Project risk management

he post How to identify project risks, covered a number of techniques to identify risks.  Like with most things in project management, management of project risks is not a “one-off” event that you complete, tick the box and then file.  In order to effectively manage risk, you must have active project risk management.

In order to do this, there are a number of steps the project team and PMO must complete on a continuous basis throughout the life of the a project.

1. Capture Risks

If you have invested time in identifying risks that could impact the delivery of a project, it is important that they are accurately captured and recorded.  The tool for this is the Risk Register.

The PMO should provide the risk register as this ensures that all of the risks across multiple projects will be captured using the same format.  This makes it much easier to compare risks on a like for like basis.  It also helps with the filtering a consolidation of risks so those requiring urgent attention are quickly highlighted.

Example project risk register templateProject Risk Register Template

2. Risk Value

All risks are not born equal – some will have a much bigger impact on a project than others.  Therefore, it is important that there is a standard approach for evaluating and valuing risk.

The PMO should take the lead by defining a clear and simple criteria for evaluating the probability and impact of a risk.  This ensures that the same criteria can be applied across multiple projects so that those that have the highest value can be quickly identified.

3. Regular Risk Review

Following the above 2 steps will mean that each project has a register of their risks.  The project manager should review the risks, ideally with other project team members, on a weekly basis.  A good place to do this is part of a regular project working group or team meeting.

The focus should be on all of the high value risks and those that are close or passed their target close dates.  Each one should be reviewed, updated or closed.

4. PMO Risk Reviews

In  similar way to the project teams reviewing the risks, the PMO should run extracts of the risk data looking for outstanding risks, those that have not been updated and the high value risks, to ensure action is being taken.  A good approach is for the PMO to have a regular catch-up with the project manager to discus risks.  If the PMO has sufficient resource, they could even attend the weekly project risk meeting to hear the updates first hand, provide help and challenge (not all project managers like this).

5. Risk Mitigation

There may be some high value risks with a high probability where it makes sense to take mitigating action i.e. a rented HR computer system is being placed by an internal system to provide new tax functionality for payroll.  There is a high probability that the internal system will be 3 months late.  The project manager may recommend that the contract on the rented system is extended 3 months.  If the internal system is delivered on time, the organisation has paid for 3 months additional rental.  However, the cost far outweighs the risk of not being able to process payroll.

Risk mitigation is a tricky area as, like with insurance, no one really wants to pay for it.  Therefore, a compelling case must be put together for any mitigation.  The clearer the case, especially the impact, the more chance of achieving sponsor support.  Where ever possible translate the impact into £, $, etc as this makes it real to the sponsor.

In summary

  • Clearly capture all risks in a standard format
  • Value risks using a standard criteria
  • Risk management is active and continuous
  • Mitigate high impact risk with a high probability