12 Project Risk Management Strategies You Can Only Learn From Experience
Mitigating risk in real projects often results in some innovative solutions, tricks, and workarounds that you won’t read in any textbook. This list is by no means comprehensive, but here is a list of twelve project risk management strategies I’ve learned over the years.
1. To start, know what risk management looks like
Take a step back. I know you know what risk management looks like. But if team members and other stakeholders don’t know what effective project risk management looks like, how can they be expected to improve? If there is no coaching to help teams improve their capabilities, improvements in risk management will rarely happen organically.
Competent risk management requires exceptional interpersonal skills in addition to some basic technical skills, so hands-on practice with feedback from seasoned practitioners is needed to improve.
2. Use the “avoid” option
There are multiple strategies to respond to identified negative risks including avoidance, transferral, acceptance, escalation, and mitigation. You’d assume that risk owners would select the best risk control response for each risk, but most of the risk registers I’ve ever reviewed usually reflect only two responses: accept and mitigate risk. It’s very common to see risk mitigation strategies in project management, but far less common to see risk avoidance being employed as a strategic option.
Here’s a risk avoidance example: if a highway is to be built spanning multiple cities in a developing country, yet I know that the region between two of the cities is plagued by insurgent activity, I might propose that the project’s scope be reduced to skip connecting those two cities until order is restored to avoid incurring any labour-related safety concerns. It is also possible to avoid a risk by changing your approach to delivering scope—in this highway construction example, while the straight path between two cities might be the shortest, if that would result in the destruction or disturbance of some ancient ruins, significant stakeholder risks could be avoided by taking a longer route.
3. And don’t forget the “transfer” option, either.
How do you transfer risk? Well, with a transfer strategy, the objective is to shift the risk to a third-party. While the common method of doing this is to purchase insurance, outsourcing a subset of your project’s scope to a subcontractor who assumes full risk of quality or schedule issues is also an option. One of the key benefits of risk transfer strategy is that it can completely eliminate specific risks which is an ideal outcome in those cases where risk severity is extreme. Important caveat: I know that I say to look at risk avoidance and transfer response strategies. However, keep in mind that the efficacy of these tends to diminish over the lifetime of a project. During initiation and planning, they can be quite effective, but once scope and approach are nailed down, it can be a much costlier proposition to avoid or transfer risks.
As with all risk responses, neither of these strategies is free so it is important to balance the cost of avoidance or transfer against the expected financial and non-financial (e.g. reputational) impacts of risk realization before making response recommendations.
4. There are more than five risk responses: watch out for “Deny” and “Bury”
I made these response terms up, but they are very real. “Deny” is a common risk response—for every risk which a stakeholder is willing to accept or actively respond to, there is at least one which they will deny exists. Just like acceptance, this denial could be active or passive. With active denial, there’s no doubt that the stakeholder disagrees about the nature of the risk whereas with passive denial they might not confront you but they’ll ignore your attempts to get them to own the risk. These tend to be the same stakeholders who will take a strong “that won’t happen to us” stance when reviewing lessons from similar past projects. Likewise, you’ll come across what I call the “Bury” risk response. This happens when we face risks on our projects which we really don’t want to communicate as we assume that certain stakeholders will not react favorably. However, as we can’t pretend that they haven’t been identified we document them in our risk registers in such a way as to make them extremely difficult to locate or to comprehend.
These are just a couple of the “risk response anti-patterns” I’ve witnessed. If you’ve encountered any which aren’t listed above feel free to contribute in the comments below
5. Talk about individual impacts
Through a series of experiments focused on positive and negative risks, the authors of a study published in the Harvard Business Review determined that a person is more likely to make an objective, logical decision when a single significant impact is presented, as opposed to being presented along with a number of other lower impact outcomes. Counter-intuitive as it may seem, simple communication that conveys the more important impact—and that only—can be more effective than providing a whole slew of impacts. Recognizing that risk owners are frequently reluctant to commit time or political influence to actively respond to a risk, we might be tempted to stack the deck in our favor by communicating multiple potential impacts resulting from the risk getting realized. By doing this, we might actually diminish the perceived threat or opportunity presented by the risk resulting in risk owners responding in the exact opposite manner than what we had hoped for.
To avoid this, while it is a good idea to capture complete information in our risk registers, when presenting risks to stakeholders, focus on communicating the single impact which presents the greatest threat or opportunity. Then, if you don’t get the buy-in you were hoping for, add weight to your argument by sharing other potential impacts.
6. Get your eternal optimism in check
It’s hard to think about negative risks, much less plan for them, when you think that everything will be fine. Optimism is good—just not blind optimism. If such optimism is the prevailing mindset within a company, it can be difficult for risk owners to envision things not going according to plan. What has always intrigued me is how the same leadership teams that can be moderately effective at implementing operations or business risk capabilities will be weaker when it comes to project risk management. A risk averse culture will take a long time to change for an overall organization, but a project manager should be able to influence it within the ecosystem of their projects.
7. Use data to show how risk management is working
We work hard to manage risks. But all of that doesn’t mean much to the outside person unless we can demonstrate, with numbers, that all of this risk management is producing real, beneficial effects. To be meaningful to stakeholders, executives, clients, and teams, part of your risk management effort needs to include analyzing the risks and the effort spent on risk management.
Show the positive correlation between effective risk management and successful project outcomes. In the absence of supporting internal empirical data or strong pressure from the outside to create a valid sense of urgency, senior leaders and project teams will be unwilling to sustainably invest in the required behavior and practice changes.
8. Managing risk takes time, so make sure your team has it
Too often, unhealthy levels of multitasking by project teams and stakeholders result in those practices perceived as unnecessary being jettisoned or being given lip service only. If a team barely has time to deliver the scope of their project, how can they or equally busy risk owners be expected to expend any real efforts on considering or responding to potentialities which may never be realized? And, if we combine this limited availability with “one size fits all” approaches to project risk management, it is no wonder that many teams will do the absolute bare minimum required to meet onerous governance requirements.
9. Put stakeholder engagement higher on your priority list
This is not to say that you must wait until all stakeholders have been identified, engaged and analyzed before commencing risk management activities. Like most project management practices, risk management is iterative—it’s perfectly fine to do a high-level risk assessment with your core team in the early days of a project before you’ve met with all key stakeholders. That said, I still cannot overstate the importance of ensuring that stakeholder engagement ranks high on the list of prerequisites for conducting a detailed risk identification and analysis session.
Ignore this and you can safely add stakeholders as a key source of risk to your project!
10. Give regular updates on the status of risk responses
Just because you’ve had a meeting with the response owner and they’ve bought in to the need for their action doesn’t mean that you can wash your hands of the risk. This is the “reinforcement” part of managing risk, and you can’t omit it. Regularly reporting on the status of implementing risk responses to your sponsor and key stakeholders as well as following up with response owners will be needed to increase the likelihood of follow-through.
11. Mine your risks for opportunities
Companies invest in projects not to meet the triple constraint, but to achieve expected business outcomes. As such, a myopic focus on delivery excellence can still result in poor returns. You can use a benefits risk review to evaluate the threats and opportunities affecting the realization of project benefits. It doesn’t need to be frequent—the effort required to do a quality job and the availability of the external stakeholders required to make this exercise a success would restrict it to once a month at most. Review the risks, responses, issues, and impacts that arose—and mine those risk registers to improve outcomes of future projects.
12. Make your risk prevention efforts visible
Word of an issue spreads like wildfire, and many pairs of eyes begin to closely monitor the situation. Then, when unnatural acts save the day, there are lots of people to recognize and reward the heroes. I can’t count the number of times I have witnessed “on-the-spot” awards being awarded to individuals or teams when a critical issue has been successfully resolved.
Risk management is like an effective security agency—you usually only hear about them when something bad has happened, but you rarely hear of the multiple tragedies which they deterred. The probability and timing of risk realization is always uncertain, hence the ease of recognizing good risk management behaviors in the moment is much harder than with issues that have readily visible resolution times.
Comments
Post a Comment