Risk is inherent in the nature of a project. So, that makes project risk management a central part of the project management toolset.
Don’t think of it as an add-on. Nor even as a discipline in its own right. Instead, it’s best to regard risk management as a thread that runs through the heart of project management.
I tend to agree with Tim Lister’s often re-quoted statement that:
‘Risk Management is Project Management for Grown-Ups’
What I take from this is that, when you understand how projects work, and can manage a basic project effectively, you will increasingly use project risk management as your primary framework for controlling your project.
The very first of my Project Management in Under 5 video series (still ongoing) addressed this very question…
Let’s remind ourselves of the definition of a project. To ring the changes, let’s take what is, perhaps, the simplest definition: the PMI’s:
A project is ‘a temporary endeavor undertaken to create a unique product, service or result.’
The fact that we are doing something unique – often new and innovative too – using a temporary organizational structure that probably consists of a group of people who have worked together before, introduces a lot of uncertainty. And uncertainty is the very nature of risk.
Risk is defined as:
‘Uncertainty that can affect outcomes’
For me, the term management suggests an active process that seeks to gain control over the uncertainty of risks, by following a simple process. In the video, we saw a four-step process:
This is not a one-off sequence of tasks that takes place somewhere suitable, within your project. It is a constant cycle that goes on throughout your project. That’s what Tim Lister means when he implies this is the way grown-ups manage projects.
There are some excellent books on project risk management. As an introductory text, that takes you beyond the single chapter you’ll find in most project management books, I can only really recommend my own: Risk Happens! (US|UK).
However, if you want to go deeper, there are others I’d recommend too – and you can browse them at our Project Management bookshop.
But our purpose here is to introduce you to the absolute essentials of project risk management. So let’s dive straight in.
Before you do anything else, you need to identify the risks to your project.
While some risks may be unforeseeable, many will be accessible to your team’s collective experience, instinct and imagination. Get the team together and make a long-list of everything that could go wrong.
To help you, we recommend our Indispensable Guide to the Sources of Project Risk. This article will introduce you to the types of project risk, and also get you started with spotting the risks on your project.
Two other articles that you could usefully read are:
Your long-list can quickly get very long indeed. So you need to prioritise your work in managing the risks. Three factors will typically have the largest influence on your priorities. The first two derive from the definition of a risk: ‘Uncertainty that can affect outcomes’.
How severe the impact would be, if the risk occurs. There are lots of ways to measure the impact, depending on what type of impact you anticipate, and what your priorities are for your project. At its simplest, this can just be a high, medium, low scale.
How likely you consider this risk to be. This is usually the a hardest element to estimate, because we rarely have good data on which to base our estimates. And, in the absence of a data-driven approach we need to rely on estimation and intuition. The problem is that most people are highly unsophisticated in our understanding of probabilities and statistics, and our intuitions frequently lead us astray. To avoid falling into the trap of believing our estimates are more robust than they are, keep your evaluation simple: a high, medium, low scale is often the best approach.
Impact and likelihood are implicit in the definition of risk.
A slightly more pedantic definition might be that ‘risk is uncertainty that can affect outcomes in the future’.
This introduces time into the definition. The third thing to consider in prioritizing a risk is its proximity. Is it likely to be a concern soon or much later? Once again a simple scale of soon, middle and far distance will often suffice.
Already, with just simple three point scales, you have 27 possible priority values.
Assuming you consider impact, likelihood and proximity to be equally important, you can get a numerical priority ranking by allocating scoes to the scales:
If you multiply the scores, you’ll get priority rankings from 1 to 64. That is more than adequate to prioritize effectively.
Please note, though, that this scoring approach is suitable for ranking and prioritization. It is not a sound quantitative approach for estimating the value of a risk, in an but the most approximate way.
When you run a project, you are spending someone else’s money or putting their reputation at hazard. So, it is imperative that you are accountable and can show that you are treating these risks seriously.
Build a Risk Register or Risk Log to record the risks you identify, how you assess them and, crucially, what you do about them. Your Risk register is a tool of governance, accountability and transparency on the one hand, and a management tool on the other. Throughout your project, you should be constantly referring to it, to assess how your risk profile is shifting, and what your next risk management action should be.
As you’d expect, there are risk register templates in all of our core project management course programs, as well as in our Project Management Templates Kit.
Towards the bottom of your priority scale, you may choose to do nothing about your risks.
But at the top of the scale, not only must you act, but you will need a basket of different strategies to deal with these highly dangerous threats. You will want to find ways to reduce both the likelihood and impact of the risk, and put in place measures to tackle the outcomes if the risk arises. For large risks, each will need its own management plan.
You’ll build your risk management plan out of six generic strategies:
Interestingly, the PMI has announced that the forthcoming (estimated September 2017) sixth edition of the Project Management Body of Knowledge (PMBoK®) will include a new risk strategy: risk reporting or escalation. I don’t see that as a strategy to manage the risk, just a tactical process step, if the management plan needs a higher level of expertise or authority.
One thing people often struggle with, is to find a suitable plan for a big risk. First of all, make your plan multi-pronged. But most important, many big risks aren’t risks at all. Take for example, a typical project risk on a typical project risk register:
‘The project is delayed’
That’s not a risk, it’s a possible outcome. The way to make progress is to ask, ‘what could happen to delay the project?’ There are doubtless many possible answers to this. Each one is a separate risk. And each of these separate risks will be best addressed by its own management plan.
There is one systematic failing of many inexperienced project managers. They often do an excellent piece of desk work on risk management. They file a thorough and elegant Risk Register, and then to move on to the next issue on their project. they somehow imagine that the risk will get to hear about their plan, and so not materialize.
You can never file risk management as ‘done’ while your project is running. Treat your risk register as a day-to-day tool and not as a part of your static documentation. Make sure every line on your risk register is allocated to a single named individual as a risk owner.
Have a regular cycle of reviewing your risks, speaking to the people who you have tasked to deal with them, and generating more action until the threat is reduced to an acceptable level. Periodically, get a team together to identify new risks.
But, above all, when you have a risk plan, work the plan. A set of actions is nothing if you don’t do them.Above all, when you have a #project #risk plan, work the plan. #PM Click To Tweet
This table lists some of the factors that will influence your decision about how to scale your risk management process.
Scale of project
Level of threat
Uncertainty of outcome
The next table lists some of the ways that you can adapt the fundamental process to the needs of your project and the environment within which you are pursuing it.
Investment in the process
Degree of formality
Level of detail
We’d love to hear what you consider to be the essentials of managing risks on projects, to give better project management. We’ll respond to every comment we receive.
Dr Mike Clayton is one of the most successful and in-demand project management trainers in the UK. He is author of 13 best-selling books, including four about project management. He is also a prolific blogger and contributor to ProjectManager.com and Project, the journal of the Association for Project Management. Between 1990 and 2002, Mike was a successful project manager, leading large project teams and delivering complex projects. In 2016, Mike launched OnlinePMCourses.
Please log in again. The login page will open in a new window. After logging in you can close it and return to this page.