The Risky Business of Project Management

Undertaking any project, whether in-house or in partnership with a professional services firm, entails risk. Project risk is defined as any area of concern that could prevent a project from achieving all of its benefits. Project risk requires careful management and involves identification, assessment, and mitigation.

Identifying Risk

It is important at the beginning of any project to go through the risk identification process. Not all project risks are obvious. When identifying risks, look for areas in the project that are based on:

1. Insufficient or unreliable data
2. Insufficient preparation
3. Inadequate resources
4. Lack of control

Pay especially close attention to the following:

• Identification of requirements
• Involvement of project sponsorship
• Level of project management experience
• Third party involvement
• Political/cultural environment
• Change control procedures and management
• Complexity of the technology

The Assessment

Process Risk identification is only the first step. Risks need to be assessed to quantify and prioritize them according to their impact on the project. Keep in mind significant professional judgment is required during the assessment process to quantify the magnitude of potential negative impact and to develop risk control measures. The assessment process should determine:

1. The likelihood of the risk occurring
2. The range of outcomes
3. The estimated timing of the risk
4. The frequency with which it will occur

It should also determine the warning signs of the risk that will forecast that the occurrence of the risk is imminent. The prioritized risks provide the basis for establishing Project Success Factors (PSFs). Specific action plans are developed to address each PSF. For example, assume that required key policy changes are a high risk. An action plan must be developed to:

• Focus on thorough and frequent communications
• Implement a steering committee structure
• Obtain strong support for the project team from executive management
• Stress the benefits of the project
• Identify training needs early

Once risks have been identified and assessed, mitigation plans should be developed. The plans document what the response will be when a risk event occurs. Keep in mind that a mitigation plan might be to do nothing to mitigate the risk. The need is to accept that a risk exists and to be prepared to deal with the consequences when and if it happens. This type of action plan typically applies to low priority/minimal project impact risks. A mitigation plan should outline “Plan B” for the project area impacted by the risk. Identifying Plan B prior to having to execute it will help avoid increasing the negative impact of the risk event or causing other unknown risks to occur.

Risk Management Must Be Ongoing

An effective risk management process means choosing and implementing risk-control strategies that work. Identifying, assessing, and developing mitigation plans are not one-time events. These processes need to occur throughout the life of the project. As the project progresses and project risk changes occur, documentation resulting from the identification, assessment and mitigation planning processes need to be updated.