Many organizations pay lip service to managing technical and programmatic risk. They say they are doing risk management, but of course they are not. This is more common than you might think, even for large enterprise projects. Managing risk as part of the project management process is the right thing to do. It is also a hard thing. A simple motivation is to remember:
Simple words, but of course it's harder than just reciting a phrase. But a second motivation can be:
This can be the start of actionable outcomes for managing risks.
There are several good risk management process flows. The DoD version is the best. The PMBOK one is OK, but just OK. This month's Harvard Business Review has two articles on risk. While these are targeted at business risk management, they have all the core elements of project risk management. One has a nice, simple, clear and concise set of processes:
- Identify and understand the major risks - many organizations confuse risks with issues. Which risks will actually put the success of the project in jeopardy?
- Decide which risks are natural and therefore which ones should be retired as part of the normal project activities and which ones should have mitigation plans should they ever come to be true.
- Determine the capacity and appetite for risk - there is no sense scaring everyone if they don't have the appetite for dealing with the risks. The risks won't go away, but at the same time they won't be handled.
- Enable risk management in all project management and technical decision making processes.
- Align the project governance process and the organization management processes around risk. Build a system and infrastructure for monitoring and managing technical and programmatic risk.



