Risk Management on Projects

Project Risk Management

How does project risk management differ from any other type of risk management? Well, in most regards it doesn’t. However, as this is a project-focused activity, it helps simplify the overall focus by looking only at the core project fundamentals of scope – which are cost, quality and time. Remember that, I may test you later!

There are a number of good training videos available on YouTube that cover this principle. I’ve added a couple below to help bring home the point of this article. I find watching a presentation often easier to take in than reading someone else’s thoughts.

So what is project risk management all about? In an earlier article I talk about what risk and risk management are about. If you are still confused about what risks are and what risk management is about then read this article; it should bring you into the picture. On projects we talk about risk as any event that could cause an unplanned change to the project’s scope – i.e. impact the project costs, timeline or quality of the deliverables, or any combination of the three.

What isn’t always obvious when talking about project risk management is that we also need to consider the positive impact a risk may have on a project – i.e. reduce costs, decrease the timeline or increase the quality of deliverables. In reality it’s not very often that project risks present positive opportunities. Nevertheless, as project managers we have a responsibility to recognize and act on these risks, positive or negative. That’s Project Risk Management.

David Hinde wrote a good article back in 2009 about using the PRINCE2 Risk Management technique. Without getting embedded in any particular methodology, the general approach to project risk management should follow a similar framework, and this is as good as any for the purpose of this article:

David talks through a seven-step process:

Step 1: Having a Risk Management Strategy

This means setting up a process and procedure and getting full buy-in from stakeholders on how the organization will manage risk for the project.

Step 2: Risk Management Identification Techniques

Where do you start in the identification of risks around a project? There are many risk management techniques and David suggests a few which are excellent. However, I like to take a step back and make a list of all the critical elements of a project on the basis of “if this task doesn’t happen will it be a show stopper?”. This helps me build a prioritized list of critical tasks against which I can then consider the risks – what could go wrong to impact this task.

Here’s my thought process on risk identification outlined:

1) List out critical deliverables.

2) List out, against each deliverable, dependent tasks.

3) List out against all dependent tasks and critical deliverables “any” potential event that could delay or stop the delivery to plan.

4) Grab a template risk analysis matrix and complete the first pass of assessment – probability v impact for each risk.

5) Take it to a project meeting and use it as the baseline for brainstorming.

Step 3: Risk Management Early Warning Indicators

Don’t rely on basic performance of the project as an indicator that everything is going well. Status reports showing a steady completion of tasks could be hiding a potential risk.

In risk management a number of other factors need to be on the project manager’s radar on a daily basis. Things that I always look for are delivery dates from vendors – how confirmed are they, and is there movement in delivery dates (you’ll only see this if you regularly ask for confirmation updates from the vendor) – and resource issues, such as key individuals taking sick leave or personal leave more often than normal.

Delays in getting certain approvals signed off by the steering committee or other governance bodies – will this impact orders going out or decisions being made on critical tasks? Getting qualified people in for inspections and certification (new buildings, for example, require a lot of local regulatory inspections). These are just a few of the daily challenges a Project Manager will face and all can be indicators of trouble to come.

As you gain more experience in risk management you start to instinctively recognize the early warning signs and challenge the culprits earlier in the process. You’ll also find that a good project manager will build in mitigation for the common project ailments at the very start. Sometimes seeing the tell-tale signs when selecting vendors or suppliers will be enough to select better alternatives, and this is what I call dynamic risk management at work.

Also keep an eye on the world around you – economic or geological events elsewhere can have a dramatic impact on local suppliers and supplies of key project materials. For example, flooding in Thailand has impacted the delivery of various computer components that are manufactured there, causing impact in both supply lines and pricing. (Yes, I work in Asia so see this type of impact first-hand.)

Step 4: Assessing the Overall Risk Exposure in Risk Management

Taken directly from David’s article as he says this quite clearly – “PRINCE2 2009 gives an approach to show the overall risk situation of a project. Each risk is given a likelihood in percentage terms and an impact should it occur in monetary terms. By multiplying one by the other an expected value can be calculated. Totaling the expected values of all the risks gives a monetary figure that easily shows the exposure of the whole project to risk.”

There are many similar ways I’ve seen risk calculated in organizations, all variations on risk management. As long as there is a common approach for showing all risks, prioritization and impact on a project, then risk management will work and add value in protecting the investment in the project. Each project and each organization will have their own requirements in terms of how they want to see risks analysed and presented. By and large it doesn’t matter how this is done, as long as it IS done and it makes sense in the context of the project and organization. There are risk management tools to help organise and manage this.

In another article I’ll talk more about the Risk Management matrix and show a few examples. In my mind the only wrong way to do this is to not do it at all.

Step 5: Considering the Effect of Time on a Risk and Risk Management

The effect of time when analyzing risks is that the more imminent a risk, the higher priority it may take. I say “may” as it may be that a very low priority risk with low impact may be about to happen whereas a higher priority risk may be weeks or months away. How do you manage this?

Common sense (of which there is no such thing) would suggest that if the higher priority risks are still a long time away then the imminent lower priority risks should be dealt with first, as a higher priority..? Perhaps?

You’ll have to take a pragmatic view on this: every situation needs to be taken on its merits and, risk management not being an exact science, you’ll be expected to make judgment calls and discuss options with your client and project board or steering committee. After all, the governance board of a project has a responsibility to steer such decisions, so the role of a good project manager should be to collate the facts and present the data with recommendations. Let the higher paid guys make the big decisions.

Step 6: Giving a Clearer Approach to Help Define Risks in Risk Management

David gives an example in his article which I’m struggling to relate to the world of projects as I know them. I think essentially what this focuses on is the “mechanics” of the risks in such a way as to help us understand and look at the cause and effect of scenarios that could lead to the risk happening.

In this way we can focus on the lowest common denominator(s) that will generate the risk and mitigate those items. Is that a little confusing? The principle is, I believe, to nip the problem in the bud by recognizing what or where the bud is. Don’t get hung up on this; I would say this is something you’d tend to do naturally as you gain experience in reviewing risks and dealing with risk mitigation (prevention).

Step 7: Focus on Opportunities in Risk Management

Finally – and last but not least – where can we make or recognize risks as opportunities? An example David talks about suggests that a new release of a software product that would offer major benefits if included in the project would be a possible “positive” risk.

This I can relate to more, with the experience of being asked to change the specification on a traders’ dealing system halfway through a major project because the manufacturer had released a major systems improvement, a completely new model, that the bank saw as a strategic advantage.

The analysis of this risk covered the obvious change in costs: the new system was more expensive. The implementation was zero impact compared to the older system; however, there was a large element of re-training the trading staff and proving the system for the bank before go live. This became the biggest challenge once the cost differential had been signed off by the project board.

The additional training time required was squeezed into evenings and weekends so the final project delivery schedule was not impacted – but getting vendor and project resources to support the additional work, and making sure the system was fully functional and supported operationally when the new facility went live, added cost and stress that hadn’t been anticipated. This is where risk management and change management overlap – a topic for another article.

The client was happy with the result and additional investment made. Simple risk management gets the job done.

Here are those Risk Management Training videos I mentioned at the

Preparing Annual Risk Management Strategy

Organizations would be focusing on preparing the risk management strategy and plan for 2011 as it is the last quarter of the year. Normally, Chief Audit Executives, Chief Risk Officers, Heads of Internal Audit, Chief Information Security Officers, Heads of Compliance, Heads of Ethics and Heads of Fraud Risks are very busy in the last quarter finishing off the year-end targets, objectives and key performance indicators. The next year’s strategy is developed from the previous year’s reports, observations, balanced scorecards and risk dashboards. A simplistic risk management strategy focuses on the following:

1) Financials – Developing a budget and other cost indicators

2) Operations – Preparing audit and review schedules. Listing out policies, procedures and manuals to be prepared and reviewed.

3) Resources – Formulating a hiring and a training plan

4) Knowledge – Developing knowledge bases, writing research papers and upgrading risk management tools and software.

Risk management has become complex and critical in the present economic environment. Without sophisticated and skilled risk management departments, organizations may face multiple disaster scenarios. Globalization, technology, economic environment, regulators, competitors, and speed of change have all contributed to making business operations more complex. Risk management departments need to gear up and develop an annual strategy keeping these aspects in mind.

Five suggestions for preparing a comprehensive annual strategy are given below:

1. Break the Silo Approach

Depending on the size of the organization, the organization may have a number of departments focusing on risk management. To name some, in respect to the department heads mentioned in the first paragraph, we have Internal Audit, Fraud Prevention & Investigation, Compliance, Information Security and Business Ethics. These departments generally have some overlapping functions and turf wars. Silos are formed and the senior management has difficulty in making sense of various risk dashboards and reports presented by the department heads.

Prepare individual plans for the departments and roll them upwards to have a combined one for all risk management departments. Prepare one single strategy and plan for the organization as a whole and present it to senior management. Present a plan to the management which emphasizes the top risks to the organization, with a plan to mitigate and control them. The management will have higher respect for, and provide greater support to, the integrated approach. Various risk management departments will also be able to save cost and time on monitoring various risks by reducing duplication of work, leveraging synergies and sharing tools and information.

2. Determine Risk Philosophy and Appetite of the Organization

In some cases, the risk management departments present a risk dashboard to the senior management of the organization. If the CEO of the organization asks “Can I hold you on this? Are you sure that if these top 10 risks are mitigated, the organization will sail through the year?”, the head of the department generally cannot say a definitive “yes”. The answer is given with a “maybe”, a “but”, an “if” and so on, but not a “yes”. So the question is: how should a head of department address this concern?

Risk managers need to determine the risk philosophy and appetite of the organization. To assess the risk philosophy, understand the organization’s culture and environment. The way business operations are conducted daily and the organization’s strategy are good indicators of the risk philosophy. Assess whether the business has an aggressive or conservative attitude towards risks for achieving business goals.

Risk appetite is the amount of risk which the organization is willing to take to undertake business activities. A simple question to ask the board members would be: “What amount is going to make you uncomfortable if it appears in the business newspapers?” Consolidate the risk exposures from the various risks identified by the risk departments and present them to the board. Finally, assess whether the company’s internal outlook on risk philosophy and appetite is consistent with the viewpoints of the board and other stakeholders. Realign the two where required to prepare the annual strategy.

3. Understand and Integrate with Business Strategy

In a few companies, the annual strategies and plans of business and risk management are drawn up in parallel, with neither having information about what the other is planning. The risk management strategy cannot be internally department-focused. The risk department heads need to obtain information on the business strategy of the organization to understand strategic risks.

For example, obtain information on new products and services which the organization is introducing in the coming year. Identify the territories, branches, and countries into which the organization is planning to expand its business operations. Determine what the risks of expansion and innovation will be. Let us say a USA company is planning to introduce its products in India. Now India has different laws, regulations and taxes. Also, the operational risks are different. Understand these risks and integrate them in the annual strategy and plan. This way, neither the risk management departments nor the business operation departments will be surprised. The budgets and plans would be incorporated and approved before the year commences, hence there will be limited fire fighting.

4. Focus on Building Relationships

One of the grouses which risk departments have is that they are not on the CXOs’ radar, do not have direct reporting to the top or representation at the board, and are sidelined from the critical business operations due to negative perceptions.

Plan for the coming year and prepare a wish list. Include in it the time required from the CEO and other CXOs, the formation and membership of a risk oversight committee, a new organization structure with the head directly reporting to the CEO, and a nomination at the board. Discuss these aspects with the CEO and senior management during plan preparation. This will ensure that the senior management schedules the requirements in their plans. Insist that the CEO puts risk management as one of the points in his/her personal balanced scorecard. This will make sure he/she is dedicated and committed to risk management throughout the year.

Discuss the composition of the risk oversight committee and audit committee. Identify the members you wish to nominate who support risk management initiatives. Define the process of reporting to the board and the audit committee. Get their commitment for board nomination and new organization structure for risk management departments. Start the groundwork for building relationships at the planning stage itself.

5. Assess Competitors’ Strategies

The risk departments are generally happy with what they are doing and discover information about tools and methodologies from various institutes, periodicals, magazines and conferences. In a few cases there is some focus on the operations of risk management departments of competing businesses and organizations.

Determine which organizations are competition to the business in respect to products and services in various territories. Focus on finding information on the risk management department operations of these organizations. Find out which risks the organizations faced, how they were mitigated, what kind of tools and knowledge bases they are using, and what their staff strength, skill set and organization structure are. Will some of the practices result in cost savings and better synergies within the business? Determine the similarities and differences, and assess what can be incorporated in your organization effectively. There are some lessons which can be learned from competitors’ successes and failures. Leverage competitor knowledge to learn these lessons.

The above mentioned five points are those which can be easily in
