Project Management

The Money Files

A blog that looks at all aspects of project and program finances from budgets, estimating and accounting to getting a pay rise and managing contracts. Written by Elizabeth Harrin from

About this Blog


Recent Posts

What goes into a Control Account Plan?

2 unexpected benefits of risk management [Video]

Establishing the Budget in Earned Value Management

How to Monitor Risks

How to ask for additional PMO staff [Video]

2 unexpected benefits of risk management [Video]

Categories: risk

risk management

The risk management process is helpful for more than simply sorting out your risks and stopping potential problems (and, I know, capitalising on the positive risks). Did you know it also contributes to managing expectations and dealing with a culture where talking about bad news has everyone running for the hills?

In this video I explore the hidden benefits of risk management and how it can help you keep everyone on the same page. Plus, we talk about how sharing risk info can contribute to a positive workplace culture where it’s OK to bring up worries and concerns.

There’s more in the video.

What do you think about this? What other hidden benefits of risk management have you seen while working on projects? I’m sure there are more unforeseen positives to holding risk workshops and talking about risk with the wider team! Let me know in the comments.

Pin for later reading

Posted on: June 02, 2021 08:00 AM | Permalink | Comments (4)

How to Monitor Risks

Categories: risk

So you’ve created a great risk log, worked out what your risk responses are going to be and made a plan to get those actions done. But how do you check whether your risk response plans are having the desired effect?

The thing I see a lot of project managers doing – especially early on in their careers – is setting up the action plans for risk management and then not going back to check that the risk is actually being addressed. It’s one thing to ask people to take action. It’s another thing entirely to check they’ve done it, and to make sure that the actions you planned have actually addressed the risk in the way you want.

The thing with risk is that even if you do address it with an action plan, you might still end up with residual risk – potential problems left over after you’ve done your ‘main’ actions. And you need to understand what those residual risks are and what (if anything) you are going to do about them.

Last time in this occasional series on project risk management, we looked at how you implement risk responses. Today we’re looking at the monitoring part: the step in the risk management process where you double-check to make sure that your action plans are effective.

What to look for

The point of doing this process (the Monitor Risks process) is to make sure that the current level of risk exposure, taking into consideration any actions you are doing, is still OK overall. You’re looking for new risks, changes in risk status (because some might be getting more serious or less impactful for your project).

Also look out for:

  • What assumptions did you make about project risks that need a review? You might have more information now or you may need to include new assumptions.
  • What risk management policies do you have and are they being followed? Would it help to update or revise procedures in some way?
  • Are stakeholders still happy with the level of risk? The overall level of risk might change (and often does) as the project progresses because more risks are uncovered and that shifts the balance. Check in to make sure you are still in line with stakeholders’ expectations.
  • How much contingency or risk management budget is left? Is it being used in the way that you expected? Do you need to ask for more and if so, how are you going to justify that?


The inputs to this process are:

  • The project management plan, and in particular, the risk management plan section
  • Project documents including the issue log, the lessons learned register, the risk register (because this is where you will have written down what you are supposed to be doing) and risk reports (if you create them – I typically don’t, I just write down the details in a column on the risk log)
  • Work performance data and work performance reports – in other words, have the action plans been implemented?

Tools and Techniques

The tools and techniques for assessing whether the action plans have had the impact you expected are going to depend on how you can judge success.

However, there are some common things you can do to review and the kinds of tools and techniques you can use include:

  • Data analysis techniques like technical performance analysis (to compare what you have done against what was planned in a tangible way) and reserve analysis (to see how much money you’ve got left).
  • Audits - my recommendation is that you get an impartial person to run this for you instead of trying to review your risk processes yourself. Ask the PMO or a trusted colleague.
  • Meetings (because who doesn’t love a good meeting to discuss all the things that might go wrong on the project?)

Pick and choose the tools that will let you assess the impact of the risk (again) to see if it’s all squared away or if there is more you can do.


The outputs of this process are:

  • Work performance info
  • Change requests (because your new plans might involve adding or removing tasks to your project schedule, for example, to do a few more risk response actions)
  • Project document updates, especially to the project plan, assumption log, issue log, lessons learned register, the risk register and risk reports
  • Organizational process assets that might need updating e.g. risk template or your IT system, workflows etc.

Another output is doing the tasks to address the residual risks or any other actions you’ve uncovered to make sure that the risk responses are getting implemented as planned.

This process is something you can do on a regular basis. I put time aside in my diary to do a review of risk, normally once a week as I’m updating my project documentation. Then once a month I’ll try to work a risk conversation into our project team meeting – sometimes we only talk about one or two risks, the ones that are the most important at the time or that are likely to happen soon.

Use your judgement – this process is only there to prompt you to constantly keep your risks and management activities under review. If you keep risks front of mind, you’ll be fine.

Pin for later reading

Posted on: May 18, 2021 08:00 AM | Permalink | Comments (11)

How to Implement Risk Responses

Categories: risk

This is an occasional series on project risk management, and last time we looked at what options are available to you as part of your risk response strategy. Today, we’re looking at how do you actually implement risk responses.

There’s a whole risk response process in the PMBOK® Guide that helps you work out how to approach this part of managing your project.

The Implement Risk Responses process is where you take your response plans and actually do the work to make them happen. The execution of risk response plans is important because you can’t always rely on talking about a potential problem as enough to get it remedied.

There’s no single time to be doing this – you’ll be identifying risks the whole way through your project, so as and when you’ve come up with a new one, you’ll prepare the risk response plan and then implement it. Make time during the project to ensure you think through how to do the implementation part of the risk response strategy – incorporate it into your regular risk meetings.


The inputs to this process are:

  • The project management plan, and in particular, the risk management plan section
  • Project documents including the lessons learned register, the risk register (because this is where you will have written down what you are supposed to be doing) and risk reports if you have them
  • Organisational process assets.

The risk management plan will include the names of people responsible for the risk management process, and that’s helpful for assigning ownership of the management actions. You may also have info in there that relates to the level of acceptable risk – this is what you are trying to achieve by doing your risk management activities. It’s not always necessary to remove the risk completely; sometimes just reducing it to a level that’s acceptable to the project or the business is enough.

The OPAs are things like the corporate lessons learned repository which might give you insights into how other risk management approaches were implemented and what were effective techniques at doing so.

Tools and Techniques

The tools and techniques are going to depend very much on what kind of implementing you are doing. How to implement the ‘acceptance’ strategy is obviously very different to an approach where you are going all-out to mitigate it with a huge action plan.

However, there are some common threads to what kinds of tools and techniques you can adopt here, including:

  • Expert judgement (drawing on the expertise of your team leaders and your own knowledge about how best to implement the plans)
  • Interpersonal and team skills, especially influencing – that’s mainly going to fall to you to ensure that the work gets done
  • Project management information system (document and record what you are doing).

Basically, use your PM knowledge to ensure that the planned actions for risk response actually happen.


The outputs of this process are:

  • Change requests (because your plans might involve adding or removing tasks to your project schedule, for example)
  • Project document updates, especially to the issue log, lessons learned register, team assignments (as people’s work assignments need to be updated to reflect their new tasks), the risk register and risk reports.

And, of course, the work of doing the risk responses – built into your To Do lists and action logs, and discussions with team members.

As you get more experienced with project management, you won’t spend much time thinking about ‘doing’ this process. It just happens naturally as part of the things you’re doing on the project. It becomes an integrated part of how you manage risk, and so much aligned to the other parts of risk management that it all flows together. I don’t have meetings where I sit down and say, “Today we are going to do the implement risk responses process.” That’s just not a called out part of how we make risk management happen… but the process does happen. It’s simply integral to everything else and a natural part of how we work together as a team.

The process exists to remind you to make sure that risk responses aren’t something that you simply talk about. You want to avoid that issue of writing down risks and having a lovely risk log, but all the risks sit on there and nothing happens to actually take action on them.

Next time I’ll be looking at how to monitor risks to ensure that your action plans are being carried out as you would expect and are having the right impact on your project.

Pin for later reading

Posted on: April 07, 2021 09:00 AM | Permalink | Comments (2)

5 Strategies for Managing Opportunities

Categories: risk

Opportunities are positive risks – the risks we don’t spend much time thinking about because everyone assumes risk is bad!

However, if we use Dr David Hillson’s definition of risk as being uncertainty that matters, then some uncertainty could most definitely lead to a positive outcome for the project. Those are opportunities, and we handle them in the same way that we do the ‘negative’ risk or threats.

There are 5 strategies for responding to opportunity risk and they are:

  1. Escalate
  2. Exploit
  3. Enhance
  4. Share
  5. Accept

Let’s look at each of those.


Escalation is also a tactic to use for threat risk and the same approach applies here. When the opportunity is bigger than the project and falls outside of the scope of your work, escalate it up to the programme manager or portfolio manager, or simply pass it on to your boss. There’s nothing you can personally do about it as the opportunity falls outside of your level of authority. Your job is to make sure that the information you have is passed on to someone who can best act on it.

You can continue to support whomever picks up the information but you don’t have to track and manage the risk any longer.


This strategy is where you basically force the risk to happen so you benefit from whatever good things are coming your way. You want to increase the probability of occurrence to 100% because it’s worth it.

That might include spending money or changing the direction of the project to make sure that you get the outcome you want. For example, you could pull resources from other projects on to your project to make the work take less time, you could upgrade some infrastructure to take advantage of technological advances by being able to use new solutions and so on.

I don’t really use this strategy much because I tend to think that if we take steps to make something happen, it’s not a risk any more, but that’s just how I think – I know the literature talks about this as a particular, specific strategy. For me, I wouldn’t ever have it on the risk register, it would be something we discuss as a team and then adapt our plans via a change request to make it happen. What would you do? Let me know in the comments below.


The Enhance strategy is similar to Exploit in that you want to make the opportunity happen, but here all you are doing is influencing the outcome – you aren’t forcing the probability to turn to 100%.

What you try to do is increase the likelihood of it happening or increase the impact it would have if it did happen. You don’t have a guarantee of the outcome but you are influencing and negotiating your way to being able to capitalise on that fab opportunity.

I think this is hard to articulate because your response plan relies so much on what the opportunity is. We identify opportunities throughout the project life cycle and don’t always record them as risks. For example, if something came up in a team meeting where we could potentially complete a task more quickly if we had an extra pair of hands, we would decide there and then to do it and hope for the return, without necessarily formally documenting the risk.

Perhaps that tells you more about my lackadaisical approach to opportunity management than it does about the Enhance strategy!


Sharing is a little bit like transference for threat risk. It’s where you split the benefit with a third party on the proviso that they help you try to get the opportunity. For example, you might share resources for a better outcome, you might set up a joint venture or create a specific team. All of those things might mean sharing the risk and therefore the benefit between several entities or teams, but overall may make the potential benefit larger.


Finally, the classic strategy of do nothing. This is also a valid response and useful when there isn’t much to be had by way of opportunity. You basically sit it out and wait to see if the benefit occurs and you might want to have a contingency approach in place in case it happens and you want to act then.

However, as with accepting threat risk, make sure that you are constantly monitoring the situation and actively discussing these risks with their risk owners and the team. You don’t want to be in a situation where you miss an opportunity because the context or environment changed and your risk response plans weren’t updated as a result.

Which of these have you used? Share your best tips for managing opportunity risk in the comments below.

So far, all we’ve achieved in the risk management process is working out how to respond to risk, but it’s all been about talk and planning. Next time I’ll be looking at how to implement risk responses and make sure the work to deal with risk actually gets done.

Pin for later reading

Posted on: March 10, 2021 08:00 AM | Permalink | Comments (11)

5 Strategies for Dealing with Threats

Categories: risk

A threat is a risk with a negative impact on the project – so this article isn’t about dealing with bullying behaviour at work or anything like that. We often talk about risk as if all risks are the same, but they aren’t. There are ‘negative’ risks i.e. threats and ‘positive’ risks i.e. opportunities. The way we respond to each is different because you want a different outcome each time. With threats, you want the risk to go away. With opportunities, you want the risk to happen so you get the benefit.

In this article I’m talking about your options for responding to risks that are perceived to be a threat to the project.

There are 5 responses:

  1. Escalate
  2. Avoid
  3. Transfer
  4. Mitigate
  5. Accept.

Let’s look at each of those in turn.


Escalating means passing the risk up to someone else to deal with, because the team and/or the project sponsor believe it’s something that is outside of the scope of the project. Often projects will uncover risk or issues that are actually nothing to do with the scope of their work. In my experience, sometimes that means my project gets extended to also deal with whatever problem we’ve found, but sometimes the right thing to do is escalate to the PMO and let someone else deal with it.

This is also an appropriate strategy if the risk response you’re considering would need more than the level of authority you have within the team.

Basically, you’re passing the risk up to the programme or portfolio management team and while you’ll input to the response, it’s no longer your risk to track and manage.

I don’t remember this being an option when I first learned project management on an internal course my employer ran. I think it’s definitely a valid option and one we’ve used on my projects.


You can avoid a risk if you change your plans so it couldn’t possibly happen. For example: there’s a risk of getting wet if you go out because it’s raining. You remove the risk and don’t get wet because you don’t go out that day.

Sometimes you can make this happen with project risk but often avoiding a risk is expensive and time-consuming so it might not be worth it.

However, some risks can be avoided simply by gathering more information like getting clearer requirements, hiring someone with particular skills who would know what to do or being better at stakeholder engagement.


Transferring risk means passing it over to another party to manage and the example typically given is insurance. You can transfer the risk (in exchange for a fee) over to an insurance company who then take the risk on your behalf.

A similar thing happens when you write warranties and guarantees into contracts – the other party carries the risk in exchange for some kind of consideration on your part.


This is what we normally think of when it comes to risk management, and often internally – at least in my teams – we talk about risk mitigation instead of risk management because it’s what we do most often.

Mitigation is about reducing the impact and likelihood or a risk so that if it does happen it’s easier to manage the situation. We take steps to make the risk less likely to happen and less of a problem if it does.

For example, we might do more testing, add more resources to a project task, review more thoroughly, subject a process to internal audit or peer review and so on. We create back up plans, policies and build redundancy into the system so if something does go wrong, it’s easier to cope and get the project back on track without a major interruption.


Finally, you can choose to do nothing. This is an appropriate response to small, low level risks. It’s also a temporary response to risks that are likely to happen far into the future where it’s not necessary to spend time preparing a response yet.

You can put aside time or money to prepare for dealing with the risk as a minimum if you can’t do anything else. However, it’s important to monitor the risks where you have chosen acceptance as a strategy, because something might change in the future that makes it a less attractive option. Keep these risks under review and adapt your strategy as necessary to ensure you’re still doing the right thing for the project.

All risk responses could be combined if it’s appropriate to take two or three actions. You can even have different people responsible for taking different actions, although I’d stick with having one risk owner so that someone has a complete picture of what is going on.

Prioritise managing the most risky risks first and then invest the appropriate amount of time, resource and budget into reviewing and acting on the others.

Next month I’ll be looking at 5 strategies for dealing with opportunities – those positive risks we want to encourage.

Pin for later reading

strategies for dealing with threats

Posted on: February 10, 2021 08:00 AM | Permalink | Comments (2)

"Once, during prohibition, I was forced to live for days on nothing but food and water."

- W. C. Fields