How to Conduct a Risk Audit and a Risk Review


  •  Minute Read

A life well-lived life involves looking backward as well as thinking forward. The same is true of projects.

In this article, we will look at how to conduct a risk management audit to evaluate the effectiveness of your risk management. We'll also talk about how to be more forward-thinking through risk reviews.

“Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis.” -Dr. Michael Ong

How to Conduct a Risk Management Audit

Who Performs the Risk Management Audits?

The project manager, the project manager and team, or a risk audit team may perform risk audits. What is the focus of the audit? It is a retrospective review where we ask "How did we do?"

  • Review the effectiveness of the responses to risks
  • Next, review the effectiveness of the risk owners
  • Another, review the effectiveness of the risk processes

How Do Risk Audits Help?

Wonder if risk audits can really help you and your team. You bet!

And it doesn't have to be difficult or require lots of time.

The output of the risk audit is the lessons learned that enable the project manager and the team to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events.

The size of the risk audit team and the time invested should be commensurate with the size and complexity of the projects. I've completed small risk audits with me and a couple of team members in an hour or less.

Sounds great, but how does it really work?

Real World Audits

Tom was asked to manage a project to implement an insurance company claims customer service center that would house 100 employees. He decided to have a risk audit performed when the team had completed 40% of the project. Things were going fairly well, but Tom was concerned about an increasing number of issues, particularly with two risk owners.

Tom asked an internal risk audit group -- comprised of one company project manager, one IT employee, and one claims manager -- to conduct the audit. The team completed the audit in two weeks and discovered the following:

  • To start with, one risk owner -- John Billings -- had been negligent in managing a significant risk for a critical path activity, resulting in an adverse impact to the schedule of two weeks. Why had Mr. Billings been negligent? He had lost two employees in the last two months, forcing him to pick up the slack.
  • Next, there were two major risks where no responses had been taken and there were no contingency or fallback plans.
  • Furthermore, the team missed an opportunity that could have saved the project $20,000.
  • Finally, the risk evaluation process needed improvements. The scale being used for the qualitative risk analysis was broad and prone to bias.

The findings were shared with Tom and the project sponsor. The following changes were made:

  • First, John Billings was replaced with another risk owner.
  • Second, Tom met with the risk owners who had failed to respond to their risks, shared the audit findings, and asked that response plans be developed and executed.
  • Third, Tom included specific exercises to identify opportunities going forward in the project.
  • Lastly, Tom refined the qualitative risk evaluation scale.

“Risk is like fire: If controlled, it will help you; if uncontrolled, it will rise up and destroy you.” –Theodore Roosevelt

How to Conduct Risk Reviews

How can project managers make better decisions and get better results in the future? Try a risk review.

Remember, the audit team focuses on "How did we do?" Were the risk management processes effective? We are looking backward.

In contrast, risk reviews are prospective and forward-looking. We ask, "How will we do?" We modify our risk response plans and risk management processes to improve our chances in the future. 

Questions to Ask in Risk Reviews

Project managers and their teams periodically review their project risks for the following:

  • What have we learned from our risk audits that we should apply going forward?
  • Are there new risks?
  • Has the probability and impact changed?
  • Are individual risks merging to form a robust set of risks?
  • Should we modify our responses, including contingency and fallback plans?
  • Should we close irrelevant risks?
  • Are the residual risks increasing or decreasing?

Check out my post 12 Questions For Monitoring Project Risks for more helpful questions.

Your Turn

Pick one of your worst project, where things have been crazy. Look backward with a risk audit and forward with a risk review. You will likely gain insights and perspective as you see things with fresh eyes. Best wishes!

You may also like