Tag Archives: Risk Management

A Practical Approach to Risk Management


Following up on my last blog post regarding project management predictions for 2016, I thought I would expand on each of the ‘predictions’ in my first few posts of the year.

Projects Will Still Have Issues in 2016

As I noted in my post, projects will always have issues. And though we know this to be true, that shouldn’t prevent project managers and team members alike from being diligent in anticipating risks (that can become issues) and plan for them – as we have a responsibility to do so.

Now, while I’m confident I can regurgitate content from the PMBOK in terms of processes, inputs/outputs and tools & techniques related to risk management as good as anyone, for the purpose of this post I thought I would outline a few practical strategies from my own experience and perspective.

Do a Pre-Project Risk Assessment

Risk management seems to always be a topic of conversation within the realm of project management, but I would argue that it should pre-date the project kick-off. Before a project team is engaged and deemed to be accountable for the delivery of the project, the organization should have already performed an assessment of the project. Some of the points, questions and analysis to be considered might include the likes of:

  • How does this project align with our strategy?
  • Who is the customer? What industry are they in? Do we have any experience in this industry? Is doing work in this industry aligned with our strategy?
  • Have we done business with this customer before? If yes, what was our experience with them? If no, do we have any partners or contacts that have done business with them before and what was their experience with them?
  • Do we have team members with the skills required to do the work? Are these team members available at the allocation required to complete the work in the expected timeline and budget?

Build in Some Contingency

Based on the pre-project risk assessment, the organization should have a good sense of the level of risk a project has before it starts. If the project is deemed to be aligned to strategy and within the organization’s acceptable risk tolerance, the project team can use the outcomes of the pre-project risk assessment for inputs for the project risk planning.

For example, if we’re working in a new industry or with a new customer, or with a customer where there had been issues on previous projects, contingencies can be incorporated into the project budget and/or schedule (and other areas alike) to mitigate risks. This could mean having additional budget set aside for risks and/or additional time factored into the schedule. On the other hand, if we’re working with a familiar customer where we have a strong relationship and an established process proven to be effective with this customer, there should be less of a need for these types of contingencies.

Apply your Lessons Learned

Most project management methodologies advocate for a post project lessons learned (or post-mortem) type of session to identify project ‘failures’ and ‘successes’. From a risk management perspective, ensuring that lessons learned on past projects result in actionable improvements that are incorporated into future projects, is key.

Someone famous once defined insanity as ‘doing the same thing, but expecting a different result’, so unless you’re planning for the ‘insanity defense’ when your project goes off the rails, understanding and applying your lessons learned will be a key strategy in mitigating risks on your project.



Leave a comment

Filed under Management, Project Management, Strategy, Uncategorized

Risky Business

In the world of Project Management, the topic of risk is HUGE. Massive. Behemoth, even. Ok, I might be getting a little carried away. The reality is though, that the amount of risk – and hence the level rigor applied to managing it – will vary with the type, size and complexity of your project.

If you have a small project with a well-defined set of requirements, a familiar technology, a long-time customer, the proper equipment and resources, your project is probably low risk so an informal process to manage your risk may be ok. If however, you’re staring down a project with, basically the opposite of any of the above noted items, you will likely want a more robust process for managing your project risk.

Before we go any further, we should probably take a quick step back to define what a risk actually is. The Project Management Body of Knowledge (PMBOK) – Fourth Edition, defines risk as: “Risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Objectives can include scope, schedule, cost and quality.”

Two things jump out at me with this definition, (1) it’s something that is uncertain, that may or may not happen and (2) it has an ‘effect’ on the project – though it doesn’t state specifically that it will be a negative effect. We’ll come back to these a bit later.

As there are so many facets of risk management, I suspect this will be a topic that I’ll post about often – rather than trying to cover it all in one ridiculously long, excruciatingly boring (hey, who said that?) post. For this post I thought I would touch on the topic of risk responses. Basically, what are you going to do about these pesky risks that you have identified?

Before I get into the various available responses, I’ll note that the impetus for this post – in addition to providing some exciting reading – is how the term ‘mitigate’ has become something of a ‘catch-all’ term when it comes to talking about risk. Mitigating risk is great, but it’s not the only thing you can do with it.

See below for a few additional strategies, as well as some notes on risk mitigation, based on the teachings of the Project Management Body of Knowledge (PMBOK) – Fourth Edition, and the world according to Evan.

Risk responses for negative risks (threats)


Why mitigate a risk when you can avoid it altogether? One strategy to avoid risks is to shut down the project; but that’s a bit drastic. Other strategies to avoid risks are to make adjustments to the project plans, be it schedule changes, requirements clarifications, updates to assumptions or what have you so that the threat can be eliminated altogether. These options aren’t always available, but when they are, keep risk avoidance on your radar as a tactic for managing your risks.


That’s not my risk; that’s your risk. Another strategy is to look at options for transferring the risk to a 3rd party. The example often given for this is in the insurance industry, where for the cost of an insurance premium, you transfer the risk to this 3rd party. Another way to handle this in a project related context might be from a contract types and terms perspective – e.g. Fixed price billing versus Time & Materials billing as each billing type has different levels of risk for the buyer and seller. (A topic for another day).


Risks tend to be evaluated on (1) probability – how likely is each risk event is to occur and (2) impact – if a risk does occur, how big will the impact be. Risk mitigation is about reducing one or the other, or both. Tools are available such as the aptly named ‘Probability/Impact’ matrix where risks can be evaluated on the basis of their probability and impact, and mitigation strategies can developed for each risk. Pro-tip: Risks that are high probability AND high impact; deal with these ones first!


For the risks you aren’t able to identify a suitable strategy for, or for ones where the cost of the mitigation strategy is higher than the cost of its potential impact, the strategy here is acceptance. Acceptance can be ‘passive’ – do nothing and deal with them if they occur or ‘active’ – establish a contingency reserve (money, time, resources etc.) to be better equipped to deal with them if they arrive.

Risk responses for positive risks (opportunities)

Intuitively, most of us think of risks as being threats, but this isn’t always the case, since where there are risks, there are opportunities (said some optimist somewhere). Here are a few strategies for turning risks on their head for the good of your project.


The enhance strategy is one whereby project teams take actions to try and realize an opportunity by taking measures to increase the probability, impact or both. A common example is where project scheduling techniques such as crashing (adding resources) or fast-tracking (performing tasks in parallel) are used in order to finish a project ahead of schedule.


Exploiting a risk, turned opportunity is a bit like the enhance strategy, except – as Yoda would say – “there is no try; only do!” Exploiting is all about making SURE that you are taking advantage of an opportunity that has presented itself. Using a similar scheduling example, some projects will have financial incentives for finishing early so project teams give top priority to exploiting this sort of opportunity any way they can.


Similar to how project teams will want to transfer the negative risks, they will sometimes want to share the positive ones. An example might include joining with another team or organization to deliver a project, each agreeing on their respective scope of work and how risks and rewards can be allocated.


Again, much like with negative risks sometimes the best strategy is to accept the risk. Related to opportunities, this strategy simply means being ready to take advantage of an opportunity if it comes along, but not taking steps to actively pursue it.

Well, so much for this NOT being a ridiculously long, excruciatingly boring (hey – it wasn’t that bad!) post. If you made it this far, I commend and thank you.

Be careful out there.


Filed under Project Management