Collaborating with different organizations, we often get the feeling that risks, so to speak, are "lying idle and rotting" in various registers. Risks are, of course, identified during the project planning phase (because the methodology requires it, or because such a project looks good, etc.), but then we rarely revisit them. This is a shame, because risk management in a project can be an effective mechanism for steering the project, both from the perspective of an individual project and the entire portfolio. So, what should we do to make it work?
Proper risk description
First, we should start with a proper risk description. And here, we are not talking about long essays. On the contrary – the risk description should be concise and cover the key attributes that allow for quickly identifying significant risks and properly assessing their status.
In practice, project risk descriptions often only include selected attributes such as the name, risk manager, the likelihood of the risk occurring and the potential impact of the risk on the project. The likelihood and impact are typically defined using a numerical scale (from 1 to 5) or a "t-shirt size" scale (from XS to XL). However, this "classic" risk description is missing a few important pieces of information, namely:
- reaction and action plan,
- proximity (closeness),
- estimation of the impact of the risk materializing on the schedule, budget, and effort in the project,
- type of risk.
The response can be defined using a list of typical reaction types. In Table 1, typical reaction types for threats and opportunities are presented.
Reaction types for opportunities | Reaction types for threats
Table 1. Typical reaction types for threats and opportunities
Source: Hadrone (www.hadrone.com)
Defining responses is useful because it allows us to quickly understand the general approach to mitigating a particular risk, but it is not sufficient. Additionally, it is important to describe a specific action plan that will allow for the effective implementation of the response.
Closeness is one of those risk parameters that is very important, yet relatively rarely used. Closeness stems from the risk's realization date – actions aligned with the planned response can be taken up until this date, because after that, the risk will materialize and we will have to deal with the issue. Proximity, combined with probability and impact, also allows for quickly identifying which risks need to be addressed first.
As mentioned earlier, risks are typically assessed in terms of probability and impact. However, such general statements are also not enough – it is worth estimating the specific impact of risk materialization on project schedule delays, additional costs, or increased effort. This way, on the risk list in the portfolio, we will be able to quickly assess the impact of a risk on the project.
The final attribute to keep in mind is the kind of risk. Risk kinds are defined at the organization level, separately for threats and opportunities, in order to properly classify the risk and reflect its significance for the organization. For example, for threats, the following risk kinds can be defined: legal, financial, resource-related, and supplier-related.
Linking risks to schedule elements
A good risk management practice is to link risks to one or more elements of the project schedule, i.e., actions and milestones that the risk may impact. This way, by analyzing the schedule, we can immediately assess whether the dates within it are realistic or at risk. Without such linkage, identifying the impact of risks on the schedule would be too time-consuming (it would require analyzing the entire risk register each time) and in practice, it wouldn't be done.
Updating risk status
Simply defining a risk is not enough. In a project, many things change, including the risk itself – its status (increasing, decreasing, unchanged), impact, probability, and realization date. In order for the risk register to provide real value, it should be updated regularly. At the same time, the risk update history should be available so that it’s clear how the risk has evolved over time and who made the updates. This information is especially important when a risk materializes and there is a need to investigate the reasons behind the issues... sounds familiar?
Periodic review of the risk register in a project
Going further, risks will only have value in the context of project control if they are systematically reviewed, for example, during a periodic project status review.
Such a review provides two main benefits:
- The Sponsor/Project Steering Committee has the opportunity to react proactively, reducing the negative impact of threats on the project or maximizing the positive impact of opportunities.
- The Project Manager has the chance to communicate the impact of risks on the project’s progress, expecting specific decisions to be made.
The value of risk management in a project is often linked to the needs of the project Sponsor. However, it's important to remember that risks also serve as a valuable "protection" mechanism for the project manager. By regularly signaling threats and opportunities, the project manager creates a kind of "alibi" for situations where, despite the risks having been reported, no timely action was taken and either the resulting issues negatively impacted the project, or the chance to gain additional benefits for the organization by maximizing opportunities (e.g., additional revenue, cost savings, shortened time to market, additional synergies) was lost.
Periodic review of risks at the Project Portfolio level
It is important to remember that risk management generates benefits not only within individual projects but, in particular, at the project portfolio level. This requires ensuring quick access to risks from different projects and an easy interpretation of their impact on the projects (see Fig. 1).
Figure 1. Project Portfolio risks in Hadrone PPM software
Source: Hadrone PPM software (www.hadrone.com)
A heat map can be used for quickly identifying significant and critical risks. By properly describing risks, it will also be possible to quickly identify overdue risks—those for which the realization date has passed but that have not yet been closed. This means that, in practice, we do not know the current status of such a risk, so the first step should be to update it in order to make informed decisions.
The key to effectively using risks to steer projects is quickly assessing the status of risks and their impact on the projects. This assessment includes status, impact, probability, proximity, response, estimated impact on the schedule, costs, and effort. This information should be as easily accessible as possible, in a condensed form.
Since there can be many risks in the project portfolio, filters are very useful, enabling quick access to the most important risks from a particular stakeholder's perspective. For example, these could be risks of a specific type, concerning projects in a certain category, that will materialize within the next month and will have a defined impact on extending the project schedule or increasing the project budget.
Closing risks and collecting experiences
Risks also provide valuable input for managing lessons learned. When closing a risk, we should indicate whether it materialized and what the actual impact of the risk's realization was on the project. By reviewing closed risks from specific types of projects, we can both identify potential risks in new projects and avoid the materialization of risks that have occurred in the past (e.g., related to prolonged analysis in a specific business area or issues with collaboration with a particular supplier).
Analyzing historical risks can serve another purpose – preparing predefined risk definitions for specific risk categories along with guidelines for their use (e.g., selecting appropriate risks considering the project category). This approach speeds up the creation of risks in new projects and helps educate less experienced project managers on the types of risks that may occur in a project.
Conclusion
In this article, we aimed to demonstrate the benefits that risk management can bring to an organization, as well as what needs to happen for risks to truly "live" both within a project and across the entire portfolio. We have shared best practices that ensure risk management is not just a tool for meeting internal regulations but a valuable mechanism that increases the likelihood of project success.
It is important to remember that effective risk management requires the right tool, one that allows for convenient recording and updating of risks at the project level, while also providing quick access to information about key risks and their impact on projects at the portfolio level. One of the tools that incorporates this perspective on risk management is the Hadrone PPM software (www.hadrone.com).