Use risk management as a vital tool for project success, advises Eric Pavyer

Unquestionably, fear of failure is now being felt at the highest levels in organisations. The demands on today's businesses to deliver, even in the toughest of economic climates, and to be knowledgeable of and accountable for what is going on internally are at unprecedented levels.

Company boards set strategic direction and all operations are directed to this end. Business-wide systems and processes are devised and many projects initiated to achieve the goals set.

But what happens if one of these projects starts to fail? Have mitigation steps been established to minimise the effect of a delay or problem within the project or will project failure turn into business failure? For many companies - notably in industries like aviation and defence and so-called 'big project' sectors - by any definition, the impact of project performance on the business is so profound that project risk is enterprise risk.

In addition, more and more executives running organisations outside traditional engineering and construction industries - like manufacturing and IT - are developing their operations as a series of key projects or programmes in an attempt to achieve the transparency and accountability that the discipline of project management can bring to their business. This is particularly prevalent in areas involving cross-functional teams from both within and outside the enterprise such as merger and acquisition activity and cultural change programmes.

Despite these trends and the growing appreciation of the need to install systems that not only analyse risk, but also alert senior management at an early stage of risk dangers, senior executives give surprisingly little attention to project risk management. It is not uncommon in mission-critical projects for executives with a primarily functional skill set to undertake risk management in somewhat perfunctory fashion. Equally, it is not unusual for detailed risk information on projects to remain within the project team. The elevation of the need for effective risk management has yet to become aligned with the devastating effect of not managing risk effectively.

A greater focus on managing project risk is now not only desirable but essential. Sarbanes-Oxley procedures, for example, lay out specific processes regarding management and reporting of both organisational and project risk. Increasingly, there is a need for senior executives to have real-time information not only on the health of a project but on the risks and opportunities it presents to the business going forward.

Such changes are forcing organisations to transform the way they conduct project risk management. Turning a blind eye to the unknown or a lack of understanding of risk management principles are no longer valid reasons for not implementing a risk management plan. Likewise, there is a growing recognition that early, up-front identification of project risk leads to a far better chance of project success than simply ignoring risks altogether.

Indeed, major risks must be identified before a project is approved and resources are committed. In summary: creating a deterministic project schedule and cost estimate is no longer sufficient when managing projects.

Art versus science

Project management can be defined as both an art and a science - and this approach is also helpful when considering risk management.

Estimating both the chance of a project risk event occurring and its impact on the project can be highly subjective in nature and prone to error and discrepancy among project managers and team members.

So the business requires a formalised, uniformly adopted means of identifying, tracking and responding to project risks that can provide the framework and basis for a project risk management plan (RMP). The RMP is the 'risk management bible' and key to a successful risk management culture. It determines how risks are identified, into which classifications they should fall, how tolerant a business is to their occurrence and how it should respond to them.

Accentuate the positive

Historically, the focus of risk management has been based upon negative impacts on a project's success. More recently a growing trend has emerged that also recognises the benefit of potential positive risk in the form of opportunities within a project. Thus, risks can be viewed as either threats or opportunities and as such both should be fully accounted for when planning and controlling a project.

Additionally, care should be taken to distinguish between uncertainty about schedule and cost estimates and potential increases or decreases in these estimates as a result of project risk. The best project estimates are generated by adopting a two-stage approach. First, either deterministic or stochastic (for example, three-point) estimates for project tasks are produced using standard statistical techniques. Stochastic estimates can then be evaluated using risk analysis simulation methods such as Monte Carlo ('quantitative risk management').

The second stage is to determine an expected increase or decrease in estimates based upon the anticipated level of threat or opportunity that will arise from risk events. This second process is best managed using a risk register ('qualitative risk management'). The risk register provides a structured means of identifying risks within sections of a project, accurately modelling and assigning a score to the risk based on probability and severity. It also provides the basis for mapping out a risk response plan.

Once the expected amount of risk impact has been determined, a suitable amount of contingency can then be added to the area in question to generate a planned estimate (for both task costs and duration).
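The two-stage approach can be sketched in a few lines of Python. This is an added illustration, not the author's or Welcom's tooling: the task figures and risk register entries are constructed, and the triangular distribution, the 80% confidence level and the use of probability-weighted impact as contingency are all assumptions made for the example.

```python
import random

# Constructed sample data, not from the article: duration estimates in days
# as (optimistic, most likely, pessimistic) for each task.
TASKS = {
    "design": (10, 15, 25),
    "build": (30, 40, 70),
    "test": (10, 12, 20),
}

# Constructed risk register: impact in days, positive for a threat and
# negative for an opportunity.
RISK_REGISTER = [
    {"risk": "supplier delivers late", "probability": 0.30, "impact": 20},
    {"risk": "design needs re-approval", "probability": 0.10, "impact": 30},
    {"risk": "existing test rig can be reused", "probability": 0.50, "impact": -6},
]

def simulate_totals(tasks, runs=20000, seed=1):
    """Stage 1: Monte Carlo over the three-point estimates (triangular draw, assumed)."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    return sorted(
        sum(rng.triangular(low, high, mode) for low, mode, high in tasks.values())
        for _ in range(runs)
    )

def percentile(sorted_values, pct):
    """Value below which pct percent of the simulated totals fall."""
    index = min(len(sorted_values) - 1, int(len(sorted_values) * pct / 100))
    return sorted_values[index]

def expected_risk_impact(register):
    """Stage 2: probability-weighted impact of the register's threats and opportunities."""
    return sum(r["probability"] * r["impact"] for r in register)

def planned_estimate(tasks, register, confidence=80):
    totals = simulate_totals(tasks)
    base = percentile(totals, confidence)
    contingency = expected_risk_impact(register)
    return {
        "most_likely_sum": sum(mode for _, mode, _ in tasks.values()),
        "p50": percentile(totals, 50),
        "base": base,
        "contingency": contingency,
        "planned": base + contingency,
    }

if __name__ == "__main__":
    print(planned_estimate(TASKS, RISK_REGISTER))
```

With these sample figures the simple sum of 'most likely' durations sits below even the simulated median, because the three-point estimates are skewed towards overrun; the register's contingency is then added on top of the chosen confidence level.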


Risk response can range from avoidance to acceptance. Avoidance must be a serious option if the ability to mitigate risk is unacceptably low.

Clearly when team members have an interest in the project continuing, the need for a higher-level, more objective appraisal of project risk must be considered. But all business opportunities - which are what projects represent - contain risk and clearly an over-cautious approach will result in potential business benefits being denied.

More typically, risk response is in the form of risk mitigation, that is the pro-active reduction of risk scores by planning risk reduction steps. Mitigation steps often result in additional work being required and, as such, can actually increase the scope of work within the project, but it is additional worthwhile work without which the project - and ultimately the business - would inevitably suffer. Again, communication is an issue here; it's important to clearly record, assign and track mitigation steps defined for each risk and analyse their effect within the overall risk score on the project.

Methods for reporting and tracking risk vary in granularity and sophistication and depend upon how detailed a company's analysis of the tasks and work packages that form the components of a project is.

Risk examination generally involves bottom-up identification of risk and top-down analysis. Typically, a business might consider reporting via:

- risk matrices - immediately identifying areas of the highest and lowest risk through a probability/severity score
- waterfall diagrams, showing how a potential risk changes over time - indicating the effectiveness of risk mitigation activities
- mapping a risk tree against the project's work breakdown - enabling the identification of project-level risk scores as well as drill-down to detailed problem areas.

For significant projects, formalised risk management alone is not the silver bullet of project management. However, adopting a true risk management process from project start to end brings additional structure and process to the overall project management plan, thus adding even more science to the 'black art' of project management.

In addition, installing risk management processes carries a relatively low cost burden, with tools available that can help companies model risk categories, impact types and tolerance thresholds. Such tools also help overcome the issue of subjectivity in risk scoring by providing a knowledge base of the business's previous experience in this area. Importantly, too, they can often be configured to link not only with standard project planning software but also with wider corporate planning applications to ensure optimum visibility of project risks at all appropriate levels throughout the business.

This, of course, leads to the most important benefits of the process:

- an ability to make better-informed decisions on which projects to adopt, avoid or resource up as the business is driven forward
- the power to stay informed and to be confident that the best steps are being taken to achieve company goals
- the best chance of minimising project and enterprise failure.


1. PROTECT THE BUSINESS: As companies adapt to a project-based structure, they can only expect to realise benefits from identified initiatives if they control risks to project delivery. And this necessitates a structured project risk management process.

2. IDENTIFY WHO IS ULTIMATELY RESPONSIBLE FOR PROJECT DELIVERY: The input of those most actively involved in the project is key to process design. But installing - and enforcing - the risk management process are leadership issues. No major project should be approved without sign-off of the risk management plan at board level.

3. CONSIDER EVERY RISK MANAGEMENT ACTIVITY TO BE ITERATIVE: All too often companies carry out project risk management only as part of high-level project selection; or worse, as a reactive process akin to crisis management. The focus of the risk management plan will be at the beginning of a project - where mitigation opportunities are greatest. But every day will bring changes that can impact the project. As it develops, decisions and commitments are made that reduce available mitigation options. Watch out!

4. KNOW THE SCORE: The essential dimensions of any project risk are the likelihood of its occurrence and the severity of its impact. A simple grid-style scoring system combining these elements - if effectively communicated - can help gain management attention and aid prioritisation of remedial action.

5. LIVE WITH UNCERTAINTY: There is a natural resistance to risk management but, like death and taxes, risk is always with us! No amount of risk planning can reduce uncertainty to zero. Otherwise there's no project to manage.

It follows that accepting risk is nothing to be ashamed of as long as it's a considered decision, part of an open, structured process that identifies potential impacts, the likelihood of occurrence and available mitigation options. What's more, project risk management - again, properly communicated - can help avoid the dangers of a blame culture and even liberate companies' creative resources.

- Eric Pavyer heads European operations for Welcom, a Houston-headquartered company that assists companies in optimising project delivery, Tel: 01707 331231.