By definition, projects are organised actions aiming to achieve a specific goal. Projects are temporary and are created to provide one or more business products. Therefore, they are unique and can prove risky by nature. There are no risk-free ventures. Even if we protect ourselves with all means possible, we cannot be sure that we will avoid risk. How to deal with that nature of projects, what is the project manager supposed to do with threats which may be encountered, are we supposed to always follow one method and if so then when and how? Smart risk management starts with identification, assessment and detailed analysis and ends with actions and developing a method of operation.
There are many definitions of project risk. All of them aside, risk is any potential threat, hazard or circumstance which may make it impossible to achieve project goals. Threats in the project, as mentioned above, are a natural phenomenon; this is why they can and should be controlled in a well-thought-out and systematic manner. In small projects, well known to the project manager, we will not use such elaborate methods like probability estimation, Delphi methods or assumptions analysis. On the other hand, in large projects in a large organisation, in IT projects, projects including many stakeholders, the method of intuitive risk management based on estimates and project manager’s experience will not do the trick. This would in and of itself present yet another project risk.
In complex projects, threats may arise from different directions. The source is typically unwillingness to change, supplier’s competence and their selection, no support from the management, deadlines, costs, change in requirements, no support for key persons, poor technical/organisational support. Many potential risks will also appear when the project team is large (several dozen and more people), when the team members come from different companies (organisational cultures) and when the significant part of the team carries out a project of that type for the first time.
Facts with which a project manager needs to come to terms:
- Complete elimination of risk is impossible.
- While planning the project, it is impossible to foresee all potential problems.
- During the project, new problems will arise which you do not expect.
- Reduction of risk to “almost zero” is too expensive.
In situations like those, it is worth starting with determination which risks may affect the project and documenting the characteristic features of those threats and their roots. Depending on the needs, the participants of the risk identification process are such people as the project manager, project team members, recipients and users, experts from outside the project team or, possibly, other project managers and experts in the field of risk management.
Another step is to specify the possibility of risk occurrence. There are different ways to do this, but what most often works is the method of superficial determination of probability instead of determination regarding the percent of its value. Not at all less important is checking what degree of impact a given risk has on the project. Those may be serious, carrying over the entire project and its environment, e.g. potential lack of acceptance of the key user, as well as less important or even not important at all from the viewpoint of the project. Having the degree of impact as well as the probability, one may determine the entire magnitude of risk and, consequently, plan the manner of conduct and remedial actions for the threat not to occur or for its effect to be as marginal as possible.
The most frequent mistakes in risk management:
- Too general identification of threats.
- Risk identification without sufficient knowledge regarding the project.
- Omission of certain categories of problems.
- No teamwork in risk management.
- Taking risks into consideration only at the planning stage.
- No identified approach to risk management.
I will talk about how to manage project risks in practice, how to determine the degree the impact and how to classify the threats in the future.