Risk is something that might happen, and an issue is something that definitely will happen or already has happened.
Projects, Programmes and Portfolio’s always carry risks, and deciding not to carry out some form of risk management will result in some of these risks turning into issues needing to be resolved, and some of these issues will eventually escalate into a change to the project impacting costs or benefits.
Risk Management is an essential and integral part of any Project, Programme or Portfolio as a way of keeping costs down, benefits high, and greater certainty in success of delivery.
A standard approach to risks could be:
- Identification of Risk
- Assessment Risk
- Decide how to deal with the Risk
- Manage the Risk
- Review the Risk
- Close the Risk
Identification of the Risk
Identifying risks can be carried out in numerous ways, and it is best to keep to a varied approach rather than a single way. Some of the ways to identify risks can be via:
- Past projects – get the used risk log from similar projects, review the costs and plans
- Benefits Review of other Projects and Programmes
- Workshop – with key people to brainstorm what events could happen
- Lessons Learned document – some past projects have a lessons learned
- Internet Research – it’s amazing what a google search throws up
- Project Plan – ask people what the percentage certainty of hitting a certain milestone is? (if they say 100% would they bet their home on that!!) If they answer anything less than 100%, then what is making them think this way?
Write all these down on a Risk and Issues Log (RAID).
The identification of risks should be carried out during the whole lifecycle of the project and programme (not just a once and done exercise), especially at the start of planning for a particular phase of the project or programme.
Assessment of the Risk
Projects and Programmes
Not all risks are the same in terms of impact and probability of happening. The assessment of a risk is carried out once the risk has been identified, but the risk should also be periodically reviewed because the risk could become more or less of a problem as the project or programme proceeds.
Most organisations assess risks based on the impact if it happens (usually a low, medium or high impact), and also a probability assessment on the same criteria (low, medium and high).
Other methods can also include proximity of the risk occurring (when / how soon?).
Within Portfolio Management, risks can also be evaluated on the breadth of impact to the organisation.
A common way of displaying the standard assessment (Impact and Probability) is via the High, Medium and Low placed on X & Y axis into a 9 box matrix; some organisations have now started with a 5 x 5 matrix by adding very high and very low.
Any risk seen as High Probability and High Impact is a top priority, hence falling into the Red areas on the 9 box matrix.
Portfolio Risk Management (Assessment)
The 9 box matrix (sometimes a 25 box) has one main issue if used in a Portfolio Management structure. If you look back to the 9 box matrix above, risk No’ 2 is the highest priority, and risk No’ 1 is the lowest.
This could be true within a project or programme, however, if all of these risks are collected from the various projects into one overall portfolio risk log or RAID, the initial focus would be on all of the High Impact / High Probability risks.
But in Portfolio Management, it is the risk exposure to the Portfolio which should be concentrated on, not just another level of hierarchy to report too.
Using the diagram above, Risk No’ 2 could apply to just one particular project, yet risk No’ 1 might impact the whole Portfolio of projects, or the whole organisation. Using the 9 box matrix would not flush up such small risks within a project, whereby the impact to the portfolio is great.
By implementing Governance level (or Organisational Impact) as an addition to Project Impact and Probability, using the table below this practice ensures anything medium, which hits the Portfolio, would be escalated as Red (the parameters can be changed for each organisation); this model can still be used in conjunction with the 9 box matrix (see RAID under templates). The challenge for Portfolio Risk scoring is that high project risks does not always equal a large Portfolio risk; the saying I’ve heard before is ‘no single rain drop was to ever be blamed for the flood’. So if a Portfolio has many projects, and Project Managers just focus on their risks, there is a ‘risk’ that the Portfolio just gets an aggregated ‘high’ project risks.
The Portfolio can implement the governance / escalation / organisational impact level into project risk scoring to help keep in the mind of Project Managers, that they may have lower priority project risks which may have a greater impact on the Portfolio (some of these can be resource specific risk, or repetitional damage etc).
A word of caution for all Portfolio Managers, this approach of aggregating project risks in to a Portfolio Risk log does not solve the identifying of Portfolio risks. There should still be the activity for the Portfolio Maanger to work alongside the Exec and Senior Leadership of an organisation to look at both delivery risks, strategic risks and operational risks together; spend time out to understand what bad things might happen, and how can we stop them happening.
Decide how to deal with the Risk
There are 4 R’s to dealing with risks in Projects and Programmes
Reduce, Review, Remove, Re-assign
Reduce – reducing the probability or impact of the Risk by placing an owner of the risk and an action for them to carry out.
Review – do nothing at the moment, and keep reviewing the risk to see if it gets any worse
Remove – remove the risk all together by either putting an action in place (with an owner and date to be completed by), or insuring against the risk happening
Re-assign – it becomes an issue, or it is handed over to another project or department to deal with. It then becomes their concern.
Once the risk has been identified and assessed, the action usually follows one of the above 4 R’s. Because risks are continuously reviewed, the decision on how to handle the risk can change as it is re-assessed.
Manage and Review the Risk
This is the point whereby regular updates and periodically reviewing the risk should be carried out. Using a document like a RAID (Risks and Issues Document), can help everyone keep track of the risk and if it is reducing in priority, or has become an Issue to be managed.
Some risks may never close, and some might actually happen and therefore become a risk, but, risk management is there to ensure greater success of your project or programme.
For a simple process, click on the process map picture below.