Undertaking any project, whether in-house or in partnership with a professional services firm, entails risk. Project risk is defined as any area of concern that could prevent a project from achieving all of its benefits. Project risk requires careful management and involves identification, assessment, and mitigation.
It is important at the beginning of any project to go through the risk identification process. Not all project risks are obvious. When identifying risks, look for areas in the project that are based on:
- Insufficient or unreliable data
- Insufficient preparation
- Inadequate resources
- Lack of control
Some areas to pay close attention to are:
- Requirements identification
- Involvement of project sponsorship
- Level of project management experience
- Third-party involvement
- Political/cultural environment
- Change control procedures and management
- Complexity of the technology
Risk identification is only the first step. Risks need to be assessed to quantify and prioritise them according to their impact on the project. Keep in mind significant professional judgment is required during the assessment process to quantify the magnitude of potential negative impact and to develop risk control measures. The assessment process should determine the (1) likelihood of the risk occurring, (2) range of outcomes, (3) estimated timing of the risk, and (4) the frequency with which it will occur. It should also determine the warning signs of the risk that will forecast that the occurrence of the risk is imminent. The prioritised risks provide the basis for establishing Project Success Factors (PSFs). Specific action plans are developed to address each PSF. For example, assume that required key policy changes are a high risk. An action plan must be developed to:
- Focus on thorough and frequent communications
- Implement a steering committee structure
- Obtain strong support for the project team from executive management
- Stress the benefits of the project
- Identify training needs early
Once risks have been identified and assessed, mitigation plans should be developed. The plans document what the response will be when a risk event occurs. Keep in mind a mitigation plan might be to do nothing to mitigate the risk. The need is to accept that a risk exists and be prepared to deal with the consequences when and if it happens. This type of action plan typically applies to low priority/minimal project impact risks. A mitigation plan should outline plan B for the project area impacted by the risk. Knowing what plan B is prior to having to execute it will greatly reduce the probability of increasing the negative impact of the risk event or causing other unknown risks to occur.
An effective risk project management process means choosing and implementing risk-control strategies that work. Identifying, assessing, and developing mitigation plans are not one-time events. These processes need to occur throughout the life of the project. As the project progresses and project risk changes occur, documentation resulting from the identification, assessment, and mitigation planning processes need to be updated. The risk management process must be continuous.