Improving Project Risk Management – A Practical Guide
The Reality of Dealing with Risk in Projects Today
It is a fact, not just a saying that all projects carry risk. However, few organisations are able to demonstrate the application of disciplined risk assessments of their projects. This can be a major constraint on the success of any project – or even worse.
Improving the application of project risk management involves two main objectives:
- improving the ability to identify risk, while we still have time in the project lifecycle to influence it, and
- embedding the management of risk into the mainstream of delivering projects.
(Context: for the purposes of this discussion, the term project refers to one of significant size, complexity and/ or challenge.)
All projects carry risk, i.e. uncertainty. The most obvious examples of sources come from:
- dependencies (internal or external)
- assumptions made by team members (in relation to any aspect of the project).
At the start of projects, the potential impact of risk (in cost and / or schedule terms) is almost unlimited. The real choice is either to dedicate proper and timely attention to understanding and managing risk, or suffer its consequences (impacts) downstream. Historically though, organisations have not always been proactive at managing project risk at all – it is even common to hear project managers say things like: “I’ve not had time to to look at it as I’m too busy developing the project plan”.
On larger projects, there are few areas where a disciplined project manager can have a greater positive impact on delivery, than the area of risk.
From a corporate perspective, all key projects should be challenged (through governance) to demonstrate a disciplined approach to its management and that their exposure to risk is reducing in a systematic way, especially in the early stages of the lifecycle.
Improving Risk Identification and Capture
Very few project teams have comprehensive risk management plans, or a clear definition of the risks that face their projects. This is partly cultural, partly ‘mechanical’; both of which can be addressed.
Improving the management of risk involves improving the ability to identify risks early, via productive methods linked to the project’s strategic decision-making lifecycle, along with effective methods of presenting and using the data.
Many risk registers hold poor quality, partially completed or very limited data. Often this results in a poor understanding of risk and little attention being dedicated to its management. It also makes the data of little use to others (e.g. stakeholders), and can foster a false sense of security relating to the delivery of any project.
It is imperative to employ innovative and effective methods to:
- significantly improve the identification of risk and the capture and presentation of risk data
- integrate risk management into all aspects of the definition of the project, and
- improve the quality of information substantially and its communication across the project team.
Project Risk Assessment: Improving the Understanding of your Risks
In all the literature on risk, much has been written on modeling its impact using statistical methods. This is partly because driven by too much ‘process’, and has its place and value when major project decisions are being taken, however, many senior managers rightly believe that far greater benefit is achieved by ensuring that mitigation activities are carried out with discipline in a timely manner (relative to the schedule) on projects.
As a minimum, all risks should be assessed to decide:
- the probability of its occurrence (against a relatively simple scale expressing the likelihood of occurrence, e.g. low / medium or high)
- the impact of the risk should it occur (again either in simple overall terms, or perhaps impact on schedule, budget or quality)
When presenting risk data to stakeholders and decision makers it is often very productive to include its impact, especially when engaged in decision making around committing to mitigation strategies or fall-back plans.
(click the above to enlarge)
Improving the Management of Resulting Actions
The strategies and actions to manage risks that pose a significant threat to a project must be built into the baseline project plan, as early as possible. Mitigation actions should never be treated outside the mainstream project management processes, yet in most projects today, this is exactly how it occurs.
Teams need to understand the difference between mitigation and contingency planning, and when each needs to be applied:
- Mitigation strategies are proactive actions that reduce either: a) the probability of a risk occurring or b) the impact of the risk if it still does.
- Fall back (also called contingency) plans are the alternative plans that may be executed if the risk occurs.
Moreover, teams also need to know how to integrate risk management data with the mainstream technical, management and performance measurement processes (e.g. Earned Value Management).
Once a project starts to approach the task in this way, risk management can turn into a controlled, productive process that systematically reduces project risk, thereby enabling projects to minimise its occurrence and impact.
Managing the Overall Process
As with any process, project risk management must itself be controlled. There should be periodic reviews and events scheduled into the mainstream project plan to address risk. These reviews must be managed with enormous discipline, as they are not brainstorming or analysis sessions – they should review the status of risk mitigation strategies, and assign actions as appropriate.
In addition, there are simple but very powerful metrics that can be employed, at the project and business levels, to monitor the application of the risk management process and the status of health of projects.
Let’s not calll ‘Opportunity’ Risk – it makes no sense to people
While projects need to manage risks, they will similarly have opportunities, which in many ways are the exact opposite of risk. Some bodies and associations now promote the same core process for managing both together, where opportunities have a positive impact on the project. There can be some merits to this, perhaps the most important of which is to raise the focus on opportunity management and to offer a realistic balance to the overall picture during significant project decisions.
However, the recent trend in some project management methods to classify opportunities as “positive risk”, leads to a serious question on language and terminology, as the dictionary definition and common expectation of people is always that risk revolves around “danger”. Picture this: we would never say “if I walk around outside in a storm there is an opportunity I might be struck by lightening!”.
Classifying opportunities as risk can be very confusing – which is not good and makes little sense from a communication perspective. When it comes to working in teams, communication is crucially important. It may be very neat for process folks to do this, but it does not help the understanding of this topic, which is one of the more challenging topics to describe clearly and hence successfully. Food for thought. We never forget opportunities but we differentiate opportunities from risk. Simple. We like simple too.
(Note: 2013: the latest version of PMI’s BoK contains a reference to moving away from classifying opportunities as risk, for this reason)
- Email today to find out more on how we can help you with this important topic.