Years ago, I had been asked to carry out a review of an organization’s project management framework. All was looking OK until it came to their risk log. It was the entries that caused concern. The first one under “Risk description” said simply “The project might be late”. The second entry followed a similar line. It said, “The project might run out of funding”. The third entry followed this pattern, “The project might not deliver the correct quality products”.
There were no more entries.
This unfortunately was not an isolated example. Risk logs for other projects showed a very similar style of describing and recording risks. But there are ways to ‘do’ risk management, and there are ways not to do it.
Let’s take a look at a few examples, and what we might do differently to become active managers of risk.
Generic risk descriptions
Entries such as, “the project might be late” are too generic as to serve a real purpose. It gives us no clue about what we might do about it and doing something has to be one of our goals of risk management.
Instead, it is good practice to describe the risk in terms that reveal the cause (the existing situation that gives rise to the risk), the event (the situation that might occur), and the effect (the likely impact arising from the event). This gives us a far greater understanding of the risk, as well as three distinct areas which we may be able to address.
Not all risks are negative
Describing all risks as ‘things that might go wrong’ creates an impression of risk management as a profession that only sees problems.
Instead, we should think of risks as either negative threats, or positive opportunities. In fact, one useful way to define the word risk is as, “an uncertain event, that should it occur, will have an effect on the achievement of objectives”. That effect can be positive or negative. Using risk management approaches to also identify opportunities can often lead to the creation of value for organizations (as indeed can the identification of threats).
Lack of risk analysis and prioritization
A simple description of a risk gives us only a broad idea of what could happen. But without the appropriate analysis and prioritization we may be either overwhelmed with the number of possible risks, or we stop when we have identified just three.
By asking a variety of questions, such as what is the probability of the risk occurring, what is the likely impact, when might this happen, we can begin to have some basis for which to prioritize them.
This is important because it facilitates leadership decisions about where to invest resources to increase the certainty around each risk (whether threat or opportunity).
Passive risk management
Simply describing a risk in a risk log or register is merely a passive recording of an observation. In order to become active managers of risk there are some important steps to take once a threat or opportunity has been identified, described, analysed, and prioritized.
A key step is to consider what options are available to us so that we can respond appropriately. There are a range of responses which can be used to alter the cause of the risk, perhaps avoid the event, or possibly reduce the effect.
Lack of accountability and responsibility
As mentioned above, the recording of a risk is a passive act. If we are to actually manage our risks, then we need to identify who is going to take action. Too many risk logs omit this vitally important information.
There are various roles we can identify:
- Risk author – the person who identified the risk, as they will be a key source of information
- Risk owner – the person responsible for managing the risk, ensuring that its status is monitored
- Risk actionee – the person who is going to implement one or more responses to a risk.
In many organizations there will also be specific risk specialist roles with a wider remit than a single project or programme.
Now, whether we work in project or programmes, or at a strategic or operational level in our organizations, we know that there are things called risks, and that there is something called ‘risk management’.
But more than ever before, we need to take a fresh look at our attitudes and practices, and determine that we will move away from poor practices and develop far better approaches to this extremely important area.