Risk management is one of those aspects of project management that all project managers conceptually understand, but many do not do well enough. I suspect at times most project managers do not give enough focus to risk. I know I have been guilty of this often enough.
There are different approaches to managing risk. In this article I do not want to talk about the actual mechanics of risk management – we all know the process and principles, but simply the signs that it is not being done properly, and the ways to make it real.
Symptoms of poor risk management
There will be lots of unique factors affecting every project. This means that each project has a unique set of risks. Even so, in general there are common symptoms of poor risk management:
- There is no understanding of the risks. This point obvious, but is a surprisingly common reality for many projects I see. Ask a group of project managers to tell you the risks on their projects and to see the risk log. It is amazing how often nothing at all is being done about risk.
- There is an old, outdated risk log. We have all been guilty of this on some projects. Some form of risk assessment is done at the start of the project. Risks are identified, categorised, assessed and some vague words are written down about what to do about them. The log is then filed away and largely forgotten about. Should anyone ask to see the risk log, an old dusty document is produced. It has never been updated since the start of the project! Be honest – I’m sure you’ve seen this lots of time.
- There is apparent compliance to risk management, but it results in no action. This is the hardest to spot, and is a common trait for many project managers, especially the less capable ones. A risk management process is defined, is active and a risk log is regularly maintained. Risk review meetings are held, but no real action ever occurs in response to those risks, and everyone looks very bored at the meetings. Risk management is done to achieve compliance to standards, rather than to achieve better project outcomes. In a way this is the worst situation of all, as effort is made, but nothing useful is done. You could argue it’s better to at least save the effort!
Making it real
Risk management is included as a project management practice because it adds value, but to add value it needs to be a real live activity. How can you tell if risk management is being really done? I think there are 4 fundamental characteristics of a project in which risk management is real:
- The project manager has the right mindset: one of the reason we need project management in the first place is because of the inherent risk in projects. If there were no risks then in many situations we would not need project managers. The ability to overcome risks is a key trait of great project management. Successful project managers are constantly aware of risk and alert for new risks. Unless the project manager really believes in the existence of risk, the value of risk management, and has a feel for risk – risk management won’t happen!
- The risk management process results in action: too many risk management processes are about creating paper trails, logs and spreadsheets – and ticking compliance boxes. Unless risk management results in deliberate action it is adding no value.
- The project plan reflects risks: there are small risks and big risks. All the big risks need to have some sort of mitigating actions – and those actions should be reflected in the project plans (or project backlog). The point of the plan is to shape the activity of the project team. If there are risks that need to be managed, this activity needs to include those related to risk management.
- The project manager understands the risk profile. Risks come and go. Events happen which increase or decrease risk. Some of these events are under the control of the project manager and some are not. But in simple terms at the start of a project, the project has a certain maximum risk profile. At the end of a successful project the risk, or at least the project delivery risk, is zero. Good project managers understand this profile through the life of the project and understand which actions or events change the risk profile as the project progresses. A great test for whether you are in control of risk or not is to ask yourself what are the key events or milestones on the project which align with a decrease in the overall delivery risk – and how does this trend over the projected life of the project. If you know this, then risk management is real.