Bruce Harpham
Business Analyst
Bruce Harpham, based in Toronto, is the author of “Project Managers At Work” and holds the Project Management Professional (PMP) certification. He holds multiple Salesforce certifications and has over ten years of experience in the financial services industry.
Projects always entail creating something new. The novelty makes the project work exciting and keeps us returning each week. However, that novelty has a downside—it creates uncertainty and the potential for loss.
How to define project risk?
Most stakeholders view risk as the probability of loss from uncertainty on a project. Uncertainty can sometimes lead to positive outcomes, such as better-than-expected sales when launching a new product. A comprehensive approach to managing project risks will consider the possibility of positive risk. However, the potential for loss (i.e., negative risk) tends to be a more significant concern.
Three reasons why project risk management matters
Setting aside time and resources for project risk management is easier when you can make a business case for why it matters. Identifying and managing risk in a project is essential for three reasons:
- Project risks can cause the project to fail, exceed budget or timelines, or fail to deliver the expected benefits.
- Project management methodologies and standards expect project managers to perform risk management. Skipping project risk management may hurt your reputation.
- Risk management is a top priority in specific industries. For example, risk management expectations are high in the financial services realm and have increased over time.
A project, especially a more extensive one, may negatively affect a financial institution’s operational risk. Beyond financial services, health, construction, and pharmaceuticals are a few additional industries where risk management is vital.
How to get started with risk management
Identifying and managing project risks starts on the project’s first day. In many cases, it may begin even before the project launch. For example, some projects include preliminary risk analysis as part of the business case to create the project. If an initial risk assessment is available, seek it out and use it as a starting point. If it is not available, keep reading to get started with project risk management.
What is project risk?
Risk identification entails listing all the possible risks that could hurt your project’s success. Let’s consider a past project I worked on regarding tax compliance at a large bank.
The project was focused on updating systems and processes to meet use tax requirements in the United States. Thomson Reuters states, “Use tax is a tax imposed on the use, storage, or consumption of goods and services purchased without paying sales tax.” This project involved analyzing tax requirements for more than half a dozen states and local governments and updating the bank’s processes to ensure tax amounts were calculated correctly and paid on time.
The identified risks included the following:
- Government penalties. Failure to comply with tax regulations may result in fines (or worse). This risk was at the front of my mind, leading to the creation of the project.
- Reputation risk. Banks rely on their reputation to attract and maintain customer loyalty. If the failure to pay taxes became public, it could negatively impact the bank’s reputation.
- Financial statement audit risk. Tax amounts impact the bank’s financial statements. If the tax amounts identified through the project turned out to be significant, they could hurt the financial statements. In an extreme scenario, the bank may need to issue updated financial statements. This could impact the share price and hurt investor trust in the company.
Project management risk assessment
The next step is to assess the project risks in terms of likelihood and impact. A low-probability event that will only cost the company $1000 may be insignificant. However, a high-likelihood event that may cause a system failure for over a day is unacceptable. Track your assessments of project risks in a spreadsheet so you can quickly review them.
Risk mitigation
Also known as risk treatment, this practice is the key to addressing risk on a project. Let’s consider reputation risk mitigation in this case. Several risk mitigation strategies were available to address this concern:
- Comprehensive analysis. Each state and local government has different tax rates and rules. Meeting these tax expectations was essential. Missing even one use tax requirement could seriously damage reputation. Therefore, the project mitigated the risk of reputational damage by following a comprehensive process to identify the tax jurisdictions and associated rates.
- Policies and procedures update. The following risk mitigation strategy comprehensively updated the bank’s policies and procedures to create awareness and drive change. This update meant that use tax payments would be applied systematically through the bank’s operations.
- The final risk mitigation to prevent reputational damage was to provide targeted training to the bank’s finance and accounting staff on use tax expectations.
These strategies significantly reduced the bank’s potential reputation risk exposure associated with tax compliance.
Risk management in project management
Project management risk analysis starts when the project is launched but doesn’t end there. Managing project risks is an ongoing process. Unfortunately, project teams tend to focus on deliverables and critical tasks. This sometimes results in neglect of project risk management work.
The alternative is to proactively choose your approach to project risk management as the project unfolds. In my experience, there are two common approaches to managing risk in a project once you are deep into project execution: streamlined and intensive.
Streamlined approach to project risk management
The streamlined approach to project risk management is best suited for small-scale, low-complexity projects. For example, if a handful of co-workers are building a new process for their team, a streamlined approach makes sense. It typically has two elements: planning and light monitoring.
- Address project risks upfront in the project planning by focusing on the top three risks. The mitigation strategy will generally involve more straightforward approaches like insurance and a contingency fund.
- Light monitoring. A light approach to monitoring means adding a project risk management agenda item to your meetings to ensure that you discuss it.
Intensive approach to project risk management
Intensive project risk management is best suited for large-scale projects that last months or years and have high complexity and large budgets. Assigning a full-time team member to manage project risks may be wise. That individual should have project management and risk expertise (e.g., experience managing insurance coverage, safety training, etc.). The intensive approach means using all the processes, tools, and techniques outlined in industry standards such as the PMBOK Guide.
Project completion
At the end of the project, your risk management effectiveness must be evaluated.
Additional review processes may be required if your project experienced significant risk events—especially injuries, deaths, or property damage. Project staff may have dealt with these issues urgently when they arose. As the project concludes, it is wise to take a broader view of the risks and identify what can be done to minimize them now and in the future.
Don’t assume that an accident-free project has no risk management lessons! Ask the following questions:
- Did we identify all the relevant risks? If we missed something, what was the risk?
- How accurate were our risk assessments in terms of likelihood and impact?
- How effective were our ongoing project risk management processes during the project?
Conclusion
Enhancing your project management risk management skills is vital for success as a project manager. By applying risk identification, mitigation, and monitoring skills, you will be positioned to manage project risks on significant projects successfully.
Download whitepaper
to learn more about project data protection
