Have you ever endured a project meeting where you spent hours evaluating risks? Afterward, team members walked down the hall saying, “What a waste of time! Now I can get back to the real work.” Today, let’s discuss the use of qualitative risk analysis to get you back on track.
What causes this frustration? First, the evaluation process may not fit the project – too complex for simple projects or deficient for large, complex projects. Second, the process may not fit the maturity level of the project team. Third, team members view the process as burdensome with little value.
Risk evaluation is the process to determine the significance of each risk. There are two ways to evaluate risks:
Watch this YouTube Video: Qualitative and Quantitative Risk Analysis: What’s the Difference?
Watch this YouTube Video: Two Simple Methods to Analyze Project Risks Qualitatively
You cannot respond to all risks, neither should you. Prioritization is a way to deal with competing demands. This aids in determining where you will spend your limited time and effort.
We evaluate in order:
Project managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers? Let’s consider a simple but powerful tool to capture and manage your risks—the Risk Register.
The Risk Register is simply a list of risk-related information including but not limited to:
The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.
The initial risk information is entered when identifying risks in the planning process. For example, project managers may capture initial risks while developing the communications plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.
As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.
Next, validate risk owners and have risk owners complete response plans.
Lastly, review and update your risks during your team meetings. Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.
Risk Register Template
Do you find yourself working overtime, trying to deal with unexpected disruptions? Some negative events that you thought might happen has now occurred. And it's costing you more time and energy than you thought possible. Overwhelmed? Well, let's talk about project risks and issues, the differences, and why it's so important to manage risks.
The Project Management Body of Knowledge (PMBOK) defines risk as, “An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.”
Let's examine a risk statement and underscore some key attributes of risks. Here's a risk statement:
Because the project team failed to review the requirements with the users, the project team may not meet the user's needs, resulting in unsatisfied users.
Notice the risk: project team may not meet the user's needs. Think of risk as events or conditions that might happen in the future.
So, how does an issue differ from a risk? Where a risk might happen, an issue has happened. When a threat occurs, it becomes an issue or problem. By the way, when an opportunity occurs, it becomes a benefit.
Are we splitting hairs? The distinction between risks and issues matters for a few reasons.
Risk vs. Issue Debate
Some project managers and risk managers are not convinced that the differentiation between risk and issue adds any value. Even though the risk has occurred (i.e. it is now an issue in terms of the differentiation) there is still uncertainty regarding the impact and the objectives that will be impacted.
While we are on this topic, let's clarify two other terms—assumptions and constraints.
Do you have problems? Projects running behind schedule? Cycle time for a business process increasing? Sales down? People continuing to live in silos? Let's discuss a simple but powerful tool for solving problems - the Cause and Effect Diagram (alias Fishbone Diagram).
“A problem well-defined is a problem half-solved.” -Anonymous
Are you behind schedule on one of your projects? Develop a cause and effect diagram to identify the causes. And then determine which of the causes had the greatest impact. Don't stop there. Determine how you will minimize the probability and impact of those causes going forward.
Some Project Management Offices (PMOs) never get off the ground. I've seen others that are started and a year or so later die a slow painful death. So, how can you build a PMO you can be proud of, one that thrives?
No one intends to build an impotent PMO, but it happens. The PMO lacks power and effectiveness. Therefore, people see the PMO as a hindrance, not an enabler.
Let's look at five ways we can improve vitality and provide value to our organization.
"There is only one way to avoid criticism: do nothing, say nothing, and be nothing." –Aristotle
1. PMO Sponsorship. Without a strong, influential sponsor, the PMO is doomed. Don’t have a sponsor? Then don’t create a PMO. Because you will be fighting an uphill battle, one that you will likely lose.
2. Clarity. Define specific, measurable goals. How will you measure the success of the PMO? What are the Key Performance Indicators?
The PMO leader should also be clear about the type of PMO being implemented. The Project Management Body of Knowledge (PMBOK) describes three types of PMOs:
Since clarity is essential to success, you must continuously cast the vision of where you are going, how you get there, and why you are going there.
3. Alignment. Define a process to ensure projects align with the organization’s mission and goals. What criteria will be used to select projects?
For example, the project selection criterion might include:
Kill non-value added projects. Transfer resources to value-added projects. Certainly, resource management across the project portfolio is a critical success factor.
Some organizations also use a gate review process. At certain stages of each project, the project is reviewed to ensure continuous alignment.
4. Execution. Teach project managers to use a scalable project management framework or methodology. Provide templates to aid project managers in their execution. Another tip, offer to mentor and support project managers during the execution of their projects.
5. Continuous Improvement. Evaluate the framework, tools, techniques, templates, as well as the projects. Develop and maintain lessons learned.
Thinking about starting a PMO? I recommend that you develop a project charter with your project sponsor and key stakeholders. Define the problems you wish to overcome, goals, deliverables, assumptions, constraints, and top risks to a successful implementation. You can build a PMO that you are proud of through early collaboration with your stakeholders, persistent leadership, and staying focused on delivering value to your organization. Best wishes!
A life well lived life involves looking backward as well as thinking forward. The same is true of projects.
In this article, we will look at how to conduct a risk audit to evaluate the effectiveness of your risk management. Additionally, we'll also talk about how to be more forward thinking through risk reviews.
“Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis.” -Dr. Michael Ong
The project manager, the project manager and team, or a risk audit team may perform risk audits. What is the focus of the audit? It is a retrospective review where we ask “How did we do?”
Wonder if risk audits can really help you and your team. You bet!
And it doesn’t have to be difficult or require lots of time.
The output of the risk audit is the lessons learned that enable the project manager and the team to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events.
The size of the risk audit team and the time invested should be commensurate with the size and complexity of the projects. I’ve completed small risk audits with me and a couple of team members in an hour or less.
Sounds great, but how does it really work?
Tom was asked to manage a project to implement an insurance company claims customer service center that would house 100 employees. He decided to have a risk audit performed when the team had completed 40% of the project. Things were going fairly well, but Tom was concerned about an increasing number of issues, particularly with two risk owners.
Tom asked an internal risk audit group — comprised of one company project manager, one IT employee, and one claims manager — to conduct the audit. The team completed the audit in two weeks and discovered the following:
The findings were shared with Tom and the project sponsor. The following changes were made:
“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.” -Theodore Roosevelt
How can project managers make better decisions and get better results in the future? Try a risk review.
Remember, the audit team focuses on "How did we do?" Were the risk management processes effective? We are looking backward.
In contrast, risk reviews are prospective and forward-looking. We ask, "How will we do?" We modify our risk response plans and risk management processes to improve our chances in the future.
Project managers and their teams periodically review their project risks for the following:
For more helpful questions, check out my post 12 Questions For Monitoring Project Risks.
Pick one of your worst project, where things have been crazy. Look backward with a risk audit and forward with a risk review. You will likely gain insights and perspective as you see things with fresh eyes. Best wishes!
Some project managers start their projects with a strong focus on risk management. However, somewhere along the way, they lose steam. They spend more time dealing with issues and implementing workarounds. In this article, I am providing questions that can help you in monitoring project risks and as a result, achieve better results.
Other project managers start out strong and stick with their risk management. When problems occur, they turn to their risk response plan. They run toward their risk management tools and techniques to aid them. Consequently, these project managers spend less time responding to issues.
In my last article, we looked at What Every Project Manager Should Know About Monitoring Risks where we reviewed the definition for Monitor Risk. The Project Management Body of Knowledge (PMBOK) 6th Edition defines Monitor Risks as “the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.”
Monitoring risks is an ongoing activity, not a one-time event. The frequency varies depending on the project. Some project managers review risks with their team in their weekly project meetings, while others who manage agile projects discuss risks and obstacles in their daily standup meetings.
Perhaps you struggle with the practicality of monitoring risks. It seems like a vague notion. Hence, here are some questions that can help you and your team on the right track.
Question: What other questions would you add to this list?
Many project managers do a great job of identifying risks. Some even evaluate risks and develop response plans. However, project managers get busy as their projects progress and fail to monitor their risks, resulting in challenged or failed projects. Here are some key factors that you should know about monitoring project risks (previously referred to as controlling risks in the PMBOK 5th Edition).
I've heard countless debates about whether project manager can control risks. First of all, what does it mean to control something? Here's the Merriam-Webster dictionary defines control as:
Can project managers really control project risks? Feels more like herding cats, doesn't it?
So, why do people push back on controlling risks? These individuals take the term control literally. They argue, "no one has absolute control over projects."
I'm not sure, but I think these issues resulted in the changes in the Project Management Body of Knowledge (PMBOK). The authors of the 6th Edition changed the Control Risks process to Monitor Risks.
The 5th Edition included the process called Control Risks which was defined as "The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project."
The authors of the 6th Edition changed the Control Risks process to Monitor Risks. "Monitor Risks is the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project."
Let's move beyond the debates and talk about monitoring project risks and getting results.
For each risk or set of risks, a response should be planned. Risk owners or their assigned risk action owners execute the plans. Some risks merit immediate responses; contingent risks are responded to when trigger conditions are met. For example, if a supplier fails to meet a deadline, the supplies are ordered from another vendor.
Jim, the project manager of a key strategic project, has monitored the residual risk -- the amount of risk remaining -- for his most significant risks. One of the key risks had a 60% probability of occurring with a $22,000 impact on a $100,000 project. The risk owner took actions that decreased the residual risks -- the probability dropped to 20% with an impact of $4,000.
Jim determined that it would be too costly to reduce the risk further; therefore, he asked the risk owner to monitor the risk and to develop a contingency plan. The risk owner reported to Jim once each month on the risk.
Project managers work with the risk owners to evaluate the effectiveness of the responses. Responses are modified as needed.
The project manager uses tools to track the overall project risk. Are the risk response plans ensuring that the project team delivers the project on time, on budget, and in accordance with the requirements?
Trigger conditions are defined when defining risk response plans. Project managers work with the risk owners to determine the trigger conditions and the related metrics. For example, additional resources may be added to an activity if the activity falls behind schedule for two weeks or more.
New risks arise over time. For example, an insurance company was implementing a new policy administration system. A vendor delivered an update while an insurance company was testing major modifications in their interfaces. As the new code was introduced, there was the risk of breaking the interfaces.
Project managers periodically work with their project team to identify new risks. What’s new? What has changed? What have we overlooked?
Project managers should identify new risks for the following events:
So, you’ve implemented the risk management processes:
That’s great! Are the processes of delivering the results you expected efficiently and effectively? Are you spending too much time in certain areas and not enough time in other areas? Seek to reduce the cost of risk management while ensuring that you accomplish your project goals.
Think about your projects. If you compare the degree of variation from your baselines, how are you doing? Would you say your projects are staying within the expected limits? Or perhaps one project is like a car that is swerving all over the road. You wonder if you will ever get home. If so, make the necessary adjustments in monitoring project risks.
Some project managers make timely responses to risks, resulting in positive progress toward their project goals. Others act haphazardly, resulting in undesirable consequences. Let's look at some common risk response mistakes and how to overcome them.
So, what do I mean by risk response mistake? A mistake is an action that is misguided or wrong.
"If you treat risk management as a part-time job, you might soon find yourself looking for one." —Deloitte
Joe Cunningham once managed a project to implement a commercial-off-the-shelf (COTS) software solution for a bank. He and the team had identified the project risks, but they had failed to analyze the common causes of the most significant risks. Consequently, the team was responding to risks but missing the high-leverage responses.
Perhaps you are making mistakes like this one. But, you don't have to.
I've created a list of ten risk response mistakes. I'm sure that you aren't guilty of all. Read through them, thinking about one of your projects. Make notes where you might improve.
Consider using this list as a checklist for one of your current projects. Keep your risk management as simple as possible while ensuring that the responses are economical and effective. Scale your response plans as needed; do more planning for larger complex projects and less for smaller projects.
It's easy to miss project risks. And, until a project manager has identified the threats and opportunities, the risks cannot be managed properly. Projects rise and fall with the project manager's ability to properly identify and manage their most significant risks.
Project managers don't want to spend an inordinate amount of time identifying risks—rightly so.
Neither can project managers afford to miss the critical risks. Let's look at strategies to identify risks and save time when identifying project risks. You can choose and scale these strategies as needed.
1. Use a risk list. A risk list is a list of potential risks for an industry, organization, or company. Ideally, the risks are listed by categories such as schedule, budget, quality, and scope. For example, you could identify schedule risks using a schedule risk list such as:
2. Use risk categories. What can we do if we don't have a risk list? Try a prompt list, a generic list of categories used to "prompt" the identification of risks. Typical project risk categories include:
3. Identify internal and external risks. It’s obvious that we need to identify internal risks. However, project managers may fail to identify external risks. Out of sight, out of mind. For example, an organization may contract with a third party to provide products, services, and supplies. There is the temptation to forget about it.
Just because a contract exists does not mean that the project manager has washed her hands of these risks. The project manager is still responsible for overseeing the activities, making sure the contracted products and services fulfill the project’s needs and integrate properly into the project deliverables.
“The secret of getting ahead is getting started. The secret of getting started is breaking your complex overwhelming tasks into small manageable tasks, and then starting on the first one.” —Mark Twain
4. Perform top-down and bottom-up risk identification. With a top-down approach to risk management, the project sponsor (and sometimes senior management) declares which threats and opportunities matter. The benefit is that it provides a high-level perspective. The project sponsor defines the project goals and determines the business strategies to make it happen.
However, the project sponsor will not likely understand the project planning and execution risks. A bottom-up approach provides the advantage of getting the views of the team members and key stakeholders. An excellent tool for the bottom-up risk identification is the work breakdown structure (WBS). The project manager can work with team members to discuss the lowest level WBS activities in order to identify risks.
5. Perform risk reviews periodically. Remember—risks change over time. Imagine never having your vehicles checked or never having a physical exam by a doctor. Project risk reviews should be performed regularly. In addition, reviews should be performed for the following events:
Keep in mind, we are NOT trying to identify every possible risk. We are scanning the project environment to find the most significant risks. If done properly, these strategies can help us identify the critical risks quickly. Then we can take the next step—treat the risks.
Some project managers take a different approach - it's called wait and see. It works like this: Don't invest time (i.e., waste time) identifying and treating risks. When the uncertain event or condition occurs, the project manager would fix it—translate, the project manager and affected stakeholders would put out the fires!
Responding to issues almost always require more time and cost more money than identifying and treating risks ahead of time. Being disciplined and applying an appropriate amount of time and focus on risks can reduce project expenses, promote the project schedule, reduce stress, and help a project team achieve its mission.