Improving Project Risk Management
It is a fact, not just a saying that all projects carry risk. However, few organisations are able to demonstrate the application of disciplined risk assessment of their projects. This can be a major constraint to the success of any project - or even worse.
Improving the application of project risk management involves two main objectives:
(Context: for the purposes of this discussion, the term project refers to one of significant size, complexity and/ or challenge.)
All projects carry risk, i.e. uncertainty. The most obvious examples of sources come from:
At the start of projects, the potential impact of risk (in cost and / or schedule terms) is almost unlimited. The real choice is either to dedicate proper and timely attention to understanding and managing risk, or suffer its consequences (impacts) downstream. Historically though, organisations have not always been proactive at managing project risk at all - it is even common to hear project managers say things like: "I've not had time to to look at it as I'm too busy developing the project plan".
On larger projects, there are few areas where a disciplined project manager can have a greater positive impact on delivery, than the area of risk.
From a corporate perspective, all key projects should be challenged (through governance) to demonstrate a disciplined approach to its management and that their exposure to risk is reducing in a systematic way, especially in the early stages of the lifecycle.
Very few project teams have comprehensive risk management plans, or a clear definition of the risks that face their projects. This is partly cultural, partly ‘mechanical'; both of which can be addressed.
Improving the management of risk involves improving the ability to identify risks early, via productive methods linked to the project's strategic decision-making lifecycle, along with effective methods of presenting and using the data.
Many risk registers hold poor quality, partially completed or very limited data. Often this results in a poor understanding of risk and little attention being dedicated to its management. It also makes the data of little use to others (e.g. stakeholders), and can foster a false sense of security relating to the delivery of any project.
It is imperative to employ innovative and effective methods to:
In all the literature on risk, much has been written on modeling its impact using statistical methods. This is partly because driven by too much 'process', and has its place and value when major project decisions are being taken, however, many senior managers rightly believe that far greater benefit is achieved by ensuring that mitigation activities are carried out with discipline in a timely manner (relative to the schedule) on projects.
As a minimum, all risks should be assessed to decide:
When presenting risk data to stakeholders and decision makers it is often very productive to include its impact, especially when engaged in decision making around committing to mitigation strategies or fall-back plans.
The strategies and actions to manage risks that pose a significant threat to a project must be built into the baseline project plan, as early as possible. Mitigation actions should never be treated outside the mainstream project management processes, yet in most projects today, this is exactly how it occurs.
Teams need to understand the difference between mitigation and contingency planning, and when each needs to be applied:
Moreover, teams also need to know how to integrate risk management data with the mainstream technical, management and performance measurement processes (e.g. Earned Value Management).
Once a project starts to approach the task in this way, risk management can turn into a controlled, productive process that systematically reduces project risk, thereby enabling projects to minimise its occurrence and impact.
As with any process, project risk management must itself be controlled. There should be periodic reviews and events scheduled into the mainstream project plan to address risk. These reviews must be managed with enormous discipline, as they are not brainstorming or analysis sessions - they should review the status of risk mitigation strategies, and assign actions as appropriate.
In addition, there are simple but very powerful metrics that can be employed, at the project and business levels, to monitor the application of the risk management process and the status of health of projects.
While projects need to manage risks, they will similarly have opportunities, which in many ways are the exact opposite of risk. Some bodies and associations now promote the same core process for managing both together, where opportunities have a positive impact on the project. There can be some merits to this, perhaps the most important of which is to raise the focus on opportunity management and to offer a realistic balance to the overall picture during significant project decisions.
However, the recent trend in some project management methods to classify opportunities as "positive risk", leads to a serious question on language and terminology, as the dictionary definition and common expectation of people is always that risk revolves around "danger". Picture this: we would never say "if I walk along the cliff top in heavy fog there is an opportunity I might fall off!". Classifying opportunities as risk can be very confusing - which is not good. Therefore, it makes little sense from a communication or language perspective, and when it comes to working in teams, communication is crucially important. It may be very neat for process folks, but it does not help with communication and understanding of this topic, which is one of the more challenging topics to describe clearly and hence successfully. Food for thought. We never forget opportunities but we differentiate opportunities from risk. Simple. We like simple too.
(Note: 2013: the latest version of PMI's BoK contains a reference to moving away from classifying opportunities as risk, for this reason)
PMIS Consulting Limited
The Oxford Science Park
Oxford, OX4 4GA
Tel : +44 (0)1865 784040
Fax: +44 (0)870 7598477