Skip to main content

Save Your Project From These Seven Deadly Risk Management Sins!

One of the more popular articles I’ve written for ProjectTimes.com was my coverage of common, critical negative behaviors committed by project managers. As a sequel to that piece, this month’s article focuses on the PMBOK knowledge areas which I’ve found to be the weakest practiced, project risk management.

Ask almost anyone who has worked on a project whether they believe that risk management is important and you will be unlikely to hear otherwise.

So why do we continue to struggle with implementing risk management practices in an appropriate, value-focused manner?

Ineffective risk descriptions – your team might have identified a high severity risk which requires an immediate response, but if the risk description isn’t meaningful to your stakeholders, it is unlikely to generate the sense of urgency you were hoping for. When in doubt, share the descriptions of your key risks with a trusted peer who is not very familiar with your project and ask them if they perceive the need for a call to action.


{module ad 300×100 Large mobile}


Insufficient divergence or convergence – when identifying risks, you want to cast as wide a net as possible. A key expectation is that you will be able to transform as many critical unknown-unknowns into known-unknowns as possible. Having a broad, diverse set of participants and using techniques such as brain-writing can push past the inertia of just identifying obvious, low hanging risks. However, once it comes time to analyze and respond, focusing needs to occur on the vital few, leaving the remainder on watch-lists for occasional monitoring.

Addiction to mitigationI’d written previously about the benefits of considering all response strategies, especially when facing a particularly nasty threat. To channel Mr. Miyagi “Best way to avoid punch, no be there”. Trying to convince your sponsor to reduce scope early in the project to avoid a critical risk might not be a conversation you look forward to, but it’s likely going to be a lot more pleasant discussion than the one you’ll have if the risk gets realized.

Failure to refresh – the risk register must be considered a living document for it to provide any value. As your project progresses and changes occur, if you don’t iterate back through the identification, analysis, and response development processes, the efforts spent at the beginning of the project on these is wasted. A longer term outcome of this behavior is that team members and other key stakeholders will be even less likely to commit their efforts to risk management.

Assumptions don’t get analyzed – assumptions are an important input into risk identification. Until an assumption is validated, there is always the likelihood of it being wrong, and if so, this could impact the project. Not only is it important to capture key assumptions made while planning the project but it is a good idea to review them at a regular interval to test their validity so that appropriate responses can be executed. This is another good reason to have a diverse group of stakeholders involved in risk management procedures – the narrower the selection, the greater the likelihood that assumptions won’t get challenged or revisited.

Lessons don’t get learned – the issues which occurred on one project should provide a clear warning to future projects. As part of the preparation for a risk identification session, a review of some key lessons identified on completed projects which bear any similarity to yours might yield some gems to review with the team during the session. Empirical evidence of the realization of some risks on past projects can go a long way towards overcoming biases.

Letting risk owners of the hook – risk management is only marginally useful if it doesn’t result in any change. If you are unable to secure the attention of your risk owners and maintain it through to the successful development and implementation of response strategies, you’ll be as effective as Cassandra – foretelling doom without the ability to convince anyone to act on it. In addition, if your risk owners avoid their responsibilities without follow-up and escalation from yourself, the message you will be reinforcing is that there’s little value in risk management.

We all know that it’s in our best interests to eat a balanced diet, exercise regularly, get plenty of sleep, and avoid or at most moderately indulge in vices. It’s demonstrating discipline, focus, and persistence to put it into practice where most of us fail. This might happen because the returns of following good personal health habits like these don’t get earned immediately. The same can be said of project risk management – benefits realization lags behind the effort invested.

Johann Wolfgang von Goethe – “Knowing is not enough; we must apply. Willing is not enough; we must do.

Comments (6)