Risk Management FAQ

What is a risk?

There are many ways of defining risk but probably the best is “uncertainty that matters”.  The uncertainty can take many forms and the effect of the uncertainty could be positive or negative.  For the most part, though, when talking about risks in a project context, a risk is something which, should it occur, would have a negative impact on expected outcomes.

What is risk management?

Risk management is the process by which you manage uncertainty that may affect outcomes that are important to you.

Why is risk management important?

Risk management is important because it helps you to reduce the likelihood of negative outcomes, or loss.  Or, to put it more simply, to get the results you want, rather than the ones you don’t.

What is project risk management?

Project Risk Management applies the principles of risk management in a project setting, so that risk to projects can be identified and managed.  This includes identifying, quantifying, responding to and managing project risks and the process of communicating these risks to stakeholders of the project.  Critically, it helps to assess whether the project is viable and should go ahead.  This part of project risk management is often overlooked, which goes some way towards explaining why so many projects fail to achieve their objectives.

What is risk analysis?

Risk analysis is one part of the overall risk management process, the other being risk management.  Risk analysis allows us to identify and quantify potential risks.  Risk management goes on to explore and determine how best these risks should be treated – whether they should be avoided at all costs, transferred to another party, prevented / mitigated, or (if no other option is available) accepted.

Define qualitative risk analysis

Qualitative risk analysis assesses risks not based on real numbers (as in quantitative risk analysis) but instead using subjective criteria including previous experience and judgement.  Qualitative risk analysis could be said to be a lot more fuzzy than quantitative, but looks can be deceptive.  One of the drawbacks of the quantitative approach is that the hard numbers and pretty graphs may look pretty convincing, but they are often no better than most people’s best guess of what might happen.

What are the steps in risk assessment?

The key steps in risk assessment are risk identification, risk quantification, risk response planning and risk management.  Some have a five-step risk assessment process, adding communication to this as the fifth step; others have a step prior to identification which covers understanding the scope of risk management, making it a six-step risk assessment process.  Whether it’s a four-, five- or six-step process, the analysis and management is common to all of them.

How do I perform a risk assessment?

This will often depend on the type of project you have, on the stage of the project you’re at and on whether you want to perform a quantitative or qualitative assessment.  For most people a qualitative assessment is easier and quicker and (as I argue here in my White Paper) gives better results.  Start off by identifying the deliverables that you’re responsible for producing, then identify potential risks for each one.  Then use the Probability-Impact (P-I) method to assess the probability and impact of each potential risk.  It makes it easier to identify specific risks and it also helps you come up with realistic numbers for both the probability and the likelihood.

What’s the role of insurance in project risk management?

Insurance is just one potential risk response available to mitigate the impact of a risk.  Insurance is a form of risk transfer: by taking out an insurance policy against the outcome you want to avoid, you’re passing the risk onto some other party that either has the resources available to deal with the consequences or will cover the costs you incur in the event of the outcome happening.

What is a risk management plan?

A risk management plan is a document that explains (for a given project or programme): how and when risk assessments will be performed, what the key risks are, how risks will be managed for the duration of the project and who will perform what risk management roles.  Some see this as a subset of the project plan but I don’t.  I see the risk management plan as a response to the original project plan; one that takes the plan (which often has not taken risks into account) and then explains what the effect on the plan is of factoring in the key risks and risk management activities.  Many projects get the go-ahead because risk management has not been considered, let alone costed.  By developing a risk management plan you can confirm that you’ve thought the project through, have a plan for dealing with the risks and determine whether the project is achievable.

How do I create a risk management plan?

If you’ve read my answer to the question above, then you’ll know that I see the risk management plan as a document that summarises your risk management activities.  So before you create the risk management plan you’ll need to do a fair bit of work, including completing a risk assessment, identifying and agreeing how the risks will be managed and assigning responsibility for managing the risks to members of your team.

If you’ve already done this and are looking for a good way to present the results to your stakeholders, you can download my risk management template from here.  No signup needed!

How long does it take to write a management plan?

How long is a piece of string?  Seriously though, it can take anything from a few hours (to create the first draft) through to several weeks (to get the whole thing approved and signed off).

I have a Microsoft Project plan showing the key tasks and timescales for a typical project.  It’s free for you to download.  I also have a product description for the risk management plan and a template document (in MS Word format).  Again, they are free for you to download.

What are the costs and benefits of risk management?

The benefits of risk management are almost too many to list, but the main ones are: lower project costs, faster project delivery, more accurate estimates and budgets, higher project success rates, faster delivery of benefits and reductions in waste, delay and rework.

As for the costs, there are two ways to answer that question.  The first way is to consider the costs of managing risks.  These can include one-off costs of implementing risk management – including training and coaching.  Then there’s the cost of operating risk management.  You should consider this part of the cost of project management for your project, rather than an additional cost.  The second way is to ask yourself what it’s currently costing you not to manage risks, in terms of higher project costs, lower project success rates, the write off costs of abandoned projects, the lost opportunity costs associated with cancelled projects and the loss of benefits expected.  Once you start thinking about the cost of risk management, you’ll see why risk management is so cost-effective.

Do you provide one day project risk management training?

Yes we do.  We provide both classroom and distance learning.  We’ll deliver classroom training to project teams so that they can learn how to apply project risk management techniques on their project.  That way the skills they learn can be applied immediately.  I also provide a distance learning programme for those who want to learn at their own pace or who are just getting started in risk management.

Who should be involved in identifying project risks?

Your whole project team, your project sponsor, anyone who is responsible for working on your project.

Who is responsible for managing risk in a project?

Everyone in the team.  Often as Project Manager, you are given responsibility for managing risk in a project.  The problem is that this leaves you trying to manage the plan and any risks associated with it.  This is too much.  A better solution is for the whole team to take responsibility for managing risks that can disrupt your project.  This way you have several people all working to support you and they’ll deliver a better result together than you can on your own.

What’s the difference between a project risk and a project issue?

The difference between a project risk and a project issue is about certainty.  With a risk there is a level of uncertainty – a chance that the outcome will not happen.  A project issue is something that either has happened, is happening or is going to happen.

What’s the difference between a project risk and a project constraint?

The best way to describe a project constraint is that it is a problem that exists at the start of the project and is likely to persist for some time.  Unlike a project risk, we know that the constraint is there and we have to plan around it.  A good example of a project constraint is the 5-day working week.

What are best practices in project risk management?

For me the most important practices are these:

  • Start off with a clear idea of what you’re trying to achieve.  You should be able to say what you’re trying to do on one sheet of paper.  If you can’t then your project isn’t worth starting.  If you’ve already started, you’re probably heading for a failure;
  • Use product based planning (where you identify the things that your project will create) rather than task based planning;
  • Don’t consider your planning complete until you’ve produced a risk management plan as well as a project plan.  Your project plan describes what you need to do. Your risk management plan describes what you need to do when it all starts to go wrong.  If you want to succeed you’re going to need both;
  • Prepare a risk management plan using your whole team, even if you have a very large team.  You’ll save the project and a small fortune.  Don’t try to produce the risk management plan on your own – this is a classic mistake that rarely has a happy ending;
  • Hold a review with your team once a week and review progress against every deliverable, your key risks, your key issues and everyone’s state of happiness;
  • Try to reduce the level of risk on your project every single day.

Where can I get risk management templates?

Right here!  You can get the same templates that I use on all of my projects.

Where can I get a sample risk management plan?

You can get a sample risk management plan right here.

When should I start managing risks?

You should start managing risks as soon as you start planning your project.  Remember, the sooner you tackle a risk the better your project’s chances of delivery.

Why would I need to use a risk management plan?

You need to use a risk management plan because it will increase your chances of delivering your project on time and within budget.

Why is risk management so important?

Risk management is so important because without it there is a very high chance that your project will fail to deliver on time and within budget.  In fact, risk management is probably the most under-used technique in project management.  This probably explains why so many projects fail.

Why do you say that 99% of risk management plans are useless?

99% of risk management plans are useless because they are vague, incomplete and never followed up:

  • Most risk management plans aren’t plans at all, just a list of common problems that might affect any project;
  • Most risk management plans don’t identify specific actions that could mitigate the risk;
  • Most risk management plans never get looked at again once the project starts because they are never followed up.

How do you manage risk?

The best way to manage risk is by:

  • Having a clear set of actions to either prevent the risk from occurring or to minimise the damage if the risk does happen – your risk management plan
  • Following your risk management plan to eliminate your risks, starting off with the ones that are likely to cause the most damage
  • Reviewing your risks right the way through the project, so that as new risks are identified you plan a way to counter them
  • Making sure your whole team are involved in managing risks on your project.  That way you’ll have several people all working together and no risk can beat a well-prepared team!

What are the main steps to creating a risk management plan?

There are 4 main steps to creating a risk management plan:

  1. Identify likely risks
  2. Quantify each risk, in terms of probability (how likely is the event to happen), impact (how much damage will it do) and proximity (how much time do I have to act)
  3. Identify risk mitigation activities.  These can be avoidance, transfer, prevention, acceptance or mitigation
  4. Collate your risk management actions and you have your plan!

What would be a good example of where project managers fail because of poor risk management?

Think of almost any project where a project team builds something for a client, only for the client to reject it as “… not what I was expecting!”  Believe it or not, this is a frequent complaint of customers who are having software developed for their company or team.  The main reason this happens is that the team doesn’t check what the customer wants during development.  Had this been identified as a risk, then the risk management plan would contain specific actions to be taken to prevent this from happening.  Taking these risk mitigation actions prevents the client from getting something they didn’t expect.

Where can I get a sample IT project risk management plan template?

You can get a sample IT project risk management plan template right here!