A client recently described an interesting situation – she had purchasing the new ISO31000 risk management standard, she had done the training with her team, conducted a risk identification and assessment workshop, and done the analysis and prioritization. Yet no one seemed to be managing risks – they were something off to the side that people occasionally looked at.
What else could she do?
Risk management is one of the more overused, misunderstood and abused terms in project management these day. There is a large body of work on risk management and a plethora of material available on the web to be used.
Yet many projects do not manage risk well. They record their risks, identify the mitigations/treatments and review them during the project. But for all of their planning, obvious risks seem to slip through the cracks.
Here are a few ideas that we can use:
Make sure everyone has a common understanding of what constitutes a risk, what constitutes an issue, and the difference between risks/issues and consequences/impacts. This may seem trivial but different organisations have difference definitions of risk e.g. “Only risks that we can influence”, “don’t include dependencies or constraints”, “the person who raises a risk deals with it”, ad infinitum
Keep it simple – have 3 ratings – negligible, moderate, project-killer – and review against schedule, scope, cost, technical and people. Don’t have 5 ratings as it doesn’t really add value. And don’t have percentages as they are disguising a subjective guess with a number that makes it look quantitatively managed.
When introducing risks, don’t argue over the wording or structure – just make it understandable to stakeholders
Focus on mitigation/treatment actions. These are the most critical component so you must make sure that every action has someone assigned and they understand the action and the deadline and that these actions are done just like any other project task. Very often risk mitigations are seen as distinct and are reported separately. No wonder they’re not afforded the appropriate focus. Out of sight, out of mind. Out of mind, out of time…
Set the bar lower to start, then as project management practices mature, you can be stricter when it comes to wording, ratings, severity etc.