This article is part four of my look into project risk management, and today we are looking into tailoring considerations for project risk management, as determined by the PMBOK® Guide – Sixth Edition.
Read part 1 here: An introduction to risk management
Read part 2 here: Trends and Emerging Practices in Project Risk Management (Part A)
Read part 3 here: Trends and Emerging Practices in Project Risk Management (Part B)
You might think there isn’t much you can tailor in risk management: the processes we use haven’t changed much since risk management in projects was thought up, or at least that’s how it seems to me. While many project management topics have moved on in their thinking, risk management is still very similar to how it was taught to me many moons ago.
But you can tailor the risk management approach used on your project to better fit your organisation’s culture and practices.
Below are some of the ways you can tweak risk management to make it work effectively in your project environment.
Tailor for size
You can adapt the way you manage risk based on the size of the project. The larger the project – as with many PM practices – the more robust and structured your processes end up being. If your project is relatively small, a nimble and light process could be all that is required.
Maybe your PMO implements several ‘routes’ through the project risk management process, depending on triggers at the beginning of the risk analysis. For example, if the project is small, and the risk is assessed as low impact, the process could be very different from a large project with a high impact risk.
Size can be determined by the amount of money allocated to the budget, duration, amount of stuff in scope, or the number of people or departments affected.
Tailor for complexity
Size is one thing, but you can have very large projects that are not complex. Small projects, on the other hand, can be very complex. Very innovative projects, new tech, unusual commercial arrangements, many system interfaces, or a large and diverse group of stakeholders with many external dependencies: all those things contribute to project complexity.
Complex projects may need to take a different approach to risk analysis, looking at different factors and considering impact in a more holistic, systems-thinking kind of way. For example, you shouldn’t assume that a risk will have a simple impact on one team: the more complex the project, the more likely it is to work like a complex adaptive system, and you’ll have many (perhaps unforeseen) implications from one risk.
Tailor for significance
Not all projects are created equal. Strategically important projects tend to demand more oversight and governance. There might be a different bar for strategic, significant projects – in other words, less strategic projects can get away with applying less formal risk management. Whether you should or not is another debate, but you could apply different approaches for the less important projects.
Another consideration for strategic work is that the risk analysis probably needs to be broader and take different areas into consideration, not least impact on strategic objectives and overall business goals. The level of risk on this kind of project is also likely to be higher because the stakes are higher. Therefore you might want to take a different approach to reflect the increased project risk you are likely to face.
Tailor for delivery approach
Finally, consider how you tailor project risk management to better fit the delivery approach you are using. The risk management processes I alluded to earlier work well for predictive and waterfall-type methods – at least, that’s what I was taught. But the risk process is rarely sequential, even on a sequential project. Some risks are starting while others have been realised or have passed. Others need a lot of work and some need a small check-in that takes minutes once a month. Each risk has its own lifecycle and risk management is an ongoing activity.
However, the PMBOK® Guide – Sixth Edition does have some guidance on adapting project risk management for agile and adaptive environments.
It explains that high-variability environments incur more uncertainty and therefore risk – so far, so expected. The book recommends carrying out frequent reviews of what is being built. It talks about making sure teams share knowledge and talk about risk so they understand risk management concepts and can manage risk. It doesn’t specifically mention that risk can come from the process (as it can in a predictive environment) but that could be inherent in the suggestion that the content of each iteration is selected based on risk profile.
All project environments benefit from an ongoing review of risk, keeping the documentation up to date and making sure that there is a clear understanding of the current risk exposure so you can take action if that exposure feels too great at any one time.
Tailoring feels like making smallish changes to the way project risk management can be applied, based on the type of project you are doing and how you are doing it. Frankly, it’s not rocket science. You should have been doing this anyway, long before the Sixth Edition came out. All project management processes should work for you, not force you to jump through hoops for bureaucracy’s sake. So if you feel like your approach to risk management is too light or too heavy-handed, it’s time to start tailoring.