Overview
Risk management is an integral part of project management. However, to ensure risk is managed effectively and efficiently, we follow a formal methodology and use industry-standard tools and techniques. Risk management is important because if risks are not identified at the right time, they will likely have a negative impact on the scope, schedule or cost of a project—in fact, if any one of these is impacted, the others will likely be impacted.
However, it is important to remember that not every project or initiative needs to have the same level of a risk management process. Risks can be effectively managed without having a formalized process in place, but there are some caveats. In this blog post, I will walk through some of those caveats. If you are a project manager, or if you incorporate risk inputs for status reports, or even just work on a project, this post is for you.
Risk Management Essentials
First, let’s baseline some of the risk management basics.
A risk in project management terms is an uncertain event which may keep a project from achieving its objectives, potentially impacting project timelines and budget. Examples can include an unexpected supply chain issue which delays receipt of something vital to what you are delivering and causes your product to be late; a hard-to-replace key resource on your team who has a scarce skill set and the potential to get hired away; or even potential budget cuts which will impact the ability to fund the project you are managing.
Risk Management is a disciplined process which allows both Risk Managers and Project Managers to anticipate (as far as possible) and deal with unplanned events as they come up. They do this by thinking through the implications, communicating to relevant stakeholders about what may happen, and determining what could and should be done about those risks.
With that in mind, the three big risk management “to dos” are: identify a risk, determine how to mitigate it, and communicate that knowledge to stakeholders to ensure there are no surprises.
Different Types of Risk
Not all risks are managed in the same manner. While the concept of managing risks is the same, there are key differences in types of risks. My focus today is on project risk management, where projects (and therefore risks) have a defined start and end date. Examples of project risks can include:
• A project without a well-documented scope will make it difficult to define success, and will also make it challenging to say no to constantly changing requirements.
• A project with technical dependencies outside your control may put your overall timeline in jeopardy if that technical dependency is not ready when you are.
At the same time there are other types of risks where there is no defined end date, and risks live on a risk register for months or even years. These include business function risks, which are risks attributed to an organization’s specific functions, such as finance, legal, IT and human resources, to mention a few. Then there are enterprise risks, which are risks that can have a widespread negative impact across an organization. Some areas of enterprise risks include those related to reputation, business competition, financial controls, ethics and cyber security, to name a few.
Risk Management Best Practices
If you refer to the Project Management Body of Knowledge (PMBOK) or do a Google search on risk management, you will come across articles on many aspects of risk such as the various phases of risk management, the importance of standing risk review meetings, heat maps, and robust risk registers which incorporate data such as probability and impact analysis, mitigation plans, identified risk owners, and of course, the current status of the risk. These are all very good practices to have in place for certain types of projects, such as those that are long term in nature, or which may need a formal Project Management Office (PMO) consisting of fully dedicated individuals focused on functions such as schedule, risk, change requests, contracts, and/or quality.
Risk Management Without the Formalized Process
What about projects that are short term in nature, just 2-3 months long? Would it make sense to maintain a risk register and have bi-weekly or monthly risk meetings? Probably not, because in short-term projects, team members need to meet with project sponsors and leaders multiple times a week to discuss project milestones.
Given the above-mentioned scenario, I would argue that for fast-track projects, risks can be managed without the typical tools and best practices. The key to successfully managing risks in short-term projects is identifying the risks, escalating them to the right people and having a mitigation plan. This can happen either while risks are documented in a risk register and reported in formal dashboards, or just as effectively by raising, discussing and attempting to resolve the risk in daily meetings or offline with key stakeholders.
Key Takeaways
Project managers can effectively manage risks in a fast-moving, short-term project without a formalized process environment. What they need to do is always remain aware of potential risks, tackle them as they come up, and communicate with the relevant stakeholders so they can create a mitigation plan in a timely manner. One of the worst things project managers can do is not communicate a risk until after the fact, leading to unpleasant surprises for the client or project sponsor. I have seen that wherever project managers are disciplined, recognize risks, communicate with key stakeholders in advance and are focused on resolving the risks, then those project managers are, in effect, managing risks without a formalized process.
Vikas Lal - Director, Client Success
As the Director of Client Success with Blue Altair, Lal brings over 25 years of extensive experience in corporate risk management and consulting. He holds an MBA in Finance from The Ohio State University and a BA in Economics from the University of Michigan, and is a certified Project Management Professional (PMP).