With any type of project management, risk is a guarantee. That’s not a message of doom and gloom: any undesired event or situation that could hurt (or help) the progress of the project is a risk, and there are plenty of situations that can pop up on any project.
Just as risk is a given when it comes to project management, risk management must also be a core facet of project management. Through risk management, project managers use a strategic approach to identify, analyze and assess, and ultimately manage and monitor the risks that could impact a project. Risk management in project management shouldn’t only be a response to problems, but should also become a proactive part of the planning process, which identifies the potential risks long before any actually occur.
Depending on the project, risk management may be as simple as a list or as complex as developing detailed mitigation strategies. The goal is to increase positive risks (also called opportunities) and eliminate or manage negative risks (also called threats).
The Importance of Project Risk Management
Risks can wreak havoc, the PMBOK Guide® – Sixth Edition warns: delaying timelines, extending costs beyond the budget, reducing performance or even damaging reputations. The iterative practice of project risk management is critical to solve for risks not otherwise addressed in project management approaches, whether the risks that be foreseen or they occur during the lifecycle of the project.
Individual and General Risk (Event vs. Project)
Multiple types of risk can occur on a project.
Individual, or event, risk is an isolated circumstance or event that impacts the project’s goals. For example, this could be a technical expert leaving the organization, or a necessary machine stops working and delays the timeline. Generally speaking, event risks are easier to manage. For example, a project manager can ensure a backup resource or machine is available if this event is identified as a likely risk.
General, or project risk, is more challenging. This type of risk often occurs out of the project manager’s control, and may be unforeseen. For example, an economic crisis may cause the client to cut the budget for the project, or executive turnover may reprioritize the project. In this case, while some of the risks can be planned for in advance, their resolution may be outside the project manager’s control.
Positive and Negative Risk: A Comparison
Risk isn’t always a bad thing in project management; a risk is simply a factor that impacts a project. A positive risk benefits the project. For example, the project may be completed ahead of schedule, the customer base served by the project may be larger than anticipated, or a delay may actually create a better selling opportunity. A negative risk damages the project or a facet of the project.
Of course, it’s not always cut and dried when it comes to defining these types of risks, because a negative risk can become a positive risk or vice versa. For example, while more customers than anticipated may initially be a positive as it means more revenue, this factor could also develop into negative risk if the software is not ready for the additional customer load. Similarly, a missed deadline from a supplier may open up an opportunity to renegotiate and reduce the project costs, which may be more important to the client than the timeline.
Risk management then becomes more about guidelines, striving to manage negative risk within an acceptable range and increase positive risk to ensure the best possible project outcome.
The PMBOK Guide® – Sixth Edition breaks down risk into four different categories:
- Technical risk – Technology issues, requirements, performance challenges or concerns, or quality concerns
- Management risk – Challenges planning, estimating, communicating or scheduling
- Commercial risk – limited (or insufficient) budget, logistics challenges, resource shortage
- External risk – Issues from stakeholders, suppliers, market factors or contractors
Risk Management Steps
While some guides break down risk management more granularly, overall, steps to risk management are to identify the risk, analyze the risk, and then strive to manage the risk.
Identify: Project managers can identify risk by reviewing historical information from colleagues, the industry or experts. In addition, or if that information doesn’t exist at all, risk can be identified by reviewing specific categories. One additional option is to use a risk breakdown structure, where the overall work for the project is broken down into specific details, and potential risks or impacts noted at each detail.
Analyze: The project manager must now evaluate each risk for the probability that the event will occur and what impact would be associated. This step is important because not all risks are as likely to occur, nor are they all equally impactful. This helps to narrow down the full list of risks to understand which are most critical, and which most need to be managed. For example, the project manager may chart each risk on a table of low to high likelihood of occurrence and low to high impact. Risks that are highly likely and highly impactful are most critical. Some approaches separate prioritizing risks as an individual step.
Mitigate: The actions taken to mitigate the risk will depend on the analysis of each risk. In general, project managers practice risk management by avoiding, sharing, reducing or transferring the risk. To avoid risk, a new approach or technique may need to be applied. Shared risk requires partnership, either from another company, department or expert. Reducing risk most often means reducing the amount invested in a project or assigning the most skilled professionals to the riskiest areas of the project. Mitigating risk is an active, ongoing process, and some approaches to risk management distinctly separate responding and monitoring to emphasize this.
Finally, project managers often develop contingency plans in the event a risk does occur that requires a change of direction for the project.
Multiple frameworks can be applied to ensure all possible risks are considered, including:
- PESTLE (Political, Economic, Social, Technological, Legal and Environmental)
- SPECTRUM (Socio-cultural, Political, Economic, Competitive, Technological, Regulatory, Uncertainty and Market risks)
- STEEPLE ( Social, Technological, Economic, Ethics, Political, Legal and Environmental. Note that this is the same as PESTLE, with the addition of ethics).
- TECOP (Technical, Environmental, Commercial, Operational and Political).
Team Risk Tolerance
Although ideally, no risks occur on a project, flawless execution is unlikely, which means it is also important for project managers to establish their team’s risk tolerance. Sometimes referred to as a risk threshold, this guideline establishes what degree of risk both the stakeholders and the organization are willing to accept, and outlines how much the project’s objectives and outcomes can vary.
Project managers need to have a detailed understanding and clarity from stakeholders on the amount of risk acceptable before the project must be abandoned, including when stakeholders should be informed of risks occurring and if the project manager is authorized to act immediately or requires stakeholder authorization. Transparent, clear communication is critical at this step to ensure all parties have the same expectations.
Benefits of Risk Management in Project Management
Although risk management in project management requires investing additional steps and time, this process pays off in many ways. Benefits of risk management in project management include:
- Helps the project avoid significant disasters
- Reduces expenses, thereby boosting overall revenue
- Ensures the project is completed successfully
- Can offer a competitive edge over competitors
- Increases responsibility and accountability when risks have been pre-identified
- Allows the project manager to explore new approaches
- Increases the transparency for stakeholders and contributors throughout the process
Risk Management Culture
After all the heavy lifting for risk management, the project manager needs to ensure a system is in place to manage the risk throughout the project. Communication needs to be regular and clear, and may be best as stand-up meetings, emails or through a software depending on the type of project and number of stakeholders. Not all organizations have embraced risk management. Project managers in organizations that don’t have an established approach should be sure to communicate clearly with stakeholders and leadership about risks. When it comes to risk management, transparency is much more effective than reactionary avoidance without a plan.