Project management is plagued with uncertainties. From the risk of data security breaches, to the possibility that your top designer gets head-hunted by your main competitor, these risks can pose a real threat to your ability to deliver a project successfully.
Every company needs a resilient strategy to manage risk events and keep their projects on track. In this article, we'll dive into the topic of project risk management, looking at why it's so important in today's business culture, and a 5-step approach to get a risk management process in place.
Project risk management is the process of identifying and anticipating the potential risks to a project. Risks are variables that impact project performance, cause delays, and reduce productivity. They can come from a variety of sources, and strike at any stage of the project implementation.
Project managers spend considerable time identifying risks and devising strategies to mitigate them. As much as we'd like to, it's not possible to completely eliminate risk, and businesses increasingly recognize the need to develop a robust risk appetite to roll with the punches.
However, the aim of project risk management is to minimize potential risks and their impacts, and keep the project moving.
The current business landscape is a minefield of potential risks, from the mundane to the catastrophic. Mass layoffs and critical staff shortages in many sectors are liable to cause resource risks and constraints. Meanwhile, supply chains are threatened by market uncertainties and increasing political unrest that undermines the stability of global business.
Security risks are also on the rise, with cybercriminals becoming more sophisticated and outpacing development of counter-measures. The global cost of damages from ransomware attacks alone is predicted to exceed $30 billion in 2023.
The frequency of extreme weather events caused by climate change is also surging, increasingly causing disasters and contributing to the scarcity of key resources. Businesses that lose assets to extreme weather often cannot recover.
Now more than ever, it is of paramount importance to design projects with a dynamic and flexible risk management outlook. Project managers need to frequently reevaluate and strategize their risk management process based on the changing landscape of the market, environment and cybersecurity.
Each project has its own goals and challenges, and with that comes a unique set of risks. However, there are certain categories of risk that need to be considered for any project.
A project can't run without its resources, and resources have a significant impact on a project's performance and pace. Common risks associated with resources include staff shortages, staff skills, equipment unavailability, cost overruns, and delays.
A comprehensive risk mitigation plan must consider all the potential resource constraints that can disrupt the continued supply of staff and materials for the project.
Project management cannot guarantee financial success of a project without a reliable budget estimate. Cost overruns can threaten the success of the project, and are usually due to inadequate data on project scope and resources, inaccurate estimation of supply costs and resource allocations, or outdated procurement procedures.
A cost risk management process should allow for contingency costs. Contingency costs are incurred when unexpected but high-impact events impede the progress of a project. Reserving funds to cover contingency costs is necessary to keep the project moving to completion.
Deviations from a project's original scope and layout can result in major delays and additional costs. Factors that can lead to scope changes include a lack of consensus between project team members regarding the scope, and unclear change management processes.
The operations of a business are what keeps everything ticking, and risks that threaten these processes can impact all project outcomes. These threats can be related to internal operating processes, or external factors.
Examples of operational failures include data loss, shortages of critical staff, disruptions to services at a company level, major safety threats, or financial losses. These large-scale effects trickle down and impact the implementation of individual projects.
Market risks are often unpredictable and pose a major challenge while devising a risk management plan. Risks in this category stem from investment planning, competitor risk, fluctuations in the market pricing of commodities, and credit risks.
Many market risks are unavoidable but can be mitigated during the risk management process. Other risks are more easily avoided, for example those that stem from an inaccurate assessment of market conditions such as demand, pricing, and availability.
Performance risk is centered around the project outcome, and a failure to deliver the anticipated results lowers performance. Performance risks result from poor coordination between project teams, poor oversight, underuse of tracking tools, and a failure to identify risks and adjust course as needed.
Performance risks are easily anticipated, but a failure to account for them impacts the company in the long run and gives competitors the edge in the market.
Cyberthreats plague the security of businesses large and small alike and undermine their success. Ransomware, malware, phishing attacks, and password theft are a few risks associated with technology.
Resilient cybersecurity systems are a staple for cloud and internet-services companies, whose business is on the line from malware threats.
Other potential technological risks include a lack of timely infrastructure installations, of compliant and updated software systems, or of equipment monitoring, as well as a shortage of reliable support systems.
The current climate change crisis poses an ominous threat to businesses and livelihoods, and no risk registry is complete without a climate risk and disaster management process.
Sudden extreme weather changes such as floods, hurricanes, and droughts can cause massive destruction to infrastructure, affect supply chain management, impact resource availability, and disrupt cyber services.
A resilient project risk management plan includes backup and recovery planning to handle adverse events and ensure business continuity. For example, data centers may back up data at multiple geographical locations, so that services can continue uninterrupted even if one of the centers is offline.
The first step to establishing a project risk management process is to identify the potential risks. Unfortunately, this critical step is time-consuming, as risk identification is unique to each project delivery plan. It can help to look at each of the above categories of risk, and how they might occur at each stage of the project life cycle.
Project managers may begin to identify risks through brainstorming sessions that include diverse members from cross-functional teams. Project managers may choose to meet with team members in multiple sessions to come up with a comprehensive list of identified risks.
Having different people from cross-functional teams in combined sessions will also help members plan future integrations or collaborations during project implementation.
Risk identification should focus on areas that require improvement and may inform changes in budget and hiring. Targeting specific bottlenecks and addressing previously encountered issues can help identify new areas that pose risks to project management and implementation. If, for example, an IT team requires additional competent staff for a project, the project manager needs to flag these needs to hiring and finance teams well in advance.
Project managers can identify risks by evaluating what-if scenarios, where they ask 'If this event occurs, what is its impact on the project objective?' An example of a what-if scenario is "what if a crucial resource becomes unavailable at this particular stage of project implementation?"
Asking what-if allows project managers to identify variables that can affect the bigger picture. The goal of what-if is to understand the implications of small changes for the project as a whole, and to map how small variables can cascade into a larger event affecting project performance.
Once the project manager has a master document of identified risks, they can establish a risk management process to address each risk category.
However, risk identification is an ongoing process, and is not limited to the initial stages of a project. Instead, project managers may appoint team members as 'risk owners': experienced team members who identify and monitor risks at key milestones throughout the project.
The process of identifying and assessing risks, and then taking steps to control and mitigate them, is known as the risk management process. Here are 5 steps to setting up a project risk management process within your organization.
A project risk register is a tool that lists the risks you've identified, logs their incidence and tracks the response plan. It is a centralized repository that helps to track risks across multiple levels of a project as it evolves and develops.
Once a risk has been identified, the risk owner or project manager should immediately update the project risk register to reflect the risk assessment, so that the risk will be monitored correctly.
The risk register categorizes each risk, rates its impact and evaluates its likelihood. Project managers find risk registers to be useful tools while measuring the performance indices of a project and the project team.
Risk analysis prioritizes and ranks risks, helping project managers home in on the immediate course corrections necessary to ensure the smooth running of a project. The impact of a potential risk can be assessed in either quantitative or qualitative terms.
For example, recurrent and prolonged downtimes in data recovery may impact a project and its delivery deadlines. The negative impact of breakdown in services can be measured quantitatively, using model simulations, to understand the far-reaching consequences of the event.
A qualitative risk analysis maps the risk and its impact in words. For example, the immediate risk of climate change and its impact is difficult to quantify, but needs to be considered on the risk register.
Once you've identified and evaluated your risks, the next step is developing a process to mitigate the risk and keep the project on track. A response plan is the first step in controlling the risk.
For example, as a response to potential resource risk, project managers work out resource allocation strategies to ensure resources are available at the right place and at the right time at each stage of project performance. Equally, in a response plan to counter cyber threats, key personnel may be required to undergo training sessions to improve security awareness.
A risk response plan often involves multiple stakeholders, including senior team leaders, upper management, and sometimes even the client. These stakeholders would be notified if a risk occurred, and are involved in considering the solutions to mitigate it.
Not all risks can be avoided or mitigated as well as we'd like, so project risk owners need to monitor risks as the project progresses. Real-time risk monitoring and reporting lets different teams know what is happening across the project board.
As well as keeping the teams up to date with risk alerts, project risk monitoring helps managers evaluate future risk potentials and their impact on business performance. This is often done using key risk indicators (KRIs), which are tangible metrics for evaluating the impact of potential risks encountered during a project.
Finally, a risk management plan needs regular reviews and updates to fortify the risk management process.
A risk review involves the project manager and members across different teams, who meet to evaluate and improve the risk response plan, identify any bottlenecks in its implementation, and make sure rigorous risk control processes are in place.
A risk review process recognizes the changing scope of a project and identifies where it has shifted, so that project implementations can be protected from risk scenarios.
Project risk management planning is complex: it involves multiple stakeholders from different teams, and includes complex internal and external variables.
While the process of developing a resilient risk management strategy is time-consuming, the reality is that skipping it is just not worth it. If something goes wrong, having the right risk management in place can be key to ensuring that the project can get completed regardless.
Do future you a favor, and get your risk management plan in place.