Successful project risk management prioritizes risks, or establishes risk analysis as an activity on a level equal to that of cost, time, and scope management. This involves increasing the visibility of risk management functions at all levels and inviting risk managers to top strategy meetings. Organizations with poor risk management systems, view risk management as an unnecessary adjunct and often don’t integrate the same with the core project process.
Image Credit: flickr.com/Robert Higgins
A common fallacy with risk management programs is the biased assessments made by the project manager or the project control engineer who conducts the risk analysis is when they try to justify their proposals and get management and customers off their backs. A good risk management program needs to run independently and remain separate from the core project team. The project risk management process, however, still needs integration with the core project function and active support and participation of the project manager and other members of the project team for success.
Many organizations assign the role of risk management to their corporate engineering department, or bring in outside experts for conducting a risk analysis and ask the project team to cooperate with such experts.
A primary characteristic of a good project risk management plan is availability of good quality data for a risk analysis.
Data collection constitutes about 90 percent of the total risk analysis effort. Most data on risks remains judgmental, but a good risk management program strives to collect high quality data validated as well as repeatable data. Good quality data allows for an accurate analysis and provides the organization with a solid basis for preemptive or remedial action.
Methods to ensure availability of quality data include:
- Spending resources to develop and administer questionnaires that define various risk terms such as ’high probability’ and ‘very high impact on performance.’
- Ensuring that the project manager, with first hand practical knowledge of the project, sits in the risk interviews and asks active questions.
Use of Risk Management Tools
Another characteristic of a good risk management program is the effective use of risk management tools. Risk management tools range from simple Excel spreadsheets, SWOT analysis, and Ishikawa diagrams or influence diagrams, to more quantitative tools such as decision tree models, system failure models, and simulation for cost and schedule. Immature organizations rarely apply such tools in the risk management process, or apply them wrongly.
Organizations with mature risk management processes implement metrics that institute measurable success factors for projects. Organizations with poor risk management procedures do not implement such metrics and very often put together a story that looks like success.
Yet another characteristic of a good project risk management system is the willingness to adopt approaches and practices from others, and share with others.
Mature organizations compare their risk management and project management processes to the processes in other companies, to learn from others. The best risk-mature organizations practice ‘inside-outside benchmarking,’ which not only benchmarks other industries, but also invites outside experts to continue the benchmarking approach on a periodic basis.
Organizations with mature risk management processes indulge in free discussions at various professional avenues and forums to exchange risk management related ideas. They tell their story, obtain valuable feedback, and gain new ideas.
Image Credit: flickr.com/Wonderlane
Follow Up Action
A good risk management program ensures incorporation of the findings of the risk analysis to the organization budget and schedules and follows up risk migration through actions. Such organizations use risk analysis as a guide to making hard choices for allocating more resources, changing project plans, and reassigning personnel, among other things.
Many immature risk management organizations perform a risk analysis but do not act on the assessment.
An effective project risk management process is on-going and continuous, and ingrained with the core project process.
Merely instituting a risk management process without overcoming cultural barriers or ingrained prejudices does not help the organization. The organizational culture needs to foster a commitment to risk awareness and create an atmosphere that encourages discussion about project risks. Risk-immature organizations with people eager to confirm tend to ‘shoot the messenger’ by showing hostility toward people that highlight problems or point out flaws in the project plan, and look down on them as not being team players.
Ad-hoc risk management processes undertaken at the request of a particular client, or a motivated project manager and ending with the departure of the client or project manager, causes the organization to lose the lessons learned from the risk management initiative.
The correct application of risk management allows a risk-mature organization to determine whether it is improving or stagnating, and allows for plan improvements in performance.
- Hillson, D.A. (1997.) Towards a Risk Maturity Model. International Journal of Project & Business. Risk Management, Volume 1 Issue 1: Pg. 35-45.
- Project Management Institute (PMI). (2000.) A Guide to the Project Management Body of Knowledge, 2000 Edition. Newtown Square, PA.
- Hulett, David, T. Key Characteristics of a Mature Risk Management Process. Retrieved from https://www.coleyconsulting.co.uk/risk.htm on 7 October 2010