PMOs are often asked to provide leadership and best practice in risk management. They do this by blending corporate standards, best practice and a degree of oversight. Where a PMO can really provide value is by helping to change behaviour and culture.
I have seen a number of project managers who have done formal studies and/or read AS4360. They use the right words, they have the workshop, they have the risk management document, and they point to the risk log and declare they are managing risks. Sorry guys, risk management isn’t about tracking the risks, it is doing something about them!
Identifying risks is important, assessing risks is important, having a risk management culture is important. Standards, controls and tools all have an important place too, they show that organisations and/or people are focused on risk. It is just so frustrating to see where project managers fail to actually manage the risks or worse still, where senior managers do not fund the risk response plans.
Managing risks, once they are identified and assessed, is about coming up with plans to reduce their likelihood and/or reduce their impact, hence reduce their overall ranking. Some plans we will do now, other plans we may do later. The plans need to be practical and they need to be integrated into the grand plan. We need to factor in the effort and hence cost into our budgets, the tasks into our schedule.
Here is a classic example. In IT application development we do testing. Why? Well, we know there are bugs, we just aren’t too sure what they are and where they are. Some plans for IT projects fail to factor in rework as a result of testing and the likely need for a second iteration of testing. It is fascinating!
You know there will be bugs, you know you will need to fix them. It is just accepted you don’t include the time or the effort or the budget for some reason. Worse still, you reduce the testing time because the project is running late and then you wonder why there are so many bugs in production. It shouldn’t surprise people then, when these projects result in an ‘unplanned’ maintenance release to fix the bugs.
Another great misunderstanding is the concept of contingency. It is interesting to see some project managers declare the forecast has no contingency as “we have used it all up”. Okay, so that means there is no more risk to the project does it? Of course not, you don’t use up contingency. There is always a need for risk allowance of some sort regardless of what was in the budget.
So PMOs have a role to play, by setting the standards, providing independent review and asking fundamental questions about the plans and cost estimates. Do they include risk? How certain are we about forecasts? Why does your status report not highlight risks? What are project managers actually doing about the risks?
PMOs can and should guide senior management and push back on illogical behaviour such as cutting time and/or budgets and removing or not allowing contingency use.