The APM defines risk management as
“a process that allows individual risk events and overall risk to be understood and managed proactively, optimising success by minimising threats and maximising opportunities”. (Source APM BoK 7)
Following the uncertainty of 2020, the industry has seen a rise in the interest for effective risk management in organisations.
This rise is echoed in our latest State of Project Management Report which shows an increase of 4% in the number of organisations that engage in risk management. Additionally, the value of risk management has seen a sharp rise placing it only second behind Stakeholder Engagement (which has also shot up the value chart demonstrating the need for better engagement in our projects).
New Rules for Risk Management
Axelos Management of Risk guidance provides seven principles that underpin an effective process, and we can utilise those to take a pragmatic view at our own risk management with a view to modernising how we identify, assess, respond, and measure risk.
1 Risk Management aligns continually with organisational objectives
Considering the current environment for projects and organisations, it is important to understand the current aspirations. Are we less risk-averse because of the level of risk our organisations have been forced to deal with or have the last year opened the doors to a ‘what’s the worst that could happen’ attitude? Has the organisation fundamentally changed its operating model or has battened down the hatches until the uncertainty blows over? Our risk approach needs to flex to the current reality of the organisation, its objectives, and its strategic view of the future.
Rule: Review the current appetite for risk management and identify the areas where you need to expand or contract touchpoints.
2 Risk Management is designed to fit the context
The amount of risk management delivery teams are expected to do may have grown from uncertainty or diminished due to the lack of consistency in the availability of key players over recent times. This is therefore a perfect time to review our approach to risk management and align it better to our level of maturity, risk capacity and appetite. Just like with governance, consider if different types of change activities need a different approach to risk?
Rule 2: Create a scaled approach that allows for more complex activities to benefit from enhanced risk management while others need less, thereby creating a dynamic process.
3 Risk Management engages Stakeholders and deals with differing perceptions of risk
Because Stakeholders play a wide range of roles there may be disparate views of the need and approach to risk management. The key here is to focus on the objective of getting consensus during the risk identification process. Ensuring it is thorough, and that differences are understood and resolved ensures that money and time are not wasted on unnecessary or over-engineered responses to risks.
Rule 3: Develop a community of practice that educates and supports those taking part in risk activities in order that they have tools and techniques available to them to gain consensus and obtain one view during the assessment.
4 Risk Management provides clear and coherent guidance to Stakeholders
Part of creating a coherent language around risk management is ensuring that the risk management approach is logical, consistent, and orderly. This requires information and education to be available to delivery team members (as well as others) so that there is a joint understanding of what risk is, how it is responded to and managed across the organisation.
Rule 4: Develop your PMO or PPM information systems to contain guidance that is clear for all users, easily accessible, and supported by learning events.
5 Risk Management is linked to and informs decision-making across the organisation
Risk management must help decision-makers understand the relative merits, threats, and opportunities. This means that the information collected and collated should be consistent and supportive of the governance arrangements of the change initiatives. The main mechanism to really achieve this is to understand the risk tolerance thresholds and applying them to the risk assessment process, as when exceeded they will trigger an escalation.
Rule 5: Develop risk tolerance thresholds with the Sr Team so that they understand their role in decision-making for risk events and set their expectations appropriately.
6 Risk Management uses historical data and facilitates learning and continual improvement
Actual data is key to risk management not just because it supports the inception of new initiatives, but because the historical records allow us to analyse and pass judgement on whether something can be improved or not. If it can be improved, lessons can be learned, planning and estimating can be improved (both of which continue to be challenges for organisations), and positive outcomes can be felt, seen, and communicated by delivery teams.
Rule 6: Create a mechanism to feed risk information into the improvement loops of the project organisation enabling clear change that benefits delivery in the long term.
7 Risk Management creates a culture that recognises uncertainty and supports considered risk-taking
Axelos say that zero risks are neither possible nor desirable. An acceptable level of risk is needed by organisations to understand its wins and losses, so creating a culture that transcends ‘tick-box compliance to risk management enables an open exchange, balance, and transparent control of risks, ensuring that it can attain the full value of the investment in the process.
Rule 7: Make risk management part of the day job. Every project board meeting provides an opportunity for new risks to be discussed in order that team members don’t feel self-conscious when bringing up potential situations.
The PMO Perspective
Over the last year, we have seen organisations take time out to understand what they can do better utilising the medium of maturity assessments. One of the consistent outputs of these reviews has been the need to improve risk management.
The PMO has a pivotal role in the design and dissemination of risk management into organisations and provides not just the framework but demonstrates the attitude to risk that ensures it is taken seriously by the Senior Stakeholders. Why? As a function that enables success, it often is overlooked when reviews of value-adding business functions occur meaning that many PMOs live every day with the uncertainty that their role will not remain in the organisation for the long haul.
For the PMO, bringing to life the seven rules for risk management for the modern world will enable them to be seen in this arena, and provide a measurable way to demonstrate that they do in fact add value and that they can support the mechanism to preserver Shareholder confidence in their organisations.
Since the identification of the need for this key process to be better established, Wellingtone have developed and piloted an Introduction to Risk Management course that provides the starting point for teams to bring the principles to life in a way that will support their organisations no matter what change is on the horizon.