
The problem with project risk management

Michelle Symonds argues that risk management fails to effectively address the real project risks: the unknown unknowns.

Risk management in projects involves identifying, quantifying, and managing risks. All projects have some measure of risk. Projects using new technology face the prospect of that technology failing to deliver on expectations; highly complex projects deal with the problem of being able to accurately estimate time and costs; and even the smallest and simplest projects have some element of risk.

It is impossible to remove all risks, so we try to identify and manage them to prevent project failure. A risk plan is the only way to obtain project approval, as it presents the risks as well-defined and, therefore, controllable.

But what about the unknown risks that take you by surprise and knock a project completely off-track? Risk management is considered a major part of the project management process, but can it help with such events? And if it can't, why do we expend time and energy trying to predict and control the unpredictable?

It is convincing to argue that having a risk plan enables a project manager to factor in contingencies (financial and otherwise) that help outline what might happen during the course of the project and to be prepared if those events do occur. But it could also be argued that, if the risks are known and can be anticipated, then the likelihood of them occurring is high, so why not simply include additional tasks within the project schedule to deal with them? For example, you should allocate time to review specifications part-way through the project to avoid the problem of incomplete or inaccurate specifications; or, you should allocate time to improve client communications at regular intervals.

Many risk management plans are little more than a standard template that lists the same risk factors for every project: undocumented assumptions, failure to estimate tasks accurately, key team members reassigned, etc. Surely by now we all know that these uncertainties exist in every project.

If we know about potential risks, why are we even calling them risks -- aren't they simply the inherent uncertainties present in doing anything new? Indeed, Stephen Ward and Chris Chapman argue against using the term "risk" in their paper "Transforming project risk management into project uncertainty management."

So do risk planning and management serve any practical purpose, or are they simply designed to provide a get-out when problems start to occur, or an explanation of why the budget is over-running? Has the project been approved on minimal costs just to get it through the approval process even though there are "risks" attached to it that are certain to occur? Or is it not about cost at all? Are the risks of failure so high that there would be no appetite for that level of risk-taking if it were fully exposed, but there are senior executives still driving the project forward? Real-life projects are influenced by so many conflicting factors that it is sometimes difficult to see why a certain project was ever approved.

There is an upside to taking risks: it is often the only way to achieve something truly groundbreaking (many would argue it is the only way), and it can often present great new opportunities. So we use risk planning and management to persuade ourselves that we can understand and control the risks, even when we know the real risks are those that we are not prepared for: the unknown unknowns.

Another problem with risk management is that many potential risks are predicted by past events, yet any stockbroker will tell you that you cannot predict future financial markets by looking at historic trends. The best that we are doing is guessing -- until a risk event actually occurs, we cannot say with any certainty that it will happen. Sure, we perform analysis, look at past trends, add some contingency in time, cost, and human resources, but at what point does all this effort start to outweigh the benefits?

If risk management could prevent projects from failing or being adversely affected by external circumstances, all projects would be successful, and, clearly, they aren't. So should we bother expending time and effort planning for predictable risks that are a natural part of most projects? Would it be more effective to simply deal with the problems when they occur? At least that way the problems are tangible, so the solutions will be easier to devise; and if we accept that problems occur in projects, then we shouldn't be taken by surprise when the inevitable happens, whether that is a new technology not living up to its promises, incorrect assumptions, changed priorities, or any other factor that can negatively affect a project's outcome.

And if we know that risks are certain to materialise (even if we do not know what they are), we can accept problems or uncertainties as part and parcel of every project and deal with them in a measured way instead of overreacting and assuming the project is doomed to failure just because it has hit a bump in the road.

Risk management may seem like a sensible process, and maybe it is useful for a novice project manager, but it fails to effectively address the real project risks -- those factors that cannot be anticipated. Yet we continue to see risk management as a necessity and one of the building blocks of good project management. Who among us is courageous enough to embark on a project with no risk management in place, simply some contingency for unspecified tasks? That is perhaps the hard bit to sell to senior management.

Share your feedback

I would like to hear your opinions on why you use risk management as part of the project management process, and whether you think it adds real benefit, or if you have used a better approach. 

About

Michelle Symonds has many years of experience in IT and IT Project Management in the oil industry and investment banking, working on complex global projects and managing overseas project teams. She is now a freelance consultant working with a Project...

33 comments
b k mahapatro

contd... from previous comments

C) Risk Not Perceived and unknown (unknown-unknown): since it is unknown, it cannot be assessed and a Mitigation plan cannot be put in place in advance. But many things do happen: social/political/economical etc., which can become a bottleneck for the project.

Dilemma: To provide for it or not? How much? What action plan? And how far can the Project Viability be stretched?

Resolution: "Alertness" of Project Management appears to be the only solution. The project team must remain alert and initiate control action at the first indication of a signal of Disturbance (noise). It is here that the adherence to the principles of "project management", i.e. "Plan - Implement - Review/Audit - Report and Regulate", comes into play. PM/PERT networks, S curves, Multi layers of Review and Exception reporting are to be extensively used to "Identify, Assess, and Initiate" corrective action to steer the boat on Course. We have experienced this in depth and the above is out of mere experience. Trust it adds value to the topic under discussion. (Can give more on request; mail me at bkmahapatro@gmail.com)

b k mahapatro

Good topic, Michelle. As a PM professional I recommend Risk Assessment is essential and is to be done continually, not merely one time. But it is seldom done with due diligence. I will add another dimension to your thought: the "Dilemma" factor in Risk Mitigation. There are three varieties in Perception of Risk: A) Risk perceived as mostly occurring: Account and Provide for. B) Risk perceived as Rarely occurring (partly unknown): provide partly as contingencies (..contd)

frankcox

Good article, Michelle. Certainly risk management is necessary in projects; unfortunately, however, the area gets too little attention too infrequently. My initial purpose in the area is to distill the six standard risk management processes to develop a sense of what can be done to integrate advance, proactive risk remedies into planning, including into the project schedule, to minimize genuine risks that jeopardize the project or elements of it. To this end I use Excel (but of course not only this software) as a risk capture / characterize / quantify and prioritize / monitor / and management decision support tool. My point is that in the process risk triggers also get determined and assigned to appropriate monitors, along with one or more plausible remedies for each identified risk. This is key because it enables me to then analyze the worksheet results to ALSO identify risk management activities and tasks that may be logically sequenced into the schedule and other elements of the project plan. Will this help with the so called unknown unknowns? No, perhaps, but it does enable a hands-on method for managing identifiable risks, which by the way need to be revisited and updated as a normal part of progressive elaboration in planning in order to keep the risk register and overall plan current. Again, great article on an important topic.

CAU_Pegasus

A project risk template is a great starting point but a thoroughly lousy place to declare victory. Standard project risks or categories make sense but you have to spend the effort to "instantiate" the risk position for a specific project. As pointed out in other comments, there are known risks that are best addressed by contingency processes and tasks (or at least periodic "how goes it" reviews) as well as the unknown unknowns that are the province of management reserve.

Risk number 1 in my template is: "Inadequate or perfunctory risk management plan that poorly identifies and assesses risks, consequences, and mitigations."

mwarton

It is true that not every risk can be identified up front.  This is why we have two different types of reserve in a project, contingency reserve for things that can be identified and planned for, and management reserve for those unknown unknowns.

A simple risk management plan doesn't have to take long and if applied intelligently can potentially save a lot of time and cost on the project. I think that for any but the smallest projects risk management is a good idea.

adla.jan

Well, some risks are general and you can copy them from one project to another, but some of them are not. They are unique to each project. Also, the maturity of your team – its knowledge and understanding of the general risks (repeated on each project) – is not usually the same. For both reasons – the existence of unique risks and the differing level of your team's maturity – it is very important to step out of your daily execution and address the risks, so that each team member has a chance to know them, and – as a project manager – draw up a plan for how to mitigate them. Yes, and finally bring peace to the sponsors’ minds that you have control over the project :-).

payson

The language of your article suggests you doubt the efficacy of risk management, but I suggest what is ineffective is BAD risk management.  When it becomes a box checking exercise, when risks are not actionable, when it is done once and forgotten, it IS largely a waste of time - but that isn't effective risk management.  

Effective risk management is valuable.

During planning (or re-planning) it should guide the approach to minimize the likelihood of risks occurring, reduce the impact of risks if they do occur, and/or establish early warning mechanisms for risks that can be anticipated.

During execution, it helps teams anticipate and watch for early warning signs that risks are imminent and react according to a well thought out strategy rather than react in the moment. Fire drills may be a boring way to spend 15 minutes per year... but if they mean you know how to get people in wheelchairs down from the 15th floor without supervision or hesitation then they are a good investment.

Your point that we cannot anticipate all risks is important, but that is part of the message that an effective project manager should deliver on a regular basis to the project's sponsors as part of status.

Risk management helps people learn from the mistakes of others.  It helps educate sponsors and teams.  It helps people recognize one of your points that I agree with: All projects have some measure of risk.

MarkCichonski

Risk management will always be a topic and a challenge in regard to projects.  It is of course impossible to predict everything.  However, a good risk management analysis uses a variety of sources to identify risks.  Those risks then have to be put through a variety of filters to make them meaningful to the business.  One way I look at this, is that in addition to providing whatever it is that the project delivers, the mitigation or solution to the critical risks identified ends up improving the business as well.  Then risk and project management are seen as a value add vs. just going through the motions.  If you can add value through your project management processes, the management team will look for more engagement from the PM team.  See my blog article at: http://executionengines.com/gettingitdone/2013/08/01/its-like-gambling-somehow/ for more.

dpickles53

Including a Risk Management plan for the likely risks or usual suspects is helpful - especially when they lay out things that management can control (resource allocation for example). Then they know that if they don't play by the "rules", they will have an impact on the project. But I've long ago given up trying to cover as many bases as possible in a risk plan. Based on the complexity of the project, I build in some contingency and then I document a process for how project impacts that arise will be dealt with. That way we all know that when the unexpected happens, we have a way to work through it and identify the appropriate response.

RMSx32767

One must plan but be able to modify the plan and adapt to the reality of "battle" after the first shot is fired. The objective can be met even if the tactics/strategy need to be modified.

dittouk

Thanks for all the comments - the general tone seems to be that some Risk Management is better than none but often it is not adequate for its intended purpose, can become a tick box exercise and take up too much of a PM's time.

cpritchard - I love your "doctor" analogy: 

Doctors tell many patients, "Your blood pressure is high, increasing the probability of a fatal heart attack."  Since we know that's part of their mantra, should they drop the admonition?  I think not.  

I agree - but maybe just as a doctor could better help their patients by offering practical solutions for reducing blood pressure instead of just an admonition, so a PM could make their risk management processes more effective.  

herselman

If Risk Management is not well done then the argument to not bother doing it is true. The problem is actually that Risk Management is not well done. Risk identification and analysis (likelihood and consequence) are only part of the story. The important part is the Evaluation - what is my risk appetite or what is tolerable. If likelihood and/or consequence are high enough then the risk will not be tolerable and I will take steps to improve it. However, if the risk is deemed as tolerable then I won't take any further action. The other point is that Risk Plans make sure that ALL actions to deal with risk are documented, part of the work of the project and understood by all stakeholders.

DavidHarrisLH

My experience with Risk Management is that the risks that actually occur are quite often not the ones considered in the RM plan. However, being risk aware (not risk averse), having an active Risk Management Plan with documented responses for the risks that had been considered usually makes it possible to take some action when one of these unknown unknowns occurs. 

What I believe is essential is to get the management of risks into perspective: be constantly aware of things that might go wrong but don't get obsessive about it. So often Risk Management is seen as a bureaucratic exercise to get a tick in the box. In the UK many people and organisations talk about "Risk Assessment" which is only part of the exercise. I've even been told by a student organising an X Factor event in school "don't worry about the Risk Assessment, the office is doing this" - in other words the organisers weren't considering risks! I pointed out the risk in this approach!

I've started running simple workshops for volunteer organisations to get them to adopt simple management techniques including Risk Management - see www.dmharris.com

DBRem

Michelle; your article raises many good points and identifies the inability or ineffectiveness of traditional Risk Management in identifying the unknown risks. But with regards to the known risks, whether "canned" or not, what you've described is only a component of Risk Management, which is the identification and assessment.

To your point, once there is an understanding of the significant Risks, their relative likelihood of occurring and their potential impacts to cost or scope or schedule (among other items), the next step is to plan and execute risk mitigation - what are the things that need to be done to reduce the likelihood or impact of the risk. It's this last step that is often ignored, which is where the value of Risk Management is obtained.


I'd agree that "risk management" as it's commonly practiced is largely a waste of effort, other than to prepare excuses for the inevitable issues that will arise.

UltimateConsumer

To those who say it’s better to have a plan vs. no plan, and that it’s better to have risk management than not, who can’t agree? Of course, a literacy vs. illiteracy frame offers little room for debate on just what the risk management processes and content are, which is the point of the article.

The problem with project risk management is that it adds its own risks:

-The illusion that risks are quantified and mitigated.

-An implicit de-emphasis on learning throughout the project, as replaced by risk management.

-The diffusion of responsibility from the PM and upper management.

-The replacement of issue escalation / resolution with risk management, especially from an upper management bandwidth and accountability perspectives.

Templated risk management, often done by a content-free PM as a check-the-box activity and passed off as something more, will never replace true shareholder discussion and deep understanding, regardless of how many 3 or 4 character accreditations appear after their author.  Upper management should not be looking at the risk management plan, but should firstly be questioning the biggest risk: the PM, about their project plan, the approach, what they've learned, and what they need.  Far too often "risk management" ends up being a discussion about the wrong things (wasting upper management's and everyone's time), giving the illusion that the major risks are quantified and mitigated.  Unfortunately, project results don't support this. 

D2KK

Our company recently started using risk management on larger, more complex projects. The biggest benefit I've seen is that reviewing it weekly or monthly gives visibility to all stakeholders of the risks and their proximity. Previously only the people most intimate with the project knew about them until they turned into issues and it was too late to recover gracefully.

cpritchard

The only heartburn I have here is that the article assumes that project teams are doing a half-hearted effort at the risk management process, ergo, we should abandon it altogether.  I don't believe that's the case for many of my clients and in many organizations.  The "same risks" that are identified over and over have a different impact on each project.  The sample risk statements identified here are incomplete...including only the event.  For many organizations the simplest, fastest way to improve their risk process is just to start stating risks as full sentences including both cause and effect.  And just because organizations fail to heed risk admonitions doesn't make the admonitions any less valuable.  Doctors tell many patients, "Your blood pressure is high, increasing the probability of a fatal heart attack."  Since we know that's part of their mantra, should they drop the admonition?  I think not. 

parallelproject

Alex, I like your mention of "real risk". This is a term used by one of my clients to describe exactly the unknown-unknown risks that might crop up during the project. These are often hidden from the view of the project manager and the team. The first part of any risk review is to open up the Johari window so that we can see the project from the perspective of other stakeholders. Often this needs research and exploring the project from different perspectives and, as you say, the support of all the key stakeholders. Too often it is just a matter of getting the risk review done so that we can move on to the next task.

joecamaro

I have to agree with the author that if you identify risks, you should consider those risks in your plan. I used to be one of those PMs that produced detailed project plans that spelled out everything to the Nth degree. I spent more time updating those plans as the project went on than managing the project. Now I'm managing an Agile software development project that has more risks than you can shake a stick at. Sure, we fill out the top risks forms, but, for us, the top risk is stakeholder involvement and buy-in. Everything revolves around that.

alex

I like this thread. The issue with risk management is that often the risk being managed is project risk. The real risk is the risk of the project on the organisation, its people and customers. Risk is too often thought of as the risk of not meeting the original specification, financial constraints and timescales. Real risk management in defense, health care and banking is far more complex. Projects need to manage risk with full buy in by all participating stakeholders.

nargundkarshekhar

To say that Risk Plan is only a way to obtain project approval, means that you do it only once and forget about it. Risk planning, like all other project planning processes is a continuous affair. So the risks which were not apparent at the time of project approval would become clearer now. It is also not correct to say that just because you can identify a risk, the probability of its occurring is high. In a continuous risk planning process, the probability value may increase or decrease at a later stage and so also the risk impact value. The picture is dynamic and hence has to be updated regularly. It is project manager's job to scan environment both for opportunities and risks.

And to argue that unknown risks do occur in spite of risk planning and therefore risk planning should not be done, is like abandoning entire project planning because projects do deviate from plans. Any such events of unanticipated risks materialising should make the project manager think as to why he/she could not read the risk warning signals in time and should be better educated for the next projects. This is how a project manager's skills and competence increase with every project.

Alan Townsend

Good comments one and all. I like that PM is risk management - yes. In the IT field we seldom have Disasters but Disaster Recovery Planning makes any disaster much easier to face and overcome - as Adam stated  - anybody with a plan is better off than anybody without one. 

Adam Shrug

The building of a risk assessment often starts by looking at previous risk assessments and using many of the same risks.  But just because they are copied does not mean they are not legitimate and it is the exercise of risk assessment as a part of a larger planning process (risk in conjunction with communications, change management, schedule and cost control) that is beneficial.  Simply put, anybody with a plan (including a risk management plan) is better off than anybody without one.  

The PMP version of risk management is pure feel good.  Any project manager using the PMP version of risk management just hasn't matured.  The public (the PMP 'canned' risks) is one list, and there then is the Project Manager's risk assessment (that includes the risks imposed by management/sponsors/customers/team members and the thought processes associated with the mitigation of those issues).  

Of course it's the 'unknown/unknown' risks that impact the project by surprise.  Duh.  The more risk assessment you do in your project, the more exploration of potential mitigation strategies you've undertaken and the more prepared you are for any type of risk/issue materialization.  

Project management is risk management.  What do you think created the evolution of the project manager in the first place?   Project managers themselves are a risk mitigation.   

Anybody that thinks doing continuous risk assessment is for a novice project manager is either deluded or self-aggrandized.  

robinfgoldsmith

Thanks for being another voice in the wind articulating important points that I’ve been emphasizing to my consulting clients and seminar students for years. Risk has to involve uncertainty. I contend that much of what shows up on the standard project risk templates is ineffective management which is certain to happen, and thus not a risk, but unfortunately seldom is addressed as ‘risk’ or otherwise. That does not mean that risk management is a total waste of time (although often much of it is perfunctory paper shuffling), because it often can identify and hopefully address other causes of project risk.

Typical project risk is only part of the story. Testing also deals with risks, but a different type—risks that the project’s products will not provide necessary value. Thus, testing involves identifying potential product risks and determining appropriate testing techniques to detect said risks that occur and give confidence that said risks are not present. My Proactive Testing™ methodology uses a number of special techniques that identify many ordinarily-overlooked (unknown unknowns) large, medium, and small product risks.

mark1408

Oh I like this. What you say is common sense and a breath of fresh air. Having said that, I'm sure I'll continue adding a "risk assessment" section to my project definitions, but perhaps with a few added phrases based on your article.

In general I value IT risk management and believe it really can help protect an organisation. (I've written about it - see http://www.techrepublic.com/blog/smb-technologist/smb-it-risk-management-in-action/.) But you're absolutely right that we're fooling ourselves to think we can plan for everything.

angel_

Interesting post Michelle! 

When we analyze a company's risks with them, we always try to explain to them that "zero risk is just a tale" and that after defining different controls for a risk, you can reduce its impact or probability, but it is difficult to think that you eliminate it. Risk Management helps you to have a better strategic vision of your company but doesn't work miracles.
