This post is the second part of a 2-part part on project risk management. Part 1 provided an introduction to project risk management and an overview of how it can help project managers better manage the uncertainties on their project. Uncertainties can include both negative risks (threats) and positive risks (opportunities). We did mention that the official name is risk management, covering both threats and opportunities. However, in my experience, the discussion is more rich and powerful is we discuss uncertainties management.
But it is what it is. And in PMBOK, project risk management is the official title.
In the second part of two posts on the subject, we will review each of the process included in the project risk management process (as defined in PMBOK, 5th edition). Let’s start.
Project Risk Management Processes
The first step in project risk management is to identify risks. Most book will say that the goal here is to develop a list of potential risks. While this remains true, I would suggest that he key benefit of identifying risks is awareness.
As I said in part 1, the most important part of risk management is the dialogue. It is very important to create an open and honest work environment in which risks can be discussed. Too often, I have seen management lead in such a way that punishes risk discussions, with blaming the employees if risk are not contained or eliminated. As an aside, that approach will also kill opportunities. Let’s not go there, as project managers.
It is important to do an honest compilation of risks, and how they can impact the project. This awareness and knowledge is the foundation to properly manage risk during the project. It is best to encourage all team members to participate in the identification of project risks.
Key documents to consider during this activity include:
- scope baseline
- activity cost estimates
- activity duration estimates
- stakeholder register
The activity identify risks will create the first version of the risk register. The risk register is the document in which the results of risk analysis and risk response planning are recorded. It is very important to understand that identify risks is not only done in the planning phase of the project. It is an iterative process. Risks may disappear, new risks may be identified. In all cases, it is important to review and update the risk register periodically, at appropriate intervals for the size and complexity of the project. I would note that discussing and monitoring risks should be an ongoing activity. Too often, I see people trying to convert risk management to an exercise of filling forms and templates.
It is important to look at project assumptions in the identification of risks. They can be an important source of blind spots, and a huge cause of risks. Also, activities with a wide range of potential cost or duration should be considered as potential risks.
Also make sure you have the appropriate discussion with key stakeholders to understand their requirements and view of risks. Otherwise, the project could become very difficult and frustrating to manage.
Finally, if the project has a huge procurement component, with complex requirements, this will also bring risks to the project that should be appropriately managed.
These are important elements to consider, but keep your eyes and ears open. I will say it again. Risk management cannot and should not be reduced to a simple checklist exercise.
Perform qualitative risk analysis
This activity will prioritize risks and assess the probability and impact of occurrence. It is the beginning of the process to further manage the identified risks and increase the probability of success of the project. Again, the analysis is not only performed at the beginning of the project, during the planning phase. It is performed regularly throughout the project.
Key documents used to perform the qualitative risk analysis include the scope baseline and risk register. Projects created to implement a product or services well-defined will usually have more well-understood risks. Design projects, including creativity and innovation to design something new and transform something will require more attention to risk management.
On Design projects
Another element of risk to careful watch is the quality of the data available. Making management decision, even on risk management, based on low-quality data can be… very risky. I love data analytics, but don’t fall in the trap of believing that anything Excel can compute is high quality and reliable.
The risk register is updated at the end of this activity. The update will include the assessments of probability and impacts, risk ranking, risk categorization and the risks kept on the watch list. Don’t forget the watch list, they may become important later.
Perform quantitative risk analysis
After risk are identified and prioritized, they will be analyzed to provide a numerical value of their impact on the project. This step is mostly used to assess the overall impact of risks (negative and positive, or I prefer to say uncertainties, on the project. It should also be repeated as often and frequently as needed, based on the size and complexity of the project.
If you like maths and statistical model, like Monte-Carlo simulation, this activity will be interesting to do. If you like dollar amount, this activity will also try to put an estimated dollar value on each risk.
Key output of this activity will include the prioritized list of quantified risks.
I would note here that it is important to know what these quantified values mean and do not mean. It is often misunderstood. This would require a post on its own. For the moment, I would definitely suggest reading the book Black Swan, written by Nassim Taleb.
Plan risk responses
After all these analysis, it is now time to develop options to enhance opportunities and reduce threats to project objectives. Project plans and documents will be updated accordingly, based on the decision taken here. A new schedule may need to be approved, new resources may be required, budget may be needed to buy insurance, etc.
Risk response should be appropriate. They should be aligned with the complexity of the project and their cost-benefit. It is not the best approach to try to eliminate or transfer all risks. Sometimes, proper monitoring of the project will be sufficient and the best approach. Again, it is building a culture of open dialogue on risk (threats and opportunities) that is the most important thing to accomplish. If you think about it, if you are doing risk management to eliminate all risks, you are actually not managing uncertainties. You are pretending that the world can be perfectly planned, and that is a fantasy. A leader must learn to manage uncertainties.
Strategies for negative risks include:
- Avoid: eliminate the threat completely. The ultimate avoidance is… not doing the project. Avoid all risks will also results in taking no opportunity. It is impossible to be successful without taking some risks in life.
- Transfer: transferring the risk to a third party. Examples can include insurance and options. It should be noted that this strategy also has the risk of the third-party not being able to deliver the risk response if required.
- Mitigate: reducing the probability or impact using various approaches. Of course, it is important to consider the cost-benefit of these solutions.
- Accept: as long as it is done consciously through an appropriate dialogue and analysis, acceptance of the risk is a potential solution. Actions can be taken later if the risk materialize.
Strategies for positive risks include:
- Exploit: As opportunities appear, you are quick even and strategic enough to react and benefit from them?
- Enhance: Is it possible to do something to increase the odds of opportunities? Sometimes you can modify the project plan to enhance opportunities.
- Share: If it is a capacity issue, doing a partnership with others may be a way to exploit the opportunity.
- Accept: simply monitoring the project and reacting if opportunities arise.
As needed, many project documents may be updated at the end of this activity. Among others, the project scope baseline, schedule baseline and cost baseline may need to be updated, to reflect the various risk responses. Change requests may need to be issued to update these documents.
I think I have said it often enough by now. Risk management is not just completing some checklists and templates during the planning of the project. It is important to create a work environment that support ongoing risk management. I repeat because I have seen this problem much too often.
Controlling risks is an important monitoring activity. The risk register is a key input to this activity. Risk responses are included in the risk register. They are implemented during the project execution. It is important to moniter risk events, the effectiveness of the risk responses, and adjust if needed. It is also important to monitor the projects for new risks and identified risks that are now obsolete.
Project information such as deliverable status, schedule progress and costs incurred, should be monitored to identify risk events and required decision.
The intensity of the effort to control risks should of course be adapted to the size and complexity of the project. In project management, there is no perfect solution good for all projects.
The objective of risk management should be to enhance the success of the project, minimizing threats and maximizing opportunities. Too often, it is viewed as an intellectual exercise of completing forms, templates and documents in the planning phase of a project. Effective risk management starts with the tone of the leadership of the project.
Michel Dion, PMP, CPA
Founder and Developer of Project-Aria
Discover my book:
Leadership Toolbox for Project Managers: Achieve Better Results in a Dynamic World