Risk management for projects (notes on prompt questions)

Introduction

The project risk management effectiveness prompt associated with these notes is intended to stimulate discussion about key aspects of your project risk management. It is based on the international standards ISO 31000 Risk management – Principles and guidelines and IEC 62198 Managing risk in projects – Application guidelines, although some aspects of the standards that do not lend themselves to this short form are not covered explicitly. This guide sets out key points of good practice and common pitfalls in each of the topics the prompt raised.

Broadleaf offers a more extensive evaluation of the strengths and weaknesses of existing risk management practices based on the standards and our long practical experience of projects. A formal assessment generates a gap analysis that can be used to identify areas where you could improve and bring your risk management into line with established good practice. This means not only alignment with the standards but also the tools required to practise the management of risk smoothly and cost-effectively.

Comparing your responses to the prompt with the notes here should provide initial insights into the strengths and weaknesses of your existing practices. A formal analysis will provide additional advice tailored to your organisation’s current situation and aspirations. Please contact us if you would like a deeper evaluation of your project risk management framework and processes.

Guide

The numbering of points below corresponds with the numbering of the prompt. This does not reflect the importance of the items in the list. In fact, the last point in the list, the use of risk management to inform decision making, is a core principle that drives many other aspects of sound risk management.

1. Is risk assessed in the context of the objectives of the business, or is it confined to the immediate aims of a project?

Good practice

A project only has value if it advances the objectives of the organisation for which it is to be implemented, so risk should be identified and analysed in the context of the organisation’s objectives.

A project view can be useful for tactical priority setting but it must be consistent with the organisation’s objectives. Some matters, such as safety, environmental and ethical concerns, will only make sense in the organisational context.

Common pitfalls

Seeing risk only in terms of the project budget, milestone dates and an abstract notion of ‘quality’ can lead to results that are not the best outcomes for the organisation.

2. Before risks are identified and analysed, are internal and external factors that can affect the work thought through systematically?

Good practice

If the factors that influence an organisation and the projects it implements are not thought through systematically, important matters will be overlooked and attention will be monopolised by topical factors and recent wins and losses.

Common pitfalls

Allowing preoccupation with recent events, the latest failure or success, the personal interests of team members, or the boundaries of the team’s experience can restrict the focus of the team and limit the exploration of risk.

3. Do you communicate with stakeholders beyond those immediately involved in a risk assessment, either to gather information from them or to inform them about what you are doing?

Good practice

The identity of major stakeholders and their objectives and concerns are an important part of the risk management context and should be addressed systematically.

Common pitfalls

Confining attention to the concerns of line management and governance reporting requirements alone can lead to important matters being given less attention than they deserve, some of which may lead to limited acceptance of project outcomes.

4. Are the scope and purpose of a risk assessment well defined and understood in the same way by all concerned, including those not involved directly?

Good practice

The scope and purpose of risk management should be clear so that the work will be planned and resourced accordingly. The decisions risk management is to support often dictate the timing and the form of outputs and reports the process must generate.

Common pitfalls

Treating risk management as a symbolic exercise or no more than a compliance requirement fails to generate the best value from risk management.

5. Do you have a documented basis for describing the consequences (impacts) of risks and their likelihoods?

Good practice

Criteria used to describe the consequences of risks encapsulate an organisation’s attitude towards risk. The criteria should be closely related to the organisation’s objectives.

The method used to rate consequences, likelihood and the level of risk resulting from them in combination is a core component of a sound risk assessment process. It must be specified clearly to avoid ambiguity and confusion as well as to ensure transparency and effective communication.

Common pitfalls

Using generic words without supporting explanations or definitions that may be understood differently from one person to the next (such as high, medium and low or catastrophic, moderate and negligible), or using terms to describe outcomes that might be interpreted differently because they are vague, ambiguous or abstract (e.g. unqualified use of words such as severe, extreme, large or small), causes confusion and inconsistency.

6. Is the way risks are rated in terms of priority (high, medium and low or similar) the same for all projects within the organisation, or are the ratings assigned differently from project to project?

Good practice

Consistent terminology is very important both for clear communication and to enable decision makers to compare projects and understand the implications of resource allocation and other decisions they might make.

Common pitfalls

Using a rating scheme linked to the project’s budget and time scale alone (e.g. based on percentages of the base budget and duration), using different rating schemes for separate projects, or using a scheme that is different from the corporate risk framework, makes comparability between projects and with organisational matters very difficult to maintain.

7. Is risk identification an unconstrained brainstorming process or is it organised around a structure or agenda?

Good practice

The time devoted to risk identification and analysis can be appreciable and it is important that it be employed effectively. A structured approach can ensure a balanced application of time to separate areas of concern and ensure that nothing critical is overlooked.

Common pitfalls

A completely open, unstructured discussion about risk that dwells on topical issues and the matters on which the participants have the most to say can lead to important risks being overlooked.

8. Are people briefed for a risk assessment with notes about the context or do they rely on experience and background knowledge?

Good practice

The crucial structured thinking represented by the context will only deliver benefits if all involved start from the same position. A briefing document is the most efficient means of ensuring that this happens.

Common pitfalls

Workshops that are convened with no briefing or structure often fail to produce a comprehensive understanding of the risks affecting a project. They generate a false sense of security simply because it is known that a risk workshop was held.

9. Do you rely on the project team alone for risk identification and analysis, or do you draw on others such as subject matter experts or experienced people with no personal stake in your project?

Good practice

Failure to identify risks undermines the entire process. It is good practice to at least consider including people from outside the project team in the risk assessment so you can benefit from their independent experience, specialist knowledge and objectivity.

Common pitfalls

Risk assessments carried out by the project manager or a team member on their own, or a small team who all share the same experience, knowledge and view of the project, often fail to produce a comprehensive understanding of the risks.

10. Are risk treatments (actions to improve the consequences and likelihood of risks) formally documented and incorporated in the project plan?

Good practice

Any actions flowing from a risk assessment are actions for the project. They should at least command attention and, whether they require appreciable resources or not, they should be managed in the same way as any other project tasks.

Common pitfalls

Holding a set of risk-related tasks and actions separately from the rest of the project management systems or according them low priority because they are not seen as core work can lead to misallocation of resources and sub-optimal project outcomes.

11. Are responsibilities for risks, treatments and controls assigned to named individuals?

Good practice

The principles of clear responsibility and accountability that apply to any other project task are just as important for tasks required to manage risk.

Common pitfalls

Risk-related actions that are not formally assigned to individuals, or that are assigned to organisational functions or groups rather than to named individuals, may not be implemented.

12. Are treatment actions monitored and reviewed in the same way as other project tasks?

Good practice

The principles of monitoring and review that apply to any other project task are just as important for tasks required to manage risk.

Common pitfalls

Risk-related actions that are not formally followed up or reviewed regularly may be ignored.

13. Do you take steps to ensure that risks you think are well controlled will remain so?

Good practice

A risk assessment will often determine that some risks are well controlled. The effectiveness of this control can decline when pressure comes on, as a project progresses, allowing such risks to become much more serious than expected.

Common pitfalls

Risks given a low rating that are ignored may result in undesirable outcomes for the project as controls weaken or become less effective through neglect.

14. Are changes within your project or in its external environment, which might affect your risk, monitored actively?

Good practice

The factors that informed the initial risk assessment are rarely static. As they change the risk assessment must be updated.

Common pitfalls

A risk assessment that is undertaken once at the start of a project and never reviewed or updated will become out of date very quickly, leaving the project exposed to unforeseen changes.

15. Is your risk management backed up with organisational support such as policies, training and governance mechanisms?

Good practice

To ensure consistency across an organisation and through time, it is important for risk management to be governed by a clear set of principles and supplied with trained resources. Without this, the process will be patchy and liable to degrade over time.

Common pitfalls

Each project makes up its own risk management approach in isolation, leading to inconsistency across projects and across the organisation. Effort is wasted reinventing materials afresh for each project.

16. Are the outputs of a risk assessment used to inform business decisions?

Good practice

Risk is a central component of important decisions and the risk management of projects should be part of organisational decision making.

Common pitfalls

Decisions based on an informal understanding of risk, often made at a senior level in an organisation and in isolation from the risk management carried out by projects, lead to misallocation of resources and sub-optimal performance, both for projects and the organisation.

Formal review and gap analysis

Broadleaf offers a more extensive evaluation of the strengths and weaknesses of existing risk management practices based on the standards and our long practical experience of projects. A formal assessment generates a gap analysis that can be used to identify areas where you could improve and bring your risk management into line with established good practice. This means not only alignment with the standards but also the tools required to practise the management of risk smoothly and cost-effectively.

A formal analysis will provide advice tailored to your organisation’s current situation and aspirations. Please contact us if you would like a deeper evaluation of your project risk management framework and processes.