Project Management

The Money Files

A blog that looks at all aspects of project and program finances from budgets, estimating and accounting to getting a pay rise and managing contracts. Written by Elizabeth Harrin from

About this Blog


Recent Posts

3 Levels of Project Work Authorization [Infographic]

What goes into a Control Account Plan?

2 unexpected benefits of risk management [Video]

Establishing the Budget in Earned Value Management

How to Monitor Risks

3 Levels of Project Work Authorization [Infographic]

Categories: earned value, process

project work authorization

How do you go from someone high up in a position of authority saying it’s OK to begin the work through to the individual team member knowing that it is OK to start a task?

That’s where different levels of authorization come in. This is important for projects using earned value management, because there are often formal approaches that require formal approval and sign off in order to accurately track performance.

According to the Practice Standard for Earned Value (2nd edition, 2011) there are four steps that are typically used to authorize the work:

  1. The project manager receives authorization for the work to begin
  2. The project manager authorizes each manager to begin work (typically, the control account manager)
  3. There might be an authorization level which is where the CAM gives approval for the functional manager to begin work with their team, but it depends on the individual processes and the scale of the project
  4. The team manager authorizes individuals to get started.

That seems like a lot of authorization, but it doesn’t need to become a bureaucratic of long-winded process. An efficient process wouldn’t take much time at all. You simply need to know who to inform and what to tell them, and the people responsible for doing the work need to have a clear brief of what to do so they can get on with it

The infographic below sets out the flow of authorization, and you’ll see that I’ve streamlined two of the bullets above to make it easier to follow.

How do you authorize work in your organization? Is it as structured as this? Let us know in the comments below!

project work authorization infographic

Posted on: June 16, 2021 08:00 AM | Permalink | Comments (1)

Plan Risk Responses: Process Overview

Categories: process, risk

plan risk response

This article is the tenth part of my look into project risk management, and today the topic is how to plan risk responses. Who knew there would be so much to say about risk?

What does it mean to plan risk responses?

When you plan risk responses, what it means is that you are working out what to do about the risks you have identified. As you are doing the analysis, you’re probably talking to the team about the different options for addressing the risk, making judgements and plans as you go. The thing with all the risk management processes is that they can all happen in quite a short period of time, and often within the same conversation – especially for smaller risks and smaller projects.

However, for the purposes of our discussion today, we’re looking at making sure the risk responses are considered, selected and agreed by the people who matter. You’ll also allocate people to do the work of implementing the risk responses so that you actually manage the risk and don’t simply talk about managing it.


The inputs to this process are:

  • The project management plan – the resource management plan will help identify who is the best person to be the risk owner, although you’ll probably know this information already without having to resorting to looking it up in a document. You’ll also want to review the risk management plan and cost baseline (because it has information on the contingency fund that you can use for risk response).
  • As we saw last time, there are a lot of project documents that can inform the risk management processes, and this step is no exception. We’ll be looking for information to support our plans in a variety of different documents
  • Enterprise environmental factors like how much risk appetite the business has to respond to risks, and the same for individual stakeholders
  • Organisational process assets like templates, databases of what happened on past projects and lessons learned reviews from similar projects and this current one if you’ve already done interim reviews.

What documents should you review?

The risk register and risk report are the most important documents because they give you information on what the risks actually are and how exposed the project (and/or business) is. That will inform your choices about how you respond to risk.

First, check the Lessons learned log – check to see if any past risk responses were particularly helpful or pointless so you can repeat/avoid the same things in the future.

The rest of the documents you may need to refer to are to do with the logistics of making sure the risks can be managed adequately.

The project schedule is helpful so you can fit in the risk response plans and make sure there is time to do the work. The team assignments and resource calendars will also help. The stakeholder register will give you clues about ownership if you don’t have volunteers to lead on risk response actions.

In practice, many experienced project managers won’t turn to those documents to find the answers – they’ll simply talk to the team and then update the schedule with any tasks that need to be added once the responses are agreed.

Tools and Techniques

Responding to risk is a lot to do with expert judgement, so in my experience, this is the technique you’ll use the most.

Rely on your subject matter experts and talk to them about how best to respond to threats, opportunities and how to manage contingent risk with the associated strategies and triggers in place.

Basically, you need information from the experts and you gain that through interviews and facilitation (data gathering and interpersonal and team skills).

Talk, talk, talk, and seek out the people with the answers.

You can also employ some data analysis techniques to back up what your experts are saying or to help you choose the best response if there are several options.

For example, alternatives analysis can help you compare the different options and select a course of action that will lead to an appropriate result.

Cost-benefit analysis is another tool. Some risks will cost more to mitigate than they would if they happened, so this type of calculation can help you decide how much budget to spend on risk responses and whether the benefit of that investment is going to be worth it.

Finally, you need to make a decision about what risk response plan to accept, so decision-making techniques for groups can be helpful. Consider the criteria for making the decision before you get to the actual decision-making part of the debate, as that will help give the team some structure.

Typical criteria for making a decision on risk response include:

  • How much the response plan will cost
  • How effective it is thought to be
  • Whether people are available to do the work
  • How the plan fits in with the rest of the project and whether the work can be completed in time before the risk materialises
  • What the impact will be on other risks
  • Whether this plan introduces other secondary risks or new risks

And so on. If your team doesn’t have much formal experience of making this kind of decision, I find it helpful to have the criteria available for us to review as we are discussing the risks.


The outputs from this process are:

  • Change requests
  • Project management plan updates
  • Project document updates.

In other words, there are lots of admin jobs to do once you’ve made your risk response plan because you’ve got a lot of paperwork to update – admittedly all of it is now electronic so it’s not so difficult to do.

Review all the plans: update the schedule to reflect what you’ve just agreed to do, update the cost management plan to include any money now being spent on risk response, and review resource plans to ensure they are still accurate. Update your baselines if necessary. If your risks affected suppliers, make sure any changes to the procurement plan are incorporated.

As part of your discussions and approved response plans you might have uncovered new assumptions, new lessons and even new risks. Make sure team assignments accurately reflect the work you are expecting people to do and make sure the risk register and risk report are updated with your plans.

Next month I’ll be talking about 5 strategies for dealing with threats.

In case you missed them, and to save you a job digging through the archives, here are the quick links back to the previous instalments:

Read part 1 here: An introduction to risk management

Read part 2 here: Trends and Emerging Practices in Project Risk Management (Part A)

Read part 3 here: Trends and Emerging Practices in Project Risk Management (Part B)

Read part 4 here: Tailoring Risk Management

Read part 5 here: Planning Risk Management

Read part 6 here: The Risk Management Plan

Read part 7 here: Identify Risks Process

Read part 8 here: Qualitative Risk Analysis

Read part 9 here: Quantitative Risk Analysis

Pin for later reading:

plan risk response pin

Posted on: January 12, 2021 08:00 AM | Permalink | Comments (7)

Why are your governance processes failing? [Infographic]

Categories: process

Are you finding it hard to get governance working right on your project? Governance, in the widest sense of the topic, is everything that helps you manage and control the project, so strong processes are part of that.

And when your projects let you down, it’s impossible to provide the level of governance you need.

The infographic below shows reasons why project processes might not be robust enough to support good project control.

When processes are too informal, no one really knows what to do to get things done, or how to record that they happened.

Posted on: June 27, 2020 12:00 AM | Permalink | Comments (4)

That's the true spirit of Christmas; people being helped by people other than me.

- Jerry Seinfeld