“Let our advance worrying become advance thinking and planning”
Winston Churchill
In “Managing Risk in Projects”, David Hillson reflects on the challenges that are common to all projects. He states that all projects share intrinsic challenges that arise from the following features:
- uniqueness
- intrinsic complexity
- assumptions and constraints
- people (stakeholders and project team).

No project is equal to another, either due to the unique set of circumstances in which projects take place or due to the variable nature of the views or expectations of the stakeholders. All projects have a level of uniqueness, and that is a challenge in itself. Secondly, there is a challenge associated with the degree of complexity that results from the combination of project features, including project size, geographical and cultural reach, technical difficulty, innovation potential, and the number of relationships both within the project team and in the surrounding environment. Thirdly, all projects are based on assumptions. There is a natural and obvious level of approximation that the project team adopts in defining and planning the activities, and these assumptions may not hold for the entire course of the project. Constraints are always there (logistics, time, budget etc). Assumptions and constraints can both be very changeable. And lastly, David Hillson reminds us that the “human factor” is a common underlying challenge. Projects are designed and executed by human beings for human beings. And humans can be heavily biased and unpredictable…
With uniqueness, complexity, changeable assumptions and constraints and human weaknesses comes project uncertainty. I believe that putting in place an active, robust project risk management framework is essential. For that, and inspired by the interview with Donna Festorazzi and her presentation at Moredun, I researched the subject and I came up with a 5-principle guidance. I hope you will find the reading interesting and that this guidance could help you in establishing an effective project risk management framework.
1. Get people on board
As with the organisation’s operational risk management, project risk management frameworks require engagement and cooperation at all levels to be successful. Management should not only lead on the principles and lay down the policies, but should also ensure adequate engagement, training and compliance.

Workshops, brainstorming and information sessions should be open to wide participation from staff and stakeholders. Explain to them the reasons for requiring their participation and the importance of the subject. As an example, if you get staff involved in the definition of the format for the project risk register, you are much more likely to get greater compliance in its update and a more effective and proactive use during the course of the project.
The effectiveness of the process relies on the contribution of the staff, at all levels.
2. Get the terminology and scope right
You may have a variety of procedures, processes and information sources for your staff to refer to. For example, every project management standard has its own process for risk management, with its own lexicon, so project managers trained differently might not interpret and address the subject of risks in the same manner. There is also a variety of approaches to “enterprise risk management”, so your organisation may have a set of policies that do not reflect what you could have read, studied or practiced elsewhere. It is possible that you will hear about ISO31000, an internationally recognised standard for risk management (see also later in the article). This standard may be quoted (or referred to) by consultants and practitioners as it provides a good structure for risk management operations, including project risks. It is highly regarded in the sector. You may find that the terminology in your risk policies is not in line with this standard. This might result in confusion and a lack of harmonisation in the terminology.

First of all, ensure you have internal agreement on a risk lexicon and scope: what is a “risk”, what is the “risk appetite”, what is the “internal” and “external context”, etc.
A good start is ensuring that there is agreement on the correct formulation of what a risk is (or isn’t). A “risk” is different from an “issue”, for example. You may want to refer to David Hillson’s article on this.
Get a glossary agreed within your organisation and ensure that it provides a comprehensive list of key project risk terms.
3. Get the process right
The process for effective project risk management must take into consideration various factors: the business sector in which your organisation operates, the company’s objectives and ethos, the project complexity, the project horizon etc. In any case, no matter what the size of the organisation, you need a process in place to map the various risk management activities. Otherwise, how would you be able to plan for people deployment, to monitor budget, to ensure effective control and relevant reporting?
The process included in the ISO31000 standard (reproduced in the picture below) may look over-sized and slightly daunting to some medium-to-small organisations. Some readers may argue that this is designed for risk management for the enterprise, rather than for project risks.
ISO31000 is a good blueprint for any risk management process. It is generic and pliable. Its objectives include providing a generic framework for the identification, analysis, assessment, treatment and monitoring of risk, with a clear and easy-to-use lexicon.
Projects are different from the normal operation of the organisation (see BIS-Guidelines for managing projects) so adjustments to the ISO31000 might be required. But here I advocate for a process that maps (at least in a broad sense) this standard.
You will have to adapt it (and you may need help with this, see Step 5). But this will be a useful starting point.
4. Get your team and staff to follow the process
Discipline is important. Don’t let compliance drop.

The project risk management framework that you have set up must be appropriate (to the size of projects and maturity of the organisation), responsive and adaptable to change. Battling human heuristics and biases will be hard (note: we will write about human heuristics and biases in one of our next articles). The temptation is always there to neglect, to skip, to by-pass, to delay and procrastinate… You have to work hard and relentlessly to get your people to stick to the agreed process (while still being mindful of the framework’s flexibility).
You need to ensure the process is monitored all the way through, that communication is clear and effective, that all contributors (management, risk owners, risk actors, team members) play their part. Occasionally, you might need to put some pressure on the team to get things done.
Sticking to a process pays off. If your team is on board with the process and follows it, you will know where you are with the management of project risks, you will be responsive to changes, and you will be aware of the options for the risk mitigation and (why not?) of the opportunities.
5. Get help

Confused? Should you feel that you don’t have the capacity, the experience or the knowledge for a diagnosis of your needs, or that you need guidance on how to define appropriate project risk management, there are plenty of free online resources on the subject. Consider getting help from an external consultant with experience in risk management. There are plenty of practitioners out there who would be able to help you in ensuring that you get a tailored, fit-for-purpose project risk management framework.
An “external” voice may help in winning over resistance and in breaking the barriers between the organisation’s internal silos.
These are five simple principles that I hope could help you in designing and implementing a more effective project risk framework. Please do get in touch if you have comments or questions.
Marco Bottacini, Senior Portfolio Manager, GALVmed
The views and opinions expressed in this blog are those of the author and do not necessarily reflect the views and opinion of GALVmed.

