While no one would dispute that risk management is a critical component of project management, most companies I’ve worked for or consulted with consistently rank it as the worst-implemented knowledge area within their organizations.
Why does this happen? Here are a few of the key reasons:
1. Project risk registers are created early during project initiation or planning and are never reviewed or updated again.
2. Project risk events are too generic, non-actionable, or of too inconsequential an impact for risk response owners to take notice.
3. Risk response plans have insufficient visibility to merit action and completion.
4. Risk biases are not normalized, resulting in a lack of credibility for probabilities, impacts and response plans.
So what do I recommend?
Treat risk management as an insurance policy for your project, and invest in the practice an amount of effort comparable to what you would spend on an insurance policy. This could translate into 1-2% of the overall effort/costs of your project. With that kind of funding, you should:
1. Focus on a small, manageable set of critical risk events – ones that senior management will take seriously. Remember how valuable their time is.
2. Focus on business impacts when crafting risk event statements.
3. Build the risk response plans developed during project planning right into the project schedule so that their activities will merit the same visibility as in-scope project tasks.
4. Review and update the risk register at every second project team meeting as well as after every major project change.
To learn a lot more about pragmatic, value-based approaches to project risk management, visit Dr. David Hillson’s (“The Risk Doctor”) website.