A risk is defined as “an uncertainty that could have an adverse effect leading to loss, harm or damage”.
In practical project management terms, risks have the potential to increase the project cost and/or schedule, reduce quality and/or delivered scope, and even to derail the project and Customer satisfaction.
Obviously, not all risks are equal. Neither are all projects.
One of the key findings from the 2012 McKinsey study of large IT projects is that fully 17% percent go so bad that they can threaten the very existence of the company. These unpredictable high-impact projects are called “Black swans” in popular risk parlance.
Risk prioritization is the process step in Risk management where the Project team assesses the probability, impact, speed of onset, and vulnerability of each risk. In order to do this effectively, the Project organization would need to define acceptable thresholds of risk probability, impact, speed of onset, and vulnerability for the organization in general, and each project in particular.
The thresholds may be higher or lower depending on several factors such as:
- The criticality of the Project outcomes to the organization, its brand, its profitability and longevity, its customers, and its employees.
- The depth of insight that the Project team has into the Project problem and the proposed solution.
- The Organization’s preparedness/ maturity to handle different scenarios/ outcomes.
- The level of risk impact that the Organization is willing to accept (or is capable of accepting) in general for the overall organization as well as for the specific project in question – typically due to budgetary constraints, resource constraints, etc.
Risk management – “The why & why not”
Risks, by definition, may or may not occur. Risk mitigation activities would need to be planned well ahead of the Risks actually occurring. Further, certain Risk mitigation tasks may need to be executed ahead of time, in order for the mitigation to be effective. Hence Risk mitigation planning & execution activities entail expenditure of hard-fought project funds.
Further, in many projects where Risk Management is applied, it is applied by the Project manager with the best of intentions during project initiation & planning phases, but this interest and focus loses steam midway into the projects as they run into constraints of schedule, quality, scope or budget and the resulting pushback from project stakeholders.
Hence Risk management is frequently thought of as an unnecessary expense with low or no returns.
Risk management – “The how”
Only in mature organizations with a stable adoption of the Risk management process do we see projects strongly leveraging Risk management.
The major difference here is that Risk Management is perceived as an investment with potential for significant returns.
This evolution to a mature organization requires the following changes to be in place:
- Executive stakeholders have to recognize the importance of Risk management
- Executive stakeholders have to be prepared to allocate funding to build a culture of risk awareness
- Executive stakeholders have to be prepared to lead the Organizational risk culture implementation from the front, and
- An Organizational Risk awareness culture initiative has to be launched by means of Executive communications to the entire Organization.
- The Organization’s Software development processes & Project management processes have to be enhanced to incorporate actions relating to Risk management, and these new processes to be rolled out at the Organizational level. Rollout progress reports to be reviewed at Executive level.
- Risk management training to be rolled out to various categories of Stakeholders. Training progress reports to be reviewed at Executive level.
- Project Managers to be given authority to enforce Risk management directions. Project Manager escalations to Senior Management & Executives to be supported.
- Audits to be implemented, to ensure adoption of Risk management directions. Audit report summary to be reviewed at Executive level.
- Periodic (preferably semi-annual) Executive communications sharing progress of the initiative as well as the value / benefits realized from the initiative.
The following images depict a 10,000-foot perspective of the Organization and its Operational context, as well as the Organizational Risk culture initiative components.
This article was first published in LinkedIn Pulse under the Title: “Building a culture of Risk awareness in Organizations”.