Risk exists as a natural byproduct of the uncertainties that are present in all projects. The purpose of project risk management is to manage these uncertainties so as to reduce potential project & business impacts of threats and to be better positioned to exploit opportunities.
A novice project team faces the following classic paradox – while the ability to cost effectively manage risk is greatest at the start of a project, the magnitude of certainty about the project is quite limited. So although an attempt is made to identify all appropriate risks, this lack of certainty will likely result in key risks being missed or red herrings being identified. Qualitative assessment of these risks is done to prioritize and focus on a small set of risks and quantitative assessment is done to evaluate the cumulative impacts of the target set of risks on the project – both are important processes, but their basis is only a partial understanding of the project’s true uncertainty. This is why it is important that the project manager or an appropriate risk management facilitator monitors effort expended on these activities to ensure that they are “right sized” relative to the current level of project knowledge.
This dilemma is the main reason for applying a progressive elaboration approach to project risk management.
As new information about a project surfaces and early assumptions are validated or refuted, it is important that the project team repeats risk identification & assessment activities (albeit with less effort being expended as compared to the initial iteration). The timing for this process should be both scheduled regularly (e.g. at every second project team meeting) and also tied to specific events (e.g. assessment of a change request). Another method of avoiding obsolescence of risk data is to identify risk triggers as well as underlying assumptions – confirmation or elimination of these prerequisites can provide valuable input into the re-evaluation process.
Just as a project schedule must be maintained through a project’s lifetime to provide a realistic model of activity delivery, a risk register requires the same level of refinement otherwise it will be as ineffective as a blindfolded Tarot card reader!