Behind the Scenes: The Art of Risk Management


Projects face threats and uncertainties that can derail progress, making it crucial to manage project risk effectively. As a project manager, you must master the art of anticipating, analysing, and responding to risks. This behind-the-scenes look explores best practices for risk management, enabling you to build resiliency and steer projects past obstacles.

Introduction

Like any complex endeavour, projects carry risks that may impact the budget, schedule, quality, or benefits. Issues can arise from insufficient resources, unrealistic plans, scope creep, dependencies, and external factors.

Without proactive risk management, problems amplify and project failure becomes likely. You must implement a regimen of systematic risk identification, assessment, and mitigation. This builds resiliency, improves transparency, and enables successful delivery despite uncertainties.

Identifying Risks Early

Risk management starts by uncovering potential issues early:

  • Brainstorm risks: Schedule risk workshops with the team to identify threats. Leverage experience from past projects. During these sessions, it is very important to qualify each risk, as what we perceive as a risk may not be a risk but a known fact. This distinction ensures a more accurate assessment and allows the team to focus on mitigating genuine threats to the project's success.

  • Assess environments: Scan the internal and external environment. Look for technical, operational, organisational, or market uncertainties.

    For example, in a software development project, a technical uncertainty could be the integration of a new technology that hasn't been fully tested, while a market uncertainty might involve sudden shifts in customer preferences or emerging competitors. Identifying these uncertainties early allows the team to proactively address potential challenges and develop robust risk mitigation strategies.

  • Review plans: Analyse the project charter, requirements, budget, schedule, resources, and solution designs for flaws and gaps.

  • Define risk categories: Define risk categories that cover areas such as scope, schedule, cost, quality, resources, technology, infrastructure, vendors, and regulations.

Document all risks in a register. Also list root causes and potential impacts. Prioritise based on likelihood and consequences.

Let's take an example. For a software implementation project, a risk register template may look like:

| Risk ID | Probability | Root Causes | Potential Impacts |
|---------|-------------|-------------|-------------------|
| R01 | Vendor delivery delays | Vendor lack of capacity | Schedule slippage |
| R02 | Scope creep due to new requirements | Poor change control | Budget overruns, delays |
| R03 | Skill gaps in using new technology | Inadequate training | Development quality issues |

Brainstorming uncovered these initial threats to the project.

Qualitative and Quantitative Analysis

With potential risks identified, you must analyse them to determine:

  • Likelihood of occurrence: Likelihood represents the probability of the risk occurring and is categorised as "Almost Certain," "Likely," or "Possible."

  • Impact: Estimated cost, schedule, quality, or scope impact if the risk occurs. Impact represents the consequence or severity of the risk and is categorised as "Low," "Medium," or "High."

  • Overall risk severity: This is determined via qualitative or quantitative analysis. Qualitative risk analysis is widely used in risk management. It assesses risks based on their subjective qualities rather than precise numerical data, evaluating the probability and impact of risks using descriptive scales (e.g., low, medium, high) rather than specific numerical values.

    1. Qualitative: Uses a probability and impact matrix to assess low, moderate or high severity. Note: Every organisation has its own customised probability and impact matrix; you may want to use your organisation's matrix when doing qualitative analysis.

| Likelihood/Impact | Low | Medium | High |
|-------------------|-----|--------|------|
| Almost Certain | Low | Medium | High |
| Likely | Low | Medium | High |
| Possible | Low | Medium | High |

Each cell in the matrix is assigned a risk level, such as "Low," "Medium," or "High," based on the combination of likelihood and impact. For example, if a risk is "Almost Certain" and has a "High" impact, it would be classified as a "High" risk.

Teams can use this matrix to visually assess and prioritise risks. High-priority risks, those with a combination of high likelihood and high impact, should be addressed with mitigation or contingency plans. Medium-priority risks may require monitoring, while low-priority risks may be accepted or reviewed periodically.

Let's map the "software implementation project" example from the previous section to this. The PM facilitates a risk analysis workshop. Using a probability and impact matrix, the team determines:

| Risk ID | Probability | Impact | Severity |
|---------|-------------|--------|----------|
| R01 | High | High | Extreme |
| R02 | Moderate | Moderate | Moderate |
| R03 | Low | High | Moderate |

This qualitatively evaluates the overall risk severity.

    2. Quantitative: Numerically quantifies probability, impact, and overall risk exposure levels and enables sensitivity analysis. For example, the analysis below provides insights for responding appropriately to top risks.

| Likelihood/Impact | Low | Medium | High |
|-------------------|-----|--------|------|
| Almost Certain | 3x2 = 6 | 6x4 = 24 | 8x5 = 40 |
| Likely | 3x2 = 6 | 4x4 = 16 | 4x4 = 16 |
| Possible | 1x2 = 2 | 3x4 = 12 | 5x5 = 25 |

In this matrix:

  • Likelihood is assigned numerical values, such as 1 for "Almost Certain," 2 for "Likely," and 3 for "Possible."

  • Impact is assigned numerical values, such as 2 for "Low," 4 for "Medium," and 5 for "High."

The risk score for each cell is calculated by multiplying the likelihood and impact values. The higher the score, the greater the risk. For example, if a risk is "Almost Certain" (3) with a "High" impact (5), the risk score is 3x5 = 15.

Teams can use this quantitative risk matrix to prioritise risks based on their calculated scores. Risks with higher scores require more attention and resources for mitigation or contingency planning. This approach allows for a more numerical and precise analysis of risks, aiding in decision-making and resource allocation.

Continuing our "software implementation project" example from the previous section, this would look like:

The PM also models risks numerically to quantify exposure:

  • R01 has a 70% probability of causing a $100,000 budget overrun.

  • R02 has a 50% chance of incurring a 2-month schedule delay.

  • R03 poses a 20% likelihood of a major quality issue.

You can see that this statistical modelling provides additional insights.

Planning Risk Responses

When managing risks in a project, it's crucial to define mitigation strategies for major risks that reduce their likelihood or impact.

In risk management, risks can be categorised as positive (opportunities) or negative (threats). For each type of risk, there are corresponding risk response strategies:

  • Positive Risks (Opportunities) response strategies:

  1. Exploit: Maximise the potential benefit of the opportunity. For example: Allocate additional resources to expedite project completion and gain a market advantage.

  2. Enhance: Increase the probability and/or impact of the opportunity. For example: Invest in additional training for team members to enhance their skills, increasing the chances of completing the project ahead of schedule.

  3. Share: Allocate some or all of the ownership of the opportunity to a third party. For example: Forming a strategic partnership to share the benefits of a joint venture, spreading both the risks and rewards.

  4. Accept: Acknowledge the opportunity but take no action to capture it actively. For example: If the opportunity is not aligned with project goals, the team may choose to accept it without pursuing further action.

  • Negative Risks (Threats) response strategies:

  1. Avoid: Change the project plan to eliminate the threat entirely. For example: If a key team member has a high likelihood of leaving, find a replacement or adjust roles to avoid the impact of their departure.

  2. Mitigate: Take actions to reduce the probability and/or impact of the threat. For example: Implementing regular backups to mitigate the risk of data loss due to technical failures.

  3. Transfer: Shift the impact of the threat to a third party. For example: Purchasing insurance to transfer the financial impact of a potential equipment failure.

  4. Accept: Acknowledge the threat but take no action to actively manage it. For example: Recognising that a potential delay due to weather conditions is a low-impact threat that the project can absorb without specific mitigation efforts.

Choosing the appropriate risk response strategy depends on factors such as the project's objectives, constraints, and the nature of the risks involved. A well-balanced risk management plan considers both positive and negative risks to optimise project outcomes.

Let's see how this maps to our software implementation project example. For top risks, the PM defines mitigation tactics:

  • R01: Add slack into the schedule as buffer; closely monitor vendor.

  • R02: Implement rigorous change control processes.

  • R03: Develop a comprehensive training program.

Contingency plans: Develop workarounds to execute if a risk does occur. The concept of contingency plans is an integral part of risk management, and it aligns with both positive and negative risks. 

Contingency Reserves and Workarounds

Despite mitigation efforts, some risks will still occur, which is why contingency reserves and workarounds are needed:

  • Contingency reserves: Allocate time and money buffers to absorb impact. This can be calculated as:

    Contingency Reserve = Risk Exposure x Contingency Allowance

    To calculate contingency reserve:

    1. Identify potential risks and estimate the impact of each risk on the project. This is the "Risk Exposure."

    2. Determine a percentage or fixed amount that represents the contingency allowance based on the level of uncertainty and complexity.

    3. Multiply the Risk Exposure by the Contingency Allowance to calculate the Contingency Reserve.

Best Practice: Industry best practices often involve allocating contingency reserves as a percentage of the total project budget or schedule. Tailor this contingency allowance based on the level of risk and the criticality of the project.

  • Workarounds: Define alternative execution methods if certain events transpire. Workarounds are often situational, and the focus is on minimising the impact of an issue. The effectiveness of a workaround can be measured by the time and cost it takes to implement compared to the time and cost impact of the original issue.

    Best Practice:

    • Develop predefined workarounds for common types of issues based on historical data or lessons learned.

    • It's essential to ensure that the implementation of workarounds does not introduce new or residual risks impacting the project's overall objectives.

  • Early warning indicators: Establish metrics to monitor risks and trigger contingencies. This can be done by:

    • Identifying key risk indicators that are early signs of potential issues.

    • Assigning weights to each indicator based on its importance and sensitivity.

    • Regularly assessing and summing the values of the risk indicators to calculate the Risk Indicator Index.

    With contingency protocols in place, you can rapidly execute workarounds if issues arise. This minimises disruptions.

Monitoring and Controlling Risks

  • Vigilantly track identified risks: Regularly monitor and assess the identified risks to stay abreast of their evolving nature. Utilise predefined risk triggers and early warning indicators to detect potential risk events.

  • Re-evaluate status: Update severity and priorities regularly. Identify new risks and, importantly, qualify those risks.

  • Risk-to-Issue Transformation: Recognise that risks can transform into issues when uncertainties materialise or when the impact and probability exceed predetermined thresholds. Understand that the transition from risk to issue signifies the need for immediate attention and resolution.

  • Implement responses: Carry out mitigation activities. Refine workarounds as required.

  • Take corrective actions: If identified risks materialise into issues, promptly update the issue register to document their occurrence. Also, rapidly deploy contingencies and corrective actions to address issues and minimise their impact on project objectives.

  • Update risk register: Document lessons learned, new strategies, and outstanding actions.

Ongoing monitoring and control of risks enables us to respond dynamically to the risk landscape and keep projects on track despite uncertainties.

As a further best practice, integrating feedback into the risk management process enhances the identification, assessment, and response to risks and issues throughout the project lifecycle.

Key Takeaways

  • Identify risks early through brainstorming, analysis, and lessons learned.

  • Qualitative and quantitative analysis determines probability, impact, and severity.

  • Mitigation strategies avoid, reduce, transfer or accept risks.

  • Contingency reserves and workarounds enable agile response.

  • Monitor, re-assess and control risks continually.

By mastering risk management techniques, you can surface issues proactively, develop effective responses, and steer projects smoothly through obstacles and uncertainties. This behind-the-scenes work is key to project success.
