The concept of risk management is not a foreign one to most people who have encountered a project. Of course, we have all seen risk registers and spoken of the risks in a project, but we sometimes fail to make the distinction between things – often negative things – that are already happening, and risks that ‘might’ happen, but which could yet be managed by taking preventative action. For example, saying, ‘hmm, I think we might miss that milestone’ when you know that you are already behind is an issue and you should take ‘corrective’ action. However, saying, ‘hmm, I missed that last milestone…what can I do to ensure I don’t miss the next one?’ is a risk and you should take preventative action against this.
If you find yourself referring to something that you know is going to happen as a risk, then a quick run through the standard process might be a useful reminder. The risk management cycle (found on p.123 of the official PRINCE2® manual) details the steps that all good project managers should take to ensure that they identify and proactively manage any risks early on, to avoid the problems growing and seriously affecting the project or programme.
So, the first step in the cycle is identifying any potential risks – these include both threats to the project’s objectives, and opportunities (remember risks can be positive, too). Before doing this, it’s good to remind yourself of the wider context of the project – what the objectives are, what the scope is, who the stakeholders are, where the project fits inside the organisation, etc. By doing this first, you can then identify risks more logically and formulate responses more appropriately.
The next step is to assess these risks you’ve identified. This can be broken down into two activities: estimating the risks’ probability, impact and proximity, and evaluating their effect on the project. Having this assessment at the beginning can help you to monitor the combined level of risk that the project is facing as it goes along, as well as helping to keep track of smaller risks that could build up into larger obstacles.
The third step is planning based on this early assessment. Planning allows you to devise responses to the risks that you’ve identified to, ultimately, address all the threats and maximise the worthwhile opportunities. It can also never really hurt to plan as much as you can, at least in part, as it lessens the possibility of your team being entirely flummoxed if one of your risks becomes an issue!
The final step in the risk management cycle is implementation. Essentially, this step ensures that all of the other steps are acted upon – the risks identified, assessed and planned for actually have actions assigned to them that are monitored and corrected, if necessary. It helps further if there are members of your team whose roles are dedicated to these areas of risk management; for instance, a risk owner, who is responsible for managing, tracking, controlling and reporting all of the risk management actions, and the risk actionee, who is responsible for actually implementing these.
We can see both in our projects and in our daily lives that the human mind is not an efficient instrument for assessing risk – the closer we get to the risk event the more we struggle to believe it will happen. For example, California is a really popular holiday destination and housing stock is in high demand there, but the San Andreas fault line has been overdue for a massive earthquake for many years now.
There’s lots of complex evolution behind our innate ability to overlook threats, but it seems to boil down to a simple experiential data point: if it didn’t happen to us in the past it is hard to convince ourselves it will happen in the future – other people get caught in earthquakes, not me. And of course, that statement is absolutely true…right up until the point that it isn’t.
So, how can we benefit from this knowledge in our projects and not let our bias overcome our evaluation? Simply put, don’t do it alone. Risk workshops, where you follow the simple process set out above, are far more effective when you do them as a group, as you will benefit from your colleagues’ different personal experiences. Ideally, the group will include neutral observers who can bring a detached view of risks, helping you to see the threats and not let misplaced confidence impact your project objectives.
Our PRINCE2 & MSP® courses teach you how to integrate the risk management cycle into the day-to-day running of your projects and programmes, so that you can proactively manage risk across your organisation and maximise potential.
Visit our website to see our full range of PRINCE2 and MSP courses.