Over the last few years we’ve worked with a number of government departments (state and federal), and large corporations who have engaged us to help develop their project management capability in various ways. Often, we find ourselves looking at the way organisations manage project risk and trying to ascertain if risks are being effectively managed though the project lifecycle. We see many different approaches and tools, matrices and scales. The key area of commonality is that many organisations treat managing risk as an administrative or overhead task rather than a key function of project control.
On some level organisations intrinsically know the value of managing project risk, that’s why most if not all project delivery organisations do it to some degree. The problem is that organisations that actively and consistently identify, control and mitigate risk in order to tangibly improve project outcomes are quite rare. The Project Risk Cycle diagram below is a helpful aide when examining how the process should work.
Some examples as to where organisations commonly fall down with risk are;
Company A has a dedicated risk management tool and project managers identify risks in the initiation phase of the project and ensure they are entered into the tool. On investigation we found that in 72% of projects no further risks had been entered in to the system after the initial entry. Where risks had been entered, the quality of the risk statement and the mitigation actions was poor, meaning it was unclear exactly what the risk was and what mitigations were.
Department B use a SharePoint register to manage risks. This means that the register is centrally located and quality management and reporting is done by the PMO. This worked quite well for a number of months. Unfortunately, the analyst with responsibility for managing risk has left the business. The analyst that took over does not have the same level of understanding around ensuring updates are done and what ‘good quality’ looks like within the register. This has led to conflict within the project as they had come to expect good data. The impact on delivery outcomes is difficult to directly measure.
Company C leaves it to the project managers to build a register and make sure risks are logged, although there is an expectation that key risks will be highlighted in the monthly report. We discovered that risks were often not logged or that details were unclear.
In all of these cases, our recommendations were to put executive level focus on managing risk and to standardise the approach, regardless of tool preference or framework. In essence, there is a need to ensure risk and is managed regularly and consistently. Often the organisational tools are already there. All that’s required is awareness, training, reinforcement and support. All these organisations reported better project delivery results over time when the right level of focus was applied.
If we can help you build your project management, governance or risk capability talk to us today!