How to Build a Robust Project Risk Culture [8 Steps]

A robust risk culture goes beyond having a strong basic risk management process. But the rewards for the extra work you’ll put in to build that culture are huge. Particularly for large, complex, or strategically important projects.

Some of my readers may hope to influence the risk culture of their whole organization. But, for many, I suspect this may be too great an ambition. For you, the right aspiration is to build a positive risk culture within your project. As a Project Manager, that’s entirely within your scope.

So, some readers will draw information related to this badge…
But explicitly, we’re going to focus on how your project that can create and impose risk management discipline on a blank project canvas.

But these ideas scale. And the process for creating a robust risk management culture within your project can apply equally if you get a chance to influence your wider organization.

What is Risk Culture?

Risk culture is a shared set of processes, knowledge, attitudes, beliefs and values about how to deal with risk. If your team has a common purpose and approaches risk in a consistent way, which reflects that purpose, that will protect your project and make it more secure.

So, what does ‘good’ look like?

How to Build a Robust Project Risk Culture

For your risk culture to work well, three things need to come into alignment:

1. Attitudes and Ethics
   You, your Project Sponsor, and your Project Board need to set the right tone from the top of your project organization. And that needs to be reflected by a sense of responsibility for risk throughout your project. Team members need to be constantly aware of risk, and share a common attitude to it. You need to be sure that this is consistent with the attitude your stakeholders will take to project risks.
2. Behaviors and Practices
   You and your team need to do as well as think about risk. To make this work, you need a solid set of risk awareness and management processes. These need to work smoothly and be an integral part of how your project does things, rather than just an add-on to other processes. Information about risks needs to flow, and people need to deal with it quickly and consistently.
3. Rewards and Recognition
   You need to back up attitudes and processes with recognition and reward for people who do things right. Accountability is vital, but people will only accept it if they know that, by doing so, they will gain endorsement for their behavior. This is especially so if you set out to build a ‘whistle-blower’ procedure to bring to the surface any failing. Whistle-blowers must enjoy protection and support.

With these components in place, your project can be confident of making informed decisions, and understanding the risks it takes.

What are the Benefits of a Robust Risk Culture?

A project is a temporary endeavor. So why would you go to the extra trouble creating an infrastructure?

Every project will have a culture, whether you craft it or not. Part of the project leadership role is to decide what culture will serve you best, and to work at creating it. It isn’t extra work to create a culture: it’s extra work to create a worthwhile one.

And there are plenty of benefits you can gain by embedding risk management into your day-to-day project practices. These work together to have an increasing effect on the overall health and performance of your project.

Systems and Procedures

When you build risk management into your culture, you will reduce the overhead of imposing risk management on each step. Your team will apply a consistent set processes, with standard tools and templates, automatically. And, for a longer project, you’ll be able to optimize these over time, to work efficiently. Ideally if you can provide your team with training, you will see greater consistency in how they apply your processes.

Records and History

One of the challenges of identifying and analyzing risk is to learn from the past. Placing risk management at the heart of your poject culture, you can build an archive of knowledge, to carry forward to future projects. You may or may not be able to start to embed this culture more widely in your organization, but you have a career. And you can carry this knowledge with you from project to project.

Patterns and trends may start to emerge, that you can use to optimize your risk planning and processes, and inform benchmarks and metrics. This will hep you improve your budget and schedule estimates, and therefore reduceover-runs.

Attitudes and Values

Prudent behavior is an obvious outcome of a more risk-aware culture. But prudence is just a filter applied to your decisions. The more powerful outcome will be better quality decision-making.

You get better decisions when they can draw upon more data, and a deeper understanding of the nature of risk and uncertainty. You will start to see more consistency in how your team evaluates scenarios, seeing risk as a core business and strategic issue, rather than a stand-alone project-only concern.

Probity and Control

Your biggest wins will come from better governance, with little or no extra cost and time overhead. Taking an evidence-based approach to planning, strategy-development, and policy-making will lead to more robust decisions, with conscious choices around risk profile. And when you apply risk methodologies in a consistent way, they will contribute to improved oversight and transparency around high-risk decisions.

How to Create a Robust Risk Culture in Your Project

As a Project Manager, you will almost certainly be thinking:

Okay, I buy it. I want a robust risk culture… What’s the plan?’

So let me give you a workplan, in the form of an outline Work Breakdown Structure.

Phase 1: Getting Started

1. Sponsorship
   1. Engage your project sponsor.
      The process must start with you, but without the support of your project sponsor, you run the risk of team members wondering how important it really is.
   2. Win top-tier commitment
      Your sponsor must win support across the top of your project’s governance structure, and among other senior people who need to be a part of your project process.
   3. Access resources and budget
      Commitment must be conspicuous to everyone, and backed up by funding and resources. Include your rsk culture in your project budget from the start.
2. Communication
   1. Communicate the imperative
      Start communicating the imperative for solid risk management, and your intent to build a robust culture, from early on.
   2. Stakeholder engagement
      As you would with any project, identify and analyze stakeholders in your plan to create a risk culture, and build a thorough communications plan.
   3. Reporting
      Create a reporting process to ensure your sponsor and project board can monitor and guide progress.

Phase 2: Build Your Assets

3. Team
   1. Team Enrolment
      When you bring on new people to work on the project, ideally find people who share your attitude to a strong risk culture. But, as a necessity, share your expectations with new team members as they join.
   2. Brief your team
      You want to create a common understanding of the culture you are creating, and the processes and behaviors that go with it. If necessary, provide training or other development opportunities
   3. Build depth of understanding
      Keep people up-to-date by sharing new thinking and good practices that emerge. Use lessons learned reviews and project meetings to fine-tune processes and behaviors.
4. Basics
   1. Create the basic process and basic supporting tools
      Adapt or create the tools, templates, and process that will implement the behaviors yu want.
   2. Make them ‘Good’
      Test and refine your tools, but do not aim for perfect.
   3. Share your processes and tools
      Get your process and toolset out into your wider organization. You may not aspire to change at that level, but by adopting a generous approach to sharing, you’ll create a somewhat more comfortable environment for your own project’s culture to sit within.

Phase 3: Demonstrate and Grow Value

5. Quick wins
   1. Create quick wins
      Look for opportunities to demonstrate the value of what you are doing.
   2. Communicate successes widely
      Ideal opportunities are formal project reports and presentations – particularly to senior executives in your organization.
   3. Engage champions
      Look for enthusiasts from among your team, who have seen success. And engage them to spread the word to your wider stakeholder community.
6. Learning and Development
   1. Evaluate early implementation or piloting of processes and tools
      Discover what works and what does not.
   2. Enhance your initial process and tools
      Develop the processes and tools, and supplement with more tools.
   3. Develop briefing and training materials.
      For a long project, you’ll need to brief and train new team members.

Extending the Risk Culture Beyond Your Project

If you do aspire to extend your Risk Culture beyond your project, then one way is to treat a successful project implenentation of risk culture as an organizational pilot.

7. Roll-out
   1. Training
      Create a training programme and schedule wider organizational staff to attend modules designed for their work.
   2. Communication
      Build an organization-wide communication plan, and maintain your communication process relentlessly.
   3. On-going support
      Set up mechanisms to support practitioners who are using your new processes and tools.
8. Embedding and Reviewing
   1. Assess progress periodically.
   2. Scan your business, political and competitive environment for changes that should inform regular reviews of your processes, tools, and decision criteria.
   3. Consolidate performance and reward successes.

The Assets You’ll Need for a Strong Project Risk Culture

In this final section, I want to briefly outline the asset set you’ll need to develop, to maintain your risk culture.

Policies

A risk culture needs underlying policies. But keep them as light-touch as you can. They need to reflect the nature of your project and the risks it faces. Think about factors like scale, complexity, value, consequences of success or failure.

Crucially, your policies should identify responsibilities at all levels. Everyone must share responsibility – that is the meaning of ‘culture’.  But who will take the lead on risk management, and review the processes, tools, and outcomes? And what about governance? How will risk be monitored at Sponsor or Project Board level?

Processes

Develop processes that meet the needs of your project and fit the priorities of your stakeholders. You will do better with a simple process that is used effectively than a comprehensive one that is soon abandoned or used infrequently. Document your processes clearly, and disseminate them widely. And keep them under periodic review.

Perhaps most important is the need to integrate your processes with supporting infrastructure like:

• tools
• templates
• contract forms
• technology
• reporting and escalation processes
• how you communicate with your organization and stakeholders,
• your other project and program management processes,
• your organizational process for knowledge management
• team-member training and induction.

Tool-set

Build a set of tools to meet your project’s needs, and follow the process you’ve created. The most fundamental risk tool will be a risk register. But, on larger projects, you will need more; all the way up to complex and costly enterprise-scale software products.

Capabilities

Set up training and learning programs to create a team of capable people who share a common understanding, language, and toolset. After training, create opportunities for everyone to use their new knowledge and develop their skills, judgment and awareness. Maintain their professional development by encouraging sharing of experiences and learning.

Incentives and Recognition

The old saying ‘what gets measured gets managed’ is true here. If you don’t monitor and gather data on risk management activities, then there will be little incentive for people to comply.

Likewise, if your sponsor and project board do not review what these data are telling them and act on what they learn, then poor performance will be tolerated. Use simple incentives like recognition and thanks. And, above all, ensure that people know what you expect of them and that this expectation is a part of how you will assess their performance on your project.

Implementation Imperatives

As with all change, establishing this culture needs commitment throughout your project, but especially from the top. This means that, once started, you must maintain your commitment to it.

And more than that, you need conspicuous support and endorsement from the governance structures and individuals that oversee your project. Lobby them hard.

As a project manager, risk management is in your blood. You are used to imposing its discipline on the uncertainty and pressures of a project environment. But here is your chance to do it well.

A Risk Culture can to achieve two things at the same time:

• to make your life easier by making important behaviors into the default, and
• to enhance your project’s performance and results.

Whilst this kind of culture-building is never easy, this is not a costly initiative, yet it offers a great return on effort. I urge you to consider it.

An earlier version of this article was published at ProjectManager.com in May 2016.