I find Risk management is one of the tougher parts of managing projects.
I get that ideally I should be working on preventing problems, the reality is that more often I am dealing with problems as they come up. I spoke to a couple of colleagues and they had the same problem.
I see two major reasons for this
- Lack of formal RM training. There are some excellent Risk Management tools available, but effective risk management requires more than just tracking the what the team has identified.
- Risks are identified during the initial phases, but the risk identification process is rarely revisited to search for new risks before the become issues.
Risk management needs to be proactive to be effective, it’s more than a list that’s tracked, it’s about getting ahead of the identified issue and preventing or mitigating the problems before they go wrong, and doing all you can to make things go right.
The process can start at any time during the initiation or planning phase of the project, but can not be completed until the full scope of the project is identified and the Work Breakdown Structure is complete. This ensures the team knows what the project is going to produce. While the planning phase of the program may have a specific risk identification session, risks can be identified by any member of the team at any time during the project.
The later in the project the risk is identified the more resources maybe required to deal with the issue. The identification should involve all stakeholders and consider including non-stakeholders with specialist knowledge as required. Everyone brings a slightly different mix of perspective and skills to what should be a iterative process. There are any number of tools (Delphi, brainstorming, SWOT analysis and so on) that can be used to aid identification of risks.
The identification is followed by a qualitative and quantitative analysis and then an initial cut at response planning. After this exercise is run you have a Risk Register that consists of the following:-
- List of risks
- Potential responses to the risks
- Root cause of the risk
- Uncertainty in the risk
- Risk categories
At this point it’s important to understand the sponsors risk tolerance level. Some risks may be unacceptable to the sponsor and may require modification of the project scope or response plan. For example, a risk that may drive a cost increase of 10% or a schedule slip of 4 weeks may be acceptable, but any more than that is unacceptable.