Project Management Central
Is it correct because we are so busy dealing and managing with what we know than we don’t know … so risk management not addressed in the proper manner ? of yes or no … why ?
My feeling is that people do little but identify risks during the planning stage. That's because, if you really do all the analysis up front, you will increase the project costs with your mitigation, contingency and fall back plans. (Think insurance, escrow, ...)
It's the old problem of not having enough money to do things right up front, but having money to fix it later in the project. Saving Changes...
there's many causes for why risk management is poorly practiced. The one you've provided is a common one but my usual response is "You seem to always find time to fight fires, so why can't you find time to prevent them!".
Other causes are:
- Poor lessons learned capture and sharing
- Lack of tailoring/scaling/flexibility to risk management practices
- Lack of risk management awareness among key stakeholders
- Lack of ownership & follow-through of risk responses by risk owners
- Insufficient exploration of response strategies beyond mitigation
- Subjective or inconsistent use of reserve analysis
Agree with comments from Stephane and Kiron. Often risk management is done at the planning stage and forgotten. It is important to have risk management as team meeting topic on the agenda every time and whole team understands and lives the responsibility for continuous risk identification/ assessment during the project. This helps at least to reduce the abovementioned firefighting needs. Saving Changes...
I used to believe that once a risk' trigger event happens, you have an issue on your hands to manage.
I've come to realize that if you properly manage the risk with well defined contingency and fall-back plans, then you will never have an issue. An issue is something for which you haven't planned. (My opinion, not necessarily PMI's.) Saving Changes...
There is definite merit in Qualifying Risks using a Priority/Impact Matrix and concentrating on the High Priority Risks, including setting up contingency funds for those risks , appointing an owner to manage the individual risks and putting away the low priority risks in the watch list for monitoring. Weekly visits to the risk register to discuss the high priority ones and maybe monthly visits to the watch-list may not be too onerous.
Interesting point you raise there Rand....Cost of Quality is an important focus in the PMBOK but Cost of Risk necessarily isn't....
Having said that , by looking at the cost of quality you may actually be planning and costing risk responses to the majority of the risks in your risk register. Saving Changes...
Over the years, in reviewing project status with teams, it becomes clear that significant risk is there, but not considered. This can be because:
(1) the risk was not identified during the planning stage or perhaps did not exist at that point
(2) When a problem or roadblock arose, it was not recognized as a risk by the team. In that case, and often the case, the team was simply directed to follow a path that management wanted to pursue, without realizing it might have considerable risk.
(3) A risk was identified early on, but considered minor at the time, and not reviewed for potential upgrading as the task progressed, or
(4) The team chose to 'hope' that the risk would get larger, and chose to proceed without further considering where that decision might take them.
Overall, risks are often underestimated, unconsidered, or avoided in order to get moving with the task, only to come back later, larger and more powerful--requiring a far larger response than would have been the case. Any team which does not periodically review risk, and update the risk register is seeking problems and barriers to success. Saving Changes...
You should get the money for the cost of risk, if it is justified during the planning stages and you clearly demonstrate the impact if that risk occurs and the portion of the budget was not implemented to manage that risk. If you show that Risk A has a 20% chance of occurring and the impact is $100,000, yet only costs $5,000 to mitigate, transfer etc. that risk, then it becomes a judgement call from whomever approves the budget. If the risk is serious enough, you could use a sliding scale of risk responses, each with varying costs and degrees of impact. As Stéphane said, if you do the proper planning and analysis upfront, you will reduce a lot of the risks and/or have the appropriate response plans in place. If you (and the team) don't know what you don't know, it could be a reflection of the planning and analysis you didn't do. Saving Changes...