Project risk management is an integral part of every project manager’s role and requires a disciplined approach. Ensure you’re able to identify and treat both threats and opportunities by following these key steps to identifying and managing project risk.
What is risk management for projects?
Project risk management is the process of identifying, assessing, treating and communicating anything that could potentially impact your project’s budget, timeline or performance.
In this context, risk is an expression of uncertainty. By proactively managing and controlling this uncertainty over the lifecycle of a project, a project manager and their team can help to keep a project on track and aligned to its goal.
Depending on the type and scale of a project, project risk management can vary in terms of the level of planning, activities and documentation involved. Consistency of approach is key, however, to ensure risks are evaluated and managed in a structured, uniform way.
Benefits of project risk management
Research shows that robust risk management strategies are helping savvy organisations outpace their competitors. A recent Pulse of the Profession study revealed that agile companies that frequently use standardised risk practices see increased levels of success across their organisation.
Being able to foresee, analyse and manage project risks is a skill that every PM must possess. We are exposed to risks from a variety of areas, including:
- the business environment
- the marketplace
- resource availability (e.g., people and budget)
- the development of deliverables
- our chosen project approach (agile vs waterfall).
By managing risk within their projects in an integrated, iterative and systematic manner, PMs are required to ensure threats have a reduced impact on the project outcome, while at the same time improving the likelihood of opportunities for the project.
What is positive risk in project management?
A common misconception is that all risks are inherently negative. The fact is risks can be positive or negative. While negative risks are unwanted events that could damage your project, positive risks are opportunities that could benefit it.
The potential for additional resources is one example of a positive risk, as is new technology that may save you time. But it’s important to remember that a positive risk can turn into a negative one, and vice versa.
Both types of risk will need to be managed but the strategies for doing so differ. You should identify and manage negative risks to minimise their impact, whereas positive risks should be managed to leverage their potential benefits.
How to manage risk: 8 steps to effective project risk management
1. Developing your risk management approach or strategy
Your first task is to define how you will manage risk. Organisations commonly have an existing approach to risk management and a risk framework to support project execution, so use this if available, tailoring as necessary. If you don’t have a framework, consider looking up ISO 31000. Whatever your risk approach looks like, its purpose is to support your decision-making and project management quality by documenting and agreeing:
- Risk management process
- The risk tolerance
- Tools or techniques to analyse and monitor risk
- Risk categories and response categories
- Records and reporting requirements
- Roles and responsibilities
- Early warning indicators
- Risk budget.
After a risk management approach is agreed with the project authority (e.g., the sponsor, project steering committee, project / programme, or portfolio office), it is signed off and baselined. Typically, this occurs in the project planning phase or initiation stage, becoming a management artefact subject to formal change control.
2. Identification of risks
Risks are constantly identified from pre-project until project closure. Holding risk identification workshops early in the project lifecycle can assist you and other stakeholders in understanding risks and their characteristics. Using tools like the nominal group technique or Ishikawa diagram can increase the visibility of risks that otherwise may have been missed. Data from risk workshops, conversations, observations, lessons learned, and experience is logged in a risk register for management and visibility. PMs often engage in regular risk meetings during the life of the project with one part of the session devoted to the identification of new risks.
3. Articulating risks meaningfully
A clear expression of each risk is logged with its cause, the uncertain event, and the effect or impact the risk would have. This can assist both in establishing who is the most appropriate stakeholder to own and monitor a particular risk and in justifying the project’s treatment response – the why.
4. Risk analysis
Both the Project Management Institute’s standard (A Guide to the Project Management Body of Knowledge (PMBOK® Guide)) and the PRINCE2® method (two of the most popular project management approaches used in Australian businesses) recommend performing risk analysis using two types of analysis: qualitative (risk probability and impact) and quantitative (stochastic modelling).
Using the analysis helps to balance the cost of treating risks with the cost of being exposed to the risk, simply because we can’t mitigate or avoid every threat, nor are the resources available to fund every opportunity that may arise.
5. The most appropriate risk response
After each risk is identified and analysed, PMs must determine the most appropriate risk response.
Effective risk response strategies
A response plan can then be embedded within the project plan and actioned as appropriate. Contingent response strategies may also need to be developed – these are often referred to as contingency plans or fallback plans and include identified trigger events that set the plan in effect.
6. Implementation
Once agreed on, the PM ensures risk responses are executed to address and control for risk in pursuit of minimising threats and optimising opportunities.
Too often, PMs spend incredible amounts of time and energy on identifying and analysing every potential risk, then documenting individual responses into a risk register – yet no action is taken to implement the response. The implementation step is critical to ensure that risks are being managed proactively and in an ongoing capacity. Once again, the cadence of regular risk meetings addressing decisions, actions and risk proximity helps contain the exposure to uncertainty.
7. Risk and ownership
Every risk must also have an ‘owner’ – however it’s important to clarify that the owner doesn’t necessarily have to be the PM. In larger projects, too much reliance on the PM for risk ownership can be counterproductive.
Whoever they may be, risk owners should be managing and monitoring risks continuously. It’s the project manager’s responsibility to ensure the risk owner understands they must remain vigilant and update the risk status as necessary.
8. Risks at project end and key learnings
At project closure, PMs must check for any risks that may impact deliverables or the final product in its operational or business-as-usual life. Follow-up after the project is essential – after all, you have gone to so much effort to lead the project to a successful end, it makes sense to ensure the final deliverable is set up for success.
An overview of how you identified and addressed risk at the outset of the project, along with your overall experience of risks encountered during the project, may be useful for other projects and the wider organisation. Ensure that you not only take time during the project but also at project closure to record any of your risk learnings and share them with relevant stakeholders.
A PM’s role is to identify, manage, and communicate risk within their projects in a systematic manner. The eight steps, when implemented across the project lifecycle, reduce the impact of risks on your project outcome(s). And remember, it’s important to recognise that not all risks are threats; they can be opportunities, too. Staying on top of risks will improve the likelihood of leveraging opportunities throughout the project’s lifecycle, enabling you and your team to deliver a fit-for-purpose product, service, solution, or result.
To better manage risk, use our free downloadable checklist when planning your next project. For more advice on how to improve your risk management skills or to book into an appropriate project management course, contact the experts at PM-Partners today or call 1300 70 13 14.
PRINCE2® is a registered trade mark of AXELOS Limited, used under permission of AXELOS Limited. All rights reserved.
PMBOK is a registered mark of the Project Management Institute, Inc.