Hi Mr. Davis!
First, you’ve asked an excellent question. I think there are really two parts to it. Some of the ones you list could affect the project only (resignation), but some of them are corporate-level risks (cyber-attack).
There should be good risk stewards at the corporate level, working with the accounting and general management folks to forecast and protect against hurricanes, tornadoes, zombies, whatever. These risks are out of the project manager’s hands and are part of the overall business risk assessment. You *could* say these are “organizationally accepted risks.”
But! As a top-notch Project Manager, when you think of these ORGANIZATIONAL types of things, I believe it’s your duty to ensure that the general business folks have considered them. So, for instance, I had the sprinkler system come on over a weekend (no fire), and it stayed on until Monday. I never imagined that would happen. If I had been just a bit smarter I would have, and I would have politely asked the folks upstairs in the corner office if they had set aside funding to take care of 2 feet of water from sprinklers. I don’t consider this to be a project risk, but an Organizational-level risk.
So, if you can imagine a business risk and it has some likelihood of occurring, you have an honor-bound duty to inform the business risk people about it. If they don’t take care of it, then you must handle it on the project.
If it’s a commonly accepted risk taken at the project level (a late deliverable), then it should be in your project’s risk register, and you’ll be the grass and the executives will be the lawnmower.
ATA (Ask to Answer) for the Risk expert Mr. Maynard.
I wonder if there is a formal explanation for something I call “Organizational Accepted Risk.” There are many risk items that I personally don’t call out in my risk mitigation strategy because the Organization automatically accepts the Risk and will deal with it when it occurs. I mention it in my governance document, but not in my Risk Plan. Some examples of these risks are listed below:
My question: “Is there an accepted best practice for handling Organization Accepted Risk?” And could you direct me to it?