7 Ways to mitigate risk
In his book, Project Management for Musicians Jonathan Feist talks about several ways to mitigate risk, and they aren’t the ‘avoid, mitigate, reduce, transfer’ approaches that you are used to. Those are good, but they are approaches, they aren’t actual measures that you can take to mitigate a risk. Here are the 7 ways that Feist suggests you can reduce the likelihood that something will become a project issue.
1. Good project management
Yep, following good project management principles is top of the list. Of course, having a lovely Gantt chart and an up-to-date risk register won’t guarantee project success but it does give you the best chance of putting in place plans to mitigate that risk.
Make sure your risk management processes are up to scratch and that you are able to easily follow through on mitigation actions. Good project management also helps manage against risks of going over budget or missing milestones, because you’ll naturally be doing the things to stop these becoming a massive problem.
2. Written agreements
While you always have to factor in how someone else will interpret your written communications, putting things in writing can limit misunderstandings. It also gives you a sense of formality when it comes to contracts and agreements. Getting it all down on paper increases the chance that nothing is being missed.
I love checklists and I use them all the time. As Feist says, “Checklists help you remember important details: procedures, gear items, points for conversations, people who need certain information, and more. Checklists are among the most effective tools used to reduce risk.” I have recently written a peer review checklist for my team – one of the many ways you can use checklists on a project to look at potential areas of concern and do something about them.
This means calculating data in several directions to confirm that it’s correct. You add rows as well as columns on your spreadsheet, or check the data in a dashboard as well as a tabular report. Find different ways to double-check your maths or working, even if this is as simple as having someone else check for you.
5. Empowering competent people
If something does go wrong, you want your project team to be able to act appropriately and make decisions quickly, not sit around wringing their hands until you come in to the office to sort it all out. If you have competent people on your project team (and I hope you do) instil a culture where they can make their own decisions. Set levels to their decision-making power as appropriate so that they aren’t deciding to spending another million dollars on the project without anyone else approving it, but give them the freedom they need to do the right thing.
Feist says that the higher the risk, the more you want to make sure that if you are delegating tasks they go to someone who is a safe pair of hands. This isn’t the time to be delegating work to a junior colleague as a ‘learning opportunity’!
6. Developing emergency plans
Having a Plan B is important, and a traditional risk management technique that you are probably familiar with. Sometimes just having a back up plan is enough to make sure that the risk doesn’t happen. However, in case you do need another approach to dealing with a problem, it is useful to have already thought through what you will need to do in the emergency. Get everyone involved so that they can swing into action if and when they are required.
7. Written instructions
Like checklists, these are a great help if you need to distribute detailed instructions or have tasks that need to be done over and over again. Written instructions can also help clarify expectations. For example, on an IT project with a testing element, written instructions for the testers will help get standardised results and ensure consistency across several testers.
Have you used any of these methods on your projects? Let us know in the comments.
Managing risk with social communications
Social communication tools are about using web-enabled technology to get things done more effectively. You may already have web-based project management tools that enable you to collaborate and communicate with your project stakeholders. This is the way that much of project management technology is going, but it isn’t without risk.
Managing the security risk
The security of project information is probably the largest concern for many executives, especially if you choose to adopt cloud-based technologies that store project data outside the organization and enable it to be accessed from anywhere. Whatever solution you adopt, ensure that it has adequate security and authentication protocols for your needs. You will also want to carry out some awareness training so that users know what is and is not appropriate to share on the forum.
This is particularly relevant if you are sharing information with third parties. You may choose a tool that allows you to successfully ring-fence content that your partners can see, reducing the implications for privacy. Social communication tools with few or no privacy settings can be perfectly adequate, but ensure that you know who is using the tool so that sensitive project data is kept secure.
The risk of social communications tools is that they move everything to an online space, whether your company hosts a product or you use a cloud-based provider to store your project data. Ensure that whatever solution you adopt has adequate back up and recovery options in case the worst happens. This is the reason why it is essential to involve your corporate IT department.
Corporate IT teams can also help you establish whether your chosen social communications tool has an audit trail and how you can best access this within the legal boundaries of monitoring an employee’s work. Audit trails are useful for finding out who was the last person to log in, use a document, comment in a discussion, amend the wiki and so on. In a straightforward project environment you shouldn’t need to use the audit trail information but in certain circumstances, such as dealing with a disgruntled employee, it may become necessary to track who has used the tool.
Managing the information overload risk
Social communications do not replace ‘offline’ communications. The connected project manager will still have to prepare written board reports, use emails, produce presentations and everything else he or she did before. Today, social communications rarely replace the need for project managers to communicate through other mechanisms. As a result, it is possible to feel overloaded by the volume of discussion happening in social communication tools. This additional channel requires constant attention, and it can feel like you are losing control.
There are a number of solutions to dealing with this including using aggregation tools (where they exist) to consolidate feeds from multiple channels into one location for you to review at your leisure. However, the easiest way to deal with overload is to ignore it. Switch off the feeds and stop following the discussions. It may feel as if you are losing your grip on the detail of the project but unless you were a particularly command-and-control style project manager you never had this grip anyway. Social communication tools make visible discussions that would have previously happened over email between team members or on the phone. You would not monitor your team members’ phone conversations, so don’t expect to need to monitor everything on the tool. You can train your team to flag important items to you, or implement a categorization system so that you only have to read items tagged with particular words.
Managing personal risk
Managing personal risk is less of an issue at work, and more of a potential problem if you choose to use social communication tools outside the workplace, for example, for career progression and networking. Many social project managers choose to display their personal profiles on professional networking sites, or to extend the personal social networks to work colleagues. This can be a straightforward and positive way of keeping in touch with colleagues, and is now so commonplace that project managers without a presence online can be at a disadvantage when it comes to finding out about job or training opportunities.
However, social project managers need to remember that the internet has a long memory. If you choose to post personal information about yourself online, your employer could see it. That includes holiday photos, comments about your workplace and colleagues and the jokes you choose to share with your network. For the main, professional project managers should have nothing to fear from sharing a bit of their personality with their contacts online. But you need to know where to draw the line, and that line is usually at the point where you wouldn’t mind if your manager saw the information. If you would not share it with your boss, don’t share it online.
This issue is also a concern on corporate social networks where project team members can provide their own profile information. In your profile and in your communications with your team members, make sure that you act professionally and respectfully at all times, as you would with face-to-face communication.
Follow any social media or communications policies in use in your company and where they don’t exist, use your common sense!
This is an edited excerpt, reprinted by permission of the publishers from ‘Managing Social Communications’ in The Gower Handbook of People in Project Management, edited by Dennis Lock and Lindsay Scott (Farnham, Gower, 2013).
What is EMV?
Ask the Experts: Kevin Baker on improving project management culture at Airbus
In this instalment of my occasional Ask the Experts column, I spoke to Kevin Baker (pictured), Head of Project & Programme Management Operations at Airbus, about the work he has been leading to improve project management standards and culture at the company, including the improvement of project financial controls.
Kevin, you've enhanced the project management culture at Airbus. Has any of this work been around standardising project financial control or risk management? If so, what?
At Airbus we have been working to standardise all aspects of project management, and of course this includes financial control and risk management. Together with schedule management and quality, these form the pillars of a robust project management approach.
What have we actually done? The principles of financial management and risk management have been known in Airbus for many years, there is nothing really new here. What is new is to have a standard set of methodology and tools, so that all actors in the company start to work in the same way, and to use the same language. Over a period of a few years, and with a strong push from the senior management, this starts to embed the new way of working into the company.
Yes, it is really important to have that senior management support. Have you implemented any common tools for project managers to use for managing project budgets or project risks?
In Airbus we have a number of very large projects, like our new aircraft – the A350XWB. Their size and complexity requires a special treatment and we have developed our own toolset – it is called Unified Planning. This takes the schedule status and the cost status at work package level and then aggregates this up to give the overall picture at total project level, that is the status for the complete aircraft development. We also compare cost to schedule achievements to produce an Earned Value indicator. This gives the managers at all levels the visibility of where they are, and how they are performing. And it makes sure that everyone is working to the same information.
Do smaller projects use the same tools?
We also have many hundreds of smaller projects, and we have adopted a simpler toolset for these. But it follows the same basic principles – monitor cost vs budget, and schedule progress vs plan, then calculate earned value.
We cannot say that these new tools will overcome all the difficulties on our projects, but they make sure that we know where we are so that the project managers can quickly start a corrective action if necessary. We are not steering ‘blind’.
Data is a key part to making the right decisions. In order to get there, you’ve had to change the culture at Airbus. What was the biggest challenge in trying to get the company to embrace project management as an intrinsic part of how everyone works?
Airbus is just over 40 years old, and its strength comes from a determination to build the best performing products to the very highest standard of safety. The challenge now is to promote a project management culture alongside these existing strengths. That is to make sure that we not only build fantastic products which perform well but also that we make sure that we do it on time, and within the budget.
We know that the culture change is a long process. It is about making sure that we all think ‘project’. We have made good progress, but the journey will never end. So what is next? – it is more of the same. We keep pushing for a common way of working, a common mindset, a common language. We are deploying some levers to help here. For example we have a project management career path, which is linked to an internal project management certification process. This will help to make project management into a real profession in Airbus – to make more people want to be project managers, to be more proud to be project managers. We are also expanding our range of PM training focussing more now on soft skills.
About my interviewee: Kevin Baker is Head of Project & Programme Management Operations at Airbus. He spoke at Project Zone Congress in Frankfurt last month about this programme of work to enhance project management culture at the company.
Last time risk expert Wilhelm Kross and I talked about the soft factors influencing managing risk. Here is the second part of that interview, which looks at integrated risk management. Wilhelm is presenting next week at Project Zone Congress in Frankfurt, on the topic of Risk Management and he will also deliver a masterclass on the challenges of mega-projects.
Wilhelm, how do risk management and change management fit together to provide an integrated process?
Almost all so-called risk management processes which have been published in the last couple of decades have in common that they reflect what is commonly referred to as the controlling perspective, while neglecting considerable and important elements of the management perspective. Making trade-offs, designing short-term compromises, implementing short-term work-arounds and the like, are typical management challenges that seem to be ignored.
Admittedly these processes reflect the advantage that they are easily rendered compatible with the abovementioned advantages of static risk frameworks. In contrast, however, the implementation of such processes in dynamic risk frameworks poses the danger that the true complexities are severely underestimated, and inherently setup for failure. Change can and will happen as things evolve and in most real-life actions and initiatives it would be rather dangerous to assume that the base conditions at start-up will remain carved in stone.
Of course, the environment doesn’t stay the same while we are managing risk, so naturally things evolve. Although often our processes don’t reflect that. Are there any common weaknesses?
A common weakness in change management frameworks, including project management standards, is that risk considerations reflect the abovementioned weakness of predominantly focusing on the controlling perspective. The framework which was incorporated in PMI’s otherwise extremely useful Project Management Body of Knowledge is a good example. Any real-life organization which intends to focus on the interplay of risk controlling and risk management within its frameworks of change management would need to add a few steps between planning risk management action, and controlling and monitoring the effectiveness.
There are several additional considerations though which are often under-emphasized. First, common frameworks of change may assume that risk is simply one of the knowledge areas which need to be incorporated within change initiatives, while on the other hand risk intervention measures may become the main driver in the adoption to new circumstances as they evolve. The need to reduce risk factors to lower, acceptable levels may cause a significant deviation from what was originally planned.
Second, those standardized change frameworks which use projects as the predominant organizational structure usually tend to underemphasize that the scope of both change management and risk management usually commences long before a project is conceived, and can stretch far beyond the official close of a project, particularly when cultural change and multiple external stakeholders are involved.
Third, risk management efforts in real-life organizations are often setup and implemented somewhat half-heartedly until the true need arises to practice risk management more professionally. Once the establishment of professional risk management involves the triggering of turnaround and crisis intervention measures, of course, numerous additional factors need to be reflected including in particular the recognition of the fact that there is insufficient time available to design and plan all related activities thoroughly.
OK, so the best approach is to blend static and dynamic risk frameworks so you cover all bases. Integrated risk management seems a bit more than that though. How would you define it?
The expression “integrated risk management” commonly refers to static and dynamic risk frameworks in which risk management, often in multiple dimensions (i.e., cost, time, reputation, societal damage, environmental damage, toxicity, etc.), is fully incorporated into line function or change management activities and related decision making.
Thanks. What are the benefits?
Depending on what is truly done and how well, and what is at stake, the conceivable benefits usually include enhanced levels of transparency, a focus on what truly is important, a reduction of undesired negative impacts and side-effects, a protection of the organizational value at risk, time savings in the implementation of management action, and in some cases enhanced value creation as part of what is commonly referred to as systematic opportunity management. Given that numerous frameworks of change, and risk frameworks, authorize the implementation of risk management using predominantly qualitative approaches, in spite of the fact that any unquantified risk is by definition quantified with zero, the quantitative proof of the benefits of integrated risk management inherently remains underestimated.
Are there any limitations to implementing this risk approach in practice?
In my view many real-life organizational frameworks for risk management reflect some inherent limitations that can and should be considered avoidable. To name two typical misconceptions, real-life risk management improvement frameworks are often focused on reaching elevated levels of maturity, and ultimately thriving toward the royal discipline of enterprise-wide risk management. Both may be overly shortsighted. As Harold Kerzner pointed out, maturity can be a point from which onward everything goes downhill, at least when one builds on the analogy of the introduction of products into markets. Kerzner submits that organizational leaders should bank on the preparedness of knowledge workers to accept and adopt change on their path toward maturity; however, rather than maintaining the glass ceiling that often protects these leaders from criticism and emotional attachment, they should consider mapping out the path beyond maturity, which may consist of organizational excellence and ultimately the development of true competitive advantages.
The second aspect of enterprise-risk management as it is portrayed in risk textbooks poses the danger of underemphasizing rather significant factor in today’s real-life. Many organizations have heavily engaged in outsourcing activities and in some cases have even outsourced parts of their core business. Similarly to what is the case in the application of cost reduction activities in which the simultaneous increase in risk levels was simply ignored, the true implications are largely unmanaged. In today’s business environment larger scale investors may be able to purchase and redesign entire industry sectors. A supplier, who was believed to be a secure outsourcing partner, may no longer be available, even at short notice. The typical interface between the organization and its suppliers, the procurement function, may be wrongly focused and may lack the relevant skills to assess the likelihood of stability in the supplier relationship, in which case the evolving hazards for the core business of the organization may remain undetected until it is almost too late. And by the way, these considerations are of significance too in change frameworks, including standards for project management.
Find out more about Project Zone Congress here: http://www.projectzonecongress.org.
About my interviewee: Dr. Wilhelm K. Kross, Dipl.-Ing., MBA, Eur. Ing., PMI-RMP is an internationally recognised expert in the fields of risk and project management and a partner of Plejades and the Amontis Consulting network. His main focuses are the fields of applied risk management and related in-depth risk analytics and valuation techniques, (mega-)project structuring and financing, as well as operational crisis and turnaround management, particularly in complex larger scale crisis programs and projects.