Getting Started In Risk Management

A client recently described an interesting situation – she had purchasing the new ISO31000 risk management standard, she had done the training with her team, conducted a risk identification and assessment workshop, and done the analysis and prioritization.  Yet no one seemed to be managing risks – they were something off to the side that people occasionally looked at.

What else could she do?

Risk management is one of the more overused, misunderstood and abused terms in project management these day.  There is a large body of work on risk management and a plethora of material available on the web to be used.

Yet many projects do not manage risk well.  They record their risks, identify the mitigations/treatments and review them during the project.  But for all of their planning, obvious risks seem to slip through the cracks.

Here are a few ideas that we can use:

Make sure everyone has a common understanding of what constitutes a risk, what constitutes an issue, and the difference between risks/issues and consequences/impacts.  This may seem trivial but different organisations have difference definitions of risk e.g.  “Only risks that we can influence”, “don’t include dependencies or constraints”, “the person who raises a risk deals with it”, ad infinitum

Keep it simple – have 3 ratings – negligible, moderate, project-killer – and review against schedule, scope, cost, technical and people.  Don’t have 5 ratings as it doesn’t really add value. And don’t have percentages as they are disguising a subjective guess with a number that makes it look quantitatively managed.

When introducing risks, don’t argue over the wording or structure – just make it understandable to stakeholders

Focus on mitigation/treatment actions.  These are the most critical component so you must make sure that every action has someone assigned and they understand the action and the deadline and that these actions are done just like any other project task.  Very often risk mitigations are seen as distinct and are reported separately.  No wonder they’re not afforded the appropriate focus.  Out of sight, out of mind.  Out of mind, out of time…

Set the bar lower to start, then as project management practices mature, you can be stricter when it comes to wording, ratings, severity etc.

This entry was posted in alignment, attitude, CMMI, Effectiveness & Efficiency, improvement, ISO31000, manager, method, metrics, organization change, PMO, project management, risk and tagged , , , , , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s