Have you ever walked out of the house in a tee-shirt and shorts, only to find it rain mid-day and you are left soaking wet without a jacket or an umbrella? Have you ever gotten home from work or school and realized that your keys were not in the bottom of your purse or backpack? Have you ever waited at a bus stop only to learn that you forgot your bus pass? I have. These are all examples of risks that can occur anytime, anywhere – day or night. Whether you are building a start-up, working for a billion dollar corporation, going on vacation to the Bahamas, or driving to your friend’s birthday party, you should always feel the need to assess the situation in order to determine how you will achieve your end goal if, for some reason, things don’t go as they are planned. Much of what we encounter through life is not always predictable. These “unknowns” are what frighten some people. However, we don’t always have to refer to them as the “show-stopper” in an event, especially if we are prepared to respond to the situation. Working some time into the schedule to plan for risks and developing an action plan is critical in realizing the outcome of an event or a project whether the risk is considered a threat or an opportunity.

Risk Actions

What is a risk and what are some ways we can help ourselves feel more confident about facing these unknowns? In the world of project management, a risk can be defined as an uncertain event or condition that if it occurs, has a positive or negative effect on time, cost, scope or quality (PMI 238). Missed deadlines, change of scope, accelerated timelines and miscommunication of project objectives are only a handful of risks we face in the work field. These uncertainties can rub us the wrong way if we are not prepared to address them, especially since they are associated with varying degrees of likelihood and impact. While there are many ways to manage risks, whether it is determined by the executive team, delegated to a risk committee, or transferred to a consultant, it is important to have a process in place. The Project Management Body of Knowledge (PMBOK) introduces five processes – Planning, Identification, Qualitative Analysis and Quantitative Analysis, Response Planning, and Monitoring and Controlling – to help us manage risks.

Planning is one of the most essential processes, yet it has the reputation also as being one of the most overlooked and oftentimes, “forgotten” processes within an organization. Time constraints, accelerated timelines, and insufficient resources are just a few of the reasons that feed into planning as a forgotten process. Because people may not always carefully plan or strategize prior to executing a project, they find themselves in quite the conundrum when they encounter a bump in the road. Thus, before we can manage the risk itself, the project team must plan in order to determine how they will conduct risk management activities. Some of these risk management activities might include how to identify the risk, assign ownership, provide visibility, document, and provide mitigation strategies. Similar to playing football or basketball, guidelines must be established before the team can begin.

There are some important factors that people should consider in order to encourage them to plan. A few that come into my mind is viewing planning as it relates to the attitude and responsibility of the project team. In regards to planning attitude, are project teams taking more of a reactionary stance or a proactive role in managing risks? For the companies that I have worked for, I have not witnessed a clearly defined risk management process in place, nor have I often seen people really taking the time to sit down and plan – not to say that people do not plan – they just don’t take enough time to plan. Oftentimes, people dive right into the project and “plan as they go,” since there are usually significant time constraints associated with each project. In many instances, this “plan as they go” strategy may cause more uncertainties in the project and fluster the project team since they may not be prepared to handle it. Or it might have caused the project team choose an alternative response that might not have been as effective as a well thought out mitigation strategy. In essence, companies will probably be more successful if they allot the time to plan an approach to manage risks, identify the potential unknowns, and strategize an appropriate response to mitigate the impact to the project if a challenge should arise.

As important as it is to have the right planning attitude, it is just as important to regard planning as a project team’s responsibility or as a “social responsibility” as Eric White might call it (White). In the article, “Retail to the Rescue,” White emphasizes the notion that if and when a natural disaster occurs, the responsibility to coordinate relief efforts falls not only on the government’s shoulder, but also the society’s and local community’s shoulder. Organizing food drives, collecting donations, and soliciting volunteers in preparation for a natural disaster is very much like identifying potential risks and mitigation strategies to alleviate stress down the line from a project management standpoint.  Similar to how the responsibility to prepare these relief efforts belongs to the society, the responsibility to plan belongs to the project team.

Once the project team has established the guidelines for risk management, the next step in the process is to identify the risks. The objective is to generate a list of potential risks that could impact the project and document their characteristics (type of risk, such as market risk, budget risk, technical risk, etc.). There are a variety a techniques to gather this information, including brainstorming; Delphi technique, reaching a consensus among a team of experts through a questionnaire to gather their feedback anonymously; interviewing; Root Cause Analysis; SWOT Analysis, identifying the strengths, weaknesses, opportunities and threats; and various other techniques (PMI 247-248). My personal favorite is brainstorming because of its simplistic nature – marker, white board, and free-flowing ideas – and its effectiveness. When introduced in the 1930’s, this technique was intended for use by groups, but can also prove to be more effective when done alone according to Darren Bridger, author of Think Smart Act Smart (Bridger pg 30). The first step to brainstorming is to generate as many ideas as possible and get them down on paper.  The second is to evaluate the findings and narrow down which ideas or risks pertain to the project. Whether brainstorming or any of the techniques above are done with a group or alone, the intention is to open your mind to options that you may not have considered and ensure they are on the project team’s radar should the team come across this type of challenge down the line.

Risk Matrix

After these risks have been identified, the risks are usually analyzed in both a qualitative and quantitative manner. Qualitative Risk Analysis refers assessing the likelihood and impact of each risk as it relates to the project objectives and tolerance level, while Quantitative Risk Analysis refers to prioritizing and mathematically assessing which risks require a response (PMI 249, 254). These usually go hand-in-hand. In my previous job where I worked for a large healthcare company, there was no formal risk analysis process for marketing project managers. Instead, each project manager was responsible for assessing the probability of risks pertaining to their projects. Many of the risks I encountered derived from government mandates that required a language change in regards to pricing and product offerings. The probability of these mandates occurring was low; however, the impact was significant because the language touched multiple projects across various lines of businesses. Oftentimes, I found myself assessing my active projects, while also evaluating existing and neighboring projects. This is a classic example of a risk bearing the characteristics of low probability and high impact, thus pushing the priority level of this type of risk to the top. I’ve also experienced the opposite, high probability risks with a low to medium impact. Some examples include late stakeholder review, additional proofing stages for print collateral, and delayed legal signoff. While these risks have a high probability of occurring, they are oftentimes manageable because buffers and contingency plans are built into the schedule. The impact levels are not so high, since print collateral in this healthcare company usually has several iterations every six months. Thus, these risks are not likely to make the top ten watch list and flagged for senior management, though they should not be discounted or taken off the radar for the project team.

All risks that have been identified are usually put into a Risk Register as a means of documentation and knowledge share among the project team. A Risk Register is a document that defines the tactical strategies to reduce or eliminate risks and usually includes a risk description, category, impact and probability level, mitigation strategy (avoid, transfer, mitigate, accept), and owner (Bronstone Module 1). In the healthcare industry, my stakeholders and project team relied on documents similar to the Risk Register for frequent status updates. Similar to how Microsoft shares risk management tools and best practices on the intranet, my company did the same and relied on access to the share drive as a means for communications between multiple lines of businesses (Barton 129). The act of documenting the characteristics of risks is important within status meetings and also outside of meetings. One should be able to pick up the document and understand the current and existing conditions of risks within a project. This tool also comes in handy down the road and can be referenced for historical context, while keeping in mind that projects as well as risks may be similar, but cannot be grouped into the one-size-fits-all category.

Risk Chart

The act of identifying risks and documenting their characteristics is a cyclical undertaking that requires continuous monitoring and controlling. Monitoring and Controlling is an important process that should not be taken lightly. Assessment and re-assessment of risks as it pertains to scope, schedule, and budget is required as businesses, technology, and environmental factors are constantly changing. But how do we know that our monitor and control process is effective? One way distinguish the efficacy of this process is to perform risk audits, similar to Unocal Corporation which allocated a decent amount of time to understand the risk-reward characteristics of oil and gas exploration, and the root cause to problems as they transitioned into workable solutions (Barton 176, 183). While my market research company cannot presently outnumber Unocal’s 1,500 audits, we’ve developed a process to perform internal audits on project managers. Currently, we use a project management program called @task for project documentation, scheduling, and project team notifications. The Director of Project Management performs bi-weekly audits on project managers to ensure that a uniform framework exists among project managers across global labs. Some of the topics that we get evaluated on are consistency with project naming conventions, ensuring project schedules align with client contract dates, assigning all tasks to project owners, and including dialogue within the comment field for important notifications, status updates, and issues. Opening the lines of communications, where each lab can access project details provide transparency within the company and serves as a preventative measure for the likelihood of risks, particularly those pertaining to miscommunications since they are on the project team’s watch-list. Especially as the company continues to scale, it is important to have these processes in place and open up these audits to include those outside of the project team. The sooner we can implement the process, the better. As noted by Austrian Entrepreneur, Daniel Mattes “Processes, controls and structure have to be in the DNA of a company from the beginning. It’s a lot harder to inject project management later on if people become accustomed to working without structure” (Gale 42).

While each company may have its own processes in place, we can’t escape the notion that companies are becoming more and more sophisticated each and every day. Organizations cannot afford to compromise their business to due to mismanaged risk processes or laziness when it comes to planning. Far too many times have I seen project teams attempt to survive without a formal risk management plan. Risk Management Planning cannot be seen only as a reactive precautionary measure in response to challenges that arise. Emerging companies are just waiting to feed off of these mishaps which aren’t so inconsequential. When it comes to managing risks, “Effective risk management is not optional in the twenty-first century: Stakeholders will demand it and the best managers will embrace it” (Barton 224). Those who take a proactive stance in managing risks will protect their company’s assets and become change agents for the future. It is critical that we, as representatives and ambassadors for our companies, shift our paradigm in the way we view risk management to become proactive change agents.

Works Cited

Barton, Thomas L., and William G. Shenkir. Making Enterprise Risk Management Pay Off. New Jersey: Financial Times/ Prentice Hall PTR, 2002.

Bronstone, Madeleine. X440.4 Project Risk Management (844241). UC Berkeley Extension, Spring 2010: Module 1.

Bridger, Darren, and Davis Lewis. Think Smart Act Smart. London: Duncan Baird Publishers Ltd, 2008.

Gale, Sarah Fister. “A Closer Look: JaJah.”PM Network. September 2008: Volume 22, No. 9: Page 42.

Project Management Institute (PMI). “Project Risk Management.” A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Third Edition. PA, 2004: Section 11.

White, Eric C. “Retail to the Rescue,” Risk Management. http://bit.ly/1mL90BJ. June 2010.