The Risk Management Process in Project Management

ProjectManager.com

Would you buy a T-shirt that said, “Risk Happens”?

If you answered yes, then you’re thinking like a project manager. Risk is part of your planning makeup. When you start the planning process for a project, one of the first things you think about is: what can go wrong?

It sounds negative, but it’s not. It’s preventative. Because issues will inevitably come up, and you need a mitigation strategy in place to know how to manage risks on your project.

But how do you work towards resolving the unknown? It’s sounds like a philosophical paradox, but it’s not. It’s very practical. There are many ways you can get a glimpse at potential risks, so you can identify and track risks on your project.

What is Risk Management on Projects?

Project risk management is the process of identifying, analyzing and then responding to any risk that arises over the life cycle of a project to help the project remain on track and meet its goal. Risk management isn’t reactive only; it should be part of the planning process to figure out risk that might happen in the project and how to control that risk if it in fact occurs.

A risk is anything that could potentially impact your project’s timeline, performance or budget. Risks are potentialities, and in a project management context, if they become realities, they then become classified as “issues” that must be addressed. So risk management, then, is the process of identifying, categorizing, prioritizing and planning for risks before they become issues.

Risk management can mean different things on different types of projects. On large-scale projects, risk management strategies might include extensive detailed planning for each risk to ensure mitigation strategies are in place if issues arise. For smaller projects, risk management might mean a simple, prioritized list of high, medium and low priority risks.

How to Manage Risk

Jason Westland, CEO, ProjectManager.com, offers his take on why you should care about project risk. He also offers some practical measures to apply to managing risk when in the midst of your project. To begin with, he notes, it’s crucial to start with a clear and precise definition of what your project has been tasked to deliver. In other words, write a very detailed project charter, with your project vision, objectives, scope and deliverables. This way risks can be identified at every stage of the project. Then you’ll want to engage your team early in identifying any and all risks. 

Devin Deen, Scrum expert and video trainer, says you can’t be afraid to get more than just your team involved to identify and prioritize risks. “Many project managers simply email out to their project team and ask their project team members to send them things they think might go wrong on the project, in terms of a risk to the project,” he says in his training video on how to plot project risk. “But what I like to do is actually get the entire project team together, some of your clients’ representatives on the project, and perhaps some other vendors who might be integrating with your project. Get them all in the room together and do a risk identification session.”

And with every risk you define, you’ll want to put that in your risk tracking template and begin to prioritize the level of risk. Then create a risk management plan to capture the negative and positive impacts to the project and what actions you will use to deal with them. You’ll want to set up regular meetings to monitor risk while your project is ongoing. It’s also good to keep communication with your team ongoing throughout the project. Transparency is critical so everyone knows what to be on the lookout for during the project itself

And if you’re not working in an organization with a clear risk management strategy in place? “Talk openly to your boss or project sponsor about risk,” Westland writes. “You want them to be aware of what risks are lurking in the shadows of the project. Never keep this information to yourself, you’ll just be avoiding a problem that is sure to come up later.”

be transparent about risk on a project

What is Positive Risk? 

Not all risk is created equally. Risk can be either positive or negative, though most people assume risks are inherently the latter. Where negative risk implies something unwanted that has the potential to irreparably damage a project, positive risks are opportunities that can affect the project in beneficial ways.

Negative risks are part of your risk management plan, just as positive risk should be, but the difference is in approach. You manage and account for known negative risks to neuter their impact, but positive risks can also be managed to take full advantage of them.

There are many examples of positive risks in projects: you could complete the project early; you could acquire more customers than you accounted for; you could imagine how a delay in shipping might open up a potential window for better marketing opportunities, etc. It’s important to note, though, that these definitions are not etched in stone. Positive risk can quickly turn to negative risk and vice versa, so you must be sure to plan for all eventualities with your team.

How to Respond to Positive Risk

Like everything else on a project, you’re going to want to strategize and have the mechanisms in place to reap the rewards that may be seeded in positive risk. Our contributor, Elizabeth Harrin, wrote about how to identify and respond to positive risk, in a recent post. She offered three tips:

  1. The first thing you’ll want to know is if the risk is something you can exploit. That means figuring out ways to increase the likelihood of that risk occurring.
  2. Next, you may want to share the risk. Sometimes you alone are not equipped to take full advantage of the risk, and by involving others you increase the opportunity of yielding the most positive outcome from the risk.
  3. Finally, there may be nothing to do at all, and that’s exactly what you should do. Nothing. You can apply this to negative risk as well, for not doing something is sometimes the best thing you can do when confronted with a specific risk in the context of your project.

“We’ve all been conditioned to think of risks as negative,” wrote Harrin. “But risk is a way to safeguard yourself by preparing for the possibility of failure or danger.” If you have prepared for risk, understand its potential to both serve and derail your project, then risk can help you widen the aperture and see things that may have beforehand been invisible.

not all risk on a project is bad

Managing Risk throughout the Organization

Can your organization also improve by adopting risk management into its daily routine? According to risk management expert Mike Clayton, the answer is a resounding, Yes! He notes that as a project manager you can help move your organization towards a stronger risk management culture through incorporating organizational learning from your previous projects.

Building a risk management protocol into your organization’s culture by creating a consistent set of standard tools and templates, with training, can reduce overhead over time. That way, each time you start a new project, it won’t be like having to reinvent the wheel. You’ll have a head start and a path already in place to more efficiently and quickly address the specific risks of your individual project.

Things such as your organization’s records and history are an archive of knowledge that can help you learn from that experience when approaching risk in a new project. Also, by adapting the attitudes and values of your organization to become more aware of risk, means your organization can develop a better sense of the nature of uncertainty as a core business issue. With improved governance comes better planing, strategy, policy and decisions.

“There are plenty of benefits to be gained from embedding risk management into the day-to-day practices of your organization,” Clayton writes. “These compound one-another to have an increasing effect on the overall health and performance of your organization.”

risk management for your organization

6 Steps in the Risk Management Process

So, how do you handle something as seemingly elusive as project risk management? The same way you do anything when managing a project. You make a risk management plan. It’s all about process.

Process can make the unmanageable manageable. You can take what looks like a disadvantage and turn it into an advantage if you follow these six steps.

Identify the Risk

You can’t resolve a risk if you don’t know what it is. There are many ways to identify risk. As you do go through this step, you’ll want to collect the data in a risk register.

One way is brainstorming or even brainwriting, which is a more structured way to get a group to look at a problem.

As noted earlier, you can tap your resources. That can be your team, colleagues or stakeholders. Find those individuals with relevant experience and set up interviews so you can gather the information you’ll need to both identify and resolve. It doesn’t hurt to speak with that person in your organization who is the glass is always half-empty type. Their doom-and-gloom perspective can be surprisingly helpful to see risks that might not be evident to everyone else.

Look both forward and backwards. That is, imagine the project in progress. Think of the many things that can go wrong. Note them. Do the same with historical data on past projects. Now your list of potential risk has grown.

As you’re identifying risk, you’ll want to make sure you that your risk register isn’t filling up with risks that are really outliers and not risks at all. Make sure the risks are rooted in the cause of a problem. Basically, drill down to the root cause to see if the risk is one that will have the kind of impact on your project that needs identifying.

When trying to minimize risk, it’s good to trust your intuition. This can point you to unlikely scenarios that you just assume couldn’t happen. Remember, don’t be overconfident. Use process to weed out risks from non-risks.

how to manage risk

Analyze the Risk

Okay, you’ve got a lot of potential risks listed in your risk register, but what are you going to do with them? The next step is to determine how likely each of those risks are to happen. This information should also go into your risk register.

When you assess project risk you can ultimately and proactively address many impacts, such as avoiding potential litigation, addressing regulatory issues, complying with new legislation, reducing your exposure and minimizing impact.

Analyzing risk is hard. There is never enough information you can gather. Of course, a lot of that data is complex, but most industries have best practices, which can help you with your analysis. You might be surprised to discover that your company already has a framework for this process.

So, how do you analyze risk in your project? Through qualitative and quantitative risk analysis, of course. What does that mean? It means you determine the risk factor by how it impacts your project across a variety of metrics.

Those rules you apply are how the risk influences your activity resources, duration and cost estimates. Another aspect of your project to think about is how the risk is going to impact your schedule and budget. Then there is the project quality and procurements. These points must be considered to understand the full effect of risk on your project.

PM Software for Risk Management

Prioritize the Risk

Not all risks are created equally. You need to evaluate the risk to know what resources you’re going to assemble towards resolving it when and if it occurs. Some risks are going to be acceptable. You would grind the project to a halt and possibly not even be able to finish it without first prioritizing the risks.

Having a large list of risks can be daunting. But you can manage this by simply categorizing risks as high, medium or low. Now there’s a horizon line and you can see the risk in context. With this perspective, you can begin to plan for how and when you’ll address these risks.

Some risks are going to require immediate attention. These are the risks that can derail your project. Failure isn’t an option. Other risks are important, but perhaps not threatening the success of your project. You can act accordingly.

Then there are those risks that have little to no impact on the overall project’s schedule and budget. Some of these low-priority risks might be important, but not enough to waste time on. They can be somewhat ignored, because sometimes you just should let stuff go.

Assign an Owner to the Risk

All your hard work identifying and evaluating risk is for naught if you don’t assign someone to oversee the risk. In fact, this is something that you should do when listing the risks. Who is the person who is responsible for that risk, identifying it when and if it should occur and then leading the work towards resolving it?

That determination is up to you. There might be a team member who is more skilled or experienced in the risk. Then that person should lead the charge to resolve it. Or it might just be an arbitrary choice. Of course, it’s better to assign the task to the right person, but equally important in making sure that every risk has a person responsible for it.

Think about it. If you don’t give each risk a person tasked with watching out for it, and then dealing with resolving it when and if it should arise, you’re opening yourself up to more risk. It’s one thing to identify risk, but if you don’t manage it then you’re not protecting the project.

Respond to the Risk

Now the rubber hits the road. You’ve found a risk. All that planning you’ve done is going to get implicated. First you need to know if this is a positive or negative risk. Is it something you could exploit for the betterment of the project?

For each major risk identified, you create a plan to mitigate it. You develop a strategy, some preventative or contingency plan. You then act on the risk by how you prioritized it. You have communications with the risk owner and, together, decide on which of the plans you created to implement to resolve the risk.

Monitor the Risk

You can’t just set forces against a risk without tracking the progress of that initiative. That’s where the monitoring comes in. Whoever owns the risk will be responsible for tracking its progress towards resolution. But you will need to stay updated to have an accurate picture of the project’s overall progress to identify and monitor new risks.

You’ll want to set up a series of meetings to manage the risks. Make sure you’ve already decided on the means of communications to do this. It’s best to have various channels dedicated to communication.

You can have face-to-face meetings, but some updates might be best delivered by email or text or through a project management software tool. They might even be able to automate some, keeping the focus on the work and not busywork.

Whatever you choose to do, remember: always be transparent. It’s best if everyone in the project knows what is going on, so they know what to be on the lookout for and help manage the process.

Risk management is complicated. A risk register or template is a good start, but you’re going to want a robust project management software to facilitate the process of risk management. ProjectManager.com is a cloud-based tool that fosters the collaborative environment you need to get risks resolved, as well as provides real-time information, so you’re always acting on accurate data. Try it yourself and see, take this free 30-day trial.

Back to Blog

More Posts Like This

Get the Best PM Tools for Your Team

Start a Free Trial