Risk Management – What’s the Big Deal
Written by Ed Santavicca, M.S., PMP
Does Risk Management Really Matter?
In the 2017 PMI Pulse of the Profession Survey, it was discovered that only 26% of projects always utilize risk management practices. This same survey reported that over 45% of projects surveyed did not finish within initial budgets or schedules. Is there a connection? It is likely, given the fact that “undefined opportunities and risks” was one of the top primary causes of project failure identified in the survey.
What do we mean by “risk”? A risk is “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.” The purpose of Risk Management is to identify possible future risk events, perform actions to avoid or mitigate the effects of those events and prepare plans to quickly recover from the effects of the events. Effective Risk Management is essential to prevent major cost and schedule increases due to unknown risks, at best, and to avoid major catastrophes at worst.
- In April 2010 the explosion of a BP oil rig in the Gulf of Mexico resulted in the death of 11 people, with numerous others injured. 210 million barrels of oil poured into the Gulf. The cost to BP was in the range of $55 billion. In 2011 a federal report concluded that “Risk management failures were a core factor leading to last year’s offshore oil well disaster in the Gulf of Mexico”.
- In 1963 the U.S. Navy Submarine Thresher went down, resulting in the deaths of all 113 who were on board. The resulting U.S. military investigations concluded that the most likely explanation is that a piping joint in a sea water system in the engine room failed, spraying water on nearby electronics, forcing an automatic shutdown of the nuclear reactor. As a result, the Navy instituted a stringent design safety and risk management system known as SUBSAFE. From 1915 to 1963 the Navy lost 16 submarines to non-combat accidents. Since 1963, no SUBSAFE-certified submarine has been lost.
Why is it that Risk Management is so often ignored or minimized?
Well, for starters, it is hard work. The process of risk management planning, identifying risks, quantifying, etc. is very tedious. Another reason is that, when risk management is done effectively, no one notices. Organizations rarely give “kudos” for effective risk management, per se. Certainly, successful projects are recognized, but the hard work of risk management that underlies such success is typically not identified. Ultimately, we all like to be recognized. Other reasons for avoiding Risk Management include the fact that it takes vital time when many projects are behind schedule. Finally, while effective risk management ultimately is a major cost avoider, performing risk management takes both time and money. In a cost-cutting world, this may be seen as a problem. All of these reasons can be addressed with a strong Risk Management culture in an organization, where the ultimate benefits are clearly understood and valued.
While it may be a difficult and time/cost consuming effort, effective Risk Management is essential to prevent project failures of all kinds.
The fundamentals of effective Risk Management include the following:
- Risk Management Planning – A project risk plan structure is established, including plans for assessment, response, and on-going monitoring and control.
- Risk Identification – As many potential risks as possible are identified by a thorough and on-going process.
- Risk Qualification – Potential risks are evaluated based upon some non-numeric assessment approach.
- Risk Quantification – Risks are evaluated for their potential impact and probability of occurrence utilizing numeric techniques.
- Risk Cost and Schedule Assessment – Each major risk is evaluated for potential numeric cost and/or schedule impact.
- Risk Response Planning – For major impact and high probability risks, specific responses are identified and planned for in the event of the risk occurrence.
- Risk Mitigation Planning – Specific actions that can reduce the probability of significant risk events occurring are identified and incorporated into the project plan.
- Risk Monitoring and Control – To ensure effectiveness throughout the project, an on-going process of reviewing and updating the risk management plan is maintained.
The process can be visualized as shown below:
Scaling and Thoroughness
Understanding the fundamentals of effective Risk Management is just the start. Projects come in all shapes and sizes, as does Risk Management. Scaling and thoroughness are keys to effective implementation of the fundamentals.
A Risk Management plan must be scaled to be consistent with the size and complexity of a project. A multi-year, multi-million-dollar project whose risk plan identifies only a handful of potential risks will be ineffective. On the other hand, a small project may not need a plan that is extensive. For example, a qualitative assessment of the risks may be sufficient and quantifying them may not be necessary.
A risk plan that is thorough will engage each of the fundamentals mentioned above, avoiding short-cuts. Thoroughness is also revealed in the process of risk identification. An ad hoc process of identifying risks will likely result in major potential risks being overlooked. There are various risk identification approaches that ensure thoroughness. A task-based approach will have the subject matter experts identify risks for each of the work breakdown structure tasks. Another approach would be to call upon those experts, reviewing each phase of the project for potential risks. Useful tools include brainstorming, interviewing and the use of checklists. Also, the various risk categories could be screened for risks, such as external, internal, technical, legal, cost, schedule, etc. Whichever approach is utilized, it should be systematic and thorough.
Monitoring and Control
Once a thorough, appropriately scaled, risk management plan is in place, the plan must be monitored and controlled. This will involve an on-going review of the risk management plan, updating potential risks, utilizing variance and trend analysis, etc. A review and updating of the documentation of the pertinent risks should be part of each project meeting, with special focus on the risk mitigation actions. An indispensable tool for the control process is the risk register, which should be created as part of the plan. In a risk register each risk is listed, with associated causes, quantification, potential cost and/or schedule impact, etc. A key feature of the risk register is the quantification of potential impact costs for high probability/high impact risks. Such costs should be part of a risk reserve budget.
This is a risk register example that is utilizing qualitative assessments for probability (P) and impact (I):
Part of monitoring and control will of course be upper management project reviews. At some point, one or more of the identified potential risks will come to fruition and the project leadership must anticipate the logical question, “How are you going to recover the costs and schedule impact of the realized risk events?” This is where Project Opportunity Management comes into play and why it is considered part of an excellent Risk Management Plan. Project Opportunity Management is the identification and management of potential positive risk events; those events which will impact the cost and/or schedule in a positive way. Such events should be identified, quantified and monitored as part of the risk register.
Risk Management Does Matter
As a project manager, regardless of project size, you will be far ahead of the game with an effective, thorough risk management plan that is regularly updated, monitored and controlled. The probability of your projects being completed within budget and on schedule is greatly enhanced with strong risk management. And, depending on the type of project, you just might avoid a major crisis or catastrophe. Risk Management is of great importance . . . a very Big Deal.
1. PMI PMBOK, 6th edition, 2017, Chapter 11, Project Risk Management.
2. PMI Pulse of the Profession, 2017.
3. Joint report by the U.S. Coast Guard and Bureau of Ocean Energy Management, Regulation and Enforcement.
4. National Geographic Society.
5. Frontiers of Project Management Research, D. Slevin, D. Cleland, J. Pinto, 2002.