“Risks, what risks? The project is just starting. We haven’t had time to encounter any risks yet!”This is a very common reaction I have experience when beginning a new project. People are excited about starting a new project and do not want to believe or consider risks might be present. The reality is that as soon as a project is envisioned, there are risks to be identified and managed. Without identifying the risks to a project, the project can become susceptible to potentially crippling events that the project team and business are not prepared to address. Exercising good risk management prior to, and during, the project will assist in ensuring a successful outcome.
The reason for the common reaction above is that many of us do not accurately differentiate between risks and issues.
It is very common for risks and issues to be confused during a project. The difference is a risk is something identified that MAY occur and will impact the project if it happens. An issue is something that HAS occurred and is impacting the project. I have found it is a good idea for all parties to meet to discuss the differences between risks and issues. This meeting ensures agreement throughout the project on the identification and handling of risks and potential risks.
Risk management is the process of identifying items that could impact the project that may happen and documenting the best steps to take to accomplish one of the following:
- prevent the event from happening, or,
- develop a plan to address the event if it actually occurs
I like to think of risk management efforts as the ultimate project insurance policy. By identifying and preparing for potential events that may negatively impact your project, the project team will be prepared, and not taken by surprise, if any of the events do occur. I have been on projects where the risk management was handled well enough that large, impactful events such as the divestiture of a large company unit or acquisition of a new company occurred with little or no impact to the project. The reason these large business events did not cause the project to fail were that we had anticipated the possibility of them happening, prepared our response in the form of resource, budget and timeline planning and ultimately executed the plan when the event happened. As a result, we were able to absorb the impact of the event and keep the project on track for a successful completion.
Standard risk management involves identifying and classifying project risks, determining the probability the event will happen and determining preventive or mitigating activities to address the risk. Common classification areas utilized in risk management include the severity and the category for each risk. Severity is commonly rated on a scale (Low, medium, high, extreme) that indicates how the risk impacts the project (budget, schedule, quality of work, etc.):
- Low – the event has little or no impact on project tasks and milestones
- Medium – the event has major impact on project tasks with minor milestone impact
- High – the event has significant impact on the project schedule
- Extreme – the event will cause the project to fail
Risk categories are used to classify risks and the area of a project that is impacted by the risk if it should occur. The category also assists in identifying the responsibility for addressing the identified risk. Some of the commonly used categories in risk management, and examples of their application, include the following:
- Project Management – aggressive or unattainable time or budget estimates; Lack of or inadequate resource commitment
- People – Lack of acceptance of the changes resulting from the project; unacceptable levels of communication
- Technical – Hardware components missing or unavailable; invalid or inadequate software designs
- Business – Funding shortages; acquisition or divestiture activities
While these are commonly used severity levels and risk categories for projects, any rating scale or categories may be used for a project risk management plan. I have participated on projects that used lettering (A, B, C, D) or numbering (1, 2, 3, 4) systems to label their risk severity, and projects that used many different categories for their risk management. The main requirement for these items is that all parties are aware of the values and understand their definition and application when executing the risk management activities. The key is that all of these projects performed risk management activities before and during the project and through that they enjoyed a reduced level of risk. In addition to the category and severity levels for an identified risk, it is helpful to estimate the probability that the risk will occur. This can be based on knowledge of the participants in the risk management process, business climate, previously announced intentions of the corporation etc. Next time I will share an example of how risk management allowed one of my projects to absorb a divestiture with no significant impact upon the project.