The novice project manager might be worried to learn that her project contains risk. Surely risk is “A Bad Thing,” and it would be better if her project had none? But her more experienced colleague would explain that there are at least three reasons why this is not the right approach, and would encourage her to recognize and manage risk proactively as part of routine project management.
- The first reason to not fear risk is that all projects are inherently risky. Projects are all about managed change, creating deliverables within a set of constraints, in an environment which is subject to both internal and external uncertainties. Projects exist to take risk in a controlled way, since risk is related directly to reward: the more risk the organization is prepared to take with its projects, the greater benefits it can reap; but the organization which plays it too safe will reduce its potential for gain.
- The second reason is that some risks can be helpful. Risk can be defined as “Any uncertainty which, if it happens, would affect one or more project objectives.” This definition includes the possibility of upside risk, i.e. uncertainties that might help the project if they occurred. Such opportunities are as much a part of project risk as downside threats. Project managers are increasingly recognizing that opportunities need proactive management as much as threats do.
- Thirdly, risk in projects should not be feared because most of it can be managed. While there are some uncertainties that lie outside the control of the project manager, many project risks can be tackled effectively, resulting in reduced threats and increased opportunities.
- For all of these reasons, it is important for every project manager to adopt a structured approach to risk management as an integral part of managing the project. Our novice project manager might fear this would add to the already high workload of project management. But risk management can be conducted at different levels of detail, with a “lite process” for simple projects, and a more in-depth approach for complex projects. All levels of risk process should follow the same basic steps:
- First is a definition phase, ensuring that project objectives are agreed and understood by all stakeholders, and determining the level of detail required for the risk process, driven by the riskiness and strategic importance of the project.
- After definition is risk identification, using techniques such as brainstorms, workshops, checklists, prompt lists, interviews, questionnaires etc. Here, care is needed to distinguish between risks and related non-risks (e.g. problems, issues, causes, effects, etc.).
- The significance of identified risks needs to be assessed, prioritizing key risks for further attention and action. Assessment can be qualitative (describing characteristics of each risk in sufficient detail to allow them to be understood), or quantitative (using mathematical models to simulate the effect of risks on project outcomes).
- Next comes response planning, when strategies and actions are determined to deal with risks in a way that is appropriate, achievable and affordable. Each action should be agreed with project stakeholders, and allocated to an owner, then its effectiveness should be assessed.
- Planning must lead to action, so it is important to implement planned actions, monitor effectiveness, and report results to stakeholders. During this phase, risk exposure is actually modified on the project as a result of taking suitable action.
- Any risk process must include review and update. Risk is always changing on a project, so the process must be iterative, regularly reviewing risk exposure, identifying and assessing new risks, and ensuring appropriate responses.
- Finally, we need to close the risk process with a lessons-to-be-learned review when the project ends. We need to avoid making the same mistakes in the future, allowing previously-identified threats to turn into problems, or missing the benefits available from opportunities that we’ve seen before. Risk checklists should be updated with generic risks that might affect future similar projects. We can also record those risk responses that were particularly effective, as well as the ones that didn’t work as expected.
Having understood the risk process, the novice project manager might be tempted to relax, trusting in the “Three Ts”: Tools, Techniques and Training. Though these are important, they are not enough to ensure effective risk management. Other critical success factors will determine whether the risk process succeeds, including risk culture, people aspects, infrastructure, and integration.
- “Culture” describes the shared beliefs, values and knowledge of a group of people with a common purpose. It has both an individual and a corporate component. Effective risk management requires a supportive risk culture. The risk attitudes of individual stakeholders on a project must be understood and managed, and the organization’s overall approach to risk must be appropriate.
- People aspects also need attention, since risk management is not performed by robots. Humans perform all the essential steps in the risk process, including identifying and prioritizing risks, proposing appropriate responses, and implementing agreed actions. These all require human judgment and are affected by preconceptions and unconscious bias.
- Risk management is not “one size fits all.” Different organizations may implement it in varying levels of detail, depending on the type of risk challenge they face. Having chosen a preferred implementation level, the organization then needs to provide the necessary supporting infrastructure so that the risk process can deliver the expected benefits.
- Integration is also important, ensuring that risk management is not viewed as an optional extra for special projects only. Since all projects are risky, all require active risk management. The risk process should be an integral part of the project management approach, involving the whole project team rather than risk specialists.
Risk management is a key contributor to project success and an essential element of professional project management. It is a vital part of the toolkit for novice and experienced project managers alike, offering a structured process to deal with uncertainties that might affect objectives either positively or negatively. Done properly, it is one of the most important things a project manager can do!