Risk identification and treatment is an integral part of every project manager’s role and requires a disciplined approach. Ensure you’re prepared to respond to both threats and opportunities by following these key steps to managing risk throughout the project lifecycle.
Risk is an expression of uncertainty. Projects are designed to manage and control this uncertainty, such that it becomes an everyday activity for a project manager and their team to identify, assess, treat, and communicate risks.
Increasingly, robust risk management strategies are helping organisations outpace their competitors – the most recent Pulse of the Profession study revealed that agile companies that frequently use standardised risk practices see increased levels of success across their organisation.
Being able to foresee, analyse and manage project risks is a skill that every PM must possess. We are exposed to risks from a variety of areas, from the business environment and marketplace through to resource availability (e.g., people and budget), to the development of the deliverables – even right down to understanding the risks using a particular project approach (agile vs waterfall). By managing risk within their projects in an integrated, iterative and systematic manner, PM’s are required to ensure threats have a reduced impact on the project outcome, while at the same time improving the likelihood of opportunities for the project.
To help you manage risk, PM-Partners training facilitator Kerry McLennan shares some essential steps for PMs to drive positive results:
8 steps to identifying and treating project risk
1. Developing your risk management approach or strategy
Your first task is to define how you will manage risk. It’s common that organisations have an existing approach to risk management and a risk framework to support project execution so use this if available, tailoring as necessary. If you don’t have a framework, consider looking up ISO31000. Whatever your risk approach looks like, its purpose is to support your decision-making and project management quality by documenting and agreeing:
- Risk management process
- The risk tolerance
- Tools or techniques to analyse and monitor risk
- Risk categories and response categories
- Records and reporting requirements
- Roles and responsibilities
- Early warning indicators
- Risk budget.
After a risk management approach is agreed with the project authority (e.g., the sponsor, project steering committee, project / programme, or portfolio office), it is signed off and baselined. Typically, this occurs in the project planning phase or initiation stage, becoming a management artefact subject to formal change control.
2. Identification of risks
Risks are constantly identified from pre-project until project closure. Holding risk identification workshops early in the project lifecycle can assist you and other stakeholders in understanding risks and their characteristics. Using tools like the nominal group technique or Ishikawa diagram can increase the visibility of risks that otherwise may have been missed. Data from risk workshops, conversations, observations, lessons learned, and experience is logged in a risk register for management and visibility. PMs often engage in regular risk meetings during the life of the project with one part of the session devoted to the identification of new risks.
3. Articulating risks meaningfully
A clear expression of each risk is logged with its cause, the uncertain event, and the effect or impact the risk would have. This can assist in establishing both who is the most appropriate stakeholder to own and monitor a particular risk and justify the projects’ treatment response – the why.
4. Risk analysis
Both the Project Management Institute’s standard (A Guide to the Project Management Body of Knowledge (PMBOK® Guide) and the PRINCE2® method (two of the most popular project management approaches used in Australian businesses) recommend performing risk analysis using two types of analysis: qualitative (risk probability and impact) and quantitative (stochastic modelling).
Using the analysis helps to balance the cost of treating risks with the cost of being exposed to the risk, simply because we can’t mitigate nor avoid every threat, nor are the resources available to fund every opportunity that may arise.
5. The most appropriate risk response
After each risk is identified and analysed, PMs must determine the most appropriate risk response.
A response plan can then be embedded within the project plan and actioned as appropriate. Contingent response strategies may also need to be developed – these are often referred to as contingency plans or fallback plans and include identified trigger events that set the plan in effect.
6. Implementation
Once agreed on, the PM ensures risk responses are executed to address and control for risk in pursuit of minimising threats and optimising opportunities.
Too often, PMs spend incredible amounts of time and energy on identifying and analysing every potential risk, then documenting individual responses into a risk register – yet no action is taken to implement the response. The implementation step is critical to ensure that risks are being managed proactively and in an ongoing capacity. Once again, the cadence of regular risk meetings addressing decisions and actions and risk proximity help contain the exposure to uncertainty.
7. Risk and ownership
Every risk must also have an ‘owner’ – however it’s important to clarify that the owner doesn’t necessarily have to be the PM. In larger projects, too much reliance on the PM for risk ownership can be counterproductive.
Whoever they may be, risk owners should be managing and monitoring risks continuously. It’s the project manager’s responsibility to ensure the risk owner understands they must remain vigilant and update the risk status as necessary.
8. Risks at project end and key learnings
At project closure, PMs must check for any risks that may impact deliverables or the final product in its operational or business-as-usual life. Follow-up after the project is essential – after all, you have gone to so much effort to lead the project to a successful end, it makes sense to ensure the final deliverable is set up for success.
An overview of how you identified and addressed risk at the outset of the project, along with your overall experience of risks encountered during the project, may be useful for other projects and the wider organisation. Ensure that you not only take time during the project but also at project closure to record any of your risk learnings and share them with relevant stakeholders.
A PM’s role is to identify, manage, and communicate risk within their projects in a systematic manner. The eight steps when implemented across the project lifecycle reduce the impact of risks on your project outcome(s). And remember, it’s important to recognise that not all risks are threats, they can be opportunities, too. Staying on top of risks will improve the likelihood of leveraging opportunities throughout the project’s lifecycle enabling you and your team to deliver a fit-for-purpose product, service, solution, or result.
For more advice on how to improve PM risk management skills or to book into an appropriate project management course, contact the experts at PM-Partners today or call 1300 70 13 14.
PRINCE2® is a registered trade mark of AXELOS Limited, used under permission of AXELOS Limited. All rights reserved.
PMBOK is a registered mark of the Project Management Institute, Inc.