Project Risk Management: a practical guide
Most people agree that all projects carry risk (uncertainty). However, few organisations can demonstrate the application of disciplined risk management on their projects. This can be a major constraint on the success of any project.
This article shows how you can improve project risk management, through two main things:
- improving the ability to identify risk, when there is still time in the project life-cycle to mitigate it, and
- embedding the management of risk into the mainstream of delivering projects.
The nature of Projects is all about risk
All projects carry risk. The most obvious examples come from:
- dependencies (internal or external)
- assumptions made by team members (in relation to any aspect of the project).
At the start of projects, the potential impact of risk (in cost and/or schedule terms) is almost unlimited. The real choice is either to commit timely attention to identifying and managing risk or potentially suffer its consequence (impact) downstream.
Historically, most organisations have not been active in managing project risk at all. It is even common to hear project managers say: “I’ve not had time to look at risk as I’m too busy developing the project plan”.
On larger projects, there are few areas where a disciplined project manager can have a greater positive impact on delivery, than having a dedicated approach to managing risk.
From a company perspective, all key projects should be challenged (through governance) to demonstrate a disciplined approach to reducing the exposure to risk in a systematic way. Especially in the early stages of the life-cycle.
Improving risk identification and capture – how to do the hardest part
Very few project teams have extensive risk management plans, or even a clear definition of the specific risks that face their projects. This is partly cultural, partly ‘mechanical’. Both can be addressed.
Many risk registers hold poor quality, partially completed, or very limited data. This results in a poor understanding of risk and little attention to its management. It also makes risk data of little use to other stakeholders and can foster a false sense of security about the delivery of any project.
Improving the management of risk involves improving the ability to identify risks early, using productive methods linked to the project’s strategic decision-making life-cycle, along with effective methods of presenting and using risk data.
It is imperative to employ innovative and effective methods to:
- significantly improve the identification of risk and the capture and presentation of risk data;
- integrate risk management into all decisions within the definition of the project; and
- improve the quality of information substantially and its communication across the project team.
Project Risk Assessment: Improving the understanding of your risks
In all the literature on risk, much has been written on modelling its impact using statistical methods. This has its place especially when major project decisions are being taken. However, many senior managers rightly believe that far greater benefit is achieved by ensuring that mitigation activities are carried out in a disciplined and timely manner.
As a minimum, all risks should be assessed to decide:
- the probability of its occurrence (against a scale expressing the likelihood of occurrence, e.g. low/medium or high);
- the impact of the risk should it occur (again either in simple overall terms, or perhaps impact on schedule, budget, or quality).
When presenting risks to stakeholders and decision-makers it is very productive to include their impact. Especially when committing to mitigation strategies or fall-back plans.
(click the above to enlarge)
Improving the Management of Risk – there is no risk that cannot be influenced in some way.
Even when the risk is outside the control of the core team, they can still mitigate its impact. The strategies and actions to mitigate risks that pose a significant threat to a project must be built into the baseline project plan, as early as possible. Mitigation actions should not be treated outside the mainstream project management processes. Yet in most projects today, this is exactly how it occurs.
Teams need to understand the difference between mitigation and contingency planning, and when each needs to be applied:
- mitigation strategies are proactive actions that reduce either: a) the probability of a risk occurring or b) the impact of the risk if it still does;
- fall back (also called contingency) plans are the alternative plans that may be needed if the risk occurs.
Teams also need to know how to integrate risk management data with the mainstream technical, management and performance measurement processes (e.g. Earned Value Management).
Once a project starts to approach this task in this way, risk management can turn into a controlled, productive process that systematically reduces project risk. Thereby enabling projects to minimise its occurrence and impact.
Managing the Overall Process
Project risk management must itself be controlled, as with any process. There should be periodic reviews and events scheduled into the mainstream project plan to address risk. They are not brainstorming or analysis sessions and must be managed with great discipline. The sessions should review the result of risk mitigation strategies, and assign new actions as appropriate.
In addition, there are simple but very powerful metrics that can be employed, at the project and business levels, to monitor the application of the risk management process and the status of the health of projects.
Let’s not call ‘Opportunity’ Risk – it just makes no sense to people
While projects need to manage risks, they will similarly have opportunities, which in many ways are the exact opposite of risk. Some bodies and associations now promote the same core process for managing both together, where opportunities have a positive impact on the project. There can be some merits to this, perhaps the most important of which is to raise the focus on opportunity management and to offer a realistic balance to the overall picture during significant project decisions.
However, the recent trend in some project management methods to classify opportunities as “positive risk”, leads to serious confusion.
The dictionary definition and common expectation of people is always that risk revolves around “danger”. Picture this: we would never say “if I walk around outside in a severe storm there is an opportunity I might be struck by lightening!”.
Classifying opportunities as risk is very confusing and makes no sense from a communication perspective. When it comes to working in teams, communication is crucially important. It may be very neat for process folks to do this, but it does not help the understanding of this topic, which is one of the more challenging topics to describe clearly and hence successfully. Food for thought. We never forget opportunities but we differentiate opportunities from risk. Simple. We like simple too.
(Note: 2013: the latest version of PMI’s BoK contains a reference to moving away from classifying opportunities as risk, for this reason)