Editor’s note: This article was originally published on December 6, 2002.

Once my company identified the need for a risk management program and defined the threat and developed the framework, we focused our efforts on implementation.

The implementation of a risk management framework across my company has proven to be a success with a significant increase in the level of awareness associated with risk management concepts, tools, and techniques. Risk management has increasingly gained acceptance within our organization, and we have fully integrated risk management with project management. We haven’t met all of our objectives, but we are making progress. The goals we have achieved include:

  • We have a clearly documented risk glossary. This glossary has streamlined the communication process. It has promoted the use of consistent terminology, which increased the effectiveness of exchanging information about risk across the enterprise.
  • We have a systematic set of risk management processes for identifying, analyzing, developing responses, monitoring, controlling, documenting, and communicating risks. There are numerous tools and techniques available to support these processes. These processes have proven to be flexible enough to cater to a wide range of projects and business scenarios.
  • We have identified and documented many risks that would have been otherwise unforeseen. This proactive approach has enabled us to take actions early in the project life cycle to avoid and mitigate threats before they materialize and become problems. This is evident by the sharp decrease in the number of issues and problems that we are facing on projects. Obviously, we will not be able to prevent problems from occurring, but we can minimize them.
  • We have access to consistent, reliable, and accurate historical data. It allowed us to enhance our products and processes.
  • We have improved the ability of our organization to manage risks across projects rather than make decisions in isolation. A program manager can now assess the risks across several projects rather than deal only with risks on a project basis.

Resistance to change

Any project like this is associated with a change. We need to take special care to accommodate the psychological needs of those going through change. Failure to do so may lead to a negative impact on an otherwise successfully implemented project.

We used the following techniques to manage the change associated with the introduction of the risk management framework:

  • Communication: We communicated the purpose, the intent, and the logistics of the framework often and in various forms.
  • Front line support: To facilitate the transition to the adaptation stage, we offered users support, advice, access to information, tips, training, tools, etc.
  • Management support: Top-level support was very essential. Upper management made it clear that the organization was fully committed to this endeavor. Finally, we had to reward users once we achieved our objectives. The rewards were in the form of a party, letters of achievement, etc.

Lessons learned

Like any project, the risk management framework has successes, failures, and lessons learned. The project showed us that:

  • We underestimated the amount of loyalty that people have to their old tools and work habits. It took us a considerable amount of time to convince several individuals of the benefits of adopting the new tools and techniques.
  • We assumed incorrectly that all business areas were ready to implement the framework. We had to spend a considerable amount of time on preparing some units.
  • We needed to better manage the expectations during the piloting phase. We had to constantly remind people that these pilots were designed to enable us to assess the framework. We learned to state these objectives upfront.
  • We assumed that all members of the steering committee were committed to the project. This assumption was not valid, as we learned when people left the committee and new people came on board, creating a certain amount of confusion and uncertainty.
  • We adopted the wrong strategy by pushing the use of certain tools and techniques to maintain consistency across the organization. Not all risk management tools and techniques would be applicable on a specific project. Users should select the most appropriate tools and techniques from the risk management toolbox.

Continuous improvement

We believe that, to successfully manage risks, we need to continuously improve and maintain the same level of commitment to the risk management framework. This strategy will enable us to further develop the framework as the business environment changes.

Our first challenge was to maintain the same level of commitment. We knew that the real benefits are long-term ones. We intended to maintain a high level of awareness by continuously reminding people about the importance of the risk management framework. A special section in our in-house bulletin was fully dedicated to the framework. Each issue contained a message from a top-level manager about his own positive experiences with the framework.

We are continuously updating the tools and the techniques used in the framework based on feedback from participants and are continuously revisiting these tools and techniques to ensure their effectiveness and applicability.

We are utilizing the problem and issue logs to enhance the framework and produce an assessment of our identifying and planning processes. When a threat materializes, it becomes a problem. This means that either we missed it in the identifying phase, or we did not plan for it effectively in the planning phase.


We can reasonably estimate the amount of time spent by the project team (project manager, technical writers, and consultant). It took us (the project team) 180 man-days from the development of the glossary to the implementation of the first pilot. We spent 100 man-days on piloting exercises. We consumed 120 man-days of consultancy work, including time allocated for knowledge transfer.


By being proactive rather than reactive in managing risks, we are able to deal with threats before they become problems. We are able to pursue opportunities as early as possible. This enables us to be flexible and effective in an environment characterized by continuous change and intense competition.

Get weekly PM tips in your inbox
TechRepublic’s IT Project Management newsletter, delivered on Wednesday, offers tips to help keep project managers and their teams on track. Automatically sign up today!