I’ve written several blogs where I’ve discussed the importance of managing risks and included some tips for managing risks. But just what does managing risks involve? So often, I see risk management graphics that are so overwhelming that I’m not even sure how to read them. Is there a simple way to manage risks well? The answer to that question depends on the complexity of the project and the culture of the project team.
More complex projects require a greater focus on risk management. Teams that are not used to a process that includes risk management may present a cultural challenge. Team members may balk at having to do risk management or question why they need to spend time on something that doesn’t move the project forward. In this blog, I will share the three main steps in project risk management, help you understand the important questions to be asking, and share with you the secret sauce.
Step One: Identify
At the outset of a project, the entire team needs to make risk identification a part of their job. This is not a step that can be done by one person in a vacuum. The entire team should be involved. Trying to have only one person on a project team identifying risks reminds me of the fable about six blind men who individually feel only a part of the elephant and must join forces to develop a better understanding of the elephant.
The team needs to commit to periodically taking time away from regular work to sit back, think, identify, assess, and manage risks. Things change over the course of any project and new risks may arise.
Yes, the project manager is hopefully thinking about risks on a proactive basis throughout the course of the project. He or she will not know all of the intricate details of the tasks that other team members are doing. Set aside time on a regular basis for the entire team to sit back and identify new risks. That’s the first step.
Step Two: Assess
Risk assessment involves the analysis, evaluation, and documentation of several factors. The extent to which you spend time on risk assessment will depend on the complexity of the project, the dollars at stake, the length of time on the project, and the number of risks. Answer these questions:
- Who is the risk expert? Document the name of the person who knows the most about this risk. This may not be the person who will be responsible for managing the risk. The risk expert can provide a point of contact in the future if questions arise.
- Who is going to manage the risk? As projects unfold, it is helpful to have a person watching each risk. This may or may not be the project manager. This person is the person who should be charged with identifying any trigger events and/or risk mitigation strategies.
- What is the financial impact if the risk materializes? A risk that impacts only one small deliverable will have less impact than a risk that could potentially impact an entire event.
- What is the chance that this risk will actually materialize? For example, the chance of a hurricane occurring in Florida during the summer is higher than it is in winter, or in Massachusetts. If you are working on a technology data center conversion in Florida that is scheduled for January and several months of delays occur, the risk of a hurricane will increase and should be managed with more attention.
- What is the likelihood that the risk can be detected early enough to mitigate the risk? For example, hurricanes have a high likelihood of detection, while tornados have a lower likelihood of detection.
- Are there any trigger events? A trigger event is an event that, if it occurs, is likely to result in a risk materializing. Trigger events can be used to predict when a risk may occur.
- Do we need a risk mitigation strategy? A risk mitigation strategy is a plan to reduce any negative impact or increase any positive impact from a materialized risk. Sometimes risks can have a positive outcome, and the team must be poised to exploit the risk. The higher the risk is ranked, the more important the risk mitigation plan becomes. The effort to develop risk mitigation plans should be commensurate with the amount of risk to the project.
A note about items #3 – 5: In order to fairly rank a set of risks, the quantitative values must be estimated consistently. The same person or group, to help insure this consistency, should do the quantitative estimating.
Step Three: Monitor & Manage
Monitoring risks may be slightly easier with software that automatically ranks your top risks. Software or no software, the key is to periodically re-assess your risks. Just as you set up a time to identify risks, you need to set aside time to re-assess your risks. This means asking questions #3 – 5 regularly, and it may mean developing a risk mitigation strategy for a risk that has suddenly escalated as a concern.
Managing risks is more than producing a neat report that can be submitted to management at the end of every week. The purpose is to minimize any adverse impact from a risk that materializes, and capitalize on any positive risk that materializes.
All projects have risks. Part of the assessment process is to rank your risks so that you understand which risks pose the greatest threat. For those risks, it is important to have a mitigation strategy. For lower ranked risks, you may choose to simply accept the risk.
It doesn’t matter whether you consider project risk management in 3, 4, 5, 6, or 7 steps. What matters is that you focus on it in a proactive way. Some project gurus consider assessment to include the identification of new risks. Some break the process into five steps that breaks step two (assessment) into assessment and ranking. Another expert breaks project risk management into seven steps. In this approach, embedding a risk management culture into your project is factored in as a separate step.
Now for the secret sauce: Neuroscientists tell us that writing and editing are two different steps, and require different parts of the brain. I suspect that the same is true of risk identification and risk assessment. I do know that emailing members of a team that is running in circles and simply asking if there is anything new on risks is not going to yield results. It takes focused time. Think about the identification piece and the assessment piece separately. Set aside time on a regular basis to stop running in circles and focus on risk management as a team.
Interested in some coaching help on this? Check out our options here or schedule a call to discuss your needs.