14
Managing Project Risks
Managing project risks is the ultimate in proactive project management. It is the project manager’s radar system. The goal of project management is to achieve the project’s critical success factors, including meeting the targeted business objectives and client expectations. The goal of managing project risks is to identify and prepare for any potential threat to the project’s critical success factors before it actually occurs. As a result, risk management is the essence of managing projects. Nothing impacts the decisions we make regarding general project approach, level of planning rigor, staffing, project control procedures, and overall contingencies more than the risks facing the project. Yet, there might be no aspect of project management that has a wider array of real-world implementations.
As a result, there is often a sense of confusion and uncertainty regarding the proper project risk management approach to take. In this chapter, we clarify all of this. We review the core principles, key process steps, and best practices that are essential to managing project risks. We share insights on how to identify common project risks, review the proven strategies that work best in controlling project risks, and highlight the typical risk management problems, so you can avoid them.
Key Risk Management Principles
A proactive management philosophy underlies the key principles of project risk management. By effectively managing project risks using these principles, a project manager remains in control of the project at all times, enables better project decisions, and provides the project the best opportunity for success.
The key principles to managing project risks include the following:
It’s all risk management—All project management is risk management. The current approaches and rules of modern project management—especially those surrounding portfolio management, project definition, and project planning—are all risk management focused. From past experiences, we now know how to structure a project for total success and how to greatly increase the likelihood the project will achieve its objectives.
“Healthy paranoia”—It’s all attitude, even if it is a little psycho. Effective project managers take responsibility for managing risks on their project—believe me, no one else wants the job. As a result, you must strike the balance between having a paranoid outlook about your project (constantly thinking about what could go wrong) and doing everything you can to make sure the project is executed as planned.
Appropriate—The level, type, and visibility of risk management should be consistent with the level of risk and the importance the project has to the organization. The cost of the risk response should not be greater than the impact loss the risk event might cause.
Systematic—Any factor or risk that could impact the project should be identified, quantified, and assessed for possible effects to the project. This includes all people, process, technology, organizational, and environmental influences.
Continuous—The identification of risks is an iterative process. Risk identification is repeatedly performed throughout the project, not just at the beginning.
Relentless—The project manager and the organization must be committed to risk management for the entire project life cycle.
Focused—Focus on the risks that you can control—starting with the high-priority risks.
The Essential Process for Managing Project Risks
To be consistent with our principles, we need a systematic approach that enables us to focus time and resources on the highest priority risk elements. The power in the process is not in its complexity—it’s relatively simple and straightforward—the power is in the management approach it inspires.
Let’s review the essential steps for managing project risks:
Identify—This is the critical step of identifying the risks to the project. The best way to start this process is also the best way to leverage the lessons from the past—use a risk profile. A risk profile, also referred to as a risk checklist or risk assessment form, lists the common sources of project risk that you need to consider. Although most risk profiles help you evaluate the majority of risk factors that are common to all projects, including the listing later in this chapter, the best risk profiles are ones that are specific to your industry, organization, and project type. In addition, the less experience that you have in project management or in the project domain, the more you should facilitate this process with the key stakeholders and subject matter experts on your project team.
Determine probability—For each risk factor that has been identified, determine the likelihood that the risk event will occur. The goal is to quantify the uncertainty as much as possible, although in reality, this is still a judgment call. Common methods include numeric scales (1–5, 1–10) and subjective scales (High, Medium, Low).
Assess impact—For each risk factor, determine the potential impact the risk event would have on the project critical success factors if it occurred. Like the probability element, the goal is to quantify the potential impact as much as possible. Generally, the same type of scale is used here, too. It is a good idea to document the specific impact (which critical success factor) and the magnitude of the impact.
Prioritize—Now that we have a probability and an impact level, we tabulate a final ranking for each risk factor by combining the two values. If you have used numeric scales, this is straightforward; just multiply the two values together to get a final score. If you have used qualitative scales (L, M, H), you should be able to easily translate these to numeric values (1, 2, 3) to figure your final score. This step shows you the highest priority, most important risks, and the ones where you need to focus your initial efforts.
Develop responses—Document a response plan for each risk using one of the five risk response options detailed later in this chapter. Planning efforts are iterative in nature because risk response strategies might entail the allocation of additional resources, tasks, time, and costs to the project plan.
Get buy-in—Review the risk response strategies with the key stakeholders to increase their awareness, get their feedback (if you have not already), and get their acceptance of the planned approaches.
Monitor—Don’t stop. Nothing stays the same. Continue to keep your eye on the risk factors—watch for triggers to activate other planned responses, be mindful of the appearance of new risk factors, and don’t totally forget about the low-level risks. Either via circumstances changing or initial miscalculations, you might find some of these have a higher probability of occurring (or higher impact) than originally perceived.
Risk Response Options
Most people tend to think “mitigation” when they think of risk management. However, there are actually five risk response options. Table 14.1 reviews each response strategy and provides examples of each.
TABLE 14.1 Summary of Risk Response Options
Risk Response | Description | Examples/Notes |
|---|---|---|
Avoidance | Avoiding the risk. Changing the project plan to eliminate the risk. Changing the project plan to protect a project objective from the impact. | Reducing the scope to remove high-risk tasks. Adding resources or time. Adopting a proven approach rather than a new one. Removing a “problem” resource. |
Acceptance | Accepting the consequences of the risk. The project plan is not changed to deal with the risk. A better response strategy cannot be identified. | Active acceptance. Passive acceptance. No action. Contingency allowance (reserves). Notifying management that there could be a major cost increase if this risk occurs. |
Monitor and prepare | Accepting the risk for now. Closely monitor the risk and proactively develop alternative action plans if the event occurs. | Contingency plan. Fallback plan. Establish criteria that will trigger the implementation of the response plans. |
Mitigation | Taking action to reduce the likelihood the risk will occur. Taking action to reduce the impact of the risk. Reducing the probability is always more effective than minimizing the consequences. | Adopting less-complex approaches. Planning on more testing. Adding resources or time to the schedule. Assigning a team member to visit the seller’s facilities frequently to learn about potential delivery problems as early as possible. Providing a less-experienced team member with additional training. Deciding to prototype a high-risk solution element. |
Transference | Transferring ownership of the risk factor. Shifting the consequence of a risk and the ownership of the response to a third party. | Outsourcing difficult work to a more-experienced company. Fixed price contract. Contracts, insurance, warranties, guarantees, and so on. Used most often for financial risk exposure. Does not eliminate the risk. |
Key Risk Management Tools
One aspect of the risk management process described in the PMBOK Guide that many people find difficult to grasp is the reference to unfamiliar tools and techniques. Table 14.2 summarizes many of these tools and techniques to assist your learning and review process.
The risk assessment questionnaire contains questions that pertain to project size, structure, and technology. The risk assessment questionnaire is broken down by risk categories, subcategories, and criteria that rate risk level according to Low, Medium, or High.
TABLE 14.2 Summary of Risk Management Tools
Risk Tool | Description | Notes/Examples |
|---|---|---|
Risk profile | A questionnaire or checklist to guide the identification of project risk factors. | Should be specific to industry, organization, and project type. |
Risk assessment | Generally synonymous with risk profile. Frequently will contain criteria to establish Low, Medium, and High risk levels. | Often used interchangeably for risk profile or risk checklist. |
Risk register (log) | Used to document the identified risks, probability score, impact score, priority, and planned response strategies. | May be combined with other project logs. |
Risk management plan | Describes how the risk management process will be structured and performed. | Describes the process to be used. |
Risk response plan | Describes the response strategies for identified risks. | Risk log. Details action steps to be taken if risk event occurs. |
Probability/impact matrix | Used to establish general High, Medium, and Low classifications for a risk factor. Cross-references the probability score with the impact score. | Generally developed at the organizational level to improve the consistency of risk rankings. |
The Common Sources of Project Risk
The first key to managing risk on your project is to know where to look for it. The good news is that 80% or more of all risks originate from the same sources on every project. After you know the project characteristics that contribute to higher risk levels and the common sources of most project risks, you can quickly and effectively identify risk factors for any project. These factors should be first evaluated during project definition and are the main reason why several iterations of planning are often necessary. In Table 14.3, most of the key project risk factors are listed to better guide your risk identification activities. Note that many of these are emphasis points for project definition and detail project planning.
TABLE 14.3 Common Sources of Risk
Risk Source Category | Examples/Factors |
|---|---|
Project size and complexity | Effort hours Calendar time Estimated budget Team size (number of resources) Number of sites Number of business units Number of system interfaces Number of dependencies on other projects Number of dependencies on other systems Degree of business change |
Requirements | Volatile requirements Unrealistic or aggressive performance standards Complex requirements |
Change impact | Replacement or new system Impact on business policies Impact on business processes Impact on organizational structure Impact on system operations |
Organization | Changes to project objective Lack of priorities Lack of project management buy-in and support Inadequate project funding Misallocation and mismanagement of resources |
Sponsorship | Lack of strong executive commitment Lack of clear ownership Loss of political support |
Stakeholder involvement | All key stakeholders not identified Missing buy-in from a key stakeholder Stakeholder needs not completely identified Key stakeholders not fully engaged |
Schedule | Estimate assumptions not holding true Schedule contingency not adequate |
Funding | Reduction in available capital Cash flow issues Inflation or exchange rate factors |
Facilities | Adequate for team productivity requirements Adequate for project security requirements |
Team | Full-time or part-time roles Location of team members Can’t find desired resources Lack of experience Lack of business knowledge Lack of skills Lack of commitment Personal issues Lack of prior experience working together |
Technology | Missing technical data Use of unproven technology Use of nonstandard technology Development approach Level of complexity |
Vendors and suppliers | Contract types Risk-reward elements Procurement process Experience with vendor/supplier |
External factors | Changing weather conditions Changes in legal and regulatory environment Approvals from governmental agencies Political changes |
Business factors | Time-to-market Mergers and acquisitions Economic events Market conditions |
Assumptions and constraints | Might create schedule, cost, resource, or quality risks |
Project management | Lack of experience Poor leadership Poor communications Lack of contingency plans Inadequate risk management |
Although most sources of risk are inherent attributes of project initiatives or are outside the project manager’s control (as the preceding table summarized), there is another common source of project risks that is generally self-inflicted. These are the project risks we create by not performing adequate project definition or detail project planning.
For a complete listing and explanation of those factors, you can review Part II, “Project Planning.” For a quick review, Table 14.4 lists many of the key factors. Please note that some risk source categories are listed again in this table. This is intentional. In some areas, there are universal, inherent factors that contribute to project risk, and there are other risk factors that are introduced due to inadequate project planning. One example is the project schedule. Estimate assumptions not holding true and inadequate contingency buffer are inherent risks on any project. However, a poorly developed schedule is self-inflicted and a result of project planning deficiencies. Yet, it can be as devastating to your project critical success factors as anything.
TABLE 14.4 Common Project Planning Sources of Risk
Risk Source Category | Examples/Factors |
|---|---|
Project management | Improperly defined project deliverables Incomplete planning Improper procedures Not defining clear roles and responsibilities Lack of contingency plans Inadequate risk management Inadequate attention to the right details Inadequate resource staffing |
Project definition | Unrealistic objectives Inconsistent objectives Incomplete scope definition Inconsistent scope definition Improperly defined project deliverables |
WBS (and project schedule) | Not reviewed and approved by stakeholders Missing tasks Lack of team understanding Missing project management activities External dependencies not identified and understood |
Project schedule | Missing task dependencies Tasks not clearly assigned Resources overallocated Calendar realities not factored Inadequate contingency or reserve |
Project budget | Poorly developed cost estimates Missing cost sources Inadequate contingency or reserve |
Requirements | Incomplete or poorly defined requirements |
Assumptions and constraints | Not completely defined |
Typical Problems
As with any project management process, there are always challenges and things for which you should be on the lookout. Let’s first review the four general problems that are typical with managing project risk:
Undetected risks—These are the risks that will get you because you didn’t even see them coming. The most common reasons for this are project managers not having the proper risk management mindset, project team members not raising awareness of specific risk factors, and planning defects that are not detected.
Unacknowledged risks—These occur in dysfunctional organizations or in immature project management organizations. For whatever reason, often political in nature, an obvious risk factor is not formally acknowledged and, as a result, not properly managed. This is the proverbial “elephant in the room.” A common example of this is an impossible schedule deadline.
Not enough process—It is not uncommon to see this area of project management totally ignored, at least from a systematic standpoint.
Too much process—On the other end of the spectrum, I have often seen gung-ho, analytical project managers overdo the risk management process. They can spend so much time on risk management that planning is never completed, or they get so focused on risks that they become overly cautious and won’t take any chances. Remember: project risk management is not about avoiding all risks.
In addition to the major problems typically found, a number of other smaller issues are common to the risk management process we discussed earlier. Table 14.5 summarizes those common gaps.
TABLE 14.5 Summary of Common Risk Management Gaps
Risk Management Process | Common Gaps |
|---|---|
Risk management planning | No risk management plan. Risk management plan equals risk response plan. |
Risk identification | Performed only once and not proactively managed. Process is incomplete. Missing entire types/categories of risk. Confusing issues with risks. |
Risk qualitative analysis | The organization has not established standard practices/tools. The probability of occurrence is not calculated for each risk. The impact of each risk is not determined. Risks are not prioritized. Risk quantitative analysis is not limited to high-priority risks. |
Risk response planning | Response strategies are not documented. No risk response plan is in place. Response strategies are not appropriate for risk severity. The project plan is not updated to implement and monitor responses. |
Risk monitoring and control | The risk response plan is not maintained. Risk identification is not continued. The project plan is not updated to implement and monitor responses. Responses are not reevaluated. Progress is not tracked, or task owners are not held accountable. |
Powerful Risk Control Strategies
This section breaks out of the strict risk management process and considers some powerful strategies you should consider to either deal with the high-priority risks you now have or reduce the number of new risks from occurring as your project goes forward.
Tackle high risks first—Develop a work plan that attacks your high-risk factors right out of the gate Why? If you are going to have a problem, it is best to know sooner than later. If something is not feasible or acceptable, determine this as soon as possible, so senior management can decide whether the project is worthy of organizational investment and resources.
Use iterative, phased approaches—By breaking the work of the project into multiple iterations and phases, you provide a systematic method of providing tangible output to the stakeholders sooner and more often. The multiple points of review and feedback with the stakeholders enable you to better control your greatest risk—stakeholder expectations and satisfaction.
Test it like you mean it—This strategy overlaps with quality management but is worth emphasizing here too. There’s no better way to avoid and reduce risks with a new work product than to use effective, prioritized testing. An effective test plan will identify defects before the final project work item is deployed to production or made available to the customer audience.
Verify deployments—And for those in the IT software world, this strategy is focused on verifying the deployment of the project work product into a new environment. Often, this is referred to as a “smoke test” and is commonly used with IT services and resources. The project work item might have met all requirements, but if it is not deployed and set up correctly in the target environment, the customer will not be able to tell the difference.
QA the planning process—This strategy has been mentioned before but is worth mentioning again: Be sure to do a quality review on the planning process. This step helps identify planning defects that, if undetected, will become unknown risks with a high-impact potential.
Leverage independent QA audits—Leveraging an independent, experienced, and objective viewpoint can be a powerful way to identify risk factors and determine the best response strategies. This can be especially useful in project situations where the key stakeholders are inexperienced, the climate is very political, or multiple vendors are involved.
Are You Sure It’s a Risk?
Before we end our review of managing project risks, it is worth mentioning that one common problem associated with project risk management is terminology and the proper labeling of risks. This is more of an academic issue, and generally, the subtle differences are not key factors on projects. To make sure you avoid problems here, Table 14.6 quickly reviews the definition of terms closely related to project risk and clarifies those distinctions.
TABLE 14.6 Summary of Risk-Related Terms
Term | Definition | Notes |
|---|---|---|
Risk | An uncertain event that could negatively impact the project critical success factors, if it occurs. | A threat. Probability of occurrence must be between 0% and 100%. |
Issue | An active problem that could impact the project critical success factors. | A risk event that has actually occurred. |
Constraint | A limit that must be planned around. | Factual. Constraints can introduce other risks. |
Assumption | Factor considered to be true, real, or certain. | Assumptions can include accepted risks. Assumptions can introduce other risks. |
Dependency | An external event that must occur for the project to accomplish its objectives. | Identified during planning along with risks, constraints, and assumptions. |
Defect | A discrepancy between what is (actual) and what should be (expected). Mentioned here because planning and overall project management defects can become project risks if not identified and corrected. | Detailed planning efforts are important here. The key source for many unknown risks. |
Figure 14.1 summarizes the main points reviewed in this chapter.
FIGURE 14.1
Overview of managing project risks.