Estimating and Managing Project Risk

No project is without risk. Ask any project manager, and they will have plenty of stories of unforeseen risks taking a costly project off the rails. Anticipating, estimating, and planning contingencies for your risks is essential for the success of a project. We have pooled our project management experience at Unwired Logic and created this guide to help you understand what project risk is and how you can prepare your project plan for it. There are five steps to project risk: Identify, Quantify, Prioritize, Plan, and Manage. We will touch on all of them and share our tips.

What is project risk – Identify

To start, let’s review what risk is. In the context of a project, a risk is an event that will likely have a negative impact on the project. It could be a delay in the timeline or any other form of deviation from the project objective. Risk can arise from different categories, and identifying those is an important step. Typical risk categories can be scope, schedule, budget, resources, resistance, communication, and suppliers. This list is by no means exhaustive and can vary depending on the nature of the project.

Typically the project management team holds a ‘risk planning workshop’ with key stakeholders to map out and identify all potential and foreseeable risks. The experience of the project team is invaluable in this stage. Each identified risk should be described in detail within the Risk Plan. 

Waterfall vs. Agile

Small differences exist in the approach to risk management between waterfall and agile. Both follow the overall process – Identify, Quantify, Prioritize, Plan, and Manage. However, due to the nature of the methodologies, in waterfall, you typically have more time to plan and prepare your risk plan. These projects take place in more stable environments where requirements don’t change frequently. Agile, an inherently more iterative methodology, has a more reactive approach to risk planning and risk management. The approach is more integrated into each sprint, as each has its own planning stage. It is possible to assess and evaluate risks unique to the current stage of the project and work around changes in the scope, environment, or project goal with more flexibility.  

Evaluation of risk – Quantify, Prioritize, Plan

Once you have identified the risks, it is important to quantify them and prioritize those that pose more danger to the project. Many tools exist for this step, but we will focus on the ‘Probability and Impact’ matrix or statement. In other words, you want to estimate the likelihood of a risk manifesting and the severity of the impact that it will have on the project’s success. Several relevant factors impact the types of risks that can come up: the size of the team, the number of involved stakeholders, familiarity of the PMO with the technology, and complexity, among others.

In our projects, we score the likelihood from ‘Very Low’ to ‘Very High,’ with three more steps in between. Keep in mind that even risks with low probability can manifest, and it is important to monitor them. Changes in the project environment can change the probability rating of the risk. Therefore, it is important to review this matrix every time a significant change occurs. In a similar approach, we evaluate the impact of each risk on the project objectives, rating from ‘Very Low’ to ‘Very High.’

Together these two should give you a heat map of your risks. The highest priority should be given to those rated as highly probable and highly impactful. Monitor risks that are low in probability and impact. As mentioned above, the scoring is subject to change. 

How to manage project risk

Once you have identified and prioritized your risks, it is important to know how to manage them and plan contingencies. It will not be possible to eliminate all risks. Therefore, it is important to be prepared. Through strategic management, risk can be reduced over longer periods. A risk management action plan should contain the following information:

  • Description and assessment scoring results
  • Concrete actions and countermeasures to reduce risks
  • Owner of risk actions
  • Committed deadline of the risk actions

Additionally, it is important to keep identifying new risks. Reassess existing risks if any of the risk conditions were triggered. Initially low-impact risks can become more critical over time, too. Through regular risk reporting and review, you can stay on top of them and avoid unpleasant surprises. Unforeseen risks can happen, but there is no excuse for foreseeable risks taking your project off course, or even worse, off the rails. 

Final words

Remember that risk is part of any project, but it does not have to be the doom of the project. By sticking to the five steps – Identify, Quantify, Prioritize, Plan, and Manage – you can reduce the likelihood that an unplanned risk will negatively impact the outcomes of your project. At the same time, keep in mind that risk can be a good thing. To paraphrase the famous ‘It’s not a bug, it’s a feature’ – look at risks as ‘uncertainties that matter.’ In a project, uncertainty is not automatically negative, because it can also mean opportunities that have a positive impact on the project. Risk, too, can have a positive effect on your project, as long as you are prepared for it.