This is the fourth article of our series on Project Risk Management.
Background
Over the last few years SUKAD has conducted numerous risk management courses, some of them were about organizational risk management and others specific to project risk management. This article summarizes some of the comments from the participants of these classes; edited by SUKAD consultants. We raise these points to highlight gaps in the practice of project risk management.
These observations came as a result of this question: “what are some of the issues that you face today in relation to project risk management”. The importance of this question is that it is open-ended and applicable whether the organization has good project risk management practices in place or none at all.
The following are what the participants shared:
People “Practices” Gaps
- Inconsistency among practitioners in the same organization; some participants seems to be doing more than others in practicing/applying project risk management … and some have better understanding of the project risk management processes than others.
- Some do a good job in utilizing project risk management on larger projects but do not do it (or properly perform project risk management activities) on smaller projects.
- Not sure if “all” recognize the value of project risk management and if they do – are they willing to put the necessary effort that is appropriate to the value? In other words, do we have a gap between what we say and what we do?
- Workload does not allow the project managers enough time to perform proper risk assessments and management.
- It is difficult to gather all stakeholders for risk management activities. Further, technical stakeholders do not give proper value to project risk management.
Training & Development Gaps
- Some feel that they are practicing project and risk management in an “Ad Hoc” or accidental way and they were not properly trained for project management or project risk management (Accidental Project Manager syndrome).
- “We have an excellent tool in place”; but some could not answer specific questions about the tool and there is seems to be differences of opinion here.
Planning Gaps
- Need to incorporate project risk management and other project management activities into the overall planning effort (time and other considerations).
- Some say “we have good planning” but others says there is a gap, “not fully following all processes”.
Risk Identification Gaps
- It is common that team members limit risk identification to obvious project risks and they conduct the identification exercise in a brainstorming mode staying on the high level. They are not including other tools and techniques, including drilling down into a work breakdown structure (WBS).
- “Usually we identify a few risks on a project but sometime we could have a large number of risks.”
- It is important to have the right balance between quantity and quality of risks identified. The objective is not to identify hundreds of meaningless risks, rather to identify as many risks as possible in order to effectively manage the project and its risks.
Control Gaps
- Lack of proper follow-up during execution … “We do a good job in planning but when we go into execution …”
- There is no real enforcement for the project managers to do risk management and follow-up … so most projects still do the risk assessment but not the full “management” or follow-up.
Organizational System Gaps
- It is important to have a knowledge management system in place that includes lessons learned.
- The knowledge management system should be user-friendly and allows retrieving lessons learned readily.
- It also appears that there is no “standard” way for scoring risks; basically how to assign a 1, 2, or 3 to the risk probability or impact. Therefore, risk ranking is left to each team preferences.
- Availability (lack of) lessons learned on previous projects (especially for new type of projects). In addition to lack of experience on new type of projects (new services).
- There are differences between contingency reserve and management reserve but this is not clear within many of the organizations we work with and/or the concept is not fully utilized.
- It is not easy to reach a common view among stakeholders; no alignment. This may seem a people issue but the root cause is system issue and related to lack of standard way for scoring risks.
Miscellaneous Gaps
- Fighting fires, which might be a symptom of not doing enough risk identification and proactive management …
- In a client organization, project managers are quantifying even the medium and low priority risks, which might be acceptable but this is not a “preferred practice” and is an extra effort that might not be justified by the benefit.
- There should be a project classification system (typically 2, 3, or 4 project classes). If such a classification system exists it should be used for all project management functions; including risk management.
- In some cases, “we start early without contract”; this practice is leading to ambiguity of scope, which increase uncertainty, and obviously increasing risk.
- There are difficulties related to cultural and governmental issues in other countries or even in remote, rural areas.
We welcome your contribution in adding to the above factors.
If you are reading this article through LinkedIn or other medium, we ask you to please visit the blog itself and put your comments there; this way your comments and suggestions are visible to all and others can respond or build on your response.
This is a very good article. I think you point out a number of issues seen in the practice of project risk management.
I would add that for project, or risk management in general to be effective it need to be simple, supported and focused on goals, otherwise people just dont do it. http://www.activerisk.com/embracing-risk-to-build-value-practical-advice-to-help-you-take-smarter-risks/
As you point out at the top if your diagram, risk is about downside and upside and people need to understand what the value of risk management is to them.
Visibility, accountability and confidence drive project success, and what you have stated above is all part of this process.
Loren
@ERMStrategy
This comment was posted on LinkedIn Project Management Global Resources group
by David Bugg,
https://www.linkedin.com/groups/WhatAreCommonGapsin3688687.S.5949180497333608452view=&gid=3688687&item=5949180497333608452&type=member&commentID=discussion%3A5949180497333608452%3Agroup%3A3688687&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5949180497333608452%3Agroup%3A3688687
Some very common andwidespread views on project risk analysis highlighted there.
This comment was posted on LinkedIn PMLink – Project Management Link – Project, Program & Portfolio Managers, PMP, PMBOK, PMO group by Jed Simms,
https://www.linkedin.com/groupItemview=&gid=59531&item=5949147503529054210&type=member&commentID=discussion%3A5949147503529054210%3Agroup%3A59531&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5949147503529054210%3Agroup%3A59531
Firstly a clear, specific and measurable statement of the desired risk outcome – what are we trying to achieve thru managing this risk?
Secondly, a detailed risk management plan, not a sentence or two of things that
could/should be done
This comment was posted on LinkedIn ISO 21500 Project Management group by Mike Marian Burke CIOB MIET AISPE,
https://www.linkedin.com/groupItemview=&gid=96642&item=5944062172140163074&type=member&commentID=discussion%3A5944062172140163074%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5944062172140163074%3Agroup%3A96642
At the kick-off of a project the construction of a comprehensive risk register must be the order of the day. The register will cover commercial, corporate, health, safety and environment risks. It will provide a robust assessment of all the risks, the mitigating
actions required and each action priced for worse, probable and best case
scenarios. Ownership of each risk must then be apportioned. Post-project risks
get the same treatment, as does task based risk assessments in the day to day
running of an operation where operatives become the stakeholders and ownership
is again apportioned, and then the human factor kicks in such as stress,
competency and culture. In a nutshell it’s about ownership and mitigation.
This comment was posted on LinkedIn ISO 21500 Project Management group by Hemant Anand,
https://www.linkedin.com/groupItemview=&gid=96642&item=5935766307008970760&type=member&commentID=discussion%3A5935766307008970760%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5935766307008970760%3Agroup%3A96642
In my practice of project management, I have seen three different ways to measure risk.
• One is the bow tie approach – which is more a risk identification approach. It allows preventative measures to be combined with mitigative measures for the same risk
• The other is, the qualitative evaluation rating; identifying risks as high, medium low ( or on scale of 1-5).
• And the third is to actually collect the number of failures that have occurred in the past and use that to calculate the probabilities- so a quantitative approach If an organization uses all the three in right measure- it can derive maximum benefit. However, I have not yet seen any organization use all three.
This comment was posted on LinkedIn ISO 21500 Project Management group by Joe DeVoss,
https://www.linkedin.com/groupItemview=&gid=96642&item=5935766307008970760&type=member&commentID=discussion%3A5935766307008970760%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5935766307008970760%3Agroup%3A96642
@adrian. I saw your
questions. Apparently many companies have a large appetite for assuming risks!
Read on.
A surprising number
of companies–even large public utilities or consulting firms–simply perform
no formal risk analysis. I have clients who enter a standard “no risks
other than normal” sentence in a template/form while performing no formal
(or informal) risk identification.
At one professional
meeting (not in Texas) a utility company gave a presentation on a major public
utility (millions of customers) customer service implementation that required a
three-day weekend and a minute-by-minute implementation. When asked “how
detailed was the risk planning performed” they said “we didn’t have
any budget for risk management” which left the audience (mostly customers)
in a state of shock. The project implementation was a success–but until a
large failure occurs, they will likely continue to ignore risk planning and
management.
This comment was posted on LinkedIn ISO 21500 Project Management group by Stef Van der Made,
https://www.linkedin.com/groupItemview=&gid=96642&item=5935766307008970760&type=member&commentID=discussion%3A5935766307008970760%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5935766307008970760%3Agroup%3A96642
This is a topic where I will spend more time on studying to be even more effective. I do risk management, but some components I could grow by reading the article
This comment was posted on LinkedIn ISO 21500 Project Management group by Jim Fuhring, PMP, ITIL, RUP,
https://www.linkedin.com/groupItemview=&gid=96642&item=5935766307008970760&type=member&commentID=discussion%3A5935766307008970760%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5935766307008970760%3Agroup%3A96642
The main gap I see is that many PMO’s fail to continue to monitor and control risks as they after they are initially identified and there is a lack of the continual identification and management of new risk. I tend to focus my project status meetings on the
continual management and control of identified risk and on the identification
of new risk.