Of course the best risk planning in the world isn’t any use unless you have a clear picture of how the situation in your project is developing in reality. You need to keep track of the identified risks, monitor the effectiveness of your risk responses and identify new or changed risks. This means having effective reporting mechanisms in place and ensuring that risk is covered in all key reports and reviews.
Most of the key issues are covered in the section on managing project phases in the project management guide.
You need to be on the lookout for the early warning signs or ‘triggers’ you identified. The classic project risk trigger scenario is of course your most casual employee coming to work in a suit and asking for the afternoon off…
Effective monitoring and control also involves creating the right conditions for openness and transparency in the project. If you have a tendency to ‘shoot the messenger’ then people will try to hide problems until the last possible minute by which time your range of response options may have narrowed.
A key role of the project managers is also to communicate risk to the stakeholders. Senior managers hate surprises so you need to keep reminding them ‘these are the top five risks we are facing at the moment…’ so that when one of the risks occurs they are prepared for it.
When a risk does occur – and it will – ‘don’t panic!’ Implement your planned response and communicate the fact that the risk was anticipated and plans were in place. Those of us who dislike documentation be warned – the details in your risk log may be of critical importance if you are called to account for your assessment of, or response to, the risk. This should have been reviewed by your steering group or equivalent so you are able to say ‘this is what we agreed.’
On the upside your review may reveal risks whose time has been and gone without them ever occurring. In these cases you may be able to hand back contingency funds to the organisation.
At various points in this guide we have returned to the business case behind the project. Risk analysis and management is an important part of assessing whether the business case for a project really stacks up. Your risk identification may show more serious risks than had been anticipated – this means the business case must be reviewed.
The emotional or subjective element in decision-making comes to the fore here. As a project manager you may be pushing your organisation to undertake a risky project because otherwise you won’t have a job. Conversely the organisation may be so risk averse that it is missing opportunities.
Your analysis of acceptable and unacceptable risks may reveal one or more potential ‘show stoppers’ in the unacceptable risks. In this situation the project shouldn’t go ahead until the risk has been addressed.
You may also need to review the business case in the event of a lot of risks being realised. Say you have assumed that one in five of the identified risks will occur but in practice most of them are happening – maybe external factors have changed and the business case doesn’t stack up any more. You mustn’t lose sight of the bigger picture for organisational risk management.
Creating a risk-robust culture
Changing our organisational cultures to be more risk-robust isn’t going to happen overnight. However the more we talk about risk in relation to projects and try to give concrete examples of how risks will impact then the more likely it is that our stakeholders will begin to have more realistic expectations of real world projects.
Risk won’t go away simply because we choose to ignore it or fail to plan for it. If we can start to create plans and budgets with risk factored into them then our organisations will develop a greater degree of confidence in their own abilities to manage projects and will be in a better position to evaluate their own risk tolerance.
We must not lose sight of the fact that risks can be turned into opportunities and a proactive approach to risk management is a first step in creating new opportunities as an organisation.