The relevance of risk registers and matrices

The traditional way of applying risk management by making risk registers and matrices (heat maps) is still used in many projects across the world – and yet, project successes are still outnumbered by budget and time overruns, as well as scope creep. Something indicates the approach is inadequate at best.

To ensure value-adding risk management for projects, a number of prerequisites have to be ready:

• The project target/goal must be defined. This may seem obvious, yet I have seen numerous examples of projects, the target was to “implement system X” apparently for no other purpose than having this. Unless you are the System X vendor seeking a revenue – this can only be a means to an end, not the end itself. What is the real objective?

  You must know if/when you have succeeded and if/when you have failed.

• Project risk management must be fully integrated into decision making and project planning. The business case must include key risk and opportunity identification and assessment – as well as the planning of and resources to mitigate risks and pursue opportunities.

  This is far too often done after the business case has been approved, and hence mitigation is assumed within the resources allocated without mitigation.

• For risks especially, you must know what constitutes scaling on both impact and likelihood – and the measures must be consistently applied throughout the project to ensure valid prioritization.

  Too often risks are seen as “catastrophic” “severe”, “major”, “minor”, and “small” – without any definition of what the difference is between “major” and “severe” – whereby each risk is inherently assessed by whatever scaling is implicitly used by those assessing.

• Risk impact must be linked to project target metrics to enable relevant managerial reporting. With these in place, some shape or form – risk registers are still a relevant tool to use. Heatmaps/risk matrices are not, and were never really/any good in the first place. It does not help steering committees to know that we have four “red” risks – they wish to know what is the likelihood of meeting the project target (in time) and what to do about it. A heatmap cannot tell you that.

  To that end – and to accommodate for the fact that any one risk may have a million different outcomes, Monte Carlo simulation is the tool to apply.

  • It allows/is based on defining an outcome range for each risk as a distribution.

  • It enables consolidation across a portfolio of risks and opportunities.

  • It is an approach for which there are multiple excel-add on packages, some even free. The technology is half a century old, so still ignoring it is incomprehensible – yet many risk managers do.

The way to do this is to look at the spreadsheet behind your business case, and potentially your planning/scheduling.

• Look at all input parameters, and define the uncertainty ranges to these.
• Leverage your risk/opportunity register and add this to your spreadsheet model with the likelihood/impact distribution

Now you can run your project 10,000 tomes in a matter of minutes – and look at the outcome range for your performance metric. Suddenly, as a risk manager, you can answer questions like:

1. What is the likelihood of meeting my ROI target?

2. What is the likelihood of a negative ROI?

3. What is the likelihood the project will finish on time?

4. What are the key uncertainties, e.g. to ROI and time respectively?

And to the extent the result of questions 1-3 are less than what you desire – leverage the response to question 4 to define a further action to take. Be (pro)active rather than leverage random buffers.

There are a plethora of Monte Carlo simulation software packages that can help you, some are even downloadable for free. One of the most commonly used is @Risk from Palisades. This even has a version which enables direct Monte Carlo simulation on MS Projects.

As a risk manager, you need to be able to leverage this methodology. If you cannot already, make it your professional development target to learn within the next quarter (it’s not that difficult, and you are well behind schedule already).

Two approaches will further enhance the probability of a successful project:

• Being holistic in your risk identification – some risks may materialise from outside of the project and be seemingly unrelated to this. The most common of these are reallocation of resources due to change of managerial priorities.

• Address opportunities as well as risks. If your target is 100 – try ask your team and stakeholder what would have to be true to deliver 150 or even 200. Based on that – identify key opportunities and add these to your risk management 

Finally – as a rule of thumb – focus hard on delivery and less on costs and time. Project costs and time are temporary – results are lasting. This is leveraging the one thing I have learned about “quick and dirty” which is that “dirty” remains long after “quick” has been forgotten.

I was once told about a study (alas, I have never been able to find it) on large and successful building projects across the globe (as subsequently assessed by builders, sponsors and users alike). The study looked at what was special about these compared to others. It appears that without exception they were all over budget, over time but also (way) over delivery. The conclusion was so strong I remember it vividly.

I have worked with projects, where time was everything, and we did not even manage money – but were sure to deliver the specified outcome well on time. I have worked with others, where time was not that important, nor were project costs – but outcome (in terms of productivity) was pivotal. All focus was put on ensuring productivity – and the project still delivered largely within time and budget.

For some projects, liquidity is of the essence – address it in your risk management. Summing up:

• Risk (and opportunity) registers are still a valid tool as you still need to collect/have your data somewhere. However, it is highly recommended to embed this directly in project planning and modelling.

• Risk matrices/heatmaps are a waste of space – and were never good to begin with.

• Monte Carlo simulation is a “must use” tool and a “must have” competence for risk manager. Based on this, the risk manager can add significant value to the project and the business.