“It is not the strongest or the most intelligent who will survive but those who can best manage change.”
― Charles Darwin
Controlling risks is a project management activity that is essentially about managing expected and unexpected changes in the project. While planning for risks you refer to various subsidiary plans in Risk Management planning project management activity, realizing that risks may materialize in any of the areas such as Cost, Schedule, Communication or Scope. You identify risk categories such as Resources, Technical, External, Project – because risks can appear in any of these areas as well.
Then you go ahead and identify very specific risks – actual risks, residual risks and secondary risks. And then you meticulously plan for dealing with each of them in Risk responses planning project management activity.
- Residual risks are the smaller risks remaining even after identifying responses for bigger risks
- Secondary risks are the new risks that come up due to responses planned to manage risks
All this effort is like preparing for the battle. The usefulness of it is determined in the way we monitor and control risks through the length of the project.
It is almost impossible to think about all the risks up front during planning stage itself. Environments change, stakeholders change, and even requirements change as project progresses. This leads to changes in the risks, their nature and planned responses.
Controlling risks involves looking out for identified, residual and secondary risks, identifying any new risks, taking quick corrective action when a risk materializes, planning further preventive actions when you identify a trend of a new risk, and measuring effectiveness of risk responses.
What do you need to control risks?
Project management plan
The subsidiary plan to put to use in this process is Risk management plan. This is a guide for project manager to understand how to deal with managing risks on the project. It defines approaches, tools and methodology to manage risks; roles and responsibilities of people who need to deal with risks, budget allocated for them, project specific risk categories, definition of risk probabilities and their impact on project objectives, and such.
Risk register is the single most important input. This comes from the project management activity to Identify Project Risks, and lists identified risks, their symptoms and frequencies, possible responses, and time and cost budget allocated for dealing with risks.
You would need status of each of the planned deliverables, schedule progress and costs incurred on the project.
Work performance reports
..indicate performance measurement metrics such as earned value, planned value, schedule variance, cost variance (EV, PV, SV, CV) as well as forecasting numbers such as estimate at completion (EAC), estimate to complete (ETC) and to-complete performance index (TCPI).
How do you do it?
Reassessing project risks
As the project progresses you find out that some of the risks are not relevant; probability or priorities of few risks are changed, and new risks are identified. All this can be found by regularly reassessing the risks in risk register.
This reassessment exercise is usually done as a team exercise and at regular intervals. Risk register is updated with the changes identified during reassessment exercises. Stakeholders are kept in loop on the risk status.
Auditing for risks
As the word audit suggests this exercise is a methodical examination of how effectively risks have been managed, including the way root causes are analyzed, timely corrective or preventive actions taken, how often risk reassessments are done and their effectiveness and such. These audits typically are conducted by a team outside of the project team.
Analyzing risk trends
In simpler terms this is about looking at project performance over a period of time, studying the trends of cost, schedule and scope variances from baselines, and then trying to forecast whether there is a risk of any of them going rough in near future. If the trend indicates possibilities of any of the risks materializing, then preventive actions are planned and put in place.
Performance variation measurement
This is about comparing project performance against planned performance. For instance, if you were to complete the high level architecture definition completed by certain period and the project did not realize this milestone, then there may be risks that are overlooked. These need to be analyzed and addressed immediately else they may create havoc for other milestones along the way.
Reserve budget analysis
Using Reserve Analysis tool you kept aside certain amount of contingency reserves from the project budget for realized risks during the project management activity to Determine Project Budget. This reserve is utilized only when certain risks materialize and you need to deal with them. As project progresses you need to keep an eye on remaining reserves. If there are less reserves remaining and more risks to handle then you may need to plan preventive actions to ensure they are not realized, and in addition might consider going back to sponsors for more budget.
Just like any planning exercise effective team meetings to go over risks and strategies to manage them is an effective way. This serves two purposes –
(a) team is aware of what risks may come up and so they will be equipped to look out for symptoms,
(b) they will be able to contribute to risk mitigation strategies and come up with good risk responses.
Project manager must ensure that these meetings are held at regular intervals such as every other week or at the beginning of a sprint (if you are using Agile methodology).
What’s the outcome?
By now you know that a monitoring process is expected to discover changes, and trigger change requests. Changes to risk management plan itself might be required to be changed. Preventive and corrective actions planned as a risk response on the project will need to be raised as a change request and run through change control board via Perform Integrated Change Control process.
Updating project plan and project documents
As we considered various subsidiary plans in the input of this process, the same stand to get updated as output. We looked at cost, schedule, quality, and scope management plans.
When any risk materializing has an impact on any of these project objectives the corresponding subsidiary plan has to be updated.
- Assumption logs
- Each time you assess risks you may get to know more about them. This knowledge may change certain assumptions you made about the risks and hence you will update assumption logs.
- Risk register updates
As a result of executing Monitor and Control process if your risk register has not changed then either your interval to execute this process is very small, or the process has not been executed effectively.
Some of the contents of risk register that get updated are –
- Actual outcome of materialized risks and risk responses
- Outcomes from risk audits conducted by external team, risk reassessment and status meetings to go over risks
- Technical documents
You put corrective actions in place when risks materialize, and when symptoms of certain risks start appearing you put preventive actions in place. Both these may very well alter technical approach to produce deliverables. These result in technical document updates.
Some of the documents such as risk breakdown structure, templates and procedures recommended for conducting risk assessment, and lessons learned are updated as applicable.
Controlling project risks is a very essential project management activity for the project manager. Come to think of it, even if a project manager does not know anything about risk management processes, she would intuitively be managing risks. May not be comprehensively, but definitely to some basic extent. Because we are built to look for risks for survival, and this instinct helps us keep dangers at bay. Having said this, following these systematic, scientific and proven approaches to handle risks ensures best possibility of project success.