Risk Management for Complex Projects

Stakeholder involvement is a critical component of risk management, as it helps to ensure that all relevant parties are aware of potential risks and are involved in the risk management process. Here are a few factors to consider when involving stakeholders in risk management:

1. Identify stakeholders: Identify all stakeholders who may be affected by the risks and who may have an interest in the outcome of the risk management process. This may include internal stakeholders such as employees and managers, as well as external stakeholders such as customers, suppliers, and regulators.

2. Assess stakeholder needs and expectations: Assess the needs and expectations of each stakeholder group and how they may be affected by the risks. This will help to identify potential areas of conflict and to prioritize which stakeholders to involve in the risk management process.

3. Communicate effectively: Communicate effectively with stakeholders to ensure that they understand the risks, the risk management process, and the actions that will be taken to mitigate the risks. This will help to build trust and ensure that stakeholders are on board with the risk management process.

4. Involve stakeholders in the risk management process: Involve stakeholders in the risk management process by seeking their input and feedback on the identification, assessment, and management of risks. This will help to ensure that the risk management process is inclusive and that all perspectives are considered.

5. Empowerment: Empowering stakeholders to take ownership of risks and to be responsible for their own risk management efforts can help to increase their engagement and commitment. This includes providing stakeholders with the training, resources, and tools they need to effectively manage risks.

6. Provide training and support: Provide training and support to stakeholders to help them understand the risks and the risk management process. This will help to ensure that they are equipped to manage risks effectively and to identify potential risks in the future.

7. Monitor and review: Monitor and review the effectiveness of the risk management process, and the involvement of stakeholders, to ensure that risks are being managed effectively and that stakeholders are satisfied with the process.

8. Stay informed: Stay informed of the changing needs and expectations of stakeholders, and adjust the project data. 

9. Transparency: Being transparent about the risk management process and the risks that are being managed can help to build trust and credibility with stakeholders. This includes providing stakeholders with access to relevant information and data, as well as being open and honest about the risks and how they are being managed.

10. Alignment: Aligning risk management efforts with the organization's overall goals and objectives can help to ensure that stakeholders see the value of risk management and are more likely to be engaged and committed to the process.

Developing the risk response strategy is one of the most important parts of the risk management plan. This could include risk acceptance criteria, the development of action plans for risks deemed critical, or contingency plans for unforeseen events. The application of the risk response strategy must be carried out in parallel with the project control and monitoring to closely observe the effectiveness of the action plans on the project management plan.

The risk response strategy can be developed based on the organization’s risk acceptance criteria and the results of the risk analysis. When project risk impacts or the overall risk level of the project are evaluated, risk response plans can be proposed to mitigate negative risk impacts, avoid potential risk sources and risk triggers, and transfer project risks. Risk response plans can be proposed using brainstorming sessions, meetings, interviews with experts, or using data analysis techniques and tools.

A contingency plan is an action plan designed to help an organization respond effectively to a risk event. It is part of a proactive risk management plan and should include preventive controls and recovery strategies. Risk managers, while developing a risk management strategy, should consider contingency plans to protect their organizations and the project progress from potential negative impacts after an unforeseen event. I can give two examples of contingency plans from my professional experience:

The first is a PPP construction project. Just before the signature of the contract with the public client, the financial sponsor/bank withdrew from the project. As defined in the PPP contractual framework, the general contractor is responsible for project funding, design, construction, and maintenance of the project. With the bank’s withdrawal from the project at the last minute, the general contractor ran the risk of ending the project. Fortunately, strategic risk managers had developed a contingency plan for this risk event and proposed some alternative internal/ external funding solutions.

The second example is a Design-Bid-Build construction project. During the project execution phase of the project, a contractor defaulted. In the risk management strategy, a contingency plan has been developed for this type of situation. To complete the construction works, an alternative co-contractor was identified and for additional costs due to the change of the critical path, management reserves were set up.

How do we choose a risk response plan (avoid, accept, mitigate, transfer risks)?

According to the risk acceptance criteria defined in the Organizational Process Assets and strategic planning, for some identified project risk events, the negative risk impacts are not acceptable at all, even with the mitigation of the probability of occurrence and potential impacts. For these risk events, a risk-avoiding or prevention plan must be applied to eliminate the source of risk or risk factor and risk trigger factor.

Risk response plans can help mitigate negative risk impacts, or eliminate the source of the risk event. We can control and monitor the effects of the risk response plans after their applications, in parallel with the project control techniques, then update the risk data with a new probability of occurrence and impact values. The impacts of the risk events can be identified and assessed on the project objectives “cost, time, quality and safety constraints”. The risk acceptance criteria are defined in the risk management strategy to evaluate and sort project risks into “high, medium, and low” risk levels. The risk acceptance criteria of the organization and the risk assessment with the potential impacts on the project objectives are two major axes for developing the necessary action plans. As risk managers, we need to find a balance between these two axes, analyzing the potential impacts of the risk events on the project objectives and evaluating them on the organization’s risk management strategy.

One effective way to illustrate the effectiveness of the risk response strategies is to use project performance measurement techniques. It can be cost performance control, schedule control, quality control, or safety control. Using these performance techniques, we can assess the changes in the probability of occurrence of the risk events and in the impacts on the project objectives after the proposition of the risk response plans. Then, we can organize meetings, brainstorming sessions with project team members to discuss risk data, project data, and the effects of the risk response plans on the project objectives. The communication factor is essential in risk management. We can apply a risk management plan in parallel with the project management steps to integrate risk data into project management outputs and to observe the results of risk response plans on project progress.

In the development of a risk management strategy, all steps of the risk management process should be connected in a systematic way. The risk management process begins with the project analysis for identifying the risk factors, then potential impacts and probability of occurrence are assessed, and the risk level is evaluated. Finally, risk response plans are applied. The risk management process should be applied throughout the project life-cycle and run parallel to the project management process to monitor impacts on the project constraints. We need to improve the communication channels and the decision-making process in the project organization for the effectiveness of the risk management strategy.

For further information, you can check my risk management training content in the PMI Training Program: An Agile Approach to a Formalized and Systematic Risk Management Process for Complex Projects.

Thank you!

Dr. Esra Tepeli

Risk management (RM) is a dynamic process with an increasing demand for flexibility to adapt, and static approaches will continue to evolve. Due to the dynamic project environment, we can notice a fusion of old and new, traditional and innovative risk management processes, all coming together in new mixes. Multiple methodologies are often incorporated into custom blends within the scope of project management and risk management approaches will be more tailored to specific project contexts. In light of this, we aim to develop a hybrid risk management methodology, adapted to project characteristics, project environment, complexity, project life-cycle, stakeholders’ objectives, project team, and corporate strategies.

Many RM methods are more focused on a specific area: identification of risk factors, qualitative or quantitative evaluation, and proposition of action plans. Traditional methods can present a limited and unstructured risk management vision. Knowing that each project is unique and may have specific factors, a systematic analysis of the project characteristics and environmental factors is necessary for an objective and reliable risk management model. Risk management methods must also be adapted to the project management strategy such as Agile or Waterfall. Therefore, the development of a hybrid risk management methodology can be revealed, which is not only based on one risk management method but combines several of them, and is adaptable to determine the most convenient RM method (or combination of methods) for the project at hand. For example, in the overall project life-cycle or at a high level, the risk management process and tools may be traditional with milestones, but at lower levels (e.g., task level), they can be more agile. The hybrid RM methodology can offer a general risk management approach or model but can be flexible depending on project dynamics and business context.

Taking into account the features mentioned above, the Hybrid RM methodology aims to develop a risk management strategy that: (a) is adapted to project characteristics, life-cycle, complexity, environmental conditions, and business context, (b) covers the entire project life-cycle, (c) proposes a dynamic risk management approach, adapted to the evolving nature of the project, (d) is designed and developed in partnership with the end-users (project practitioners) to favor its use in real operating conditions. You can find the details in the PMI Training Program: An Agile Approach to a Formalized and Systematic Risk Management Process for Complex Projects.

Thank you,

Dr. Esra Tepeli