Category Archives for 4=Control

Evaluating Risks Using Qualitative Risk Analysis

Have you ever endured a project meeting where you spent hours evaluating risks? Afterward, team members walked down the hall saying, “What a waste of time! Now I can get back to the real work.” Today, let’s discuss the use of qualitative risk analysis to get you back on track.

What causes this frustration? First, the evaluation process may not fit the project – too complex for simple projects or deficient for large, complex projects. Second, the process may not fit the maturity level of the project team. Third, team members view the process as burdensome with little value.

Business people in a meeting analyzing content

Qualitative Risk Analysis

What is Risk Evaluation?

Risk evaluation is the process to determine the significance of each risk. There are two ways to evaluate risks:

  1. Qualitative Risk Analysis. Qualitative analysis such as rating probability and impact should always be performed. This allows you to quickly prioritize and rank your risks.
  2. Quantitative Risk Analysis. Quantitative analysis is not always performed. This analysis requires more time but provides more data to aid in making decisions. (We will cover quantitative evaluations in another post.)

Watch this YouTube Video: Qualitative and Quantitative Risk Analysis: What’s the Difference?

Watch this YouTube Video: Two Simple Methods to Analyze Project Risks Qualitatively

Why Evaluate/Prioritize Project Risks?

You cannot respond to all risks, neither should you. Prioritization is a way to deal with competing demands. This aids in determining where you will spend your limited time and effort.

We evaluate in order:

  •  To have the greatest impact. Eighty percent of the impact will come from twenty percent of the risks. What are the vital few things that we should do that will have the greatest impact on minimizing threats and maximizing opportunities?
  •  To respond wisely and appropriately. The goal of evaluating risks is to discriminate between one risk and another. This aids us in determining the amount of effort to invest in developing response plans.
  •  To assign resources suitably. Assign your most skilled, knowledgeable resources to the projects with the greatest risk.
Continue reading

How to Build and Use a Risk Register

picture of a risk register and watchProject managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers? Let’s consider a simple but powerful tool to capture and manage your risks—the Risk Register.

What to Include in a Risk Register

The Risk Register is simply a list of risk-related information including but not limited to:

  • Risk Description. Consider using this syntax: Cause -> Risk -> Impact. For example: “Because Information Technology is updating the testing software, the testing team may experience an unstable test environment resulting in adverse impacts to the schedule.”
  • Risk Owner. Each risk should be owned by one person and that person should have the knowledge and skills to plan and execute risk responses.
  • Triggers. Triggers indicate when a risk is about to occur or that the risk has occurred.
  • Category. Assigning categories to your risks allows you to filter, group, analyze, and respond to your risks by category. Standard project categories include schedule, cost, and quality.
  • Probability Risk Rating. Probability is the likelihood of the risk occurring. Consider using a scale of 1 to 10, 10 being the highest.
  • Impact Risk Rating. Impact, also referred to as severity or consequence, is the amount of impact on the project. Consider using a scale of 1 to 10, 10 being the highest.
  • Risk Score. The risk score is calculated by multiplying probability x impact. If the probability is 8 and the impact is 5, the risk score is 40.
  • Risk Response Strategies. Strategies for threats include: accept the risk, avoid the risk, mitigate the risk, or transfer the risk. Strategies for opportunities include: accept the risk, exploit the risk, enhance the risk, or share the risk.
  • Risk Response Plan or Contingency Plan. The risk owner should determine the appropriate response(s) which may be executed immediately or once a trigger is hit. For example, a risk owner may take immediate actions to mitigate a threat. Contingency plans are plans that are executed if the risk occurs.
  • Fallback Plans. For some risks, you may wish to define a Fallback Plan. The plan outlines what would be done in the event that the Contingency Plan fails.
  • Residual Risks. The risk owner may reduce a risk by 70%. The remaining 30% risk is the residual risk. Note the residual risk and determine if additional response planning is required.
  • Trends. Note if each risk is increasing, decreasing, or is stable.

Other Risk Register Tips

The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.

The risk management processes include: 1) plan risk management, 2) identify risks, 3) evaluate/assess risks, 4) plan risk responses, 5) implement risk responses, and 6) monitor risks.

The initial risk information is entered when identifying risks in the planning process. For example, project managers may capture initial risks while developing the communications plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.

As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.

Next, validate risk owners and have risk owners complete response plans.

Lastly, review and update your risks during your team meetings. Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.

Other Resources:
Risk Register Template

Project Risks and Issues – What’s the Difference?

Do you find yourself working overtime, trying to deal with unexpected disruptions? Some negative events that you thought might happen has now occurred. And it's costing you more time and energy than you thought possible. Overwhelmed? Well, let's talk about project risks and issues, the differences, and why it's so important to manage risks.

What is Risk?

The Project Management Body of Knowledge (PMBOK) defines risk as, “An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.” 

Let's examine a risk statement and underscore some key attributes of risks. Here's a risk statement:

Because the project team failed to review the requirements with the users, the project team may not meet the user's needs, resulting in unsatisfied users.

  • Cause: Failure to review and validate the requirements
  • Risk: Project team may not meet the user's needs
  • Impact: Users will not be satisfied with the product

Notice the risk: project team may not meet the user's needs. Think of risk as events or conditions that might happen in the future.

What is an Issue?

So, how does an issue differ from a risk? Where a risk might happen, an issue has happened. When a threat occurs, it becomes an issue or problem. By the way, when an opportunity occurs, it becomes a benefit

Why Distinguish a Risk from an Issue?

Are we splitting hairs? The distinction between risks and issues matters for a few reasons.

  • Proactive Management Saves Time. “An ounce of prevention is worth a pound of cure.” Project managers should manage risks proactively. Project managers can save valuable time through prevention. As often noted, Project managers can eliminate up to 90% of threats through risk management.
  • Measure of Management Effectiveness. If a project manager is experiencing lots of issues, it may be a sign that the project manager has not been managing the project effectively. 
  • Different Type Response. Issues require a different response than threats. Project managers respond to threats with different strategies: avoid, mitigate, accept, or transfer. Issues require corrective action to bring the performance of the project in alignment with the project management plan. 

Risk vs. Issue Debate

Some project managers and risk managers are not convinced that the differentiation between risk and issue adds any value. Even though the risk has occurred (i.e. it is now an issue in terms of the differentiation) there is still uncertainty regarding the impact and the objectives that will be impacted. 

What about Assumptions and Constraints?

While we are on this topic, let's clarify two other terms—assumptions and constraints.

  • Assumptions. Assumptions are “a factor in the planning process that is considered to be true, real, or certain, without proof or demonstration” according to the Project Management Body of Knowledge. Assumptions may be a source of risks. Be sure to perform an assumption analysis periodically to validate assumptions.
  • Constraints. A constraint is “a limiting factor that affects the execution of a project, program, portfolio, or process.” Constraints such as a budget or schedule constraints are factual. The project manager must continually consider these defined limits when managing risks, particularly when planning risk responses.

How to Create a Cause and Effect Diagram

Do you have problems? Projects running behind schedule? Cycle time for a business process increasing? Sales down? People continuing to live in silos? Let's discuss a simple but powerful tool for solving problems - the Cause and Effect Diagram (alias Fishbone Diagram).

Steps to Create a Cause and Effect Diagram

  1. Identify and clarify the problem. State the problem objectively. Ask questions concerning the problem. As Jack Welch said, “Continually expand your definition of the problem, and you expand your view of all the different ways that it can be solved.” Write out the problem or effect on the far-right-hand side of the diagram. Draw a horizontal line (the spine of the fish) to the problem.
  2. Identify the cause categories. For example, use the 4 M categories: Machine, Method, Materials, Manpower. Add the categories to the diagram. Draw diagonal lines (bones of the fish) to each category.
  3. Brainstorm causes for each category. Add causes to the appropriate category lines.
  4. Identify the most significant causes.  Ask the team to identify the most significant causes. Remember the Pareto Principle - 80% of the problem comes from 20% of the causes.
  5. Define the risk response plan. What can be done to eliminate or reduce the most significant causal factors? Who will be responsible for taking actions? When are the actions due? 
rocket

“A problem well-defined is a problem half-solved.” -Anonymous

Power Tips for Cause and Effect Diagrams

  1. Invite creative problem solvers who lack knowledge of the problem domain. Does this sound counterintuitive? Your team members may have deep-seated thoughts and assumptions about problems. Ask someone unfamiliar with the problem to participate in the session. Invite them to challenge the norm and inject a different perspective.
  2. Resist the temptation to solve the problem when identifying the problem and causes. Many people prematurely jump to solutions before understanding the problem and causes. Seek first to understand.
  3. Dig deeper in identifying the causes. Use the 5 Whys technique. Identify the problem and then to ask “why” five times. You may ask “why” less than or more than five times. Continue until you identify the primary root causes in which you can take actions yielding significant results.
  4. Use the Cause and Effect Diagram to analyze an opportunity. For step 1, identify the opportunity rather than a problem. For step 5, seek to exploit or enhance the opportunity.

It's Your Turn

Are you behind schedule on one of your projects? Develop a cause and effect diagram to identify the causes. And then determine which of the causes had the greatest impact. Don't stop there. Determine how you will minimize the probability and impact of those causes going forward.

Build A PMO You Can Be Proud Of

Some Project Management Offices (PMOs) never get off the ground. I've seen others that are started and a year or so later die a slow painful death. So, how can you build a PMO you can be proud of, one that thrives?

Why Are There So Many Troubled PMOs?

No one intends to build an impotent PMO, but it happens. The PMO lacks power and effectiveness. Therefore, people see the PMO as a hindrance, not an enabler.

Click here to discover 40 reasons PMOs fail. Furthermore, I describe how to handle PMO threats—things that may hinder your ability to build a PMO—here.

Let's look at five ways we can improve vitality and provide value to our organization.

rocket

"There is only one way to avoid criticism: do nothing, say nothing, and be nothing." –Aristotle

Five Keys to Successful PMOs

1. PMO Sponsorship. Without a strong, influential sponsor, the PMO is doomed. Don’t have a sponsor? Then don’t create a PMO. Because you will be fighting an uphill battle, one that you will likely lose.

2. Clarity. Define specific, measurable goals. How will you measure the success of the PMO? What are the Key Performance Indicators?

The PMO leader should also be clear about the type of PMO being implemented. The Project Management Body of Knowledge (PMBOK) describes three types of PMOs:

  • Supportive – provide support to project managers in a consultative role. Provide templates, training, best practices, and lessons learned. Control is low.
  • Controlling – require project managers to follow a project management framework or methodology using specific tools and templates. Control is moderate.
  • Directive – projects are managed by project managers in the PMO. Control is high.

Since clarity is essential to success, you must continuously cast the vision of where you are going, how you get there, and why you are going there.

3. Alignment. Define a process to ensure projects align with the organization’s mission and goals. What criteria will be used to select projects?

For example, the project selection criterion might include:

  • Strategic importance: Does the project tightly link with the strategic plan?
  • Financial viability: Does the project contribute to the financial success of the organization? Is the project profitable?
  • Flexibility: Does the project provide business and technical flexibility to accommodate future changes?
  • Risk: How high is the risk? What is the project risk score?
  • Regulatory compliance: Is the organization required legally to comply with new regulations?

Kill non-value added projects. Transfer resources to value-added projects. Certainly, resource management across the project portfolio is a critical success factor.

Some organizations also use a gate review process. At certain stages of each project, the project is reviewed to ensure continuous alignment.

4. Execution. Teach project managers to use a scalable project management framework or methodology. Provide templates to aid project managers in their execution. Another tip, offer to mentor and support project managers during the execution of their projects.

5. Continuous Improvement. Evaluate the framework, tools, techniques, templates, as well as the projects. Develop and maintain lessons learned.

How to Jump-Start a PMO

Thinking about starting a PMO? I recommend that you develop a project charter with your project sponsor and key stakeholders. Define the problems you wish to overcome, goals, deliverables, assumptions, constraints, and top risks to a successful implementation. You can build a PMO that you are proud of through early collaboration with your stakeholders, persistent leadership, and staying focused on delivering value to your organization. Best wishes!

How to Conduct a Risk Audit and a Risk Review

A life well lived life involves looking backward as well as thinking forward. The same is true of projects.

In this article, we will look at how to conduct a risk audit to evaluate the effectiveness of your risk management. Additionally, we'll also talk about how to be more forward thinking through risk reviews.

rocket

“Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis.” -Dr. Michael Ong

How to Conduct a Risk Audit

Who Performs the Risk Audits?

The project manager, the project manager and team, or a risk audit team may perform risk audits. What is the focus of the audit? It is a retrospective review where we ask “How did we do?”

  • Review the effectiveness of the responses to risks
  • Next, review the effectiveness of the risk owners
  • Another, review the effectiveness of the risk processes

How Do Risk Audits Help?

Wonder if risk audits can really help you and your team. You bet!

And it doesn’t have to be difficult or require lots of time.

The output of the risk audit is the lessons learned that enable the project manager and the team to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events.

The size of the risk audit team and the time invested should be commensurate with the size and complexity of the projects. I’ve completed small risk audits with me and a couple of team members in an hour or less.

Sounds great, but how does it really work?

Real World Example of a Risk Audit

Tom was asked to manage a project to implement an insurance company claims customer service center that would house 100 employees. He decided to have a risk audit performed when the team had completed 40% of the project. Things were going fairly well, but Tom was concerned about an increasing number of issues, particularly with two risk owners.

Tom asked an internal risk audit group — comprised of one company project manager, one IT employee, and one claims manager — to conduct the audit. The team completed the audit in two weeks and discovered the following:

  • To start with, one risk owner — John Billings — had been negligent in managing a significant risk for a critical path activity, resulting in an adverse impact to the schedule of two weeks. Why had Mr. Billings been negligent? He had lost two employees in the last two months, forcing him to pick up the slack.
  • Next, there were two major risks where no responses had been taken and there were no contingency or fallback plans.
  • Furthermore, the team missed an opportunity that could have saved the project $20,000.
  • Finally, the risk evaluation process needed improvements. The scale being used for the qualitative risk analysis was broad and prone to bias.

The findings were shared with Tom and the project sponsor. The following changes were made:

  • First, John Billings was replaced with another risk owner.
  • Second, Tom met with the risk owners who had failed to respond to their risks, shared the audit findings, and asked that response plans be developed and executed.
  • Third, Tom included specific exercises to identify opportunities going forward in the project.
  • Lastly, Tom refined the qualitative risk evaluation scale.
rocket

“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.” -Theodore Roosevelt

How to Conduct Risk Reviews

How can project managers make better decisions and get better results in the future? Try a risk review.

Remember, the audit team focuses on "How did we do?" Were the risk management processes effective? We are looking backward.

In contrast, risk reviews are prospective and forward-looking. We ask, "How will we do?" We modify our risk response plans and risk management processes to improve our chances in the future. 

Questions to Ask in Risk Reviews

Project managers and their teams periodically review their project risks for the following:

  • What have we learned from our risk audits that we should apply going forward?
  • Are there new risks?
  • Has the probability and impact changed?
  • Are there individual risks that are merging to form a powerful set of risks?
  • Should we modify our responses including contingency and fallback plans?
  • Should we close irrelevant risks?
  • Are the residual risks increasing or decreasing?

For more helpful questions, check out my post 12 Questions For Monitoring Project Risks.

Your Turn

Pick one of your worst project, where things have been crazy. Look backward with a risk audit and forward with a risk review. You will likely gain insights and perspective as you see things with fresh eyes. Best wishes!

12 Questions for Monitoring Project Risks

Some project managers start their projects with a strong focus on risk management. However, somewhere along the way, they lose steam. They spend more time dealing with issues and implementing workarounds. In this article, I am providing questions that can help you in monitoring project risks and as a result, achieve better results.

Other project managers start out strong and stick with their risk management. When problems occur, they turn to their risk response plan. They run toward their risk management tools and techniques to aid them. Consequently, these project managers spend less time responding to issues.

In my last article, we looked at What Every Project Manager Should Know About Monitoring Risks where we reviewed the definition for Monitor Risk. The Project Management Body of Knowledge (PMBOK) 6th Edition defines Monitor Risks as “the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.”

When Should We Monitor Project Risks?

Monitoring risks is an ongoing activity, not a one-time event. The frequency varies depending on the project. Some project managers review risks with their team in their weekly project meetings, while others who manage agile projects discuss risks and obstacles in their daily standup meetings.

12 Questions for Monitoring Project Risks

Perhaps you struggle with the practicality of monitoring risks. It seems like a vague notion. Hence, here are some questions that can help you and your team on the right track.

  1. What new risks should be captured in the risk register?
  2. What risks should be closed?
  3. What has changed in the previously identified risks? Reassess the probability and impact of your risks.
  4. How effective are the current risk response plans and actions? If the risk plans are not effective, modify them for better results.
  5. Have project assumptions changed?
  6. What thresholds have been exceeded? If a threshold or trigger has been exceeded, what actions need to occur?
  7. What contingency or fallback plans should be executed?
  8. Are there common causes that are increasing multiple risks? One causal factor may increase the probability and/or impact of multiple risks. Therefore, attacking these causal factors has high leverage.
  9. Are the right risk owners assigned? If the risk owner is not performing their duties correctly, look for ways to motivate the risk owner or consider a change.
  10. Are workarounds increasing? If your manual workarounds are increasing, this is a sign of inadequate risk identification and responses earlier in the project.
  11. How are the reserves doing? Is it time to request additional reserves? Perhaps the team should consider ways to change facets of the project in order to stay within budget and schedule.
  12. What have we learned?

Question: What other questions would you add to this list?

What Project Managers Should Know About Monitoring Project Risks

Many project managers do a great job of identifying risks. Some even evaluate risks and develop response plans. However, project managers get busy as their projects progress and fail to monitor their risks, resulting in challenged or failed projects. Here are some key factors that you should know about monitoring project risks (previously referred to as controlling risks in the PMBOK 5th Edition).

Do Project Managers Really Control Risks?

I've heard countless debates about whether project manager can control risks. First of all, what does it mean to control something? Here's the Merriam-Webster dictionary defines control as:

rocket

Definition of CONTROL

a to exercise restraining or directing influence over regulate 
  • control one's anger
to have power over rule 
  • A single company controls the industry.
to reduce the incidence or severity of especially to innocuous levels 
  • control an insect population; control a disease

Can project managers really control project risks? Feels more like herding cats, doesn't it?

So, why do people push back on controlling risks? These individuals take the term control literally. They argue, "no one has absolute control over projects."

I'm not sure, but I think these issues resulted in the changes in the Project Management Body of Knowledge (PMBOK). The authors of the 6th Edition changed the Control Risks process to Monitor Risks.


 

PMBOK 5th Edition
Control Risks

The 5th Edition included the process called Control Risks which was defined as "The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project."


PMBOK 6th Edition
Monitor Risks

The authors of the 6th Edition changed the Control Risks process to Monitor Risks"Monitor Risks is the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project."

Let's move beyond the debates and talk about monitoring project risks and getting results.

Four Steps to Monitoring Project Risks

1. Monitor Agreed-Upon Risk Response Plans

For each risk or set of risks, a response should be planned. Risk owners or their assigned risk action owners execute the plans. Some risks merit immediate responses; contingent risks are responded to when trigger conditions are met. For example, if a supplier fails to meet a deadline, the supplies are ordered from another vendor.

Jim, the project manager of a key strategic project, has monitored the residual risk -- the amount of risk remaining -- for his most significant risks. One of the key risks had a 60% probability of occurring with a $22,000 impact on a $100,000 project. The risk owner took actions that decreased the residual risks -- the probability dropped to 20% with an impact of $4,000.

Jim determined that it would be too costly to reduce the risk further; therefore, he asked the risk owner to monitor the risk and to develop a contingency plan. The risk owner reported to Jim once each month on the risk.

Project managers work with the risk owners to evaluate the effectiveness of the responses. Responses are modified as needed.

2. Track Identified Risks

The project manager uses tools to track the overall project risk. Are the risk response plans ensuring that the project team delivers the project on time, on budget, and in accordance with the requirements?

Trigger conditions are defined when defining risk response plans. Project managers work with the risk owners to determine the trigger conditions and the related metrics. For example, additional resources may be added to an activity if the activity falls behind schedule for two weeks or more.

3. Identify and Analyze New Risks

New risks arise over time. For example, an insurance company was implementing a new policy administration system. A vendor delivered an update while an insurance company was testing major modifications in their interfaces. As the new code was introduced, there was the risk of breaking the interfaces.

Project managers periodically work with their project team to identify new risks. What’s new? What has changed? What have we overlooked?

Project managers should identify new risks for the following events:

  • Major changes to the project or its environment
  • Key milestones reached
  • Occurrence of a major risk
  • Unexpected risks
  • Changes in key team members or stakeholders

4. Evaluate Risk Process Effectiveness

So, you’ve implemented the risk management processes:

  1. Plan for risk management
  2. Identify risks
  3. Perform qualitative risk analysis
  4. Perform quantitative risk analysis
  5. Plan risk responses
  6. Implement risk responses
  7. Monitor risks

That’s great! Are the processes of delivering the results you expected efficiently and effectively? Are you spending too much time in certain areas and not enough time in other areas? Seek to reduce the cost of risk management while ensuring that you accomplish your project goals.

Your Turn

Think about your projects. If you compare the degree of variation from your baselines, how are you doing? Would you say your projects are staying within the expected limits? Or perhaps one project is like a car that is swerving all over the road. You wonder if you will ever get home. If so, make the necessary adjustments in monitoring project risks.

Are You Making These Risk Response Mistakes?

Some project managers make timely responses to risks, resulting in positive progress toward their project goals. Others act haphazardly, resulting in undesirable consequences. Let's look at some common risk response mistakes and how to overcome them.

So, what do I mean by risk response mistake? A mistake is an action that is misguided or wrong.

rocket

"If you treat risk management as a part-time job, you might soon find yourself looking for one." —Deloitte

Joe Cunningham once managed a project to implement a commercial-off-the-shelf (COTS) software solution for a bank. He and the team had identified the project risks, but they had failed to analyze the common causes of the most significant risks. Consequently, the team was responding to risks but missing the high-leverage responses.

Perhaps you are making mistakes like this one. But, you don't have to.

I've created a list of ten risk response mistakes. I'm sure that you aren't guilty of all. Read through them, thinking about one of your projects. Make notes where you might improve.

10 Risk Response Mistakes

  • 1
    Failure to identify risk owners. Once a risk has been identified, project managers should ask, "Who owns the risk?" A risk owner is a person responsible for developing and executing a risk response plan.
  • 2
    Failure to respond to several small, related risks. If we fail to analyze the relationships between risks, we may not understand how risks relate to one another. Individual small risks seem powerless. However, several small, related risks can have a powerful impact.
  • 3
    Failure to identify and plan for secondary risks. When risk owners are developing risk response plans, they may fail to consider secondary risks, risks that arise as a direct result of implementing a risk response. Wise project managers educate and ask their risk owners to identify and plan for significant secondary risks.
  • 4
    Failure to develop contingency plans. Some risk response plans are executed immediately; other risk response plans are contingent. That is to say; the plans will only be executed under certain predefined conditions.
  • 5
    Failure to develop fallback plans. What should a risk owner do if the contingency plan fails? Risk owners should develop and be prepared to execute a fallback plan for significant risks. The fallback plan may be used to mitigate further a threat or enhance an opportunity. A fallback plan may also be defined for cases where a risk may occur.
  • 6
    Failure to define risk triggers. Some risk owners do a great job of defining contingency plans but fail to define clearly the risk trigger such as missing a milestone. Triggers may be used to provide the warning that the risk is about to occur, providing time to implement the risk response plan.
  • 7
    Failure to respond to opportunities. Many project managers still struggle with the fact that risks include positive events or conditions, that if they occur, cause a positive impact on the project goals. Therefore, many project managers fail to identify these positive events and miss the opportunities that could save the project or enhance the project's value.
  • 8
    Failure to update project management plans including the schedule management plan, cost management plan, quality management plan, procurement management plan, human resource plan, scope baseline, schedule baseline, and cost baseline. As risk owners develop response plans, project managers should update the project management plans accordingly. For example, the project manager may add new activities to the schedule and further define how contingency reserves will be consumed.
  • 9
    Failure to update assumptions log. Project managers and team members make lots of assumptions, particularly in the early parts of a project, based on the information at hand. As the project team discovers new information, previously identified assumptions may need updating, or new assumptions may need to be added.
  • 10
    Failure to create contracts or agreements with third parties. Some risk owners may wish to leverage a third party to respond to risks. The project manager should ensure these decisions and contracts are outlined and approved as needed.

Taking Action on Risk Response Planning

Consider using this list as a checklist for one of your current projects. Keep your risk management as simple as possible while ensuring that the responses are economical and effective. Scale your response plans as needed; do more planning for larger complex projects and less for smaller projects.

It’s Easy to Miss Project Risks

It's easy to miss project risks. And, until a project manager has identified the threats and opportunities, the risks cannot be managed properly. Projects rise and fall with the project manager's ability to properly identify and manage their most significant risks.

Project managers don't want to spend an inordinate amount of time identifying risks—rightly so. 

Neither can project managers afford to miss the critical risks. Let's look at strategies to identify risks and save time when identifying project risks. You can choose and scale these strategies as needed.

Risk Identification Techniques

1. Use a risk list. A risk list is a list of potential risks for an industry, organization, or company. Ideally, the risks are listed by categories such as schedule, budget, quality, and scope. For example, you could identify schedule risks using a schedule risk list such as:

  • Schedule is missing key activities
  • Excessive schedule pressure
  • Schedule is optimistic, not realistic
  • The product or service cannot be developed to the size specified in the time allocated
  • Schedule was baselined without review by key stakeholders
  • Scope has increased with no change to the schedule
  • A delay in a critical path activity is causing cascading delays in the subsequent activities
  • A key resource has been reallocated half-time to another project, adversely impacting the work on this project
  • Estimates were created by the project manager, not the individuals doing the work
  • One activity may not provide the required information that a subsequent activity needs
  • Coordination issues are arising from the crashing of several critical path activities

2. Use risk categories. What can we do if we don't have a risk list? Try a prompt list, a generic list of categories used to "prompt" the identification of risks. Typical project risk categories include:

  • Schedule risk - schedule events or conditions, that if they occur, will cause a positive or negative impact to the project goals
  • Budget risk – budget events or conditions, that if they occur, will cause a positive or negative impact to the project goals
  • Quality risk – quality events or conditions, that if they occur, will cause a positive or negative impact to the project goals
  • Scope risk – scope events or conditions, that if they occur, will cause a positive or negative impact to the project goals

3. Identify internal and external risks. It’s obvious that we need to identify internal risks. However, project managers may fail to identify external risks. Out of sight, out of mind. For example, an organization may contract with a third party to provide products, services, and supplies. There is the temptation to forget about it.

Just because a contract exists does not mean that the project manager has washed her hands of these risks. The project manager is still responsible for overseeing the activities, making sure the contracted products and services fulfill the project’s needs and integrate properly into the project deliverables.

rocket

“The secret of getting ahead is getting started. The secret of getting started is breaking your complex overwhelming tasks into small manageable tasks, and then starting on the first one.” —Mark Twain

4. Perform top-down and bottom-up risk identification. With a top-down approach to risk management, the project sponsor (and sometimes senior management) declares which threats and opportunities matter. The benefit is that it provides a high-level perspective. The project sponsor defines the project goals and determines the business strategies to make it happen.

However, the project sponsor will not likely understand the project planning and execution risks. A bottom-up approach provides the advantage of getting the views of the team members and key stakeholders. An excellent tool for the bottom-up risk identification is the work breakdown structure (WBS). The project manager can work with team members to discuss the lowest level WBS activities in order to identify risks.

5. Perform risk reviews periodically. Remember—risks change over time. Imagine never having your vehicles checked or never having a physical exam by a doctor. Project risk reviews should be performed regularly. In addition, reviews should be performed for the following events:

  • Significant change of project goals, deliverables, assumptions, of constraints
  • Change in team members
  • Significant change in requirements
  • New or changing external requirements such as regulatory requirements or contract requirements
  • High number of issues are occurring

Risk Identification Tips

Keep in mind, we are NOT trying to identify every possible risk. We are scanning the project environment to find the most significant risks. If done properly, these strategies can help us identify the critical risks quickly. Then we can take the next step—treat the risks.

Some project managers take a different approach - it's called wait and see. It works like this: Don't invest time (i.e., waste time) identifying and treating risks. When the uncertain event or condition occurs, the project manager would fix it—translate, the project manager and affected stakeholders would put out the fires!

Responding to issues almost always require more time and cost more money than identifying and treating risks ahead of time. Being disciplined and applying an appropriate amount of time and focus on risks can reduce project expenses, promote the project schedule, reduce stress, and help a project team achieve its mission.