The importance of risk management cannot be overemphasised. When you are proactive in identifying and mitigating potential threats for your project it means that fewer issues are likely to arise. High performing project managers don’t sit back and assume that the road to project delivery will be straightforward. They regularly take time out to assess everything that could impede the success of the project and actively do something to manage the situation.
One of the biggest secrets to good risk management is to not treat it as a mechanical process to be carried out in isolation behind your desk. Risk management works best when all team members collaborate and share their knowledge and insight. When risks are analysed, planned and assigned in collaboration, not only does it improve the process, it also reinforces accountability and ownership. Project managers sometimes assign themselves to most of the items in the risk register. But that doesn’t leverage the team or create a shared sense of responsibility. It’s important to have the courage to assign the right owners and to gain their buy-in and acceptance for fully managing a risk.
Let’s examine the steps involved in managing risks in a collaborative manner.
Step 1: Brainstorm all possible risks
The first step in collaborative risk management is to brainstorm all possible risks with your project team in a workshop. Give people a stack of post-it notes and ask them to consider anything that could go wrong on the project. As they think of potential pitfalls they should write down each risk on a post-it note and stick if on the wall. Help the team think through everything you are supposed to deliver, and consider your success criteria, assumptions, and dependencies. You can also review standard risk lists and lessons learned from other projects.
Some of the risks you think of will be specific to your project, while others will be generic risks that affect all projects—for example, user unavailability at the time of user acceptance testing. Pay equal attention to both sets of risks, as they could all turn into issues if not properly mitigated. Don’t make the mistake of deliberately omitting certain risks because they are too precarious to discuss. Remember, that it’s much easier to manage a risk than to wait until it becomes an issue.
Step 2: Analyse the risks
The second step is for you and your team to analyse the risks have you identified. To do this, consider the root cause of each risk by asking why, why, why? Keep digging until you find the ultimate source of a risk. This will make it much easier for you to determine how best to deal with it and mitigate it. For example, perhaps there is a risk of key team member moving to another team. You might think that the best way to deal with this is to cross-train staff and line people up to fill the vacancy. While that is definitely a good idea and will help lessen the impact of the risk, you will really only be able to lower the probability of this risk by investigating why the team member wants to move and doing something about the root cause.
Step 3: Determine Probability and Impact
Once you understand the root cause of the risk, the next step is to determine the probability (or likelihood) of the risk happening as well as the level of impact (or severity) in case it does happen. In other words, what will happen if this risk materializes? How will it affect time, cost, quality, business benefits, and resourcing of your project?
The best way to assess the impact and probability of a risk in a collaborative manner is to draw a risk matrix on a whiteboard with Probability along the horizontal axis and Impact along the vertical axis. Along each axis you can either use a numeric scale of 1 to 5, or a rating of High, Medium, and Low. You then look at each of the identified risks in turn and collaboratively place the post-it note on the whiteboard according to how likely it is to happen and how big the impact would be in case it does happen.
Step 4: Capture the risk response
The next step is to focus on the risks with the highest probability and highest impact and determine what the best risk response would be. You simply draw a line from the top left hand corner of your risk matrix towards the bottom right hand corner. Any post ‘it notes to the right of your line are the most severe and the ones you will be devising a strategy for. The ones on the left hand side of the line may not be important enough to even include in the risk register. Use your judgement to draw this line.
With your team you now look at what actions must be taken to lower the probability and lessen the impact of each risk in the top right hand side of your risk matrix. Listen to your team’s suggestions and log the actions in your risk register. The risk register can be a simple Excel file where you describe each risk and capture the risk action, the owner and the date by when the action must be completed.
Sometimes the only thing you can do is to accept a risk and prepare a plan B (i.e., a contingency plan) in case it materialises. An example of such a risk is the implementation of new government legislation that would change the requirements of your project. Although you will not be able to alter the probability of this happening, you will be able to lessen its potential impact by anticipating new legislative features in your project.
Step 5: Assign owner
Next, you need to assign an owner to each risk. The owner should be the person who is best suited to implement the risk response and monitor its progress. It could be anyone from within the team or steering committee as long as they accept responsibility. Many project managers make the mistake of assigning themselves to too many risks. As the project manager you are responsible for facilitating the risk management process, but that doesn’t mean that you should own each individual risk.
The best way to secure ownership for the risks is to collaboratively agree who owns what. Determining risk responsibilities in a workshop is much better than you assigning ownership on your own and hoping that people will accept it.
Step 6: Monitor and communicate risks
The final step is to continually monitor the risks you have identified along with the agreed-upon actions. Schedule regular risk reviews with your team and stakeholders to talk through outstanding actions, remove risks that have passed, and identify new ones. Also, be aware of any changes to the nature of a risk.
Remember to always mention your main risks and mitigating actions in your progress reports and to highlight them during steering committee meetings. Not only will this show your stakeholders that you are being proactive, you might also get valuable feedback that will help you do an even better job of managing and mitigating the risks.
But what about the unknown risks?
The above risk management process is great for risks that you can foresee, but what can you do about unknown risks that your team is not aware of? One of the ways in which we can get around this is to involve people in the risk identification process from outside the project. People who think in unconventional ways and have a different viewpoint may be able to spot the unknowns that we cannot spot ourselves. Some risks however cannot be spotted either by the team or by outsiders as they are inherently unknown. All we can do in those cases is to build contingency and flexibility into the plan so that we can cope with the impact of the unexpected, wherever it comes from.
Risk management is imperative to effective project delivery, as it is much easier to manage risks than waiting until they become issues. One of the cornerstones in managing risks is to be collaborative in your approach by brainstorming potential risks with key team members and stakeholders. It helps you identify and deal with potential threats and creates a shared sense of responsibility. You should also involve people from outside the project to help you spot the unknown risks.
After you have identified your risks with the team, explore the root cause and determine how to best mitigate the risks that have the highest impact and probability. Resist the temptation of assigning yourself to too many risks by jointly determining who the most appropriate owner of each risk is.
Encourage a discussion around the project’s main risks at the monthly steering committee meeting and remember to always communicate an important risk to senior stakeholders in person before they see it in writing.