PROJECT RISK MANAGEMENT: A PROACTIVE APPROACH
Paul S. Royer, PMP
Vienna, Virginia
Paul Royer, PMP, is the founder of Proactive Risk Management, an information technology and management consulting firm in Olympia, Washington, specializing in project management, risk management, and quality assurance. He has more than 30 years of experience in the information systems industry, specifically in health care, government, and consulting. His background includes project management, risk management, quality assurance, systems development, data and process modeling, data warehousing, data administration, training and coaching, methodology development and implementation, business requirement definition, and process improvement. He has a BA in Computer Science from the University of California at Berkeley.
For more than five years, Paul has concentrated on the risk aspects of project management. He has published several articles with the Project Management Institute on this topic and has presented them at PMI® national symposiums.
It must be remembered that there is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than the creation of a new system. For the initiator has the enmity of all who would profit by the preservation of the old institution and merely the lukewarm defense in those who would gain by the new ones.
—MACHIAVELLI
The art of project management consists of many processes. As defined by the Project Management Institute in the PMBOK® Guide, there are five essential project management processes, as shown in Figure 1-1. For reference, we define these processes simply as follows:
• Initiating processes—Obtaining commitment to begin a project
• Planning processes—Establishing a plan to accomplish the business need that the project addresses
• Executing processes—Coordinating the people and other resources assigned to the project
• Controlling processes—Ensuring achievement of project goals through monitoring and measuring progress so that remedial action can take place in a timely fashion
• Closing processes—Formalizing completion of the project by acceptance of final deliverables, leading to an orderly project end.
Before discussing how to manage risk, we must agree on a definition for the term. In the context of project management, we define risk as:
The potential events or circumstances that threaten the planned execution of the project.
This definition puts a totally negative context around the word risk. Others, such as the Project Management Institute, include the positive opportunities (impacts) that risks may have on a project. However, in developing a proactive risk management philosophy, it is most important to concentrate on the negative aspects of risk.
Each project management process has a corresponding risk management process, as shown in Figure 1-2. To establish a common reference framework, we define the risk management process simply as follows:
• Initiation: Project opportunity assessment—Examining the high-level requirements of the project opportunity to define risks versus opportunities in order to make a decision to proceed or not to proceed with the endeavor
• Planning: Risk management planning—Identifying risks and developing mitigation strategies and contingency plans to minimize their impact
• Executing: Project risk audit—Auditing the effectiveness of project management processes
• Controlling: Continuing risk management—Monitoring identified project risks to trigger the implementation of risk mitigation strategies and contingency plans; identifying new risks
• Closure: Risk knowledge transfer—Capturing lessons learned in the mitigation of project risks for use in future projects.
As defined earlier, the project opportunity assessment examines the high-level requirements of the project opportunity to define risks, as opposed to opportunities, in order to make a decision to proceed or not to proceed with the endeavor. While particularly important to consulting organizations and subcontractors, this process is finding more and more applicability within enterprises that conduct their own projects. No one’s resources are inexhaustible; therefore, it is critical to apply them to the “right” project. In addition to feasibility studies, return on investment analyses, and other strategies, the opportunity assessment provides additional insight to the decision-making process.
The five steps in the opportunity assessment process are:
1. Assign opportunity assessor
2. Identify risks and opportunities
3. Evaluate risks and opportunities
4. Distribute opportunity assessment
5. Make go/no-go decision.
The opportunity assessment process looks at nine assessment categories:
• Customer-associated
• Contract
• Project requirements
• Business practice expertise
• Project management
• Work estimates
• Project constraints
• Complexity and scale of deliverables
• Contractors.
The output from the opportunity assessment is a report that contains decision-making insight for management. A risk assessment of each category documents potential risks and assigns a risk rating on a simple low-medium-high scale. Likewise, the assessment documents potential opportunities (benefits) for each category.
Following the decision to proceed with a project, detailed project planning begins. During this process, you must assess and mitigate potential risks to the project. Risk management planning is the process of identifying risks and developing mitigation strategies and contingency plans to minimize their impact. It involves all resources concerned in the enterprise (e.g., project manager, project team, stakeholders, technical support).
Project risks come in two types: identifiable risks and unmanaged assumptions:
• Identifiable risks—Risks identified during engagement contracting activities (i.e., project initiation) or during planning. For the most part, they are highly visible and immediately apparent to everyone (or at least someone) involved with the project.
• Unmanaged assumptions—Project assumptions that are not monitored to ensure continued validity. If an assumption fails to remain valid, it becomes a risk.
Risk planning requires two sets of process steps after establishing a risk planning team: identifying risks and instituting assumption management.
1. Establish risk management planning team
2. Design identifiable risk planning
2.1. Identify risks
2.2. Categorize risks
2.3. Prioritize risks
2.4. Develop risk mitigation strategies
2.5. Establish risk contingency plans
3. Begin assumption monitoring planning
3.1. Identify assumptions
3.2. Verify assumption validity
3.3. Establish assumption monitoring metrics.
To institute a consistent approach to risk management planning, we need a risk classification scheme. Numerous schemes are possible; as an enterprise matures in its management of risk, it will develop its own schema. The following are useful starting points:
1. Risk categories
1.1. Scope/change management risk
1.2. Operational risk
1.3. Financial risk
1.4. Project management risk
1.5. Strategic risk
1.6. Technology risk
1.7. Failed assumption
2. Risk evaluation factors
2.1. Risk severity
2.2. Risk probability
2.3. Risk timeframe
3. Risk mitigation strategies
3.1. Risk acceptance
3.2. Risk avoidance
3.3. Risk protection
3.4. Risk research
3.5. Risk reserves
3.6. Risk transfer
Adhering to a rigorous, consistent scheme for classifying risk may seem like overkill. However, if knowledge transfer concerning risk is an enterprise priority (and it should be), it is much simpler to classify risks during the risk planning process than to try to retrofit classification. (See Chapter 6, Closure: Risk Knowledge Transfer, for more information.)
The deliverables from this process establish risk management priorities and plans to be managed during the execution/control phases of the project. For risks of high impact or probability, the actual project plan and budget should reflect the cost and time of the mitigation strategy. Risk management planning deliverables include:
• Project risk worksheets
• Project assumption worksheets
• Risk management mitigation strategies included in the project plan.
Throughout the execution phase of a project, it is important to ensure that the project is generally healthy. A periodic project risk audit accomplishes this by assessing the effectiveness of project management processes. A risk audit should be performed by a project management professional who is as objective as possible. If stakeholders judge a project to be extremely important, an external risk auditor should be used.
There are eight steps in the project risk audit process:
1. Identifying interviewees (project team, project manager, stakeholders)
2. Gathering evidence
3. Scheduling interviews
4. Conducting interviews
5. Analyzing evidence
6. Preparing findings
7. Preparing recommendations
8. Preparing report.
An initial risk audit takes from 20 to 70 hours over a 5- to 20-day period. Follow-up risk audits may take less time because they focus on prior audit recommendations and verification of continuing compliance to critical success factor (CSF) evidentiary requirements.
Ten critical success factors are used to audit a project’s compliance with industry best project management processes. Auditors also examine factors about the project’s progress against plan and make a prognosis for successful completion. The ten CSFs are:
1. Organization—The project is appropriately organized.
2. Risk management—Project risks are identified and appropriately managed.
3. Planning—The project is appropriately planned.
4. Milestones—Project milestones are being met on schedule.
5. Monitoring and control—Project status is appropriately monitored and adequately controlled.
6. Scope change control—Project scope is appropriately controlled.
7. Resources—The project is appropriately resourced.
8. Functional testing—Appropriate functional acceptance-testing processes and plans are in place.
9. Capacity and performance testing—Appropriate capacity and performance acceptance testing processes and plans are in place.
10. Training—Appropriate and timely training is available.
Deliverables from the risk audit are used to inform both the project manager and stakeholders of risk findings and recommended corrective actions. The individual deliverables are:
• Risk audit summary
• Risk audit working papers
• Interview log
• Documentation log.
During the controlling phase of a project, the project manager must continuously manage risk using the risk management plan developed during the planning phase process. While project team members may have the responsibility for monitoring risk and assumption triggering metrics, the project manager is accountable for managing ongoing risk.
There are three basic processes in continuing risk management:
1. Monitoring identified risks—Monitor the risk mitigation strategy and contingency plan triggers established during the risk management planning process.
1.1. Monitoring risk triggers
1.2. Invoking risk management strategy
1.3. Invoking risk management contingency plans
2. Monitoring identified assumptions—Monitor the assumption validity metrics established during the risk management planning process.
2.1. Monitoring assumption validation triggers
2.2. Invoking risk management planning process
3. Identifying new risks—Invoke the risk management planning process to deal with new risks or assumptions encountered during project execution.
In addition, we must invoke issue and scope change management processes to resolve risk-based issues and manage changes to project scope, resources, or schedule.
Continuing risk management involves executing the established risk management plan and accounting for newly discovered risks and assumptions. The following deliverables are necessary for properly documenting and communicating the effects of continuing risk management:
1. Risk management report
2. Updated risk management plan.
Part of the closure phase of a project is recording lessons learned by evaluating the project and determining what went well and what could be improved next time. This is especially important with respect to risk. The risk management planning process stresses the importance of experience-based risk assessment. While industry-based and general project risk lists may be relevant, the most important list to any enterprise is composed of the risks that it has encountered and what was successful in mitigating them. Therefore, it is critical that project closure reviews and documents the success of risk management.
Molding risk knowledge transfer involves several steps:
1. Evaluating risk management success or failure
2. Documenting risk management success or failure
3. Cataloging and archiving risk management success or failure
4. Archiving risk management success or failure.
The primary deliverable from the risk knowledge transfer process is a summary of the success or failure of the executed risk management plan. While a simple paper or electronic repository of the risk and assumption management worksheets will serve this purpose, a repository of searchable data provides a more accessible and useful resource. This chapter outlines a simple database schema for storing the information.
As enterprises focus outward and integrate across functional “silos,” programs of interrelated projects become the norm. Managing these efforts properly requires a higher level of administration, often referred to as “program management.” Like individual projects, programs can get into difficulties; therefore, a consistent process to review the ongoing health of programs is desirable.
A periodic program risk audit accomplishes this by assessing the effectiveness of organizational, communication, and management processes. It should be performed by an objective project management professional. If stakeholders judge a program critical to the success of the enterprise, an external risk auditor should be used.
Similar to the project risk audit process, there are eight steps in the program risk audit process:
1. Identifying interviewees (program manager, stakeholders, project managers)
2. Gathering evidence
3. Scheduling interviews
4. Conducting interviews
5. Analyzing evidence
6. Preparing findings
7. Preparing recommendations
8. Preparing the report.
An initial risk audit should take from 60 to 120 hours over a 10- to 30-day period. Follow-up risk audits may take less time because they focus on prior audit recommendations and verification of continuing compliance to critical success factor evidentiary requirements.
Ten critical success factors (CSFs) are used to audit a program’s compliance with industry best standard program management processes. The auditors also examine factors about the program’s progress against plan and prognosis for successful completion. The ten program CSFs are:
1. Organization—The enterprise is organized to meet its program goals and objectives, scaled to enterprise size.
2. Planning—The enterprise has planned for its program.
3. Financial resources—Sufficient financial resources (macro-level assessment) have been budgeted.
4. Direction—The enterprise is providing clear direction to its program and projects.
5. Coordination—The enterprise is coordinating its program efforts.
6. Communication—The enterprise is effectively communicating its program status and issues.
7. Staffing resources—The enterprise has devoted sufficient (macro-level assessment) program and technical staff to its program and projects.
8. Control—The enterprise is controlling its program and projects.
9. Risk assessment—The enterprise is fully aware of the program issues and risks.
10. Seeks remedies—The enterprise recognizes when it needs help and actively pursues remedies.
Deliverables from the risk audit are used to inform both the program manager and stakeholders of risk findings and recommended corrective actions. The individual deliverables are:
• Risk audit summary
• Risk audit working papers
• Interview log
• Documentation log.
This book provides a consistent framework and proactive approach for mitigating project risks. It complements and extends the risk management process defined by the Project Management Institute’s PMBOK® Guide. The book follows the PMI-defined lifecycle of a project, so it can be used side by side with other project lifecycle references in a training environment or in the real world of project management.
The techniques and material provide different perspectives for different audiences:
• Acquaint the novice student of project management with the basics of project risk management
• Present extensions to traditional risk management concepts for the veteran project manager
• Demonstrate the practicality, necessity, and value of sound project risk management practices to project stakeholders and sponsors.