Project Management

Please login or join to subscribe to this thread

Project Risk Management

linkedin twitter facebook  
avatar
Peter Rapin Subject Matter Expect; Project Delivery| Independent Consultant Ontario, Canada
This is not really a new topic. We have addressed Risk Management many times in this forum and there have been some good discussions.

The purpose of a Risk Management Plan is to reduce the probability of a risk to the project (or enhancing a possible benefit) and mitigating the impact of that risk (or maximizing the benefit) should it occur.

I have two question I would like to hear discussion on. If you identify a significant risk but 1) have no influence on its probability of occurrence, and 2) have no means of mitigating its impact, do you track it in the Risk Register? If not, what do you do with it?
Sort By:
< 1 2 >
avatar
Kiron Bondale Retired | Mentor| Retired Welland, Ontario, Canada
Peter -

As usual, it depends. Knowing is of value so communicating it to relevant stakeholders is important and they might have the ability to influence the risk more so than the team. In an extreme situation, there might be the need for the sponsor or customer to terminate the project if the risk is one which they are unwilling to risk being realized.

Kiron
avatar
Abolfazl Yousefi Darestani Manager, Quality and Continuous Improvement| Hörmann-TNR Industrial Doors Newmarket, Ontario, Canada
As Kiron mentioned, it depends.
avatar
Mark Warner Project Manager| AURA Tucson, Az, United States
If it's a "significant" risk, then I would say the default is to absolutely include it in the risk register. You do this to keep your stakeholders involved/aware, and to ensure sufficient contingency is carried for if/when the risk occurs. Further, your response for now may be to simply "accept" the risk, but as time goes by you may discover ways to avoid, transfer, mitigate, or even exploit the risk. Keeping it front and center in your risk register keeps it front and center in peoples' minds. Otherwise, you are simply burying your head in the sand.
avatar
Aaron Porter
Community Champion
IT Director| Blade HQ Payson, UT, United States
Once a risk is identified, I add it to the register. Keep in mind that Mitigate is not your only option for responding to risks, and not all individuals, let alone companies, have the same risk tolerance or appetite. My job is not to prevent every risk from being realized, but to make sure that the right people know about it and choose how to respond. No choice can be a choice. I've been in situations where seemingly high probability and impact risks are ignored. When that has happened, I've made sure to document what I've done to raise awareness and and informed my leadership. Sometimes nothing happened. Other times there was a failure and we dealt with it. I did not point fingers when the latter happened, but I did have the information I needed to protect myself should the need arrive - personal risk management.
avatar
Rami Kaibni
Community Champion
Senior Projects Manager | Field & Marten Associates New Westminster, British Columbia, Canada
Peter

Being a significant risk, or even if not, once identified, you need to include it in the risk register and track it. Ideally, you need to formulate a risk response but in this instance, since you have no mitigation means, you need to make sure that it’s impact is accounted for in your contingency reserve and in your schedule.

RK
...
1 reply by Latha Thamma reddi
Apr 12, 2023 3:34 PM
Latha Thamma reddi
...
strongly agree
avatar
Verónica Elizabeth Pozo Ruiz RYLAI Access Control Quito, Pichincha, Ecuador
Even if you have no means of mitigating the impact of the risk, you should add this identified risk to the risk register, and determine the risk response as "accept", which states you acknowledge the risk, but do not stablish any action as a risk response.

If the risk weren't significant, it should be added to the "Risk supervision list", for risks of low priority.
avatar
Juan Carlos Blanco CESVIMAP Spain
When a risk is detected, it must be classified and managed, at least it must appear in the risk inventory and if it is minimally significant due to the possible scope or probability of occurrence, it must be valued so that it can be either accepted by the person concerned, transferred, or rejected, and can have its impact on the life of the project.
What we can't do is ignore it, that doesn't make it go away. If we have detected it, we are responsible for its management and assume the risk.

JCB
avatar
Sergio Luis Conte Helping to create solutions for everyone| Worldwide based Organizations Buenos Aires, Argentina
What I do is using the top ten risk approach to create the main view of risk register. But we take into account risk with the characteristics you mention in a watch list. Is similar than stakeholder management if you use an stakeholder matrix. Things can move from state and the reason for performing risk management is, in my personal opinion, is "don't come with surprises".
avatar
Peter Rapin Subject Matter Expect; Project Delivery| Independent Consultant Ontario, Canada
Thanks all. I agree that the all identified significant risks have to be included in the Risk Register and tracked. I also concur that such risk be shown as "accepted" or "tolerable" when there is no means of managing the probability or impact. An accepted risk is not one the be ignored as conditions change and opportunity may rise to 1) influence the outcome (mitigate), 2) possibly transfer of risk (through contract or insurance), or 3) project deliverable modified/cancelled if the risk is no longer tolerable.
avatar
Stéphane Parent Self Employed / Semi-retired| Leader Maker Prince Edward Island, Canada
Project risk management is not simply about reducing the impact or likelihood of project risks from happening. It is also about responding appropriately to triggered risks. That means identifying contingency and fallback actions/reserves.

Your mitigation actions and reserve should be part of your baseline schedule and budget. Contingency and fallback actions/reserves are usually added to the schedule once the risk is triggered.
...
1 reply by Peter Rapin
Oct 06, 2022 3:33 PM
Peter Rapin
...
Stephane, I don't disagree however budgets and delivery timeframes are typically set with the Business Case with contingencies based on percentages (Class E cost estimate with a 25% contingency) - the risk allowance being buried in there somewhere. When preparing a follow up Project Plan with Risk Management component I like to quantify the risk allowance based on what we predict may be appropriate at that time. If the risk allowance exceeds the available contingency, you attempt to mitigate further or request additional funding (or both). If there remains contingency after the risk allowance is subtracted the balance is returned or specifically designated so it doesn't disappear. Time contingency can be handled the same way.

The efforts (cost) to mitigate probability and pre-emptive efforts to reduce possible impact (before the risk is triggered) should be included in base cost and schedule. That effort is expended whether the risk is triggered or not. The residual impact of the risk once triggered comes from the risk allowance.

I think I'm saying the same thing as you just had to work it through in my own mind.

There is a school of thought that suggests the estimate contingency (usually expressed as a percentage) should be kept separate from the risk allowance. I believe that the estimate contingency, whether an estimating error or scope adjustment allowance, is actually a risk and should be seen and identified as such. It prevents people from seeing contingency as a "slush" fund or an encouragement to scope creep.
< 1 2 >

Please login or join to reply

Content ID:
ADVERTISEMENTS

"I have often regretted my speech, never my silence."

- Xenocrates

ADVERTISEMENT

Sponsors







Vendor Events

See all Vendor Events

Newsletters

Jun 3: The Career Problem Facing New PMs
May 20: Your PM Career as a Project Life Cycle
May 13: The Big Lie After Layoffs

See all newsletters