Project Risk Management: a practical guide
Most people agree that all projects carry risk (uncertainty). However, few organisations can demonstrate the application of disciplined risk management on their projects. This can be a major constraint on the success of any project.
This article shows how you can improve project risk management, through two main things:
- improving the ability to identify risk, when there is still time in the project life-cycle to mitigate it, and
- embedding the management of risk into the mainstream of delivering projects.
The nature of Projects is all about risk
All projects carry risk. The most obvious examples come from:
- dependencies (internal or external)
- assumptions made by team members (in relation to any aspect of the project).
At the start of projects, the potential impact of risk (in cost and/or schedule terms) is almost unlimited. The real choice is either to dedicate timely attention to identifying and managing risk, or potentially suffer its maximum consequence (impact) downstream. Historically, most organisations have not been proactive at managing project risk at all. It is even common to hear project managers say: “I’ve not had time to to look at it as I’m too busy developing the project plan”.
On larger projects, there are few areas where a disciplined project manager can have a greater positive impact on delivery, than having a disciplined approach to managing risk.
From a corporate perspective, all key projects should be challenged (through governance) to demonstrate a disciplined approach to its management and that exposure to risk is reducing in a systematic way, especially in the early stages of the life-cycle.
Improving risk identification and capture – how to do the hardest part
Very few project teams have comprehensive risk management plans, or even a clear definition of the specific risks that face their projects. This is partly cultural, partly ‘mechanical’; both of which can be addressed.
Many risk registers hold poor quality, partially completed or very limited data. Often this results in a poor understanding of risk and little attention being dedicated to its management. It also makes the data of little use to others (e.g. stakeholders), and can foster a false sense of security relating to the delivery of any project.
Improving the management of risk involves improving the ability to identify risks early, using productive methods linked to the project’s strategic decision-making life-cycle, along with effective methods of presenting and using the data.
It is imperative to employ innovative and effective methods to:
- significantly improve the identification of risk and the capture and presentation of risk data;
- integrate risk management into all aspects of the definition of the project; and
- improve the quality of information substantially and its communication across the project team.
Project Risk Assessment: Improving the understanding of your risks
In all the literature on risk, much has been written on modelling its impact using statistical methods. This has its place especially when major project decisions are being taken, however, many senior managers rightly believe that far greater benefit is achieved by ensuring that mitigation activities are carried out with discipline and in a timely manner.
As a minimum, all risks should be assessed to decide:
- the probability of its occurrence (against a scale expressing the likelihood of occurrence, e.g. low / medium or high);
- the impact of the risk should it occur (again either in simple overall terms, or perhaps impact on schedule, budget or quality).
When presenting risks to stakeholders and decision makers it is very productive to include their impacts, especially when committing to mitigation strategies or fall-back plans.
(click the above to enlarge)
Improving the Management of Risk – there is no risk that cannot be influenced in some way.
Even when the risk is outside the control of the core team, they can still limit its impact. The strategies and actions to manage risks that pose a significant threat to a project must be built into the baseline project plan, as early as possible. Mitigation actions should never be treated outside the mainstream project management processes, yet in most projects today, this is exactly how it occurs.
Teams need to understand the difference between mitigation and contingency planning, and when each needs to be applied:
- mitigation strategies are proactive actions that reduce either: a) the probability of a risk occurring or b) the impact of the risk if it still does;
- fall back (also called contingency) plans are the alternative plans that may be executed if the risk occurs.
Moreover, teams also need to know how to integrate risk management data with the mainstream technical, management and performance measurement processes (e.g. Earned Value Management).
Once a project starts to approach the task in this way, risk management can turn into a controlled, productive process that systematically reduces project risk, thereby enabling projects to minimise its occurrence and impact.
Managing the Overall Process
As with any process, project risk management must itself be controlled. There should be periodic reviews and events scheduled into the mainstream project plan to address risk. These reviews must be managed with enormous discipline, as they are not brainstorming or analysis sessions – they should review the success of risk mitigation strategies, and assign new actions as appropriate.
In addition, there are simple but very powerful metrics that can be employed, at the project and business levels, to monitor the application of the risk management process and the status of health of projects.
Let’s not call ‘Opportunity’ Risk – because it makes no sense to people
While projects need to manage risks, they will similarly have opportunities, which in many ways are the exact opposite of risk. Some bodies and associations now promote the same core process for managing both together, where opportunities have a positive impact on the project. There can be some merits to this, perhaps the most important of which is to raise the focus on opportunity management and to offer a realistic balance to the overall picture during significant project decisions.
However, the recent trend in some project management methods to classify opportunities as “positive risk”, leads to a serious question on language and terminology, as the dictionary definition and common expectation of people is always that risk revolves around “danger”. Picture this: we would never say “if I walk around outside in a storm there is an opportunity I might be struck by lightening!”.
Classifying opportunities as risk is very confusing and makes no sense from a communication perspective. When it comes to working in teams, communication is crucially important. It may be very neat for process folks to do this, but it does not help the understanding of this topic, which is one of the more challenging topics to describe clearly and hence successfully. Food for thought. We never forget opportunities but we differentiate opportunities from risk. Simple. We like simple too.
(Note: 2013: the latest version of PMI’s BoK contains a reference to moving away from classifying opportunities as risk, for this reason)