Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests of meeting project objectives. A frequently overlooked aspect of project management, risk management can often result in significant improvements in the ultimate success of projects. Risk management can have a positive impact on selecting projects, determining their scope, and developing realistic schedules and cost estimates. It helps project stakeholders understand the nature of the project, involves team members in defining strengths and weaknesses, and helps to integrate the other project management knowledge areas.
Good project risk management often goes unnoticed, unlike crisis management, which indicates an obvious danger to the success of a project. The crisis, in turn, receives the intense interest of the entire project team. Resolving a crisis has much greater visibility, often accompanied by rewards from management, than successful risk management. In contrast, when risk management is effective, it results in fewer problems, and for the few problems that exist, it results in more expeditious resolutions. It may be difficult for outside observers to tell whether risk management or luck was responsible for the smooth development of a new system, but project teams always know that their projects worked out better because of good risk management. Managing project risks takes dedicated, talented professionals. In response to this need, PMI introduced the PMI Risk Management Professional (PMI-RMP)℠ credential in 2008. (Consult PMI’s website for further information.)
All industries, especially the software development industry, tend to underestimate the importance of project risk management. William Ibbs and Young H. Kwak studied project management maturity in 38 organizations in different industries. The organizations were divided into four industry groups: engineering and construction, telecommunications, information systems/software development, and high-tech manufacturing. Survey participants answered 148 multiple-choice questions to assess how mature their organization was in the project management knowledge areas of scope, time, cost, quality, human resources, communications, risk, and procurement. The rating scale ranged from 1 to 5, with 5 being the highest maturity rating. Table 11-1 shows the results of the survey. Notice that risk management was the only knowledge area for which all ratings were less than 3. This study showed that all organizations should put more effort into project risk management, especially companies in the information systems and software development industry, which had the lowest rating of 2.75.
Table 11-1 Project management maturity by industry group and knowledge area
Source: Ibbs and Kwak
A similar survey was completed with software development companies in Mauritius, South Africa. The average maturity rating was only 2.29 for all knowledge areas on a scale of 1 to 5, with 5 being the highest maturity rating. The lowest average maturity rating, 1.84, was also in the area of project risk management, like the study by Ibbs and Kwak. Cost management had the highest maturity rating of 2.5, and the survey authors noted that organizations in the study were often concerned with cost overruns and had metrics in place to help control costs. The authors also found that maturity rating was closely linked to the success rate of projects, and that the poor rating for risk management was a likely cause of project problems and failures.
KLCI Research Group surveyed 260 software organizations worldwide to study software risk management practices. The following points summarize some of their findings:
Ninety-seven percent of the participants said they had procedures in place to identify and assess risk.
Eighty percent identified anticipating and avoiding problems as the primary benefit of risk management.
Seventy percent of the organizations had defined software development processes.
Sixty-four percent had a Project Management Office.
Figure 11-1 shows the main benefits from software risk management practices cited by survey respondents. In addition to anticipating and avoiding problems, risk management practices helped software project managers prevent surprises, improve negotiations, meet customer commitments, and reduce schedule slips and cost overruns.
Figure 11-1 Benefits from software risk management practices
Source: Kulik and Weber, KLCI Research Group
Although many organizations know that they do not do a good job of managing project risk, little progress seems to have been made over the past decade in improving risk management on a project level or an enterprise level. Several books and articles have been written on the topic. For example, shortly after the fall 2008 stock market crash, Dr. David Hillson, PMP®, wrote about the importance of project risk management. Hillson said:
There is no doubt that all sectors of industry and society are facing real challenges in coping with the current fallout from the credit crunch. But risk management should not be regarded as a nonessential cost to be cut in these difficult times. Instead, organisations should use the insights offered by the risk process to ensure that they can handle the inevitable uncertainties and emerge in the best possible position in [the] future. With high levels of volatility surrounding us on all sides, risk management is more needed now than ever, and cutting it would be a false economy. Rather than treating risk management as part of the problem, we should see it as a major part of the solution.
Hillson continues to write articles and books, give presentations, and provide videos on his website at www.risk-doctor.com.
Many people around the world suffered losses as various financial markets dropped in the fall of 2008, even after the $700 billion economic stabilization act was passed by the U.S. Congress. According to a survey of 316 global financial services executives conducted in July 2008, over 70 percent of respondents believed that the losses during the financial crisis were largely due to failures to address risk management issues. The executives identified several challenges in implementing risk management, including data and company culture issues. For example, access to relevant, timely, and consistent data continues to be a major obstacle in many organizations. Many respondents also said that fostering a culture of risk management was a major challenge.
Executives and lawmakers finally started paying attention to risk management. Fifty-nine percent of survey respondents said the financial crisis prompted them to scrutinize their risk management practices in greater detail, and many institutions are revisiting their risk management practices. The Financial Stability Forum (FSF) and the Institute for International Finance (IIF) called for closer scrutiny of the risk management process.
Risk continues to be an important issue in the financial industry, and organizations are taking a more proactive approach by investing in IT such as cloud computing, big data, and analytics to help them identify and mitigate risk. “Worldwide, the capital markets, banking and insurance sectors will spend roughly $78.6 billion on risk information technologies and services (RITS) in 2015, according to a new study. What’s more, that figure is expected to grow to $96.3 billion by 2018.”
Before you can improve project risk management, you must understand what risk is. A basic dictionary definition states that risk is “the possibility of loss or injury.” This definition highlights the negativity often associated with risk and points out that uncertainty is involved. Project risk management involves understanding potential problems that might occur on the project and how they might impede project success. The PMBOK® Guide – Sixth Edition refers to this type of risk as a negative risk or threat. However, there are also positive risks or opportunities, which can result in good outcomes for a project. A general definition of a project risk, therefore, is an uncertainty that can have a negative or positive effect on meeting project objectives.
Managing negative risks involves a number of possible actions that project managers can take to avoid, lessen, change, or accept the potential effects of risks on their projects. Positive risk management is like investing in opportunities. It is important to note that risk management is an investment—costs are associated with it. The investment that an organization is willing to make in risk management activities depends on the nature of the project, the experience of the project team, and the constraints imposed on both. In any case, the cost for risk management should not exceed the potential benefits.
If there is so much risk in IT projects, why do organizations pursue them? Many companies are in business today because they took risks that created great opportunities. Organizations survive over the long term when they pursue opportunities. IT is often a key part of a business’s strategy; without it, many businesses might not survive. Given that all projects involve uncertainties that can have negative or positive outcomes, the question is how to decide which projects to pursue and how to identify and manage project risk throughout a project’s life cycle.
Some organizations make the mistake of addressing only tactical and negative risks when performing project risk management. David Hillson (www.risk-doctor.com) suggests overcoming this problem by widening the scope of risk management to encompass both strategic risks and upside opportunities, which he refers to as integrated risk management. Benefits of this approach include:
Bridging the strategy and tactics gap to ensure that project delivery is tied to organizational needs and vision
Focusing projects on the benefits they exist to support, rather than producing a set of deliverables
Managing opportunities proactively as an integral part of business processes at both strategic and tactical levels
Providing useful information to decision makers at all levels when the environment is uncertain
Allowing an appropriate level of risk to be taken intelligently with full awareness of the degree of uncertainty and its potential effects on objectives
In a 2014 paper, Hillson also described the importance of good working relationships as a best practice in managing project risk. “. . . management of overall project risk becomes a shared duty of both project sponsor and project manager, acting in partnership to ensure that the project has the optimal chance of achieving its objectives within the allowable risk threshold. Successful management of risk at this whole-project level therefore depends largely on the effectiveness of the working relationship between these two key players.”
Several risk experts suggest that organizations and individuals should strive to find a balance between risks and opportunities in all aspects of projects and their personal lives. The idea of striving for balance suggests that different organizations and people have different attitudes toward risk. Some organizations or people have a neutral tolerance for risk, some have an aversion to risk, and others are risk-seeking. These three preferences are part of the utility theory of risk.
Risk utility is the amount of satisfaction or pleasure received from a potential payoff. Figure 11-2 shows the basic difference between risk-averse, risk-neutral, and risk-seeking preferences. The y-axis represents utility, or the amount of pleasure received from taking a risk. The x-axis shows the amount of potential payoff or dollar value of the opportunity at stake. Utility rises at a decreasing rate for a risk-averse person or organization. In other words, when more payoff or money is at stake, a person or organization that is risk-averse gains less satisfaction from the risk, or has lower tolerance for the risk. Those who are risk-seeking have a higher tolerance for risk, and their satisfaction increases when more payoff is at stake. A risk-seeking person or organization prefers outcomes that are more uncertain and is often willing to pay a penalty to take risks. A risk-neutral person or organization achieves a balance between risk and payoff. For example, a risk-averse organization might not purchase hardware from a vendor who has not been in business for a specified period of time. A risk-seeking organization might deliberately choose start-up vendors for hardware purchases to gain new products with unusual features that provide an advantage. A risk-neutral organization might perform a series of analyses to evaluate possible purchase decisions. This type of organization evaluates decisions using a number of factors—risk is just one of them.
Figure 11-2 Risk utility function and risk preference
Advice for Young Professionals
Young project professionals are sometimes more willing to take risks with unique or untested approaches than their more experienced counterparts. Project teams with less experience often believe that they can accomplish more than they are realistically able to do within a certain time period, or they might convince each other that apparent risks are not as much of a concern as they really should be. They may also fail to take into account some details of costs or quality that a more experienced person might include because they have not seen how such factors can be affected by unlikely events that actually happen. Years of experience in managing projects tend to build a sense of awareness or second nature about risk. So, take the time to find out what other, more experienced people might feel about the circumstances of a project before making up your mind about potential risks. Then, taking other views into account, you can determine how best to plan for the impacts that might occur while balancing the rewards of a potential payoff from a unique or untested approach.
The goal of project risk management can be viewed as minimizing potential negative risks while maximizing potential positive risks. The term known risks is sometimes used to describe risks that the project team has identified and analyzed. Known risks can be managed proactively. However, unknown risks, or risks that have not been identified and analyzed, cannot be managed.
As you can imagine, good project managers know it is good practice to take the time to identify and manage project risks. Six major processes are involved in risk management:
Planning risk management involves deciding how to approach and plan risk management activities for the project. The main output of this process is a risk management plan.
Identifying risks involves determining which risks are likely to affect a project and documenting the characteristics of each. The main outputs of this process are a risk register, risk report, and project documents updates.
Performing qualitative risk analysis involves prioritizing risks based on their probability of occurrence and impact. After identifying risks, project teams can use various tools and techniques to rank risks and update information in the risk register. The main outputs are project documents updates.
Performing quantitative risk analysis involves numerically estimating the effects of risks on project objectives. The main outputs of this process are project documents updates.
Planning risk responses involves taking steps to enhance opportunities and reduce threats to meeting project objectives. Using outputs from the preceding risk management processes, project teams can develop risk response strategies that often result in change requests, updates to the project management plan and project documents.
Implementing risk responses, just as it sounds, involves implementing the risk response plans. Outputs include change requests and project documents updates.
Monitoring risk involves monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project. The main outputs of this process include work performance information, change requests, and updates to the project management plan, project documents, and organizational process assets.
Figure 11-3 summarizes the inputs, tools and techniques, and outputs of project risk management.
Figure 11-3 Project risk management overview
Source: PMBOK® Guide – Sixth Edition. Project Management Institute, Inc. (2017). Copyright and all rights reserved. Material from this publication has been reproduced with permission of PMI.
The first step in project risk management is determining how to address this knowledge area for a particular project by performing risk management planning.