Project Risk Management. When you hear those words, you imagine super serious process. Stakeholders are rolling up their eyes because they don’t want to hear about additional reserves. And fuck ups still happen.
You are not alone here. Risk management requires a considerable shift in the approach to the work. It stops many PMs from even trying.
There is a simple approach that works. I will describe it now in the form of a Project Risk Management Plan.
Table of Contents:
1. Considerations that Shape your Approach
A word of caution. It is basics. This approach is suitable as a first step from no Risk Management at all. There are many different approaches and methodologies. This one will work for small to medium projects.
However, don’t fall under the illusion that you need to implement a robust approach at once. It is challenging and requires changes in mindset and organisational environment.
Consider the following:
Why do Even You Need it?
Risk management is aimed at saving money, time, and nerves. It helps to improve chances for project success and avoid problems.
But there is a catch:
Risk management works well in a structured project management approach. It enhances processes that already work and provide predictable results.
Why do YOU need it?
Definitely, for the same reasons.
However, please consider whether you are at focusing on a right knowledge area. Entirely possible that you need to address other areas first. The real source of problems on your project may be inefficient project management in general.
If you are sure, let’s move on.
Experience of the Project Team
Project Team experience in Risk Management is the most crucial factor for success.
Risk Management is not one person show. It is not a task for a project manager. I doubt that even your huge personal experience in project management can compensate the team’s input.
Don’t try even to do it alone if your team is unaware of risk management approaches. Educating them will be a much more efficient investment of your time.
That is not all!
Maturity of the Performing Ogranisation
Risk management is process oriented. Best practices and experience of the organisation is a crucial factor as well.
Moreover, lessons learned and knowledge base of risk is a key input to Risks Management Process.
If your company doesn’t manage risks, be ready to explore all the hidden problems of your industry and environment you work in.
That is another vote for starting small.
How to Define Appropriate Efforts
Risk management activities require time and efforts of the whole team. Sometimes external stakeholders should be involved.
The more robust your methodology is, the more time it requires.
However, there is a limit where it is still efficient to spend resources to fight the known risks.
It is not for Free
Preventing risks is not free of charge. It doesn’t happen somewhere outside of a project. In fact, all risk management activities should be a part of project baselines.
How much money and time do your sponsors want to spend?
If the client and performing organisation are not mature in risk management, they will be affected by absence blindness. So, expect to have difficulties proving the efficiency of your actions.
2. Inputs to Your Risk Management Methodology
There is one trick.
You can save a lot of time and efforts on Risk Management if related activities become an integral part of other processes.
Here is how it works.
Option 1. You dedicate periods of time to identify risks at specific points in your workflow. Therefore, you will end up with several sessions where you will talk explicitly about risks and their attributes.
Option 2. You perform Risk Identification on the go. Creating Project Charter – log risk. Working on Work Breakdown Structure – think about assumptions, constraints and – log risks. Thinking about options – always consider risks and opportunities.
Option #1 is a good starting point. It works with teams that have a habit of buffering tasks rather than talking about risks.
Nevertheless, option #2 should be your goal. Each team member and each stakeholder should always consider risks.
Why does it matter?
When your team is more efficient in risk management activities, you will be able to cover more risks. As your capacity is limited, you need to very selective about the primary inputs to your risk management.
Here is the minimal list for consideration.
Do You Know the Expected Result?
On a high-level, everything boils down to a risk of not meeting stakeholders expectations.
This statement applies to any aspect of the project management.
An absolute cure here is Project Charter.
If you don’t have a charter on the project, you don’t really know what needs to be delivered and what objectives you need to achieve. In reality, it may mean that stakeholders don’t know what the acceptable result is.
As you know:
What’s the catch?
Expectations can dramatically change during the project without you knowing it.
Therefore, you may have no clear Expected Result and “open” scope. If that is the case, you may want to focus more on managing risks related to short-term expectations. You can elaborate on the end result in the progress.
If you do have a clear vision of the end product or service, it is more beneficial to focus on ensuring the final delivery and reaching key milestones.
So, as you can see the quality of project initiation plays a significant role in selecting the approach for the whole project.
The Whole PM Approach is an Input
In theory, each process and all artefacts of the project involve risks.
On practice, you have only a few real sources of severe risks.
Where do you need to focus?
- Environment and Organisational process. Your own company, people and processes they are involved in are a source of risks. At the very least they can delay you. At large they might try to impede your work.
- Project Management plan. Or it’s absence. Without one, you can never say whether you are progressing towards success or failure. Simply because you cannot measure against desired plan.
- Scope Baseline. How accurately is your scope defined? Do you even have clear requirements? Usually, it is the main source of all kinds of risks. If I were to choose one area, it would be scope management.
- Estimates of time and costs. Even with a clearly defined scope, you can have serious risks in the estimation process. Estimation process incorporates errors from other knowledge areas.
- Performance metrics. Do you have a plan how to measure against the estimates you created? Do you have thresholds clearly defined? Do you have a reporting system? Do you measure the right metrics?
- Stakeholder Register. Do you have a plan to define and control their expectations? There is no straightforward and universal process here. No tricks work the same with different people. Moreover, your personal judgement is involved. There is a lot of space for errors.
- Communications plan. Information on the project should also be integrated with other processes. For example, as a WBS can be used to ensure the common understanding of the deliverables. Do you have a plan how to avoid misunderstanding and wrong expectations?
What’s the hardest part?
Naming all possible sources of the risks is difficult. You can try to systemise, categorise and group them. However, it takes a lot of organisational experience. Knowledge of one PM is not enough.
I have a large list of risk categories, that can help you pinpoint some major problematic areas.
When Should it Happen?
Knowing the main sources of risks, you need to set up checkpoints where you will identify and analyse risk.
Here is a pro tip.
Risk Management is iterative. Some activities will happen several times until you get a realistic project plan. So, it is vital to elaborate on risk from a high to a more detailed level. You need to spend an adequate amount of time to the level of details and certainty of the project.
It means you should not spend too much time while you have initial drafts of the project plan. Most of the critical risks will be address early on during planning, and many others will disappear in the process.
Here is what’s really important:
You need to ensure that you don’t miss new risks. The ones that appear as the result of your risk management activities.
If you don’t know what to do at these checkpoints, take your time to review the Risk Management Framework.
3. Risk Management Plan Template
Why is it important to have a written Risk Management Plan?
At some point, you will need to prove the efficiency of your risk management activities.
How will you do that?
You can just state:
Here is my plan. I used the allocated budget of N man-days/dollars. Here is the list of risks that we were able to mitigate, avoid or workaround. That helped us to deliver the project/part of the project on the agreed milestones.
Simple, isn’t it?
Keep in mind that you spend resources to prevent problems before they appear. Therefore, if you are doing it well for an outside person, it may seem like everything just works. It is magic or luck when no serious problems happen.
In the end, why should we allocate budget for risks?
You need a short description of your risk management approach. It should summarise the activities, events, responsibilities and integration with the project management plan.
Keep it simple and short.
Roles and Responsibilities
At the very least answer the following questions:
- Who is responsible for the risk identification?
- Who is responsible and has authority to log risks into Risk Register?
- How can you find a responsible person for a specific risk?
- How and when should anyone report new risks?
- How and when should a responsible person report on the risks that occurred?
- Any specific rules that authorise usage of dedicated risks reserves.
What is the allocated budget of money and time for risks management activities and reserves?
Why do you need this?
It is a baseline. It will help you prove your efficiency. You will be able to compare resources you spent versus the costs of potential losses. Moreover, don’t forget that you can spend the budget to leverage the opportunities.
Even if you are doing most of the risk identification on the go, you will have some additional events.
- At some points, you may still want to devote more time to Risk Identification. For example, when you created a WBS, project schedule or budget.
- Also, you will have to stop, analyse, and shortlist the known risks.
- After that, you will need to identify Risk Response Plans for the selected risks.
- Don’t forget to plan some time to review Risk Register, check the efficiency of Risk Response Plans and Risk Management in general.
- As an option, you may want to consider developing an Emergency plan for serious problems.
Definition of Probability and Impact
Here you need to state the clear definitions of probability and impact levels.
The goal is to ensure that everyone on the project understands those values in the same way.
You can learn everything you need about probability and impact in a comprehensive article:
Reporting and Tracking
Here you need to define reporting formats for the risks. You may want to have separate reports for:
- New Risks
- Risks that happened
- Risks that did not happen
- Risk Response Report
You also need a uniform way to integrate risks responses into the project. They should relate to specific parts of the scope, milestones or objectives. Risk should not fly somewhere in the middle.
If someone identified a risk, the worst thing you can do is to forget to log it. Such risks backfire really hard.
4. Risk Management Action Plan
Below is the step-by-step action plan you can use to kickstart risk management on your project.
1. Create Risk Management Plan
First things first. Write out your Risk Management Plan. It’s not that difficult, but you need to plan before you act!
An important part of this process is to clearly define probability and impact levels.
2. Create Risk Register
Create a template that is aligned with what you described in the first point.
If you don’t know where to start, take a look at my article about the Risk Register. You can find a template there.
3. Explain the Methodology to the Project Team
It can be tricky with an inexperienced team.
Risk management tends to separate actual estimates of efforts and costs required to finish a task from all fears, uncertainty, and buffers.
People don’t like to show uncertainty, inefficiency or incompetence. Likewise, they don’t really like to expose others. It’s a conflict. No one likes conflicts.
That is why it is so important to send the right message.
3.1 How to Get the Buy-In From the Team
Explain what the benefits for them are!
What is the real story here?
Reduced level of stress.
Risk management helps to control the work with less tension. You have a commitment from a team member. He or she explained the related risks. Together you agreed to try to mitigate most critical ones.
Was it effective? Cool, you did a good job. Everyone’s happy.
Was it inefficient? Response plan did not help. Work this out together.
The manager is aware of the problem early on. There are management reserves for unforeseen risks. And it is a valid reason to use it.
Everyone will be aware of the new risk and the actions taken to resolve the issue. In most cases, everyone will be supportive.
3.2 No More Buffers, Only Specific Risks
Transparency is the key. You need to ensure that all buffers transform into risk responses, contingency or management reserves.
Only this way you can actually control the project work.
You need to know the exact amount of “buffer” for each task. Moreover, it is important to monitor whether the reserve was actually used or not. Was it even efficient?
3.3 Describe Responsibilities
You need to set two aspects of responsibility:
- General responsibility for following risk management plan.
- Responsibility for a specific risk.
You can not do risk management efficiently on your own. In theory, the whole organisation should keep the possibility of risk In mind. To say nothing of your project team.
That leads to next important point
3.4 Clear Expectations
You need to set clear expectations for each team role.
In most case, you will need to build a role hierarchy. All team members should actively participate in risk identification.
While team leads and senior experts should also:
- Develop response plans
- Monitor risk triggers
- Control response plans efficiency
- Escalated related problems
4. Identify Risks Continuously
Now it’s time to develop a habit of talking and thinking about risks.
Once you have a feeling that you understand the scope of work, you know what needs to be done, you are quite happy with estimates, ask these questions:
- What can go wrong?
- What will delay us?
- What if… and name all dependent activities.
- Can this part of the project impact the project management plan?
Don’t stop here, think of different scenarios and “what if” cases. If something bothers you or the team, put it into Risk Register.
As an additional source of ideas, check this list of risk categories.
5. Log all Risks into Risk Register
During planning, Risk Register should be close at hand. I prefer to have a bookmarked Google spreadsheet. Always accessible, easy to update rapidly.
6. Analyse and Shortlist Risks at Key Events
At some point, you will have a good draft of a project plan. Also, there should be an extensive list of risks alongside.
Take the list and assess each risk in terms of impact and probability. Focus on the most severe ones and put them aside for further analysis.
7. Make Risk Response Plans a Part of the Project
Once you shortlisted the Risk Register select the risk, you want to work with. Collaborate with the project team and stakeholders to identify possible steps, extra activities or reserves that will help to mitigate or avoid the risk.
Make these activities and reserves a part of your project.
By the way, don’t forget to keep an eye on opportunities. It is wise to leverage any chance to improve the project progress.
8. Talk About Risks Daily
Now new, possible and know risks should be a part of your work with the team and stakeholders.
You need to be aware of the risks that may happen soon. Look for triggers, control the implementation of risk responses and be on a lookout for new risks.
Risks are not static. They change their properties. New risks may appear. Known risks may go away.
Risk management should be an integral part of any change request. Changes always impose risks.
Start small, take baby steps and always think about business value your risk management activities provide.