Unfortunately, the PM's path to success in this endeavor is riddled with a large number of “land mines”. While some of these are easily avoidable, others are a bit more cumbersome and rooted in management structure, company policy, ignorance and corporate politics, or some combination thereof.
With proper training and careful navigation, it is sometimes possible to diffuse these.
Below are seven “mines” to avoid (and tips for diffusing them) as you take the field of battle to your next project.
1.Lack of Risk Management Education
Unfortunately, you are likely the most educated person on your team in the field of Risk Management. This means that your sponsor and stakeholders likely do not have the same view of the strategic importance or management execution process. While some might argue that this is to be expected, having team members and management that are educated in basic risk management principles makes your job inordinately easier. Educated sponsors will likely secure more funding for risk-related activities, and will certainly be more tolerant of the time that the team needs to spend working through identification, documentation, follow on, and so on. Team members with a basic understanding of risk management process elements will more fully understand and appreciate your role and struggle.
Tip-> Suggest cost-effective security awareness items related to the risk management process to your senior leadership. Partner with your internal audit team or risk organization (if blessed with these) to present this. If successful in this step, navigating and diffusing each of the subsequently mentioned “mines” will be much more tolerable.
2.Unclear Risk Information
Basic IT project risk management usually entails working with the team to understand and capture risk and opportunity events. This can sometimes be a tedious process unless you’re blessed with co-location and the team’s undivided attention. In the case of a distributed team, the PM often receives risks written as broad and open statements or other indistinguishable blurbs. Taking the time to educate the team on the importance of creating individual and distinct “risk events,” with the goal of determining a specific and actionable strategy can be somewhat time-consuming.
Tip->Create a template with “call-outs” that spell out exactly what is needed for each section of your risk register, chart or heat map. Make time to discuss this with your team.
3.Lack of Organizational Drive
As mentioned earlier, you may be the Lone Ranger when it comes to driving the need for risk management on your project or program. If you are able to promote sound risk management practices and to educate folks, you may be the catalyst needed to get something meaningful initiated within your company. Practicing consistent Risk Management as part of your normal PM repertoire will strengthen
Tip-> Use this opportunity to strengthen your personal “Brand” (link to PM Times article on personal branding http://www.projecttimes.com/articles/project-manager-personal-branding.html)
4. Once and Done
It’s simply not enough to conduct a one-time session to identify risks, determine their probability, impact and response strategy. Someone needs to monitor each risk continually to determine changes to its probability and overall impact. This is particularly true in cases where the subsequent project requires completion of specific deliverables to enable the successor project to initiate.
Ownership and accountability need to be distributed across the project team and not just be the responsibility of the project manager. Creating an atmosphere of risk ownership and accountability is a necessary step in organizational risk awareness and evolution. Individual risk events identified must have individual owners. Risk-evolved companies do not rely on siloed heroics but on more integrated, strategic and proactive measures. Communicate to the team where the project fits, where it’s headed and ask them about opportunities that may be capitalized on as well.
Tip->Use this as an opportunity to reference and utilize the aforementioned risk register.
5. Disruptive, waste of time and resource cycles
Management’s prevailing view may, in fact, be that risk exercises are a waste of time and resource dollars.
Tip->Make a personal commitment to demonstrate ROI via presenting management with examples of cost and time savings via “team identified” mitigation strategies.
6. Lack of historical risk data
Many organizations that perform Risk Assessments do not have a stable and mature historical archive of risk information to draw from. This may well be because these types of exercises have not been historically conducted, or that efforts to archive Risk data and information has been inconsistently performed.
Tip -> Partner with your internal Audit Team/department or Risk organization to initiate an archive.
7. Flawed evaluation of effectiveness
What are the measures of success for the Risk Program and Risk management activities in general for the company? Chances are, there are none! If in its infancy, chances are program success has but one criteria for success, and that is adherence to corporate policy. If the policy states that a risk assessment needs to occur once a year and it does, that is the sole measure of success!
Tip ->Work to have the definition of Risk success tied to the program’s effectiveness in achieving company goals. Initiatives and projects are aligned with Corporate Strategy. Successful initiatives and projects then, enable the realization of Corporate Strategy. Effective Risk Management enables the planning, delivery and execution of the strategically aligned initiatives and projects.