Protection through PMO risk management planIf you ask a project management what are their responsibilities, very high on the list will be the identification and management of risks. The reason being that risks have the ability to derail the best laid plans of a project.

This statement is true. Risks have a nasty habit of becoming issues that impact the progress of the project and, in extreme cases, can cause the project to fail. This is not career enhancing for the project manager.

In numerous articles, books, training, videos, etc you will find information on how to capture risks. It will also include how they should be reviewed and managed on a regular basis. This is very good practice and you can read more information in post Project Risk Management. However, not all of them include the step of risk mitigation planning. This is a shame as this is a powerful tool for the project manager.

Before exploring Risk Mitigation Planning, I want to take a moment considering the typical approach to risk management.

  • Step 1: Project team identify and grade risks
  • Step 2: Risks are reviewed and mitigating action identified
  • Step 3: Risks mitigated where deemed appropriate
  • Step 4: Risks monitored on regular basis

This is a solid approach. However, in many cases, mitigating action is identified but usually most sponsors do not agree to mitigate as it usually costs money and may not be needed. Like with insurance policies, no one wants to pay money for insurance until their jewelery is stolen!

So given that a sponsor will be reluctant to authorize mitigation activity, the project manager needs a back-up plan. This comes in the form of the Risk Management Plan.

Risk Management Plan

While this is called the risk management plan, it’s focus is on dealing with issues. When a risk event occurs and impacts the project, it ceases being a risk (something that may happen) and becomes an issue (something that has happened).

For all of the high probability, high impact risks, work with the team to formulate a plan of what you will do if the risk becomes an issue. Now it is important to note that this is NOT the same as risk mitigation.

Risk Mitigation

Action you take to mitigate the impact of a risk. For example, you may decide to engage a 3rd party to build an interface for a system if there is a high probability the in-house interface will not be delivered in time.

Risk Management Plan

Action you take when the risk becomes an issue. Taking the implementation of the interface. The decision has been taken to build in-house, it has been decided not to mitigate by getting a 3rd party to build a solution in parallel.

So if the risk that the interface will not be delivered on time becomes true, the issue that needs to be handled is that the interface will be late.

Therefore, as there will probably no time to engage a 3rd party to build, the Risk Management Plan should contain the tasks that will be performed to address the issue.

Capturing Risk Management Plan

  • The inputs to the process should be the high probability, high impact risks identified during the ongoing risk identification process.
  • Review the list and identify the risks that need to have management plan.
  • Set up sessions with the resources who are best placed to consider how the risk will be managed if it becomes an issue. Note: you may need to set-up different sessions for each risk as they may need resources with different skills.
  • Make sure that everyone understands the risk and agrees the impact. Then walk through the steps of what will probably happen if the risk becomes an issue. The aim is to consider all aspects so that a set of response actions can be established.

The reason for going through these steps is to come up with a plan ahead of the risk becoming an issue. The benefit of this is that the approach can be established when the team has more time and is not under pressure.

Take a moment to think of the alternative. The project team is working at 100% capacity to reach critical milestones. A high impact risk becomes an issue. The project team are then in crisis mode and need to divert their attention to understanding the problem and establishing a course of action. As they are under pressure, the decision making process is compromised.

The outcome is that the issue takes longer to resolve as the wrong course of action was taken at the start, more time reviewing options before the correct solution identified. Oh and the original milestones the team was working on has been missed.

Now look at the same scenario with a Risk Management Plan. The risk becomes an issue, the team review the issue, refer to the Risk Management Plan and follow the predefined course of action that has been developed when the team is not under pressure. Yes, time is still lost.

However, it takes a lot less time and the team are able to return to the original milestones with minimal delays.
Risk Management Plan Template

This typically takes the form of a spreadsheet or word processor document. I personally like a word processor document as it allows more space to capture the required information.

The document does not have to be overly complicated. All it needs to capture is:

  • Risk
  • Impact
  • Action Plan (with owners)

The plan should be reviewed and updated at least when a new high impact, high probability risk is identified.

In summary

While it takes a lot of effort to build Risk Management Plans, for critical projects it is worth it as it will provide a better chance of success. It is also good for the career as it will demonstrate to your managers that you are a very insightful project or PMO manager.