Project Risk Management – Keep It Simple
Risk Management has become an extremely hot topic to companies, from the Board level enterprise risk management programs, to the project manager with a project risk register. While the importance of risk management and its value-add to a company are almost never disputed, the application and follow through are often lacking.
Three Helpful Tips to Drive Your Risk Management Program Towards Excellence
1. Keep it Simple so People Will Actually Use it
Risk Management theory and its application on capital projects often differ by the degree of complexity and time that a project team is willing to spend. The theory includes basic risk concepts, methods and procedures for managing risk and excessive forms, charts and tables. In reality, the fast pace of projects often have team members questioning whether following these processes and forms truly adds value to their project.
At its core, risk management comprises of four steps:
- Risk Identification: Determining which risks might affect the achievement of an objective and documenting their characteristics.
- Risk Analysis: Qualitative analysis involves prioritizing risks by (subjective) assessment of likelihood and impacts. Quantitative risk analysis involves analyzing probabilistically the effect of the identified risks on overall objectives.
- Response Planning: Developing options and actions to enhance opportunities and reduce threats to objectives.
- Risk Monitoring and Control: Tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans, evaluating their effectiveness, as well as accepting or retiring a risk.
It is common to keep track of these risks and their corresponding actions in a risk register. This is an extremely useful tool for a risk professional to manage risk; however, a particularly ineffective tool to display in a risk management meeting. When conducting meetings and presenting slides to a group, use the ’20 second rule’. If the audience cannot read, comprehend and make a meaningful contribution or comment to the slide within 20 seconds, then there is too much information on a slide. A typical risk register has enough information to keep someone busy for thirty minutes or so.
Simplify your risk meetings. If the purpose is to identify new risks, assemble the correct group of individuals on your project for the task and do that one thing for the meeting: identify new risks. Do not attempt to analyze the risks or mitigate them. That is for another day. Once your process is setup and you are conducting regular project risk meetings, limit the discussion to high priority risks. Do not display the entire register, just the risk title (what are we worried about) and the risk response (what are we doing about it).
2. Risk Data Should Come from the Front Line
It is a common misconception on projects that the risk process is for executives and board members, and that risk registers are populated by information coming from risk professionals and management experts. In reality, hazards and risks are often experienced by front line workers. Project management teams need to consult front line workers on risk and hazard identification, causes of these risks and possible response strategies. Including front line workers in the risk process pulls useful information into the risk register, and pushes risk responses to where they will actually be used.
3. Management is the Key to Risk Management
If a risk does not have at least one action associated with the risk response, then it is not actively being managed.
The four steps of risk management are described above. Unfortunately projects often get caught up in the theory of risk management, which involves filling out forms and populating colourful charts. Excessive energy is devoted in the identification and analysis steps. Is this a moderate or high impact? Is the likelihood possible or unlikely? This distracts from the main purpose of the exercise – what are we doing about this undesired event? Who is doing the action? When will this be accomplished? How often have you come across a project where the beginning of the risk process is documented, risks are identified, analyzed and mitigation plans described, and it ends there? No accountability for mitigation plans, dates or follow through.
If there is no action, date and accountability, there is no management.
Project and Risk Management Consultants Based in the Toronto Area, Providing Services WorldwideLQ Consulting and Management is a Canadian based project management services company. We provide a full range of management and consulting services when and where you need it most, whether it’s a one-time requirement or full management from project initiation to close-out. If you have any questions or would like to learn more, please feel free to contact LQ Consulting and Management at our corporate office in Burlington, Ontario.