can be moderated by a backup procedure implemented on the independent servers (attribute 3). However, the knowledge of the causalities facilitates the effective control of risk probability and thus prevents the risk event from occurring. The risk in the example can be prevented by ensuring higher level of physical protection of assets of the project (attribute 1) or by securing hardware equipment of the project against natural disaster with surge protectors, appropriate choice of location, etc. (attribute 2). Generally, it is not possible to compile a list of risks, which would be universally applicable to every project. Nevertheless, the project risks can be broadly classified under two categories, based on distinguishing types of consequences as follows [4]: G business risks; and G direct project risks.
Business risks cover the threats associated with a project's end result not fulfilling business expectations and not delivering required benefits. It is the responsibility of the project board or project steering committee to manage business risks and to keep the validity and viability of the business case within the business strategy.
Direct project risk includes the collection of threats to the management of the project and hence to the achievement of the project's end results within cost and time. These risks should be managed on a day-to-day basis during all phases of the project life cycle, from initial idea to project close-out.

Managing risk
Every project takes place in an environment that is constantly changing [3] and project itself is subject to constant change too. Fast changing environment with many interested parties and external influencing factors and changes in a project due to unanticipated occurrences require reconsideration of project's priorities and relative importance of risks. The risk is inseparable aspect of the whole project life cycle and in a way, risk events are a result of bad planning [2]. Therefore, it is necessary to introduce a risk management process, which continually provides reassessment of changes within the project environment and proposes the suitable responses to the risk.
Boardly, the management of risk comprises two main parts (Fig. 3): G risk analysis; and G risk management.
The risk analysis and risk management phases must be treated separately, to ensure that decisions are made objectively and based R E V I E W on all the relevant information. These processes are, however, interrelated and undertaken iteratively. The formal recording of information is an important element in risk analysis and risk management. The documentation provides the foundation that supports the overall management of risk [4].
Risk analysis is a process that should be conducted continuously throughout the project as information becomes available and as circumstances change. Risk analysis consists of overlapping activities: G risk identification, G risk evaluation, G identification of risk responses; and G selection of risk response.
The objective of risk identification is to uncover various potential risk events that could be faced by the project and also to identify their determining circumstances. This step is focused on revealing as many risks and their causal relations as possible, regardless the judgment of the likelihood or magnitude of impacts. Once identified, risks are all entered in the risk log. The risk log is a control tool for the project manager, providing a quick reference to the key risks facing the project, what monitoring activities should be taking place and by whom [1].
Risk evaluation is the activity concerned with assessing the level of each risk within the risk log. The level of risk is determined by quantification of risk uncertainty. The risk uncertainty means that we do not know what will happen, when it will happen and what actual size of impact it will have. This uncertainty chiefly comes from insufficient knowledge, inaccurate information or by natural variability of the risk factors [12]. Probability is often used as a metric of uncertainty [7].
Another aspect of probability considerations is when the risk might occur. Some risks are predicted to occur further away in time than others. This prediction is called the risk's proximity [1]. Risk proximity is an element of risk uncertainty, which depicts the period of time within which the risk event is most likely to occur [6]. It can be quantified by means of exponential probability distribution, which describes the time between risk events.
After evaluating the risks, many people stop, believing that knowledge will protect them. However, awareness and assessment do not change risk exposure, unless they lead to action [9]. Therefore, ensuing step of risk evaluation focuses on the identification of suitable risk responses. The result provides an insight into the possibilities of actions, which might be carried out in order to appropriately respond to the risk. The actions break into broadly five types: prevention, reduction, transference, acceptance and contingency [4].
Prevention terminates the risk. It is the type of action, where countermeasures are put in place that either stop the risk event from occurring, or prevent it having any impact on the project [1]. Reduction treats the risk and reduces either the probability of the risk developing or limits the impact on the project to acceptable levels. Transference is a specific form of reduction, which reduces impacts only and often only financial impact [11]. Transference passes the risk to a third party via insurance policy or penalty clause. Acceptance tolerates the risk either because nothing can be done at a reasonable cost to mitigate it, or because the risk is so small the effort to do anything is not worthwhile [13]. Contingency prepares for the risk by actions planned and organized to come into force as and when the risk occurs.
The last step of risk analysis is the selection of the most appropriate actions, based on the preceding steps. For each possible action it is a question of balancing the cost of taking that action against the likelihood and impact of allowing the risk to occur.
The process of risk management logically follows risk analysis. Once the risks have been identified and evaluated, attention needs to focus on managing them. The objective of this process is planning, organizing and controlling of risk responses selected in the risk analysis. Risk management consists of two major phases: G planning and resourcing; and G monitoring and controlling.
The phase of planning and resourcing is focused on developing a detailed plan of actions required to carry out and on identification and allocation of the resources to be used for the implementation of actions. The monitoring and controlling phase identifies signs of a change in the status of the risk after the amelioration actions have been put into effect. The objective of this phase is to check and report whether the overall management of risk is being applied effectively.

Conclusion
In the past thirty years project management has been a discipline which has developed tremendously and increased in visibility [3]. The projects are more numerous, more complex and more varied in nature. Project management faces the fast changing context driven by the business striving to deliver demanded benefits. Such conditions challenge the project managers to effectively manage the substantive risk associated with rapidly developing environment.
In order to manage risks and deliver successful project it is necessary to provide a mechanism to harness the resources and enable the project to achieve business objectives. This paper has introduced a fundamental framework covering basic principles of perception of risk within the context of the project and activities required to manage the risks during the project. The approach focusing on risk environment was introduced together with the classification broadly segmenting the project risks. The management of risk procedures stemmed from the understanding of risk environment was described. The risk management is comprehended as continuously carried out actions arranged in two overlapping phases. The phase or risk analysis identifies the project risks as well as the options for treating them and the phase of risk management plan, resource, control and monitor the implementation of actions dealing with the project risks.