Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Golden rules for effective project risk management

Managing project risks is not only an important element of enterprise risk management; it can also help prevent the threats to business continuity that project failures can engender. Failed projects result in financial and opportunity losses as well as potentially severe reputation damage; all of which can threaten the continuity of the business. In this article Bart Jutte provides ten ‘golden rules’ for successful project risk management. They are based on the personal experiences of the author who has been involved in projects for over 15 years.

The 10 golden rules:

Rule 1: Make risk management part of your project
The first rule is essential to the success of project risk management. If you don’t truly embed risk management in your project, you cannot reap the full benefits of this approach. Some projects ignore risk management. The project managers are either ignorant, running their first project, or they are somehow confident that no risks will occur in their project (which of course will happen). Some people blindly trust the project manager, especially if he (usually it is a man) looks like a battered army veteran who has been in the trenches for the last two decades. Professional companies make risk management part of their day to day operations and include it in project meetings and the training of staff.

Rule 2: Identify risks early in your project
The first step in project risk management is to identify the risks that are present in your project. This requires an open mind-set that focuses on future scenarios that may occur. Two main sources exist to identify risks: people and paper. People are your team members, each bringing along their personal experiences and expertise. Other people to talk to are experts outside your project that have a track record with the type of project or work you are facing. They can reveal some booby traps you will encounter or some golden opportunities that may not have crossed your mind. Interviews and team sessions (risk brainstorming) are the common methods to discover the risks people know about. Paper is a different story. Projects tend to generate a significant number of (electronic) documents that contain project risks. They may not always have that name, but someone who reads carefully (between the lines) will find them. The project plan, business case and resource planning are good starters. Other sources of risk information are old project plans, your company intranet and specialized websites.

Are you able to identify all project risks before they occur? Probably not. However if you combine a number of different identification methods, you are likely to find the majority.

Rule 3: Communicate about risks
My experience is that project managers of failed projects were often unaware of the big hammer that was about to hit them. However, often someone within the project organization actually did see that hammer, but didn’t inform the project manager of its existence. If you don’t want this to happen in your project, you need to pay attention to risk communication.

A good approach is to consistently include risk communication in the tasks you carry out. If you have a team meeting, make project risks part of the default agenda (and not the final item on the list!). This shows that risks are important to the project manager and gives team members a ‘natural moment’ to discuss them and report new ones.

Another important line of communication is that of the project manager and project sponsor or principal. Focus your communication efforts on the big risks here and make sure you don’t surprise the boss or the customer!

Also take care that the sponsor makes decisions on the top risks, because usually some of them exceed the mandate of the project manager.

Rule 4: Consider both threats and opportunities
Project risks have a negative connotation: they are the ‘bad guys’ that can harm your project. However modern risk approaches also focus on positive risk taking: the project opportunities that are there to be grasped. These are the uncertain events that are beneficial to your project and organization. These potential ‘good guys’ can make your project faster, better and more profitable.

Unfortunately, lots of project teams struggle to cross the finish line, being overloaded with work that needs to be done quickly. This creates project dynamics where only negative risks matter (if the team considers any risks at all). Make sure you create some time to deal with the opportunities in your project. Chances are that you will see a couple of opportunities with a high pay-off that don’t require a big investment in time or resources.

Rule 5: Clarify ownership issues
Some project managers think they are done once they have created a list of risks. However this is only a starting point. The next step is to make clear who is responsible for which risk! Someone has to feel the heat if a risk is not taken care of properly. The trick is simple: assign a risk owner for each risk that you have found. The risk owner is the person in your team that has the responsibility to optimize this risk for the project. The effects are really positive. At first people usually feel uncomfortable that they are actually responsible for certain risks, but as time passes they will act and carry out tasks to decrease threats and enhance opportunities.

Ownership also exists on another level. If a project threat occurs, someone has to pay the bill. This sounds logical, but it is an issue you have to address before a risk occurs. Especially if different business units, departments and suppliers are involved in your project, it becomes important to know who bears the consequences and has to empty his/her wallet. An important side effect of clarifying the ownership of risk effects is that line managers start to pay attention to a project, especially when a lot of money is at stake. The ownership issue is equally important with project opportunities. Fights over (unexpected) revenues can become a long-term pastime of management.

Rule 6: Prioritize risks
A project manager once told me “I treat all risks equally”. This makes project life really simple. However, it doesn’t deliver the best results possible. Some risks have a higher impact than others. Therefore, you need to spend more time on the risks that can cause the biggest losses and gains. Check if you have any showstoppers in your project that could derail your project. If so, these are your number one priority. The other risks can be prioritized on gut feeling or, more objectively, on a set of criteria. The criteria most project teams use consider the effects of a risk and the likelihood that it will occur. Whatever prioritization measure you use, use it consistently and focus on the big risks.

Rule 7: Analyze risks
Understanding the nature of a risk is a precondition for a good response. Therefore take some time to have a closer look at individual risks and don’t jump to conclusions without knowing what a risk is about.

Risk analysis occurs at different levels. If you want to understand a risk at an individual level it is most fruitful to think about the effects that it has and the causes that can make it happen. Looking at the effects, you can describe what effects take place immediately after a risk occurs and what effects happen as a result of the primary effects or because time elapses. A more detailed analysis may show the order of magnitude effect on a specific project category: such as costs, lead time or product quality. Another angle to consider is to focus on the events that precede a risk occurrence: the risk causes. List the different causes and the circumstances that decrease or increase the likelihood.

Another level of risk analysis is to investigate the entire project. Each project manager needs to answer the usual questions about the total budget needed or the date the project will finish. If you take risks into account, you can do a simulation to show your project sponsor how likely it is that you will finish on a given date or within a certain time frame. A similar exercise can be done for project costs.

The information you gather in a risk analysis will provide valuable insights into your project and the necessary input to find effective responses to optimize the risks.

Rule 8: Plan and implement risk responses
Implementing a risk response is the activity that actually adds value to your project. Risk responses prevent a threat from occurring or minimize negative effects if the risk happens. Execution is key here. The other rules have helped you to map, prioritize and understand risks. This will help you to make a sound risk response plan that focuses on the big wins.

If you deal with threats you basically have three options: risk avoidance; risk minimization; and risk acceptance. Avoiding risks means you organize your project in such a way that you don’t encounter a risk anymore. This could mean changing supplier or adopting a different technology or – if you have to deal with a critical risk - terminating a project; spending more money on a doomed project is a bad investment.

Rule 9: Register project risks
This rule is about book keeping (however don’t stop reading). Maintaining a risk log enables you to view progress and make sure that you won’t forget a risk or two. It is also a perfect communication tool that informs your team members and stakeholders what is going on (Rule 3).

A good risk log contains risks descriptions, clarifies ownership issues (Rule 5) and enables you to carry out some basic analyses with regard to causes and effects (Rule 7). Most project managers aren’t really fond of administrative tasks, but doing your book keeping with regards to risks pays off, especially if the number of risks is large. Some project managers don’t want to record risks, because they feel this makes it easier to blame them in case things go wrong. However the reverse is true. If you record project risks and the effective responses you have implemented, you create a track record that no one can deny: even if a risk happens that derails the project.

Rule 10: Track risks and associated tasks
The risk register you have created as a result of Rule 9, will help you to track risks and their associated tasks. Tracking tasks is a day-to-day job for each project manager. Integrating risks tasks into that daily routine is the easiest solution. Risk tasks may be carried out to identify or analyze risks or to generate, select and implement responses.

Tracking risks differs from tracking tasks. It focuses on the current situation of risks. Which risks are more likely to happen? Has the relative importance of risks changed? Answering these questions will help you pay attention to the risks that matter most for your project value.

The 10 golden risk rules above give you guidelines on how to implement risk management successfully in your project. However keep in mind that you can always improve. Therefore Rule number 11 would be to use the Japanese Kaizen approach: measure the effects of your risk management efforts and continuously implement improvements to make it even better.

Author: This article is a management summary of the ‘Project Risk Management Handbook’ written by Bart Jutte and is published with permission. The book can be obtained from Amazon and other book sellers. The article is © CONCILIO. All rights reserved.

•Date: 10th August 2012 • World •Type: Article • Topic: Enterprise risk management

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here