Project Risk is something that is very often ignored and not documented – which often creates surprises that could have been mitigated or averted. The importance of identifying the risks, looking for signs of risks, and communicating the risks should never be underestimated. A risk can be caused by many factors, including but not limited to: resources, hardware, software, the organization, stakeholders, quality, external factors, or client based.
When risks are managed properly, the results are minimized project threats, projects delivered on schedule, projects delivered within budget, and unaffected quality. Also, the project team will be more at ease when the risks are managed appropriately. They can focus on the tasks of the project as opposed to remediation of issues that could have been avoided.
It is key to project success to identify and mitigate risks before they become issues.
Here are the guidelines to implement risk management into your projects:
IDENTIFY RISKS IN ALL STAGES OF THE PROJECT
At the beginning of the project, go through each stage and each task to identify all potential risks. Common methods that will help determine risks are brainstorming sessions with the project team, interviews with subject matter experts, interviews with stakeholders, review of the project documentation, and your expert judgment. These exercises may not bring all risks to light but will help identify the majority of them. Additional risks will likely be identified as the project moves forward.
ESTABLISH OWNERSHIP OF EACH RISK
No one will want to own a risk once it has become an occurrence. The project team will be in response mode and time will be wasted deciding who is available and capable of fixing any issues. To avert this type of situation, give each risk an owner as soon as it is identified. The owner should be someone on the project team who has the expertise to manage the risk and will be responsible for it for the duration of its lifecycle. Applying ownership to each risk will ensure tasks are carried out to decrease threats and enhance opportunities.
PRIORITIZE EACH RISK
It is common that some risks will have a higher impact than others. When identifying risks, determine the risk score of each. (The risk score is usually the impact multiplied by the probability.) More time should be spent on the risks that have the highest potential losses or gains for the obvious reasons. Also, determine if any of the risks are ‘showstoppers’. A showstopper can halt all project work if not managed properly. Prioritize the showstoppers above all other risks.
COMPLETE A RISK ANALYSIS
Analyzing each risk will help reduce the probability of an occurrence. It would be efficient to determine preventive measures for each risk and create a plan to manage the risks should they become constraints. The analysis can be quantitative, qualitative, or both. The analysis should describe the cause of each risk and the primary effects on categories such as quality, budget, or resources. Activities that will aid in the decreased probability of a risk can also be included in the analysis and will aid the risk owner in managing the threat more effectively.
PLAN RISK RESPONSES
Once you have identified, prioritized, and analyzed the risks; complete a risk response plan. The purpose of this plan will be to develop options and actions that will reduce threats and enhance opportunities. To do this, you will need to determine which strategy to use to manage each risk. Strategies include avoidance, acceptance, mitigation, or transfer of the risk. The purpose of this process is to develop options and actions that will reduce threats and enhance opportunities.
Avoidance is the process of eliminating a risk or reducing its score to zero. When faced with a particular risk, a different process or product may be chosen that is less risky than the original.
Acceptance is chosen when a risk has a low-risk score or if the cost and effort of taking an alternative route is more expensive than the risk itself. The risk should continue to be observed to ensure acceptance is still the most desired action plan.
Mitigation will aim to reduce a risk score. For example, a possible mitigation scenario would be to hire a more skilled project team to decrease the amount of time spent reworking a complex design.
An example of risk transfer occurs when a third party vendor is hired to manage the risk. The risk is no longer the responsibility of the project but transferred instead to the vendor.
CREATE A RISK REGISTER
Once risks are identified, they will need to be tracked. A risk register is a great tool used to accomplish the tracking of risks. A typical risk register will include a category that will group similar risks, a description of each, clarify ownership, the impact if the event were to occur, the probability of an occurrence, and the risk score. The risk register will also include a basic analysis of the cause and effect as well as the mitigation plan. This document will essentially be the ‘one-stop-shop’ for all the information relating to risks associated with the project.
COMMUNICATE
Communication is a huge part of mitigating risks. Risks should be consistently discussed throughout the project and added to the agenda of each project meeting. This will ensure risk management becomes natural to the project team, and they have an opportunity to report new ones that may have been identified. Also, ensure the stakeholders, client, and sponsor are all aware of the top risks. They will appreciate not being surprised in the event of a risk occurrence and will continue to trust you throughout the duration of the project.
DON’T FORGET TO CONSIDER OPPORTUNITIES
Projects will have both threats and opportunities. It is just as important to discover the opportunities as the result could be a better, more profitable project. While the project team is diligently working towards the end goal, it is easy to forget that opportunities may exist. Make the effort to look for opportunities within the project because the find may be a high payoff that does not require a large investment of the resources.