Risk management is so important when it comes to ensuring your project stays on track – both in terms of budget, which is what this column mainly talks about – but also in generally.
The graphic below shows the three levels of risk management to consider on your project (and beyond). If you aren’t working at the portfolio management level in your organisation, you can still take these into consideration because you can work with those who are managing your portfolio. Ask the right questions and help keep your project on track!
For more on this idea, check out this article.
The processes you have for project management – or lack of them – can add significant risk to your project. But you don’t often find them called out on the risk log.
Poor processes can add time delays, extra steps and confusion. They contribute to poor communication and overspending. They impact project quality. In short, processes that aren’t optimal can hinder your ability to deliver a decent outcome for the project.
Unfortunately, processes are often constrained by the company you are in. If you are mandated to follow certain processes, you have little flexibility to do anything about them. That’s not a good situation to be in – ideally you should be able to tailor the process to the size and complexity of your project.
I’ve highlighted three of the main process-related factors that influence risk on your project in the video below.
Pin for later reading:
The people in the project team, and the processes they use, are a risk factor to your project.
You might not have them on your risk register, but they definitely add risk.
For example: if you end up working with an inexperienced team, you’re in a more risky situation than one that’s highly skilled at the required work.
Poor processes across your organisation, or just in your team (say, people don’t apply the processes properly) can also add risk. A particular challenge, I think, is when projects are forced to use processes that can’t be appropriately tailored for the size of project. You get small projects forced to jump through governance hoops because that’s the process – even when it’s a ridiculous admin overhead. That adds risk to the project too.
Lack of people on the team is also a risk (one that is more likely than the other two to find its way to the risk register, in my view). You’re going to struggle to hit deadlines and delivery quality work if you don’t have enough people.
The risk profile of your project is hugely affected by the project team and the context in which you work. Unfortunately, you don’t always have a lot of control over those elements. You might find yourself being given project team members, instead of being able to pick the most able.
I’ve summarised this in the quick video below, which sets out three of the ways your project team and project environment can influence the risks faced by your project. Enjoy!
Pin for later reading:
Strategy plays a huge part in whether or not your project is going to be a success. Yes – things decided way above your pay grade influence the outcomes of your project.
That happens through risk. The corporate approach to strategy (or lack of it) massively shapes how your project is going to be carried out, implemented and delivered. The framework in which your project is being managed is of course influential – I’d say it was one of the enterprise environmental factors that shapes how you need to act on the project.
The risk profile of your project changes depending on your project’s context. A project in my company will have different outcomes to the same project (even if we hypothetically believed it would be delivered by the same project team) because the corporate approach to project management is different. The risk appetite would be different.
Strategy brings risk to your project in numerous ways. I’ve called out three of the main strategic factors that influence risk on your project in the video below.
Pin it to read later:
Project risk management is a team effort. As the project manager it might feel like you are taking the lead role, but overall it shouldn’t be a one-person job. You need to work together to identify the risks on your project and do something about them.
You can’t work as a team if you don’t have a team. So, you should identify your risk management team as early as practical in the project. That’s what textbooks would recommend, but in my experience you don’t always know who is going to be the right person to be the risk owner for a particular risk until it makes it on to the risk log – then you need that person on your team.
However, there are some common roles you will definitely need involved in risk management. Identifying who is going to fill those roles will save you time later. When a risk is uncovered, you don’t want to be waiting around trying to work out who is going to look at it. You want to know, broadly, who is going to help you deal with it.
Let’s look then at who does what in risk management on a project. These are the people you need to inform about the risk management processes and get them lined up to act when something is brought to your attention.
You might think this is obvious – many of you reading this will be project managers. But if you are an IT workstream lead or a Scrum Master, or Product Owner, then maybe you will be working alongside the project manager.
The role of the project manager is to create the risk management plan. The risk management strategy is likely to be set by the Project Management Office, but you might need one specifically for your project. It is more likely that you’ll take the risk management policies for the business and the PMO and make them actionable and meaningful for your project.
Another role for the project manager is to update the risk log. Unless you have a dedicated risk manager working alongside you, that job falls to the PM.
Finally, the project manager should take a role in the governance of risk. That involves ensuring risk management actually happens and that people take the process seriously. They should know what the process is and follow it. You can check that there is enough attention being paid to risk overall and provide oversight. For example, make sure you have risk management as a standing item on your project board agenda.
Second, we have the role of the project sponsor. They may not take a hands on role in doing mitigation actions (although they might, depending on what is required). However, they are going to be a huge influence on how risk is managed.
The sponsor will set the risk appetite for the project. That means they are accountable for the risk profile of the project (making sure it isn’t riskier than they would like) and ensuring it fits within the risk appetite for the business overall.
The sponsor also acts as the escalation point for the team. They are able to resolve risks that the project manager and team can’t. And if it needs to go even higher, the sponsor is the person to do that.
Next we have suppliers. This is shaping up to look like a list of people who are involved in your core project team and project board, and that is not a coincidence!
Suppliers and the work they do also carries risk. They have responsibilities around risk management, namely making sure that they flag anything important to the project manager. They may maintain their own project risk log, but they should also be passing up significant risks to the project manager.
If a supplier tells you that their work is creating no project risk and there’s nothing for you to be notified of, be very suspicious! That to me would sound like someone who doesn’t know what risk management is or what they should be doing.
Many risks relating to your supply chain are going to carry a financial risk. For example, if the supplier can’t source the correct parts for your machine, then you’ll have to get them elsewhere at a higher cost. Make sure you factor in risk management plans for supplier risks because they could leave you significantly out of pocket.
Your core project team are essential people to work with you on risk management. You’ll involve them in risk identification at the beginning of the project and throughout. You’ll rely on their expertise to put together risk management plans and own the actions. You’ll need them to help you spot new risks or to deal with risks that become issues.
The day to day risk management activities are going to be carried out by the team.
Project Management Office (PMO)
Before you get too far into a project at a new place, talk to the PMO. What they expect you to do for risk management is going to follow the normal pattern: identify risks, manage them, report the big ones, but there might be specific processes or templates they expect you to use.
You might also be subject to internal audit or project assurance. The PMO may get involved in this and it would be natural to expect them to see your risk logs as part of any review.
The PMO’s role isn’t all about governance and holding you to account. You may also be able to draw on them for support. Sometimes project coordinators sit within the PMO and can be ‘loaned out’ to project managers for project admin or support tasks. This could include coming to risk meetings to take notes, updating the risk log, chasing team members for updates and things like that.
Think about who you are going to need for risk management on your project, just like you think about what resources you need for every other area of your project. Identify the types of people who will need to know about the process. And then involve them early.
Let them know what you expect of them and what the process is going to be. The earlier you do this on the project, the easier you will find the later stages of risk management because everyone will know what the whole thing is about.
Pin for later reading: