How is risk normally managed in organizations that don’t use a project or risk management method?
In my opinion, it’s not managed. When it comes to “uncertain events”, people don’t want to think about them. Rather, they want to focus on their ideal image of a risk-free project and manage that.
From my time working in oil and gas, I saw people whose every day job was risk management and their only goal was to engage the team in such activities. However, many organizations don’t have that luxury.
As a result, project teams tend to manage the issues that arise from lack of risk management rather than proactively mitigating them. In this scenario it is not unusual that after a project starts, you might think: “Oh, I need more time, resources, etc”. One cause of this additional work is directly linked to the fact that you didn’t account for uncertain events. Essentially, by avoiding managing risks you have been underestimating your project scope.
In 20 years of running projects, risk and the risk theme in PRINCE2® have always been the most difficult concepts for people to grasp. One problem is getting people engaged with risk events. To achieve this, in my organization I shift attention from the risk to the mitigation. Adding this to your project scope makes risk real. People will start to think about how to manage it – moving them away from the world of “what if?”.
Using PRINCE2 to manage risk
Why is having a method such as PRINCE2 – with dedicated guidance for risk management – valuable when running projects?
PRINCE2 tells you to define the risk management approach as one of the first actions to take during project initiation. This is fundamental as risk identification precedes the project plan definition.
It also recommends maintaining some form of risk register, depending on the complexity of the project. Having a simple risk register sends a very powerful message: it doesn’t need to be an endless series of columns and ratings; in some cases a simple, short list of risks and actions is enough.
And, as the project progresses, you and the team learn from experience and adjust the mitigations as needed, which works really well for risk management.
Managing risk: smaller vs larger projects
In smaller projects, your scarce resources are really precious. So, I recommend the project manager is the sole owner of the risk management process while the rest of the team focuses on executing work packages, which should contain risk management measures. The exercise of identifying risks can be done just once at the start of the project, before the project plan is finalized and work on products starts.
For example, in my organization, we had to re-design a process for invoicing in a particular country. To mitigate a specific risk the project manager decided to train part of the team on a new tool. Here, the cause and the risk were invisible to the team, who just focused on learning about the new tool and process. Similarly, when planning a new office project, the risks around having internet access and furniture delivered on time were solely for the project manager’s risk register.
However, with larger projects, the number of risks is greater, complexity is higher and visibility for the project manager is more difficult, so this needs to involve the team directly in risk reviews. For example, construction projects in our company have visible risk registers, include risk reviews and risks are reported as a key project control.
Risk management – reassurance for the project board
If you understand the key events that will change the risk profile of your project, for example placing a large order or obtaining an investment authorization, use these moments to engage the team in risk management conversations; then you are making risk real for the organization and can manage it better.
By engaging with the project team and board in these key moments, you understand their view of risk and what you capture should go straight into the project plan. Consequently, what the team sees day to day mitigation actions. This takes them towards an approach of carrying out tasks rather than involving them in the process of risk management.
This is especially important to gain credibility with the project board. Though its members may not be involved with a project day-to-day, they have a high awareness of the potential impact of risk on a business case.
Seeing that it’s being managed effectively gives them confidence and trust in the project manager and team.