The Money Files

A threat is a risk with a negative impact on the project – so this article isn’t about dealing with bullying behaviour at work or anything like that. We often talk about risk as if all risks are the same, but they aren’t. There are ‘negative’ risks i.e. threats and ‘positive’ risks i.e. opportunities. The way we respond to each is different because you want a different outcome each time. With threats, you want the risk to go away. With opportunities, you want the risk to happen so you get the benefit.

In this article I’m talking about your options for responding to risks that are perceived to be a threat to the project.

There are 5 responses:

1. Escalate
2. Avoid
3. Transfer
4. Mitigate
5. Accept.

Let’s look at each of those in turn.

1.Escalate

Escalating means passing the risk up to someone else to deal with, because the team and/or the project sponsor believe it’s something that is outside of the scope of the project. Often projects will uncover risk or issues that are actually nothing to do with the scope of their work. In my experience, sometimes that means my project gets extended to also deal with whatever problem we’ve found, but sometimes the right thing to do is escalate to the PMO and let someone else deal with it.

This is also an appropriate strategy if the risk response you’re considering would need more than the level of authority you have within the team.

Basically, you’re passing the risk up to the programme or portfolio management team and while you’ll input to the response, it’s no longer your risk to track and manage.

I don’t remember this being an option when I first learned project management on an internal course my employer ran. I think it’s definitely a valid option and one we’ve used on my projects.

2.Avoid

You can avoid a risk if you change your plans so it couldn’t possibly happen. For example: there’s a risk of getting wet if you go out because it’s raining. You remove the risk and don’t get wet because you don’t go out that day.

Sometimes you can make this happen with project risk but often avoiding a risk is expensive and time-consuming so it might not be worth it.

However, some risks can be avoided simply by gathering more information like getting clearer requirements, hiring someone with particular skills who would know what to do or being better at stakeholder engagement.

3.Transfer

Transferring risk means passing it over to another party to manage and the example typically given is insurance. You can transfer the risk (in exchange for a fee) over to an insurance company who then take the risk on your behalf.

A similar thing happens when you write warranties and guarantees into contracts – the other party carries the risk in exchange for some kind of consideration on your part.

4.Mitigate

This is what we normally think of when it comes to risk management, and often internally – at least in my teams – we talk about risk mitigation instead of risk management because it’s what we do most often.

Mitigation is about reducing the impact and likelihood or a risk so that if it does happen it’s easier to manage the situation. We take steps to make the risk less likely to happen and less of a problem if it does.

For example, we might do more testing, add more resources to a project task, review more thoroughly, subject a process to internal audit or peer review and so on. We create back up plans, policies and build redundancy into the system so if something does go wrong, it’s easier to cope and get the project back on track without a major interruption.

5.Accept

Finally, you can choose to do nothing. This is an appropriate response to small, low level risks. It’s also a temporary response to risks that are likely to happen far into the future where it’s not necessary to spend time preparing a response yet.

You can put aside time or money to prepare for dealing with the risk as a minimum if you can’t do anything else. However, it’s important to monitor the risks where you have chosen acceptance as a strategy, because something might change in the future that makes it a less attractive option. Keep these risks under review and adapt your strategy as necessary to ensure you’re still doing the right thing for the project.

All risk responses could be combined if it’s appropriate to take two or three actions. You can even have different people responsible for taking different actions, although I’d stick with having one risk owner so that someone has a complete picture of what is going on.

Prioritise managing the most risky risks first and then invest the appropriate amount of time, resource and budget into reviewing and acting on the others.

Next month I’ll be looking at 5 strategies for dealing with opportunities – those positive risks we want to encourage.

Pin for later reading

Let’s say your company has entered into an agreement with a supplier and now the bills are starting to rack up. This could happen if your agreement is on a time and materials basis, or a fixed price plus extra costs for changes to scope.

Find out why the costs are overrunning. Is it because your team is putting through too many change requests, which is hitting a contract clause that lets the supplier charge more? Or is something else at play? Whatever the cause, pin it down and work from there. Involve the supplier as well, so that they know that you can’t afford, or choose not to afford, to put up with those costs going forward. You may end up renegotiating the whole thing, but better to do that early than to put up with overspends for too long.

This video explains more.

Pin for later reading

Have you used the Practice Standard for Earned Value Management? It’s another one of the documents and standards available to project managers who are members of PMI. Go to your members area and log in, then navigate to the standards section and you’ll be able to download a copy.

It’s a detailed guide to how to do earned value, but more than that, it also talks about scheduling elements that are so important to getting your project plans set up correctly from the beginning. Look at me, mixing up ‘schedule’ and ‘plan’ already. How many times have you heard ‘plan’ and known the person talking really means ‘schedule’ today?

Earned Value requires that you are all on the same page with terminology and it’s a good way to standardise your approach to managing project performance.

What’s in the standard?

The standard is a document that sits alongside the PMBOK® Guide and doesn’t replace it. You can use them both together. Think of the standard as a deep dive into how to make earned value work. Like all standards, it is not prescriptive in that it doesn’t tell you that you need to use certain software tools to do the processes. It’s up to you to work out the best ways to implement the guidance.

The standard covers the following areas:

• A general overview of EV: important for scene setting and context to help you decide if you really want to go ahead and implement EV on your projects

And then it goes through the process for running an earned value management, in exactly the same way as the PMBOK® Guide is laid out:

• Organise your project: the first process
• Assign responsibility so people take ownership for WBS elements
• Develop the schedule
• Establish the budget
• Determine the measurement methods you are going to use to track progress
• Establish the performance baseline
• Analyse project performance: this is the process where you track the project’s status and monitor performance
• Maintain the performance measurement baseline: in this process you review what is happening and course correct to bring the project back on track using rebaselining and change requests.

If you are used to using the PMBOK® Guide as a reference, then the format of the EVM standard will be familiar to you. Each section talks about the process as a whole, then covers the inputs, outputs and considerations, enabling you to map it to your current work.

There are some appendices that cover additional topics like how the standard was put together and how the subject of EV fits with risk management. There’s also a short system on deploying a full EVM system which is helpful if you are about to start software selection.

It’s much shorter than the PMBOK® Guide (thankfully!) so if you are wondering whether it’s worth diving into, I say go for it. What I liked about it is that it’s readable – in as far as any standard and set of processes is – and I felt like I could implement it if I wanted to. It’s not the same as the standard required if you are bidding for US federal contracts, but if you want a place to start with EV, then this is a comprehensive guide. Plus, it’s free to PMI members, so what have you got to lose?

I know that many PMP® students do worry about the earned value formulas and EV in general, especially if they don’t use the concepts day-to-day – and in my experience most of the people and companies I work with do not choose to use EV as a performance management method. So if you are going for the exam and want to build your confidence about EV, then this is a helpful read. It’s still basically a textbook though (maybe I find these things more interesting than the average person – certainly I’m the only one in my household who would pull out an EV book by choice).

The thing about EV is that you need to know a little about it to know that it is not relevant to your projects. It’s a topic worth learning about as a project manager if only so you can have the confidence that you and your PMO are making the right choice by not adopting this way of tracking performance.

Do you use EV on your projects? Let me know in the comments!

Pin for later reading:

Here are 5 ways to see the bigger picture in your work in order to make a bigger impact with what you do.

1. Go to internal networking events (virtual or in-person)
2. Read the annual report
3. Read relevant business press for your industry
4. Join an industry body (as well as a project management-related one)
5. Ask lots of questions!

There is more about each of these in the infographic below.

This article is the tenth part of my look into project risk management, and today the topic is how to plan risk responses. Who knew there would be so much to say about risk?

What does it mean to plan risk responses?

When you plan risk responses, what it means is that you are working out what to do about the risks you have identified. As you are doing the analysis, you’re probably talking to the team about the different options for addressing the risk, making judgements and plans as you go. The thing with all the risk management processes is that they can all happen in quite a short period of time, and often within the same conversation – especially for smaller risks and smaller projects.

However, for the purposes of our discussion today, we’re looking at making sure the risk responses are considered, selected and agreed by the people who matter. You’ll also allocate people to do the work of implementing the risk responses so that you actually manage the risk and don’t simply talk about managing it.

Inputs

The inputs to this process are:

• The project management plan – the resource management plan will help identify who is the best person to be the risk owner, although you’ll probably know this information already without having to resorting to looking it up in a document. You’ll also want to review the risk management plan and cost baseline (because it has information on the contingency fund that you can use for risk response).
• As we saw last time, there are a lot of project documents that can inform the risk management processes, and this step is no exception. We’ll be looking for information to support our plans in a variety of different documents
• Enterprise environmental factors like how much risk appetite the business has to respond to risks, and the same for individual stakeholders
• Organisational process assets like templates, databases of what happened on past projects and lessons learned reviews from similar projects and this current one if you’ve already done interim reviews.

What documents should you review?

The risk register and risk report are the most important documents because they give you information on what the risks actually are and how exposed the project (and/or business) is. That will inform your choices about how you respond to risk.

First, check the Lessons learned log – check to see if any past risk responses were particularly helpful or pointless so you can repeat/avoid the same things in the future.

The rest of the documents you may need to refer to are to do with the logistics of making sure the risks can be managed adequately.

The project schedule is helpful so you can fit in the risk response plans and make sure there is time to do the work. The team assignments and resource calendars will also help. The stakeholder register will give you clues about ownership if you don’t have volunteers to lead on risk response actions.

In practice, many experienced project managers won’t turn to those documents to find the answers – they’ll simply talk to the team and then update the schedule with any tasks that need to be added once the responses are agreed.

Tools and Techniques

Responding to risk is a lot to do with expert judgement, so in my experience, this is the technique you’ll use the most.

Rely on your subject matter experts and talk to them about how best to respond to threats, opportunities and how to manage contingent risk with the associated strategies and triggers in place.

Basically, you need information from the experts and you gain that through interviews and facilitation (data gathering and interpersonal and team skills).

Talk, talk, talk, and seek out the people with the answers.

You can also employ some data analysis techniques to back up what your experts are saying or to help you choose the best response if there are several options.

For example, alternatives analysis can help you compare the different options and select a course of action that will lead to an appropriate result.

Cost-benefit analysis is another tool. Some risks will cost more to mitigate than they would if they happened, so this type of calculation can help you decide how much budget to spend on risk responses and whether the benefit of that investment is going to be worth it.

Finally, you need to make a decision about what risk response plan to accept, so decision-making techniques for groups can be helpful. Consider the criteria for making the decision before you get to the actual decision-making part of the debate, as that will help give the team some structure.

Typical criteria for making a decision on risk response include:

• How much the response plan will cost
• How effective it is thought to be
• Whether people are available to do the work
• How the plan fits in with the rest of the project and whether the work can be completed in time before the risk materialises
• What the impact will be on other risks
• Whether this plan introduces other secondary risks or new risks

And so on. If your team doesn’t have much formal experience of making this kind of decision, I find it helpful to have the criteria available for us to review as we are discussing the risks.

Outputs

The outputs from this process are:

• Change requests
• Project management plan updates
• Project document updates.

In other words, there are lots of admin jobs to do once you’ve made your risk response plan because you’ve got a lot of paperwork to update – admittedly all of it is now electronic so it’s not so difficult to do.

Review all the plans: update the schedule to reflect what you’ve just agreed to do, update the cost management plan to include any money now being spent on risk response, and review resource plans to ensure they are still accurate. Update your baselines if necessary. If your risks affected suppliers, make sure any changes to the procurement plan are incorporated.

As part of your discussions and approved response plans you might have uncovered new assumptions, new lessons and even new risks. Make sure team assignments accurately reflect the work you are expecting people to do and make sure the risk register and risk report are updated with your plans.

Next month I’ll be talking about 5 strategies for dealing with threats.

In case you missed them, and to save you a job digging through the archives, here are the quick links back to the previous instalments:

Read part 1 here: An introduction to risk management

Read part 2 here: Trends and Emerging Practices in Project Risk Management (Part A)

Read part 3 here: Trends and Emerging Practices in Project Risk Management (Part B)

Read part 4 here: Tailoring Risk Management

Read part 5 here: Planning Risk Management

Read part 6 here: The Risk Management Plan

Read part 7 here: Identify Risks Process

Read part 8 here: Qualitative Risk Analysis

Read part 9 here: Quantitative Risk Analysis

Pin for later reading: