As a project manager, one of your perennial concerns is risk and how to manage it actively. You spend a lot of time on your project identifying what can go wrong, which risks are the more serious, how you can manage them, and overseeing the actions of your team to mitigate the threats they impose.
We’ve written before on what constitutes positive risk, particularly in the context of project management, but as a project manager, it has always felt to me as though risk management is swimming against the tide of the organization in which I am working. It is the project that creates and imposes the discipline on a blank canvas – at best a willing one, but frequently against some resistance. Risk management can feel like hard work.
Yet this should not be so. Intellectually, everyone knows it is a “good thing.” Many people recognize how much an organization could gain by adopting the risk management into its daily routine: its operating procedures. And, from your perspective, as a project manager, if you could help move your organization towards a strong risk management culture it would make it easier for you to incorporate organizational learning from previous projects into your plan.
Typical Benefits of a Strong Risk Management Culture
There are plenty of benefits to be gained from embedding risk management into the day-to-day practices of your organization. These compound one-another to have an increasing effect on the overall health and performance of your organization.
Systems and Procedures
Building risk management into your culture will reduce the overhead of imposing risk management on each new project, by creating a consistent set of standard tools and templates. It also becomes easier to optimize these over time, to work efficiently within your wider culture. And, if you are able to introduce training – or simply familiarity – to a wider group of colleagues, you will see greater consistency in their application.
Records and History
One of the challenges of risk identification and estimation is accessing historic knowledge. Once risk management is a part of your organizational culture, you will start to build an archive of knowledge, from which to learn from past activities. Patterns and trends may start to emerge, that can be used to adjust planning and processes, and inform benchmarks and metrics. You should start to see budget and schedule estimates improve, and over-runs therefore reduce.
Attitudes and Values
Prudent behavior is an obvious outcome of a more risk-aware culture. The subtler outcome will be better decision-making. It will be informed by more data, and also by a greater understanding of the nature of uncertainty. You will start to see more consistency in the evaluation of scenarios, placing risk as a core business issue, rather than a stand-alone and maybe annoying side concern.
Probity and Control
The big wins come from improved governance, with little or no cost and time overhead. The attitude of evidence-based planning, strategy-development, and policy-making will lead to more robust decisions, with conscious choices around risk profile. And risk methodologies will also contribute to improved oversight and transparency around high-risk decisions.
Building-blocks of a Strong Risk Management Culture
The three foundations for a risk-aware and risk-responsible culture are:
- a strong process
- supporting infrastructure
- people who will implement it
Your people must have the commitment, capability and tools to get it right.
There are seven building blocks from with to create this cultural change.
As with all change, establishing this culture needs commitment from the top of your organization. This is not just senior management, but the people who oversee them: ministers and elected officials in the public sector, trustees in the charitable sector, and non-executive directors in the private sector. No amount of process and best practice, nor tools and templates will succeed, if people at the top do not conspicuously value the principle of good risk management.
A risk culture needs underlying policies, but keep them as light as you can. They need to reflect the nature of your organization and the risks it faces. Crucially, your policies should identify responsibilities at the highest levels and, in particular, who at top level will sponsor the introduction and maintenance of risk management. The governance implications imply that you will need to think about how risk will be monitored at Board level.
Develop processes that also match the needs of your organization. You will do better with a concise process that is well used than a comprehensive one that is soon abandoned or used infrequently. They need to be clearly documented and widely disseminated, and kept under periodic review.
Perhaps most important is the need to integrate your processes with: supporting infrastructure like tools, templates, contract forms and technology, reporting and escalation processes and how you communicate with your organization and stakeholders, your existing project and program management processes, and all your organizational process for knowledge management and staff training and induction.
Build a set of tools to meet your organization’s needs. The most fundamental will be a risk register, but you will find many more, all the way up to complex and costly enterprise-scale software products.
Set up training and learning programs to create a cadre of capable people who share a common understanding, language, and toolset. After training, create opportunities to use their new knowledge and develop their skills, judgment and awareness. Maintain their professional development by encouraging sharing of experiences and learning.
The old saying “what gets measured gets managed” is true here. If you do not monitor and gather data on risk management activities, then there will be little incentive for people to comply. Likewise, if senior management and the governance bodies of your organization do not review what these data are telling them and act on what they learn, then poor performance will be tolerated. Use simple incentives and, above all, ensure that people know what is expected of them and that this expectation is a part of their terms and conditions of employment.
As a project manager, I don’t need to tell you about the imperative to embed these changes into the full range of organizational processes. Part of this is also the creation of a review cycle to learn from experiences and adjust your risk practices You may also find it helpful to compare yourselves with other organizations, to benchmark your performance in adopting the culture and applying your processes.
The Steps Along the Way
As a project manager, you are doubtless thinking: this all sounds good… but where’s the plan? In this last section, I’ll offer you an outline work plan, in the form of a work breakdown structure, from which you can create something tailored to the needs of your organization.
- Find your sponsor.
The process must start with someone at a very senior level taking ownership.
- Win top-tier commitment
Your sponsor must win support across the top of the organization among executive and non-executive leaders.
- Access resources and budget
Commitment must be conspicuous to all and backed up by funding and resources.
- Communicate the Imperative
Start communicating the imperative and intent early on.
- Stakeholder engagement
Identify and analyse stakeholders and build a thorough communications plan.
Create a reporting process to ensure your sponsor and senior team can monitor and guide progress.
- Create a team
Find people with the right breadth of skills and experience to work on the project.
- Brief your team
You want to create a common understanding and, if necessary, provide training or other development opportunities
- Build depth of understanding
Research your work through reading and speaking with colleagues. Make contact with other organizations and arrange site visits.
- Create the basic process and basic supporting tools
- Make them ‘Good’
Test and refine them, but do not aim for perfect.
Get your process and toolset out into the organization to test them.
- Create quick wins
Look for opportunities to demonstrate the value of what you are doing.
- Communicate successes widely
- Engage champions
Look for enthusiasts from among the people who have seen success, and engage them to spread the word.
Learning and Development
- Evaluate pilot
Discover what works and what does not.
- Enhance your initial process and tools
Develop the processes and tools, and supplement with more tools.
- Develop briefing and training materials.
Create a training programme and schedule staff to attend modules designed for their work.
Maintain your communication process relentlessly.
- On-going support
Set up mechanisms to support practitioners who are using your new processes and tools.
Embedding and Reviewing
- Assess progress periodically.
- Scan your business, political and competitive environment for changes that should inform regular reviews of your processes, tools, and decision criteria.
- Consolidate performance and reward successes.
Call to Action
As a project manager, risk management is in your blood. You are used to imposing its discipline on the uncertainty and pressures of a project environment. But here is your chance to achieve two things at the same time: to make your life easier by building a culture you can draw upon in future projects, and to enhance your organization’s wider performance. Whilst this kind of culture change is ever easy, this is not a costly initiative. I urge you to consider it.
One way to avoid unnecessary risk in a project is by making sure you’re equipped with the proper tools for the job. ProjectManager.com is a collaborative, online software solution that helps you manage from planning and monitoring to reporting on a project. Take this free 30-day trial and see for yourself.