At a basic level, risk is uncertain. An event may or may not happen, and the consequences are not clear. It is this unknown element that strikes fear into people. “That’s risky business” or “sounds risky” are generally considered negative descriptions. But risk can have negative or positive outcomes. Making that judgment call – to take a risk or not – requires expertise, research and good management.
What is project risk?
Within project management, risk focuses on how something may affect the project. PMI’s Project Management Body of Knowledge (PMBOK Guide) defines risk as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more of the project objectives.
At the start of any project, it’s crucial that your team agrees on what risk means. Some organizations don’t focus on positive outcomes when they define risk. If that’s the case, it’s important to create a team that will separately focus on identifying and grasping opportunities. In this guide we’re going to look at the negative impact risk can have on a project. We’ll also look at how planning can help to mitigate risk.
Project risk comprises three elements:
- the possibility that something could have a negative effect on the project
- the likelihood of this happening
- the consequences of this happening
10 common types of project risk
There are a number of risks that can derail a project. From lack of clarity to insufficient communication, here are 10 of the more common project risks.
- The purpose of the project and the business need is not clearly-defined
- The project deliverables are incomplete
- The project schedule is not clear
- Scope creep
- There is a lack of communication, which leads to confusion
- Conflicts within the project are not resolved quickly
- Legal issues delay the project
- Delay in early phases has a knock-on effect on the final deadline
- Insufficient testing results in a large defect list at the end of the project
- Customer is slow to approve deliverables or milestones, which increases pressure to reach the deadline
What is project risk management?
Project risk management focuses on identifying, analyzing and responding to risk factors throughout the entire project process. Risk management needs to be an ongoing effort as each phase of the project can throw up new risk factors.
The PMI has a useful guide to the risk management process. It lays out the steps organizations should take as they work through the process of identifying, analyzing and responding to risks.
- Risk management planning. This is where your team decides on the approach they will use to manage any risks.
- Risk identification. This is how your team identifies the potential sources of risks. This process should be ongoing as risks can emerge throughout a project.
- Qualitative risk assessment. This is how your team assesses the risks against the program assessment criteria.
- Risk response planning. Here is where your teams devise their risk response strategy. This is how they will handle each risk.
- Risk monitoring and control. Your team will continue to monitor the risk factors, the risk itself, and the response plan.
How to identify and evaluate project risk
A critical part of project risk management is identifying and evaluating each risk. This can and should be an exhaustive process. In its risk identification lifecycle paper, the PMI details its risk identification model. This is just one way of identifying and evaluating risks. There are different approaches or frameworks, and each organization should choose an approach that works for them.
There are several stages of risk identification. PMI outlines six stages in its guide:
- Template specification. This is where you define your risk statement, where you state what could happen, why, at what stage and what impact it could have. You should develop a risk statement for every risk.
- Basic identification. You need to ask two questions: a) why (or why not) us and, b) where have we seen this before. A SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis is a useful tool for understanding the why. Looking through past projects can offer insight into the second question.
- Detailed identification. This is where you examine the risk in more detail. PMI highlights five tools for this step: interviews, assumptions analysis, document reviews, Delphi technique and brainstorming.
- External cross-check. This is where you look for more pertinent information beyond the project.
- Internal cross-check. This is where you validate your list of risks against the defined scope of the project.
- Statement finalization. At this final stage, you will fill in any gaps in your initial risk statement. You can use all the information you’ve gathered from the previous steps.
How VisibleThread customers are mitigating risk
Chickasaw Nations Industries
Chickasaw Nations Industries is a US government contractor that uses VisibleThread across its proposal response process. They identify dictionaries in VT Docs as a key success factor in flagging potential risks in each proposal. Chickasaw runs every document through VT Docs in what they call their “shred process”.
With just the press of a button, VT Docs identifies keywords and phrases and assigns them into separate categories. The keywords relate to any potential risky language within the RFP. Each category relates to a team, for example, tax, legal, accounting and insurance. This means each team doesn’t need to manually search through multiple documents, looking for keywords. It reduces the time spent on this task, while at the same time, increases efficiency.
Importantly for Chickasaw, they use the time saved on reading and searching multiple documents to improve the quality of their response. And because their teams are seeing all pertinent keywords, they are in a better position to ask clearer questions in the initial Q&A phase. It also means they can be more specific in their response about what they can and can’t deliver.
Cherokee Federal uses a thoughtful and systematic approach to proposal management. In their recent webinar with VisibleThread, they shared some of their best practices for successful proposal management. This talk highlighted how Cherokee Federal integrate VisibleThread at key points to streamline their process and minimize risk.
Cherokee uses a risk dictionary in VT Docs to check for potential compliance issues. It also helps the team to ensure they’ve covered the critical concepts to their customer during the Red Team review.
When preparing subcontractor RFPs, Cherokee uses concept tracking in the FAR review process. For preliminary risk and compliance, they’ve saved valuable time by running a compliance matrix in minutes––sparing them hours of manual work. Cherokee uses VisibleThread to generate a responsibility matrix to draft subcontractor RFPs more efficiently.
Before release, they perform final checks for potential Quality Control (QC) fixes––identifying and correcting readability, bad language, and acronyms.
What are risk mitigation techniques in project management?
Mitigation is a strategic risk response wherein a project team takes active steps to reduce the probability or impact of a negative risk to a project. There are generally four risk mitigation strategies. All of these strategies require a project team to work together and communicate effectively.
- Accepting the risk. Your team analyzes all the risks and their consequences to see which risks are acceptable. These could be risks that may not have a significant impact on the project.
- Avoiding the risk. The goal of this strategy is to develop a plan that helps you avoid the risk. This strategy requires ongoing communication and monitoring. For example, if a project looks like it could incur extra costs your team should set strict budgets and ensure everyone sticks to these limits.
- Controlling the risk. If you cannot avoid the impact of the risk, another strategy is to control it. By understanding the risk and its potential impact, your team can come up with a plan to manage or limit the impact. For a project with tight deadlines, your team could schedule daily updates to flag and manage potential delays early.
- Monitoring the risk. This is where project risk management is so important. Risk can change throughout a project; new risks can emerge and some risks are managed and eliminated. This strategy involves keeping track of all the identified risks and consequences so that your team notices any changes immediately.