So you’ve created a great risk log, worked out what your risk responses are going to be and made a plan to get those actions done. But how do you check whether your risk response plans are having the desired effect?
The thing I see a lot of project managers doing – especially early on in their careers – is setting up the action plans for risk management and then not going back to check that the risk is actually being addressed. It’s one thing to ask people to take action. It’s another thing entirely to check they’ve done it, and to make sure that the actions you planned have actually addressed the risk in the way you want.
The thing with risk is that even if you do address it with an action plan, you might still end up with residual risk – potential problems left over after you’ve done your ‘main’ actions. And you need to understand what those residual risks are and what (if anything) you are going to do about them.
Last time in this occasional series on project risk management, we looked at how you implement risk responses. Today we’re looking at the monitoring part: the step in the risk management process where you double-check to make sure that your action plans are effective.
What to look for
The point of doing this process (the Monitor Risks process) is to make sure that the current level of risk exposure, taking into consideration any actions you are doing, is still OK overall. You’re looking for new risks, changes in risk status (because some might be getting more serious or less impactful for your project).
Also look out for:
- What assumptions did you make about project risks that need a review? You might have more information now or you may need to include new assumptions.
- What risk management policies do you have and are they being followed? Would it help to update or revise procedures in some way?
- Are stakeholders still happy with the level of risk? The overall level of risk might change (and often does) as the project progresses because more risks are uncovered and that shifts the balance. Check in to make sure you are still in line with stakeholders’ expectations.
- How much contingency or risk management budget is left? Is it being used in the way that you expected? Do you need to ask for more and if so, how are you going to justify that?
The inputs to this process are:
- The project management plan, and in particular, the risk management plan section
- Project documents including the issue log, the lessons learned register, the risk register (because this is where you will have written down what you are supposed to be doing) and risk reports (if you create them – I typically don’t, I just write down the details in a column on the risk log)
- Work performance data and work performance reports – in other words, have the action plans been implemented?
Tools and Techniques
The tools and techniques for assessing whether the action plans have had the impact you expected are going to depend on how you can judge success.
However, there are some common things you can do to review and the kinds of tools and techniques you can use include:
- Data analysis techniques like technical performance analysis (to compare what you have done against what was planned in a tangible way) and reserve analysis (to see how much money you’ve got left).
- Audits - my recommendation is that you get an impartial person to run this for you instead of trying to review your risk processes yourself. Ask the PMO or a trusted colleague.
- Meetings (because who doesn’t love a good meeting to discuss all the things that might go wrong on the project?)
Pick and choose the tools that will let you assess the impact of the risk (again) to see if it’s all squared away or if there is more you can do.
The outputs of this process are:
- Work performance info
- Change requests (because your new plans might involve adding or removing tasks to your project schedule, for example, to do a few more risk response actions)
- Project document updates, especially to the project plan, assumption log, issue log, lessons learned register, the risk register and risk reports
- Organizational process assets that might need updating e.g. risk template or your IT system, workflows etc.
Another output is doing the tasks to address the residual risks or any other actions you’ve uncovered to make sure that the risk responses are getting implemented as planned.
This process is something you can do on a regular basis. I put time aside in my diary to do a review of risk, normally once a week as I’m updating my project documentation. Then once a month I’ll try to work a risk conversation into our project team meeting – sometimes we only talk about one or two risks, the ones that are the most important at the time or that are likely to happen soon.
Use your judgement – this process is only there to prompt you to constantly keep your risks and management activities under review. If you keep risks front of mind, you’ll be fine.
Pin for later reading