‘Risk management is a systematic process of identifying, analysing and responding to project risk.’ This may be broken down into a number of sub-processes are used as the basis for the five-stage model in this guide:
- Risk identification
- Qualitative risk analysis
- Quantitative risk assessment
- Risk response planning
- Risk monitoring and control
A precursor to all of this is risk management planning in which you identify the overall approach to be taken to risk management. Where you have a developed project management framework you may have an organisation-wide approach that is adapted as necessary for each project.
An excellent example of a risk management plan is the one developed for NASA’s Project Zeus. You can also view HEFCE’s approach to risk.
We stated earlier that risk is inherent in everything that we do and that risk management is simply helping us to take better decisions. In plain terms risk management is helping us run projects in the ‘real’ world. Too often plans are formulated on the basis of an ideal situation where everything goes according to plan. This may be a result of naivety, optimism or what we term ‘macho management’.
By this we mean a push for what a manager sees as the ideal without taking account of the risks involved. This manifests itself in pressure to prepare and ‘freeze’ plans too quickly and pressure to deliver too early. This usually means skimping on the analysis and planning phases of the project.
Senior managers may push project managers to have a more ‘can do’ attitude but this is merely shifting responsibility. If a project manager undertakes an analysis and comes up with a justifiable and realistic estimate of timescale and costs then one or other is cut, the senior manager responsible must bear the blame when the budget is exceeded or the project overruns. Similarly any project requires adequate scoping and definition but organisations don’t like this overhead.
As learning organisations we are notoriously reluctant to fund thinking and planning time. Once again, senior management must take responsibility for project failure where the initiative was poorly conceived in the first place.