To any project manager, project risk management is one of the most critical aspects of project planning. You cannot start a project without fully understanding the risk in achieving your outcome.
Could you have a problem with your schedule? – Risk
Do you have a problem with your budget going over? – Risk
Did you find a way to fast-track your schedule without spending additional funds? – still a [positive] Risk
No other element of the project lifecycle, like risk, can lead to a project going over budget, falling behind schedule, or flat-out failing.
To understand the relationship between the project manager and the project risk manager, we must first go over project management and risk management in detail.
You can't go over it; You can't go around it...
Risks are with your project, day in and day out. Just like my son’s super catchy song off YouTube goes: “We can’t go over it, We can’t go under it, We have to go through it” — you too must learn to go through your risks.
Today’s blog will talk less about navigating the tall marshy grass (I know you just watched that YouTube video), but will give you an overview look into project risk management within the project management lifecycle. And I will end with why project risk managers are required for your projects.
What is Project Management?
To get a good idea of project management, we must first define a “project” – and to do some, we must refer to the handy Project Management Book of Knowledge, 7th edition, also known as the PMBOK 7. PMBOK 7 defines a project as:
“A temporary endeavor undertaken to create a unique product, service, or result.”
A project is a journey as you take an idea and turn it into a reality. A reality that could bring about a new concept in an organization, a new structure in getting things done, or even as simply as planning a weekend trip with family or friends.
The only thing you need for something to be a project is an idea with a start and a finish that ends in some form of a product, service, or result.
Now, project management has a slightly more technical definition. The PMBOK 7 defines project management as:
“The application of knowledge, skills, tools, and techniques to project activities to meet project requirements. Project management refers to guiding the project work to deliver the intended outcomes. Project teams can achieve the outcomes using a broad range of approaches (e.g. predictive, hybrid, and adaptive).”
We see here that project management is the skills, tools, and techniques required to accomplish a project. It is taking one of the project lifecycles and using that lifecycle to reach an end state. But, by the law of nature, risks await you throughout the process of getting from the beginning to the end.
And this is where risk management comes into action.
What is Risk Management on a project?
PMBOK 7 defines a Risk as:
“An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.”
Risks are uncertainties along your project. They come in many different forms and various impacts, whether those impacts are a positive risk or a negative risk.
An important aspect of risks is that they can be either positive (opportunities) or negative (threats). We naturally assume risks are bad and want to avoid them completely, but this is not always true.
An example of a positive and negative risk would be if, for your project, you require a key and limited resource for specific tasks within your project.
-
Negative risks: The resource is behind schedule on their current task, resulting in them not starting your specific task on time. This extends your project’s schedule, increases costs, and impacts your project’s success.
-
Positive risks: Same resources, but this time, the resource finishes their project tasks early, resulting in you being able to use the resource earlier. You, in turn, fast-track your project tasks, decreasing your overall project timeline, decreasing costs, and driving you toward your project success.
Projects can have positive and negative risks throughout the project lifecycle, and it is up to the risk manager to be conscious of potential project risks, put them into a risk register, and develop a risk mitigation plan. They do this by managing the project risk lifecycle.
What Are the 5 Steps To Manage the Project Risk Lifecycle?
Identify Risks
Perform Risk Analysis (Qualitative and Quantitative)
Plan Risk Responses
Implement Risk Responses
Monitor Risks
Like the project management lifecycle, the risk lifecycle is continuous throughout a project until project closure. Project team members should constantly be aware of and looking the potential impact of risks on their project scope, time, costs, etc. Now, you might be wondering how both project management and project risk management are
Key Connections Between Project Management and Project Risk Management.
So far, we have discussed the definitions and some details about project management and project risk management. But this blog is about “A Match Made in Strategy,” – so how are these two related?
If anything, it sounds like a toxic relationship at its best!
But project management and risk management are a match-made in strategy due to their similarities and ability to ensure your project meets all your objectives.
The Connection Between Project Management and Project Risk Management Starts in the Phases of Project Management:
Project Management has five phases:
Initiation
Planning
Execution
Monitor and Controlling
Closing
Initiation:
PMBOK 7 defines the Initiation Phase as:
“Those processes performed to define a new project or a new phase of an existing project by obtaining authorization to start the project or phase.”
The initiation phase is critical for project managers and the project team because it allows them to set the project’s initial and high-level goals.
At this time, leadership is working through the organization’s processes to initiate the project, including which lifecycle (waterfall, hybrid, agile) the project will embrace.
A critical item for project managers during the initiation phase is to identify and begin to understand the project’s stakeholders. A detailed analysis will happen during the Plan Stakeholder Management phase. However, reviewing the stakeholders to start building a plan for threats and opportunities will assist with the next step in Planning Risk Management.
Planning:
Planning is where the individual process group plans build the risk management plan. A plan that is included within the project management plan.
During initiation, the risk management plan defines the risk management process for use throughout the project lifecycle. Skipping or taking any type of shortcut during planning is a quick way to create risk early in the plan.
Which results in unneeded stress for the early stages of the project.
Although there is no set “must haves” in the risk management plan, the Practice Standard for Project Risk Management recommends:
-
Introduction
-
Project Description
-
Risk Management Methodology
-
Risk Management Organization
-
Roles, Responsibilities, and Authority
-
Stakeholder Risk Tolerance
-
Critieria for Success
-
Risk Management Tools and Guidelines For Use
-
Thresholds and Corresponding Definitions
-
Templates
-
Communications Plan
-
Strategy
-
Risk Breakdown Structure
This might seem like a lot of information. Luckily, if you are planning properly, all of this information should fall into place.
It does not matter if you are using an agile project management or waterfall lifecycle. The need still exists to view the risk management plan as the blueprint for how the risk management process will operate across the project team. It has everything you need to manage project risk properly. It encompasses everything from roles and responsibilities to the detailed risk breakdown structure.
And don’t forget, It is a best practice to create a Risk Management Plan.
If done properly, with the right details, and communicated across the team, the risk management plan will guide the team during the risk analysis, assign the risk owner, and communicate the risk to the team.
At this point, it is time to truly begin managing risk through the consolidation of risk across all process groups involved in planning (scope planning, schedule planning, cost planning, etc). Risks will start rolling in almost simultaneously while building and finalizing the risk management plan – you will be initiating your risk management artifacts (more on this later!).
Now that there is a plan in place and a good number of risks identified, you and your team can move into the project’s execution phase!
Execution:
During execution, this is where we see the “Proactive Over Reactive” mentality you see in The Risk Blog’s logo. Now is the time to take all the process group planning and put it into action.
Everything done up to this point with planning was done for this phase.
Monitor and Controlling:
All risks cannot be identified in the project’s planning phase. This will be an ongoing process as new risks are discovered and old risks are closed. Here, in monitoring and controlling, we see the fruits of our labor with risk management planning.
Throughout this phase, project managers are:
-
Consistently evaluating known risks for status changes
-
Evaluating risk triggers for risks that might occur soon.
-
Implementing risk responses for triggered or inevitably triggered risks
-
Looking for new risks and developing the risk responses for them
-
Discussing risk with risk owners and updating the risk register
Risk managers must monitor and control the risks throughout the project.
In a structured way, the team now looks for potential risks. There’s an evaluation of those risks against the risk matrix to determine the priority level of the associated risks. And finally a process to work through the documented process to find corrective actions for each new risk.
Closing:
Closing is an exciting time for the project manager. Hopefully, at this point, you and your team are kicking back to observe all the work you have done to meet the project’s initial goals and achieve a successful outcome. But before you open the email to see what future projects are out there, you need to officially close out your project and all your risk registers!
At the end of your project, all risks in the risk register need to formally closed. The team must evaluate all the risks and determine whether any positive or negative residual risk realizations impact the project’s outcomes.
At the end of the project, risks can stick around as residual risks. When this happens, you need to hand over the risks to the department of your company benefiting from the project. Let them know the risk and the possible outcome if the risk decides to materialize.
A lessons-learned analysis is the last and most important step in closing a project. For future, similar projects, a lessons-learned helps those projects to learn from your problems and successes. Helping them solve their risks in a similar (or maybe not so similar way).
Closing is exciting, but it still requires significant administrative work. The benefit comes from ensuring your company or organization get the most out of the project. When it is complete, hopefully you can kick back for a few minutes and get ready for that next project!
The Link Between the Project Risk Management and Project Management Ends With The Risk Management Life Cycle:
The key steps to project risk management lie in the lifecycle that sits within the project management process. The risk management lifecycle is an iterative process that evolves throughout the project and is how risk management happens throughout execution and during monitoring and controlling.
Do you remember the risk management lifecycle? If not, here they are again (so you don’t have to scroll up).
Plan Risk Management
Identify Risks
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Responses
Implement Risk Responses
Monitor Risks
Each area of this life cycle has detailed inputs, tools, techniques, and outputs detailed within the Project Management Institute, Process Groups: A Practice Guide. Now, let’s look at these life cycle steps below.
Plan Risk Management
Plan risk management is similar to the planning phase discussed before. This is where the project team determines how all the processes and details in the risk management plan will go into action.
This is where the signoff of the risk management plan happens. It is also where stakeholders get aligned with their initial risk appetite and attitude towards risk.
During the plan risk management phase, an important concept is leveling the team and the project stakeholders on all aspects around the risk approach, the risk responsibilities, the time of scheduled meetings, etc. This time needs to be a priority in syncing the team on how to handle risk management throughout the project.
This is also the best time to agree on the templates used throughout the project. The project team and stakeholders have an agreed approach on the documented risk status reports, the risk register, escalation procedures, and other risk-related tasks/documents within the risk management plan.
Doing all this work while just preparing for the project sounds intensive. However, having an agreed process for managing risks will not lead to rework when your stakeholders do not like your presentation material during the first stakeholder meeting.
Identify Risks
Now that we have set the stage, everyone understands their roles and responsibilities; we have templates, our qualitative and quantitative analysis procedures, and the risk management plan is published – we can start getting after risk identification!
Risk identification will frustrate and humble you – as they are like that ol Pokemon craze, you will want to “Catch Them All” but never get there. The goal during this process is to have risk meetings with your stakeholders, identify as many project risks as possible, and record the risks. Early identification of risks is key, but you will continue to discover risks throughout the project – so again, do not stress about “catching them all!”
During this process, you will not just identify your risks but also need to document them. This is another area not to get carried away. Writing risk statements for your risks is not the time to show your technical expertise or creativity in terminology, as you want your risk statements to be readable across your team.
In the Marine Corps, we had a saying for when things started getting too technical or complicated – “Keep It Simple Stupid” (also known as just KISS). To maintain some KISS while writing the risk statements, there are a few different methods to keeping them simple.
Cause -> Risk -> Effect: If we go over the speed limit, we could get a ticket, resulting in losing our driving privileges.
If -> Then: If we go over the speed limit, then we could end up with a ticket and lose our driving privileges.
There really are multiple ways to write these statements. The project team should determine how they are written on your project, documented in the risk management plan, and enforced within the risk register.
A great practice during this process is to pull up past projects similar to the one you are working on. This allows you to see what risks were encountered so that you can log them in your risk register for qualitative analysis.
And don’t forget that during risk identification, it is important to not just look for the bad – but identify the good! If you have a positive risk that can save money and improve your schedule, document it! You want to look for and log your positive risks just as much as you want to log the negative ones!
Perform Qualitative Risk Analysis
Now that you have done the work to identify your risks and logged them into the risk register, it is time to start analyzing the risks. This process starts with the Qualitative analysis, which is easier stated as a way to prioritize your project risks.
This is when you analyze the identified risks and add some weight to them to determine which ones will go into quantitative analysis. Finding the priority for risks can be based on multiple factors that the project manager and project team documented in the risk management plan.
A common practice is to do a Probability x Impact assessment of the risks – using a scoring system agreed upon by the team – risks are analyzed based on the probability of it happening and its impact on the project objectives.
Qualitative analysis is a process in bringing the chaos of a risk register – and putting it into a logistical and structured list for further analysis. Once the risks are stacked according to the parameters agreed on by the team and documented in the risk management plan, the team can start the qualitative analysis process.
Plan and Implement Risk Responses
Once risks are complete with quantitative analysis – they can move into the planning and implementing risk responses. Risk response strategies should be listed within the risk register, and the project team should understand the risk trigger, allowing for a timely and effective response.
The Practice Standard for Project Risk Management lists multiple risk response strategies. The project manager must understand how to apply these strategies to successfully manage risks.
Risk Response Strategies:
Avoid a threat, Exploit an opportunity
Transfer a threat, Share an opportunity
Mitigate a threat, Enhance an opportunity
Escalate a threat or an opportunity
Accept a threat or an opportunity
Which strategies are used depends on the project, the risk owner, and the risk’s impact on the project’s objectives.
Monitor and Control Risks
Finally, we make it to the monitor and control risk management process – the part of this flow that makes the risk register a living document as risks are continuously identified, analyzed, planned, and implemented. The key factor around monitoring and controlling risks is that while the project evolves, additional risks will come into play – starting the whole risk management lifecycle over again.
Monitoring and controlling risks does not stop until the project is complete, signed off, and documented. All risks should be closed out at the end of the project, even if they were not realized – and everything should be documented as lessons learned for future projects within the organization.
Importance of Integration between the Project Manager and Risk Manager
The above analysis was only a small test dive into project risk management. Some concepts were not covered as deeply as possible, and others were omitted from this blog. There is much more happening within the risk management process and the project management process as well.
Project management includes risk management, but the project management professionals running around an organization have multiple responsibilities. Cost, scope, timelines, meetings, briefs, stakeholders, etc., the project manager cannot accomplish all these tasks themselves.
This is where the risk manager comes into the picture. They run this entire risk management process from front to back, ensuring project risks do not hinder project success. Having a risk manager takes the pressure off the back of the project manager, leading to a team focused on one mission: meeting the project objectives.
Conclusion
Organizations need project risk managers just as much as they need project managers. These two positions are deeply intertwined during the project – and are the true keys to a successful project.
Risks are inevitable. Risk management is time-consuming, technical, and costly if not done right – the project manager handles the strategic picture, and the risk manager handles risk management – making these two roles a match made in project management.
The Risk Blog is reader supported – Please consider contributing to the operating costs of running this blog!
