In the Project Management Institute (PMI) world, Project Risk Management is one of 10 knowledge areas.. Unfortunately, as organizations execute projects, it is often relegated to secondary importance or ignored completely. Why? Because risk management is often difficult for project teams to wrap their arms around. It’s easier to simply increase project contingency in the name of risk and be done with it. However, the current business climate demands better predictability of project results. Whether projects get funded or not depends on an organization’s track record of predictability. Understanding and managing the risks of a project allows better outcomes.
I like to think of project management in terms of PLOC – plan, lead organize and control. We can think of risk management in the same way. In either case, a data-driven approach is required. Risk planning is the first step. A written strategy around how risk will be handled on the project along with the resources required is essential. If resources are not allocated to risk management, no one will pay attention to it.
Risk identification is probably the most critical part of risk management. This should be started before project authorization, during FEL-2. Risks should be sorted into typical project categories: project execution, engineering/design (do we have the right resources, and will they complete their tasks in the budgeted hours?), technology (is there new technology being applied on this project?), scope (will there be scope creep?), suppliers/contractors (will our suppliers deliver equipment that meets spec on time, and will our contractors have the labor force they need to deliver the project?), technical performance (will the completed project meet project specifications and guarantees?), client (will our client make last minute changes or cause delays?). Tools such as lessons-learned files, life-cycle cost analysis, and team brainstorming sessions should be used to fully identify and vet the risks.
Once all the project risks have been captured, the real data driven, quantitative analysis can begin. All identified risks should be subjected to a thorough cost, schedule and technical evaluation. Usually, a “what if” analysis provides the starting point for determining the cost and schedule impact to the project.
As experienced project managers know, risk management cannot strictly be a quantitative exercise. We’ve calculated the cost and schedule impact, judgement must now be applied to the numbers to make the analysis meaningful. Some risks will happen, other will not. The team should assign probabilities of each risk occurring. No need to get overly specific at this point: high probability (75%), moderate probability (50%) and low probability (25%) will be sufficient. These probabilities should be applied to each risk so the overall risk profile of the project has been developed as a combination of quantitative analysis and experience factors.
When risks have been identified, analyzed and quantified, these results should be captured in a database or spreadsheet. This will allow periodic review and tracking (below). Some companies even use the results of the cost and schedule analysis to adjust the management reserve of the project budget.
Risk mitigation is the next part of the risk management process and, as mentioned earlier, project resources are essential for this. Every risk should be assigned to the person most familiar with it and in the best position to mitigate it. A timetable for mitigation updates should be established. As the team is working on mitigation strategies, they should be looking for opportunities to transfer the risk. I’m a big proponent of transferring project risk to the party that can best manage it. Some project owners like to push all the risk to suppliers and contractors, even if they’re not in the best position to manage it. That is not the best strategy, in my opinion. In the long run, the owner’s cost and schedule will increase if risk is not managed properly.
The initial risk management plan should be reviewed at least once a month through the life of the project. Project metrics such as earned value analysis and schedule reviews should be used to update the risk profile. Costs and probabilities can also be updated. If the probability of a risk item goes to 100%, the impact should be added to the management reserve. Conversely, if the probability goes to 0%, the risk has been mitigated and can be removed from the project.
In summary, based on my project management experience, risk management is a critical process that enables project results to be more predictable and reduce or eliminate ”gotchas”. The Premier Resources Group (PRG) Advisors can support your project team and help identify and reduce risk on your current or upcoming projects – we would welcome the opportunity.