Risk management fundamentally consists of assigning to a nested structure of projects and their associated activities at least a cost and a time and then identifying risks and the impact of such risks on the cost and time assigned to each particular activity and project the same risk could affect more than one activity or project but may have differing levels of impact. Where a risk has an impact on the cost of an activity, for example, then the analysis can be performed against each activity independently. If, on the other hand, a risk has an impact on time, then the analysis of the impact must feed through the entire project structure. For each risk that is identified, mitigating plans are identified and put in place to reduce or prevent the risk. The mitigating plans are generally in the form of a series of actions that are to be followed The mitigating plans could have the effect of reducing the probability of the risk arising or of reducing the extent of the risk's impact on a particular activity or project.
Increasingly, companies are turning to risk management to identify and implement ways of reducing their exposure to risk, especially in large-scale projects. Various risk management software products have been developed to assist in this, much of the software being specifically for use in risk management in the medical field. Development of risk management systems has focused on ways of automating the analysis of risk and identification of mitigating actions. For example, U.S. Pat. No. 5,9307,62 describes risk management software which is capable of automatically identifying appropriate mitigating actions in response to an identified risk. However, commonly, those having responsibility for the management of risk in large scale projects have not been part of the day-to-day management of the projects involved. As a result, risk management software has remained a stand-alone software product.
Especially for large-scale projects, it has been realised that the separation of risk management and project management is not ideal. Firstly, such separation results in unnecessary duplication of work. More importantly, where there is a separation of risk management and project management, poor communication can result in changes in a project not being accommodated in the modelling of the risk for that project and in actions, identified as best mitigating a risk, not being implemented in the project.