Most of your project problems can be avoided or greatly reduced through risk management. The simple act of identifying and discussing risks goes a long way towards reducing problems in your project. So how do we start the risk management process?
During the planning process, project managers should define a risk management plan. The plan answers many questions:
- How will you identify risks?
- Who will be involved?
- How often will you perform risk management activities?
- What tools and techniques will you use?
- Who will own the project risks?
As you start, it’s a good idea to see whether organizational risk management assets are available. There is no need to reinvent the wheel. If you have a PMO, see if they have a risk management template. If not, check with other project managers.
Warning – do not use the same risk management plan for every project. The template simply provides a starting point. Work with your team to define or adapt the plan to the needs of your project.
The risk management plan should be commensurate with the size and complexity of your project. That is, for simple projects, your risk management plan may be a page or two. For large, complex projects, the plan may be much longer.
Work with your team to ensure healthy discussion about how you will manage risks. Much of the value of the plan is not in the physical document – it’s in the discussion and interaction with your team.
Risk management plans typically include:
- Project risk background – Describe how your project supports your company’s strategic plan and why the project is important. Is this project like other projects the company has completed in the past or is this project out of the ordinary (and therefore riskier)? How complex is the project? What parts of the project are most risky? How much experience does the team have in managing risks?
- Methodology – Describe the methods of how you will identify risks, assess risks, perform risk response planning, and monitor risks.
- Roles and responsibilities – Who will perform which risk management activities? Consider designing a responsibility chart/matrix. List roles such as project manager, risk owner, project team, and stakeholders along with their responsibilities.
- Timing – Define how often you will perform risk management activities. Standard practice is to review risks weekly during your project meetings. If you have an agile project, consider discussing risks for a couple of minutes in your daily stand-up meetings.
- Risk categories – Define the categories for your risks. Standard categories include schedule, scope, quality, and budget. You may find a risk breakdown structure (RBS) in the organizational process assets that provide a longer list of categories and sub-categories. (Companies with strong risk governance may require that you use a standard set of risk categories.)
- Definitions – Define risk management terms such as probability, impact, risk, issues, risk appetite, and risk tolerance. Defining probability and impact and your probability and impact scale (e.g., 1-10, 10 being highest) is critical to minimize bias in risk assessments/ratings.
- Risk attitude, appetite, and tolerance. What is management’s attitude toward risks in your project? Where do they want to take risks? Where are they risk adverse? How tolerant is management of schedule slippage? Is a schedule slippage of two weeks okay? How about four weeks? How about cost variance tolerance?
- Reporting format – What format will you use to report risks? What will you include?
For larger, more complex projects, you may wish to also include some of the following:
- How will risks be recorded/captured? In a spreadsheet, in SharePoint, in a project management tool?
- Will there be risk audits? If so, who will perform them? What is the purpose of the audits?
- Who will be responsible for risk reassessments/reviews?
- How will you calculate risk scores (e.g., probability x impact)?
- Will there be go/no go decisions during the project? If so, when?
- What tools and techniques will you use to identify risks, qualify risks, quantify risks, and monitor risks?
- Will you quantify risks? If so, which ones? The highest risks?
- How will lessons learned be documented? When? By whom? How will the lessons learned be shared with other project managers?
- How will you determine whether the project is performing well? What metrics will be monitored?
- Must organizational standards and policies such as an Enterprise Risk Management policy be followed? Who enforces this? How is the policy enforced?
Yes, it takes time to define a risk management plan. However, this may be the best investment in your project. Done properly, risk management saves time, reduces stress, and positions your team for success. Start with a solid foundation – start with a well-defined, management-approved risk management plan.
Question: What do you include in your risk management plan? Feel free to share any other tips in the comments.