Setting aside the still relatively large group of project stakeholders who want to pretend there is ‘no risk’ involved in the projects they oversee, very few stakeholders really appreciate the differences between a risk threshold, the aggregate effect of the total risk exposure created by a project, the organisation’s ability to tolerate that exposure, and the interesting effect of diversification within a portfolio.
Understanding these different aspects of risk is important for project professionals; once we understand the concept we have a foundation for communicating these ideas to our stakeholders in a way that can contribute to project, program and portfolio success.
Most organisations have a reasonable appreciation of the processes needed to identify potential risk events and then decide on the significance of each risk based on the probability of it occurring and its potential impact. The real calculations are significantly more involved than the simple formula described in the PMBOK® Guide, but it is a start:
Severity = probability * impact
For more on the factors affecting the significance of a risk see: WP1015 Risk Assessment [PDF].
From this starting point the organisation can decide which risks to accept, which to transfer, and which are unacceptable and require the project to be changed so the risk is removed or mitigated. When managed effectively, this process deals with the individual risk events within the parameters of the organisation’s (or more accurately the key stakeholders’) risk appetite and defined thresholds; but it is only the beginning!
Project risk is different
What the management of individual risks fails to address is the overall project risk as “the effect of uncertainty on the project as a whole”. This is moving into a consideration of the ‘riskiness of the project’ and a consideration of the organisation’s ability to tolerate the consequences of a ‘bad overall risk outcome’.
As a starting point, the project manager is responsible for identifying, assessing and managing individual risks. But at a higher level the project manager is also required to account to the project sponsor, the project owner and other stakeholders for the overall risk of the project. As Risk Doctor David Hillson recently commented: “These two levels might be distinguished as the risks in the project and the risk of the project.”
The focus of portfolio management and organisational management should be on this ‘higher’ level, but very few organisations seem capable of assessing this factor, let alone holding serious discussions around the concept.
Managing risk requires action at both of these levels:
- The current project risk process, which addresses the individual risks within the project and records them in the risk register, is the foundation.
- The organisation then requires a structured approach to managing risk at the aggregate project and portfolio levels. Is the project too risky overall, even though none of the individual risks are unacceptable? How does this affect the overall portfolio risk?
This is a more complex process than simply adding up the net risk values. Portfolios, and particularly diversified portfolios, have an interesting effect on uncertainty (for an overview, see Averaging the Power of Portfolios; you only need to read the comments to appreciate the problem).
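To make the aggregation point concrete, here is a worked example added to this post; it is not from the original article or from the PMBOK® Guide. It uses a constructed portfolio of five projects, each carrying a 20% chance of a $1M overrun, and a simple common-cause model of correlation (a single shared event that triggers every project's risk at once) that is my own assumption for illustration. Expected loss is identical whether the risks are independent or correlated, which is why adding up the register's probability × impact values tells you nothing about how risky the portfolio is as a whole; what changes is the probability of breaching a tolerance threshold.

```python
from itertools import product
from math import sqrt

# Constructed sample portfolio (illustrative figures, not taken from the article):
# one project-level risk per project as (probability it occurs, cost if it does).
PORTFOLIO = [
    (0.20, 1_000_000),  # project A: 20% chance of a $1M overrun
    (0.20, 1_000_000),  # project B
    (0.20, 1_000_000),  # project C
    (0.20, 1_000_000),  # project D
    (0.20, 1_000_000),  # project E
]


def severity(p, impact):
    """The PMBOK starting point: severity = probability * impact (an expected loss)."""
    return p * impact


def expected_loss(portfolio):
    """Summing the register's severities gives only the mean of the total loss."""
    return sum(severity(p, impact) for p, impact in portfolio)


def loss_distribution(portfolio, q=0.0):
    """Exact probability distribution of the total portfolio loss.

    q is the probability of one shared cause (a hypothetical common driver such as
    a key supplier failing) that triggers every risk at once; q = 0 means the risks
    are fully independent. Each risk keeps its stated marginal probability p: when
    the shared cause does not fire, the risk fires on its own with residual
    probability r = (p - q) / (1 - q), so q + (1 - q) * r == p. Expected loss is
    therefore the same for every q; only the shape of the distribution changes.
    Requires 0 <= q <= min(p) and q < 1.
    """
    if not 0.0 <= q < 1.0 or any(p < q for p, _ in portfolio):
        raise ValueError("q must satisfy 0 <= q <= min(p) and q < 1")
    residual = [((p - q) / (1.0 - q), impact) for p, impact in portfolio]
    total = sum(impact for _, impact in portfolio)
    dist = {total: q}  # branch 1: shared cause fires, every risk materialises
    # Branch 2: shared cause absent; enumerate every fire / no-fire combination
    # of the residual independent events (2**n outcomes, fine for a small portfolio).
    for outcome in product((0, 1), repeat=len(residual)):
        prob = 1.0 - q
        loss = 0
        for fired, (r, impact) in zip(outcome, residual):
            prob *= r if fired else (1.0 - r)
            loss += impact if fired else 0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def exceedance(dist, threshold):
    """P(total loss >= threshold): the figure to compare with a tolerance threshold."""
    return sum(prob for loss, prob in dist.items() if loss >= threshold)


def mean(dist):
    return sum(loss * prob for loss, prob in dist.items())


def std_dev(dist):
    mu = mean(dist)
    return sqrt(sum(prob * (loss - mu) ** 2 for loss, prob in dist.items()))


if __name__ == "__main__":
    tolerance = 3_000_000  # assumed portfolio tolerance: a $3M overrun is unacceptable
    for label, q in (("independent", 0.0), ("partly correlated", 0.1), ("one shared cause", 0.2)):
        d = loss_distribution(PORTFOLIO, q)
        print(f"{label:18s} expected loss {mean(d):>12,.0f}  "
              f"std dev {std_dev(d):>12,.0f}  "
              f"P(loss >= {tolerance:,}) = {exceedance(d, tolerance):.3f}")
```

Running it shows the same $1M expected loss in every case, but the chance of breaching the $3M tolerance is about 5.8% when the five risks are independent and 20% when a single shared cause drives all of them; the standard deviation more than doubles. The register's numbers are unchanged between the two cases, so the portfolio-level question ("is this too risky overall?") can only be answered by looking at the distribution and the correlations between projects, not by adding up severities.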
Developing a sensible risk management approach requires several things:
- You need access to real expertise!
- During the business case development, when the scope and objectives of the project are being clarified and agreed, the project sponsor or owner should define the benefits that the project is expected to deliver, together with the degree of risk that can be tolerated within the overall project (no risk is not an option).
- At project initiation, use the traditional project risk process to address the individual risks within the project (the ‘risk register’).
- At key points within the project, revisit the assessment of overall project risk to ensure that the defined risk thresholds have not been breached.
Generally, by the time the project manager is appointed and starts working on the project’s risk register, the project’s risk profile has already been determined. The overall project risk is both set and managed through the decisions made about the scope, structure, content and context of the project. Each decision balancing risk against reward should involve an assessment of overall project risk, the expected benefits, and the premium needed to justify the risk exposure.
This holistic approach will help senior management understand the overall risk exposure of the business caused by projects as well as identifying any specific risks they need to address. Enterprise risk management (ERM) can only work properly if all of these factors are properly considered; the same is true for the risks associated with an operational portfolio or a functional department.
Given most project risks are associated with stakeholders, perhaps the biggest risk is these same stakeholders failing to understand and engage with risk. There are a lot of resources available that discuss risk: the challenge is making the information accessible and then starting the conversations within management. I hope risk practitioners will start the ball rolling by making their art more accessible!