by Cheryl Wilson PMP, PMI-RMP, CCEP
In my series of Risk Management Maturity Concepts, I want to bring you through my experiences of implementing an effective risk program. Recently I worked with a client’s troubled project by putting a risk program into place. When I asked about what they already had in place and why they implemented it, they indicated: “I have a risk register with 5 columns with 12 risks.”
Using the ideas from my first article in this series, I told them, and I want to emphasize here, that the steps prior to even implementing the risk register are critical in providing the project manager with the tools necessary to achieve a successful risk program. Merely having a risk register is not enough and leaves the project vulnerable. You are more than likely to have missed information that you should be managing in your risk environment.
The section on “Inputs” to your risk environment will help ensure your project is ready for issues, contingency planning, government reporting requirements, audits, metrics, etc. These preparations are critical to your risk environment. They can guide you in deciding what is necessary in your risk register. Every project will be slightly different. You cannot manage every project in the same way.
Since your projects will normally progress through your defined project life cycle, it is critical to frequently reassess the risks, as the risk environment never remains static. Thus, the methods you use to identify your risks will change to address this dynamic landscape.
One of the first documents you will discuss and write for your project will be the Project Management Plan. Within this plan, the risk environment should be discussed in the Risk Management subsidiary plan. For projects that are complex, large or in trouble, I recommend that a separate Risk Management Plan be written and evolved on its own.
As the risk environment is an iterative, rolling-wave process, the following areas should be addressed in your risk management plan. Future articles will expand each section in more detail.
1. Identification of potential risks by utilizing risk tools and techniques. There are many tools and techniques to identify risk potentials, their root causes, triggers, etc. Whether your project team is in one location or virtual has an impact on how risk identification will happen. The project team needs to know how to identify a new risk and how to report the risks. They need to know to whom to report the risk, and the time sensitivity of such reporting.
One area projects have the most problems with is identifying the true risk and understanding the difference between the cause of the risk and the effect of the risk. Identifying the WRONG risk is in itself a risk to the project. If you are wondering why your project has a long list of risks, but no progress in mitigation of those risks, it is more than likely the wrong risks are stated!
2. Assessment of risks both quantitatively and qualitatively. In order to know the risk potentials that will have the most impact on the project, the project manager and the project team need to prioritize all risks. A common temptation is to skip the methods of quantitative risk assessment—where estimation of risk value is precisely calculated with numerical measures—and only concentrate on a few cheap and easy qualitative methods. Quantitative methods often provide a more accurate image of risk likelihoods and can be critical to the success of risk management and contingency planning. Today’s computers and software can reduce the effort of using quantitative risk analysis.
3. Prioritization of risks using impact analysis. Prioritization of the risks by assessing their potentially negative impact and the likelihood of occurrence is necessary to effectively utilize limited risk management resources. There are two common ways to do this. One way is to assess the risk’s impact and probability on a scale of 1 to 5, where 1 and 5 represent the minimum and maximum possible negative impact and, in similar fashion, the likelihood of risk occurrence. The other way is to assess these two variables in terms of low, medium, and high. Prioritizing your risks will enable your organization to focus on the most critical potentials first before tackling others.
4. Design and implementation of risk mitigation and contingency plans. After you have prioritized your risks, develop risk mitigation and contingency plans for the highest potential risks in order to manage, eliminate, or reduce their potential impacts to acceptable levels. Mitigation plans need to tie each risk to scope, time, cost, and quality while identifying mitigation strategies and contingency plan triggers. You also need to clearly define risk-related roles and responsibilities in terms of risk owners (the person responsible for ensuring appropriate mitigation strategies) and risk action owners (the people responsible for implementing the chosen strategies).
5. Management of the risk environment in order to reduce risk impacts. The last step is reviewing mitigation and contingency plans on a frequent basis to stay abreast of changing circumstances that may affect them. As noted above, it is a best practice to set a schedule for risk discussions, such as weekly for high risks, bi-weekly for medium risks, and monthly for low risks. Another best practice is bringing in internal or external risk auditors, such as quarterly, to evaluate the effectiveness of your risk management and contingency planning. Risk audits will often point out better ways of handling a specific risk so that you can change your mitigation strategy going forward.
In summary, being dynamic in identifying, assessing, and managing the risks confronting your projects is clearly a solid practice for improving project success rates. It is always better to mitigate a risk than attempt to survive an issue.