PM Notebook
Effective Risk Management is not an Option in Managing Projects - You Need It!
Bill Hoberecht

Achieving the full value of risk management on technology projects is thwarted by several factors;  the general lack of a universally standard framework for risk management,  a lack of  familiarity with the basics of risk management, and an  inadequate implementation of risk management practices (even by experienced project managers) all contribute to our collective failure in managing project risks.  Recognizing the need and value of Risk Management on your project is a good start.  Being aware of the behaviors that create obstacles in adopting Risk Management can help you in taking the right steps in implementing a sound Risk Management emphasis on your project.


Risk Management is a Formal Discipline, not a Hobby

Managing the risks on a project is far more than following a few trivial process steps, filling out a risk template and periodically looking at a risk report.  Courses on project management provide helpful information on the structure of project risk management activities, but often fail to give sufficient guidance on the expertise that is required to faithfully execute those processes.  As a result, Risk Management, a critically important project management responsibility, is all too frequently not executed well.


Risks are Much More Than Just an Excuse for Project Failure

A few years ago we were going through a project post mortem.  Unfortunately, this project didn’t come close to achieving its objectives.  The project manager offered this explanation:  “But we all knew that the project was high risk.  That’s why we failed.”   Such a sentiment promotes the notion that being involved in a high risk project automatically relaxes the expectation of project success – that is, on a project with high risks the project manager and team no longer need to succeed, they have a ready explanation if failure occurs.  In essence, this project manager was declaring their standing as a victim of circumstance.  In their view, the situation conspired to doom the project; everyone did what they were supposed to do yet the result was still failure (“The operation was a success, but the patient died.”).  It was evident that no one had any responsibility for working through these ‘well known risks’ and taking action that would enable project success.

As an outsider to this particular project, I was astounded by the pervasive culture within this organization – a culture that accepted failure and did not expect proactive handling of potential problem areas.  Executives with low expectations, project managers without proper training in risk management, and team members who could always blame extenuating circumstances when results failed to appear – these factors all contributed to creating an organization of low performing teams with disappointing project performance.

Project risks are not just an excuse for project failure.  Risks are the reason project managers, certain project stakeholders, and project team members need to understand a risk management process and develop their skills in executing that process.  Organizations and project teams that want to succeed, especially when faced with potential problems that could derail the project, will have a culture in which risk management expertise abounds and is always applied to projects.  This article examines common perspectives on the topic of risk management and how a project team can transform itself and become effective in executing risk management practices.


Risk Management – Often Overlooked and Not Supported

In some organizations, Risk Management is well understood and implemented.  Project team members and management who have been trained in Risk Management and demonstrated their skills are qualified to own and participate in risk management activities.  They are supported by a PMO that provides a risk management framework (i.e., process, templates and coaching).  In such organizations, risk management has been institutionalized and is fully engrained into the culture.

More often than not, however, when I take on responsibility for directing a project organization I find that a discipline of risk management is not well understood.  The organization probably doesn’t have a well understood method for managing risk, and most attempts at managing risk are superficial and ineffective.  My experience is consistent with research findings that observe that risk management is viewed as secondary and unwarranted.

If you are responsible for the success of projects and are in an organization that does not have an emphasis on managing risk, you are probably in a situation where you and others will have to exert heroic efforts in order to make your projects successful. (Prepare now for those intense, extended work days that will surely materialize later in your project schedule when you work through serious problems that were not handled earlier in the schedule as project risks.)  However, if you want to transform the project culture and bring risk management into the mainstream operation of your project, then a good starting point is to understand how people feel about and treat risk management.  Here are some of the behaviors and perspectives that I’ve encountered: 

  • The project manager who doesn’t treat risk management as important.  This project manager feels that failure is an option because they always have the ‘project was too risky’ excuse if disaster strikes; in this case, the project manager doesn’t feel an obligation to lead the project to success, and is willing to concede defeat if risks trigger and prevent satisfactory project completion.  This project manager may forgo all risk management activities or may treat risk management as an administrative activity that is delegated and never included in their core of project management activities.
  • The executive stakeholder who wants no involvement in rigorous risk management activities.  This project executive is well intentioned: they want the project to succeed and, quite properly, expect risks to be identified and managed.  However, this executive sometimes delegates all of their involvement, typically to others who have insufficient authority to discharge these responsibilities – this executive doesn’t want to hear about potential problems, they just want the project to complete successfully.  Or this executive may participate in risk activities (e.g., risk reviews), but this involvement doesn’t result in action or decisions because the risk responses are all too unattractive.
  • The PMO that is more concerned with form than results.  To their credit, members of this PMO insist on the project’s use of a risk management process.  But their fixation on process adherence and existence of risk management documents (plans, risk lists and responses, status) overshadows any discussions or reviews that ensure a quality use of the process (e.g., making sure the right risks are identified and that the responses are satisfactory). The result of this misplaced attention can be an ineffective implementation of risk management practices that doesn’t decrease risk to the project.


Effective Risk Management – Key Success Factors

Projects that don’t have an effective implementation of Risk Management are in this position because they are missing one or more key success factors.  These factors are all essential if risk management activities are to be effective on your projects:

  1. Key individuals recognize the relevance or importance of risk management.
  2. The roles and responsibilities in risk management are assigned to individuals who are trained and qualified to carry out their responsibilities.
  3. Your organization and project team have a well-understood process framework that is reasonable for risk management activities on your type of projects; also you have a commonly understood terminology/language to use in identifying, discussing, managing, and reporting on risks.
  4. Executive support and active participation are sufficient for project risk management activities.


Implementing Risk Management on your Project

As project manager, the responsibility falls to you to ensure that risk management is implemented appropriately on your project.  Look for opportunities to leverage risk management assets/materials and the expertise of the PMO or of individuals on other projects who are skilled in risk management.

If you are in a PMO and looking to implement risk management across many projects, you’ll probably want to approach this as a transformation project that fully considers all the complexities of organizational change.  If you are a project manager who is focused on your project and you are just looking to get a reasonable implementation of risk management for your project, here’s a concise ‘to do’ list that can get you started:

  1. Assign risk management responsibilities.  Incorporate risk management responsibilities into job descriptions.  Ensure that responsibilities for risk management are understood by project team members and stakeholders.
  2. Educate and enable.  You’ll need all participants in risk management to understand basic concepts and their role.  I've provided pointers to Risk Management standards, guidelines, articles and processes in Risk Management Resources and Reference Information. Some individuals will need more thorough training to fully equip them in the art of risk identification, risk response planning and risk reporting.  You’ll want to acquire (or create) and then deliver two forms of training:
    • Quick overview/summary/executive training for those with supporting roles.  I think of this training as being at most 60 minutes in duration, supplemented by a provided set of training materials and an article/essay or two on risk management concepts.
    • In-depth hands-on training for Project Managers and selected team members.  A full-day or half-day course on principles, practices and reinforcing exercises in risk management.
  3. Provide a basic, easy to use toolset.  If you have an enterprise system that should be used in managing risks, then put in the effort to learn how to use it effectively.  If your company has no system, then make use of a standalone risk register.
  4. Allocate project time to risk management.  As appropriate, schedule dedicated risk management meetings and include risk management activities on the agenda for the appropriate standing meetings. 
  5. Accountability for risk management actions.  Regularly publish risk management analysis and reports to the project team.   Review this information with project team members and stakeholders, ensuring that they understand any actions for which they are responsible.


What’s Next?

As you take action to implement risk management anew or improve upon your current use of risk management, a bit of knowledge can be exceedingly helpful.  Read the accompanying articles on Risk Management Basics and Risk Management Reference Information to help immerse you, at least for a short while, in the world of Risk Management.