Some project managers start their projects with a strong focus on risk management. However, somewhere along the way, they lose steam. They spend more time dealing with issues and implementing workarounds. In this article, I am providing questions that can help you in monitoring project risks and as a result, achieve better results.
Other project managers start out strong and stick with their risk management. When problems occur, they turn to their risk response plan. They run toward their risk management tools and techniques to aid them. Consequently, these project managers spend less time responding to issues.
In my last article, we looked at What Every Project Manager Should Know About Monitoring Risks where we reviewed the definition for Monitor Risk. The Project Management Body of Knowledge (PMBOK) 6th Edition defines Monitor Risks as “the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project.”
Monitoring risks is an ongoing activity, not a one-time event. The frequency varies depending on the project. Some project managers review risks with their team in their weekly project meetings, while others who manage agile projects discuss risks and obstacles in their daily standup meetings.
Perhaps you struggle with the practicality of monitoring risks. It seems like a vague notion. Hence, here are some questions that can help you and your team on the right track.
Question: What other questions would you add to this list?
Many project managers do a great job of identifying risks. Some even evaluate risks and develop response plans. However, project managers get busy as their projects progress and fail to monitor their risks, resulting in challenged or failed projects. Here are some key factors that you should know about monitoring project risks (previously referred to as controlling risks in the PMBOK 5th Edition).
I've heard countless debates about whether project manager can control risks. First of all, what does it mean to control something? Here's the Merriam-Webster dictionary defines control as:
Can project managers really control project risks? Feels more like herding cats, doesn't it?
So, why do people push back on controlling risks? These individuals take the term control literally. They argue, "no one has absolute control over projects."
I'm not sure, but I think these issues resulted in the changes in the Project Management Body of Knowledge (PMBOK). The authors of the 6th Edition changed the Control Risks process to Monitor Risks.
The 5th Edition included the process called Control Risks which was defined as "The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project."
The authors of the 6th Edition changed the Control Risks process to Monitor Risks. "Monitor Risks is the process of monitoring the implementation of agreed-upon risk response plans, tracking identified risks, identifying and analyzing new risks, and evaluating risk process effectiveness throughout the project."
Let's move beyond the debates and talk about monitoring project risks and getting results.
For each risk or set of risks, a response should be planned. Risk owners or their assigned risk action owners execute the plans. Some risks merit immediate responses; contingent risks are responded to when trigger conditions are met. For example, if a supplier fails to meet a deadline, the supplies are ordered from another vendor.
Jim, the project manager of a key strategic project, has monitored the residual risk -- the amount of risk remaining -- for his most significant risks. One of the key risks had a 60% probability of occurring with a $22,000 impact on a $100,000 project. The risk owner took actions that decreased the residual risks -- the probability dropped to 20% with an impact of $4,000.
Jim determined that it would be too costly to reduce the risk further; therefore, he asked the risk owner to monitor the risk and to develop a contingency plan. The risk owner reported to Jim once each month on the risk.
Project managers work with the risk owners to evaluate the effectiveness of the responses. Responses are modified as needed.
The project manager uses tools to track the overall project risk. Are the risk response plans ensuring that the project team delivers the project on time, on budget, and in accordance with the requirements?
Trigger conditions are defined when defining risk response plans. Project managers work with the risk owners to determine the trigger conditions and the related metrics. For example, additional resources may be added to an activity if the activity falls behind schedule for two weeks or more.
New risks arise over time. For example, an insurance company was implementing a new policy administration system. A vendor delivered an update while an insurance company was testing major modifications in their interfaces. As the new code was introduced, there was the risk of breaking the interfaces.
Project managers periodically work with their project team to identify new risks. What’s new? What has changed? What have we overlooked?
Project managers should identify new risks for the following events:
So, you’ve implemented the risk management processes:
That’s great! Are the processes of delivering the results you expected efficiently and effectively? Are you spending too much time in certain areas and not enough time in other areas? Seek to reduce the cost of risk management while ensuring that you accomplish your project goals.
Think about your projects. If you compare the degree of variation from your baselines, how are you doing? Would you say your projects are staying within the expected limits? Or perhaps one project is like a car that is swerving all over the road. You wonder if you will ever get home. If so, make the necessary adjustments in monitoring project risks.
Some project managers make timely responses to risks, resulting in positive progress toward their project goals. Others act haphazardly, resulting in undesirable consequences. Let's look at some common risk response mistakes and how to overcome them.
So, what do I mean by risk response mistake? A mistake is an action that is misguided or wrong.
"If you treat risk management as a part-time job, you might soon find yourself looking for one." —Deloitte
Joe Cunningham once managed a project to implement a commercial-off-the-shelf (COTS) software solution for a bank. He and the team had identified the project risks, but they had failed to analyze the common causes of the most significant risks. Consequently, the team was responding to risks but missing the high-leverage responses.
Perhaps you are making mistakes like this one. But, you don't have to.
I've created a list of ten risk response mistakes. I'm sure that you aren't guilty of all. Read through them, thinking about one of your projects. Make notes where you might improve.
Consider using this list as a checklist for one of your current projects. Keep your risk management as simple as possible while ensuring that the responses are economical and effective. Scale your response plans as needed; do more planning for larger complex projects and less for smaller projects.
It's easy to miss project risks. And, until a project manager has identified the threats and opportunities, the risks cannot be managed properly. Projects rise and fall with the project manager's ability to properly identify and manage their most significant risks.
Project managers don't want to spend an inordinate amount of time identifying risks—rightly so.
Neither can project managers afford to miss the critical risks. Let's look at strategies to identify risks and save time when identifying project risks. You can choose and scale these strategies as needed.
1. Use a risk list. A risk list is a list of potential risks for an industry, organization, or company. Ideally, the risks are listed by categories such as schedule, budget, quality, and scope. For example, you could identify schedule risks using a schedule risk list such as:
2. Use risk categories. What can we do if we don't have a risk list? Try a prompt list, a generic list of categories used to "prompt" the identification of risks. Typical project risk categories include:
3. Identify internal and external risks. It’s obvious that we need to identify internal risks. However, project managers may fail to identify external risks. Out of sight, out of mind. For example, an organization may contract with a third party to provide products, services, and supplies. There is the temptation to forget about it.
Just because a contract exists does not mean that the project manager has washed her hands of these risks. The project manager is still responsible for overseeing the activities, making sure the contracted products and services fulfill the project’s needs and integrate properly into the project deliverables.
“The secret of getting ahead is getting started. The secret of getting started is breaking your complex overwhelming tasks into small manageable tasks, and then starting on the first one.” —Mark Twain
4. Perform top-down and bottom-up risk identification. With a top-down approach to risk management, the project sponsor (and sometimes senior management) declares which threats and opportunities matter. The benefit is that it provides a high-level perspective. The project sponsor defines the project goals and determines the business strategies to make it happen.
However, the project sponsor will not likely understand the project planning and execution risks. A bottom-up approach provides the advantage of getting the views of the team members and key stakeholders. An excellent tool for the bottom-up risk identification is the work breakdown structure (WBS). The project manager can work with team members to discuss the lowest level WBS activities in order to identify risks.
5. Perform risk reviews periodically. Remember—risks change over time. Imagine never having your vehicles checked or never having a physical exam by a doctor. Project risk reviews should be performed regularly. In addition, reviews should be performed for the following events:
Keep in mind, we are NOT trying to identify every possible risk. We are scanning the project environment to find the most significant risks. If done properly, these strategies can help us identify the critical risks quickly. Then we can take the next step—treat the risks.
Some project managers take a different approach - it's called wait and see. It works like this: Don't invest time (i.e., waste time) identifying and treating risks. When the uncertain event or condition occurs, the project manager would fix it—translate, the project manager and affected stakeholders would put out the fires!
Responding to issues almost always require more time and cost more money than identifying and treating risks ahead of time. Being disciplined and applying an appropriate amount of time and focus on risks can reduce project expenses, promote the project schedule, reduce stress, and help a project team achieve its mission.
Poor risk management is costly. Project managers are caught off guard by emerging risks. And these risks may turn into issues costing more time and money.
But, it doesn't have to be that way. We can identify risks early. We can assess and prioritize our risks, allowing us to make better use of our limited time.
Let's look at the cost of poor risk management through the life of Tom Whitley. We will discuss his mistakes. Lastly, I'll provide you with a simple project risk management checklist to keep you from making the same mistakes.
The Star Mutual Insurance Company (SMIC) hired Tom Whitley as a project manager to manage information technology projects. Although Tom missed a few deadlines, he implemented most of his projects, though small, on time and under budget in his first year.
Tom was promoted to program manager after only 12 months with the company. He was assigned his first SMIC program, a combination of projects aimed at helping the company achieve a consistent underwriting profit. The program included projects to implement a new imaging system, a new policy administration system, and a new claims system, each led by a different project manager.
Tom pushed the project managers to take action quickly. He wanted to see progress within two to four weeks.
When one of the project managers spoke of identifying, evaluating, and managing risks, Tom cut her short, “We’ll get to the risk management later. I want an agile approach with the minimum process.”
The senior management team praised Tom for the early action. The imaging team had started building workflows. Check. The policy administration team started developing the interface to the claims administration system. Check. The CEO told the board of directors that things were going well for the first two months of the program (or so she thought).
In the third month, significant issues emerged. First, users were continuously changing the requirements for the policy administration system. Second, Tom started having problems with the third-party vendor resources. Third, the test regions were unstable, making it impossible for the testing teams to stay on schedule.
Tom and the project managers were spending more time dealing with issues and less time preparing for upcoming project activities. Things spiraled out of control. Eventually, SMIC replaced Tom as the program manager. The CEO reported the problems to the board and promised to get things back on track. But, it never happened.
After two years of trying to get the applications implemented, the company terminated the program and wrote off $15 million in expenses. SMIC continued missing revenue goals while expenses rose sharply. The CEO was fired after the company was downgraded twice and after four years of underwriting losses.
“Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.” —Douglas Adams
Although this is a fictitious story, many project managers (and companies) fail to use risk management as an effective means of achieving their objectives. If you were leading the next program, what would you do differently? Take note of Tom's mistakes.
How about you? How would you describe the health of your projects? Review one of your projects with this checklist:
Risk management gets a lot of fanfare, but many project managers fail to cash in on the benefits. Here are some simple and practical project risk management tips that can aid project managers in getting better results.
“The first step in the risk management process is to acknowledge the reality of risk. Denial is a common tactic that substitutes deliberate ignorance for thoughtful planning.” —Charles Tremper
Do you feel uncertain about your project schedule? Does something see out of order but you just can’t put your finger on it. In this article, let’s look at five causes of schedule risks and ways to avoid or reduce these risks.
Many times, it starts with pressure from a sponsor to deliver the project early. For sure, project managers have a responsibility to work with their sponsors to understand the requirements and to complete the projects within the sponsor-imposed deadlines. Rather than wasting our time complaining about the deadlines, how can we work with our sponsors and team members to find solutions to schedule issues?
My friend Colin Gautrey has some wise advice on 8 Ways You Can Better Respond to Unrealistic Demands.
As we work to develop and compress our schedules, let’s be aware of the common causes of risk. We will be in a better position to manage the risks and deliver our projects on schedule.
Question: What other ways have you seen project managers unintentionally create schedule risks?
How often have you neared a project implementation date, only to find new requirements? Or perhaps your team said they had gathered the requirements, but in reality, the team had hastily rushed through the requirement process resulting in rework, missed deadlines, and another blown budget.
If you want to improve your chance for project success, focus on improving your requirement processes. You can’t overcome all the issues overnight, but here are a few things to consider.Continue reading
The Standish Group says three of the biggest factors that lead to failed and challenged projects are:
We should attack these threats with a vengeance. How can we do this? We add skilled requirements analysts to our teams.
The role of the project manager is to achieve the project’s goals or objectives. Who performs the business analysis tasks for the projects? That depends.
For small projects, the project manager may assume many roles including but not be limited to:
For larger projects, project managers must find ways to complete project tasks through others. They must not fall into the trap of doing everything themselves. Wise project managers recruit team members with the necessary skills and talents.Continue reading
Earlier I wrote about eights ways to treat risks. One of the risk responses is avoidance. The focus of this strategy is to ensure the risk does not occur by eliminating the cause of the risk.
It was Fall, and I had raked the leaves in my backyard into three piles. I was trying to decide what to do with them. I knew there was a ban on burning in my area since we had been extremely dry for months.
What were my options? I could bag the leaves. I could haul the leaves into the woods. Or I could burn the leaves.
I decided to take a chance and burn the leaves. Later, I soaked the areas with water to fully extinguish the remaining embers.Continue reading