One of the joys of my job is that I get to work with lots of different organisations & project professionals. I frequently help organisations develop project management methods and deliver training to both new and experienced project professionals. A frequently admitted weakness (apart from cake and cookies) is that they don’t do any risk management. None. This article looks to explore the all-important rules of risk management.

Welcome to the school of “we just cross our fingers and hope for the best”.

But what if the risk happens and the project is delayed or becomes more expensive? Well, this just becomes the excuse the PM uses to explain it with a shrug of the shoulders…” all was going well until this happened, not my fault.” A harsh but fair assessment.

So any time risk management is mentioned everyone immediately falls asleep. Grab a strong coffee and read on.

Rules of Risk Management

  1. Risk management is not optional. All projects have some risks. If you identify things that might go wrong and avoid or reduce them you are actually doing yourself and the project team a massive favour.
  2. Risk management is not about using your imagination. We don’t want a huge list of highly improbably risks but a practical list of things that could impact time, cost, quality, scope, and benefits. Look at previous projects & what went wrong. Review each deliverable or stage of work in a structured way to make sure you have considered all the risks relating to the full scope of the project.
  3. Think “causes” not “consequences”. When identifying risks don’t just say there is a risk the project might be late. What causes this lateness? That’s the risk.
  4. Simple scoring. Score each risk for probability and separately impact. A scale of 1 to 3 is very common where 1 is low and 3 is high.
  5. Simple maths. Multiply these two numbers together to reach a risk score for each risk.
  6. Proximity. How soon could this risk happen? In the “short” term, “medium” term or “long” term.
  7. Prioritise. Those with the highest risk scores and closest proximity should be reviewed first.
  8. There are 5 formal responses to risks: Avoid, Transfer, Mitigate, Accept and Contingency. The key one here is mitigation. What are the practical steps you can take to reduce the impact and/or probability of each risk?
  9. Identify these mitigation actions with the team, set owners and deadlines just like any other project task.

Risk management does create more work in the short term. This is one reason why Project Managers don’t do it because they are busy enough as it is!

But risk mitigation is like placing a good bet. Let’s do £1k of extra work today as it’s likely to save £10k of extra work in the future. That sounds like a good bet. It’s worth the investment.

If you currently don’t do any risk management then use the word “concerns”. What concerns do you have with delivering the project timescales, budget, benefits, quality and scope?

Talk in these terms to the project team, identify the top 5 and agree actions you can take to mitigate these concerns.

Congratulations, you are now doing risk management!