Wednesday Dec 11, 2024
Wednesday Dec 11, 2024
Saturday, 9 June 2012 01:07 - - {{hitsCtrl.values.hits}}
Effective project risk management is crucial for the success of projects. Project risks which remain unidentified or which are not mitigated in any manner stand to undermine all other areas of project management. Specifically, projects’ risks that are not adequately managed stand to impact the time, quality and budget constraints of a project or, in some cases, the wider organisation.
What is risk management?
Risk management, in the context of project management, is a forward-looking process for the identification, assessment and management of risks. In the project management context, the premise remains the same.
Project risk management is a process of looking forward, identifying potential risks, analysing and assessing them and then putting plans in place to monitor or treat them. Globally, in several organisations ‘risk management’ is treated as a critical function and sometimes having a ‘Risk Manager’ or bringing the function under the Financial Analysis Manager.
Effective risk management requires a proactive approach, early risk identification, an appropriate level of documentation of risks via a risk register and the involvement of all relevant stakeholders in all stages of the risk management process.
Basic risk management process
There are essentially three key steps to a project risk management process. As with all aspects of project management, there may be variations on this theme and multiple theories as to tools and specific approaches. Regardless, the key aspects of the process are constant.
The three key steps of a project risk management process are risk identification, risk evaluation and risk treatment. Each of these three principles is further explained below:
1. Risk identification: Risk identification involves constant scanning of internal and external factors that could impact the project to identify any potential events that may impact project costs, quality, scope or timeline. Potential sources of risk could include changes in economic circumstances, vendor changes and resource complications among many other things. Once a risk is identified it should immediately be logged in a project risk register.
2. Risk evaluation: Risk evaluation involves risk analysis in the form of quantification of the likelihood of a risk occurring and the magnitude of its potential impact on the project. These two measures are often then combined to derive an overall risk severity.
3. Risk treatment: Risk treatment refers to the way in which the risk is decided to be dealt with. It may be decided that the risk is to be just monitored, mitigated or moved. For example, a risk is said to be mitigated if steps are put in place to avoid its occurrence.
ERM (Enterprise Risk Management)
Enterprise Risk Management (ERM) in business includes the methods and processes used by organisations to manage risks and seize opportunities related to the achievement of their objectives.
ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organisation’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy and monitoring progress.
By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.
ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, Sarbanes-Oxley Act, and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organisations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.
Goals of an ERM program
Organisations by nature manage risks and have a variety of existing departments or functions (“risk functions”) that identify and manage particular risks. However, each risk function varies in capability and how it coordinates with other risk functions.
A central goal and challenge of ERM is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organisation’s ability to manage the risks effectively.
Typical risk functions
The primary risk functions in large corporations that may participate in an ERM program typically include:
Common challenges in ERM implementation
Various consulting firms offer suggestions for how to implement an ERM program. Common topics and challenges include:
Internal audit role
In addition to information technology audit, internal auditors play an important role in evaluating the risk management processes of an organisation and advocating their continued improvement. However, to preserve its organisational independence and objective judgment, Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function.
It is important to note that the essential function of Internal Audit has moved away from ‘watch dog’ to value adding ‘process improver’. I have pity and contempt for the managements of organisations that still use internal audit for the sole purpose of catching mistakes, collusions, fraud, quality defects, lapses, avoidable waste and the like. I would rather see a company build quality assurance at every ‘touch point’ of the operation through the commitment and enthusiasm of the people. This is where HR has to play a vital part.
10 Golden rules of project risk management
Rule 1: Make risk management part of your project
The first rule is essential to the success of project risk management. If you don’t truly embed risk management in your project, you cannot reap the full benefits of this approach. You can encounter a number of faulty approaches in companies.
Some projects use no approach whatsoever to risk management. They are either ignorant, running their first project or they are somehow confident that no risks will occur in their project (which of course will happen).
Some people blindly trust the project manager, especially if he (usually it is a man) looks like a battered army veteran who has been in the trenches for the last two decades. Professional companies make risk management part of their day to day operations and include it in project meetings and the training of staff.
Rule 2: Identify risks early in your project
The first step in project risk management is to identify the risks that are present in your project. This requires an open mind set that focuses on future scenarios that may occur. Two main sources exist to identify risks, people and paper.
People are your team members that each bring along their personal experiences and expertise. Other people to talk to are experts outside your project that have a track record with the type of project or work you are facing. They can reveal some booby traps you will encounter or some golden opportunities that may not have crossed your mind. Interviews and team sessions (risk brainstorming) are the common methods to discover the risks people know.
Paper is a different story. Projects tend to generate a significant number of (electronic) documents that contain project risks. They may not always have that name, but someone who reads carefully (between the lines) will find them. The project plan, business case and resource planning are good starters. Another categories are old project plans, your company Intranet and specialised websites.
Are you able to identify all project risks before they occur? Probably not. However if you combine a number of different identification methods, you are likely to find the large majority. If you deal with them properly, you have enough time left for the unexpected risks that take place.
Rule 3: Communicate about risks
Failed projects show that project managers in such projects were frequently unaware of the big hammer that was about to hit them. The frightening finding was that frequently someone of the project organisation actually did see that hammer, but didn’t inform the project manager of its existence. If you don’t want this to happen in your project, you better pay attention to risk communication.
A good approach is to consistently include risk communication in the tasks you carry out. If you have a team meeting, make project risks part of the default agenda (and not the final item on the list!). This shows risks are important to the project manager and gives team members a “natural moment” to discuss them and report new ones.
Another important line of communication is that of the project manager and project sponsor or principal. Focus your communication efforts on the big risks here and make sure you don’t surprise the boss or the customer! Also take care that the sponsor makes decisions on the top risks, because usually some of them exceed the mandate of the project manager.
Rule 4: Consider both threats and opportunities
Project risks have a negative connotation: they are the “bad guys” that can harm your project. However modern risk approaches also focus on positive risks, the project opportunities. These are the uncertain events that beneficial to your project and organisation. These “good guys” make your project faster, better and more profitable.
Unfortunately, lots of project teams struggle to cross the finish line, being overloaded with work that needs to be done quickly. This creates project dynamics where only negative risks matter (if the team considers any risks at all). Make sure you create some time to deal with the opportunities in your project, even if it is only half an hour. Chances are that you see a couple of opportunities with a high pay-off that don’t require a big investment in time or resources.
Rule 5: Clarify ownership issues
Some project managers think they are done once they have created a list with risks. However this is only a starting point. The next step is to make clear who is responsible for what risk! Someone has to feel the heat if a risk is not taken care of properly.
The trick is simple: assign a risk owner for each risk that you have found. The risk owner is the person in your team that has the responsibility to optimise this risk for the project. The effects are really positive. At first people usually feel uncomfortable that they are actually responsible for certain risks, but as time passes they will act and carry out tasks to decrease threats and enhance opportunities.
Ownership also exists on another level. If a project threat occurs, someone has to pay the bill. This sounds logical, but it is an issue you have to address before a risk occurs. Especially if different business units, departments and suppliers are involved in your project, it becomes important who bears the consequences and has to empty his wallet.
An important side effect of clarifying the ownership of risk effects, is that line managers start to pay attention to a project, especially when a lot of money is at stake. The ownership issue is equally important with project opportunities. Fights over (unexpected) revenues can become a long-term pastime of management.
Rule 6: Prioritise risks
A project manager once told me “I treat all risks equally.” This makes project life really simple. However, it doesn’t deliver the best results possible. Some risks have a higher impact than others. Therefore, you better spend your time on the risks that can cause the biggest losses and gains. Check if you have any showstoppers in your project that could derail your project. If so, these are your number one priority.
The other risks can be prioritised on gut feeling or, more objectively, on a set of criteria. The criteria most project teams use is to consider the effects of a risk and the likelihood that it will occur. Whatever prioritisation measure you use, use it consistently and focus on the big risks.
Rule 7: Analyse risks
Understanding the nature of a risk is a precondition for a good response. Therefore take some time to have a closer look at individual risks and don’t jump to conclusions without knowing what a risk is about.
Risk analysis occurs at different levels. If you want to understand a risk at an individual level it is most fruitful to think about the effects that it has and the causes that can make it happen. Looking at the effects, you can describe what effects take place immediately after a risk occurs and what effects happen as a result of the primary effects or because time elapses.
A more detailed analysis may show the order of magnitude effect in a certain effect category like costs, lead time or product quality. Another angle to look at risks, is to focus on the events that precede a risk occurrence, the risk causes. List the different causes and the circumstances that decrease or increase the likelihood.
Another level of risk analysis is investigate the entire project. Each project manager needs to answer the usual questions about the total budget needed or the date the project will finish. If you take risks into account, you can do a simulation to show your project sponsor how likely it is that you finish on a given date or within a certain time frame. A similar exercise can be done for project costs.
The information you gather in a risk analysis will provide valuable insights in your project and the necessary input to find effective responses to optimise the risks.
Rule 8: Plan and implement risk responses
Implementing a risk response is the activity that actually adds value to your project. You prevent a threat occurring or minimise negative effects. Execution is key here. The other rules have helped you to map, prioritise and understand risks. This will help you to make a sound risk response plan that focuses on the big wins.
If you deal with threats you basically have three options, risk avoidance, risk minimisation and risk acceptance. Avoiding risks means you organise your project in such a way that you don’t encounter a risk anymore. This could mean changing supplier or adopting a different technology or, if you deal with a fatal risk, terminating a project. Spending more money on a doomed project is a bad investment.
The biggest category of responses is the one to minimise risks. You can try to prevent a risk occurring by influencing the causes or decreasing the negative effects that could result. If you have carried out rule 7 properly (risk analysis) you will have plenty of opportunities to influence it. A final response is to accept a risk. This is a good choice if the effects on the project are minimal or the possibilities to influence it prove to be very difficult, time consuming or relatively expensive. Just make sure that it is a conscious choice to accept a certain risk.
Responses for risk opportunities are the reverse of the ones for threats. They will focus on seeking risks, maximising them or ignoring them (if opportunities prove to be too small).
Rule 9: Register project risks
This rule is about bookkeeping (however don’t stop reading). Maintaining a risk log enables you to view progress and make sure that you won’t forget a risk or two. It is also a perfect communication tool that informs your team members and stakeholders what is going on (rule 3).
A good risk log contains risks descriptions, clarifies ownership issues (rule 5) and enables you to carry out some basic analyses with regard to causes and effects (rule 7). Most project managers aren’t really fond of administrative tasks, but doing your bookkeeping with regards to risks pays off, especially if the number of risks is large.
Some project managers don’t want to record risks, because they feel this makes it easier to blame them in case things go wrong. However the reverse is true. If you record project risks and the effective responses you have implemented, you create a track record that no one can deny. Even if a risk happens that derails the project. Doing projects is taking risks.
Rule 10: Track risks and associated tasks
The risk register you have created as a result of rule 9, will help you to track risks and their associated tasks. Tracking tasks is a day-to-day job for each project manager. Integrating risk tasks into that daily routine is the easiest solution. Risk tasks may be carried out to identify or analyse risks or to generate, select and implement responses.
Tracking risks differs from tracking tasks. It focuses on the current situation of risks. Which risks are more likely to happen? Has the relative importance of risks changed? Answering these questions will help to pay attention to the risks that matter most for your project value.
(The writer is the Managing Director & CEO, McQuire Rens & Jones (Pvt) Ltd. He has held Regional Responsibilities of two Multinational Companies of which one, Smithkline Beecham International, was a Fortune 500 company before merging to become GSK. He carries out consultancy assignments and management training in Dubai, India, Maldives, Singapore, Malaysia, Indonesia and Bangladesh. Nalin has been consultant to assignments in the CEB, Airport & Aviation Services and setting up the PUCSL. He is a much sought-after business consultant and corporate management trainer in Sri Lanka. He has won special commendation from the UN Headquarters in New York for his record speed in re-profiling and re-structuring the UNDP. He has lead consultancy assignments for the World Bank and the ADB. Nalin is an executive coach to top teams of several multinational and blue chip companies. He is a Director on the Board of Entrust Securities Plc.)
