Introduction

I just about rolled off my chair at the restaurant when Lola asked whether I had ever run into an unexpected situation that threatened to derail a project. As I wiped tears of laughter from my eyes, I wondered if she meant within the last hour. I eventually recovered myself and acknowledged that I often face unexpected situations that threaten the project.

In project management language, an unexpected situation that threatens to derail the project is called a risk and it is about as certain as the sun rising every morning. Thankfully, there are ways to address risks, but first of all we need to identify what they may be.

What is a Risk?

A risk is a potential, unknown event that can negatively impact the successful outcome of a project.

Huh? What’s that?

Basically, a risk is something bad that could happen, and it is a normal and ordinary part of any project.

Think of your everyday life. There are always risks involved. You might miss the bus and be late for that early morning meeting with the funder. You might get a flat tire and miss your child’s fifth grade music concert. It might rain and you will miss your opportunity to mow the lawn. These are all potential, unknown events that can impair your ability to achieve your intended objective.

What is Risk Management?

Risk management is the process of assessing and controlling risks. Risks cannot be helped. They are simply part of project life. However, you can identify what the most likely risks are and develop plans to deal with them. This is risk management. It is intended to help you manage emerging issues without letting them becoming full blown crises. If you find yourself amidst one crisis after another, you may want to reconsider your approach to risk management.

Identifying Risks

The first step in managing risk is to identify what risks threaten the project. I suggested to Lola that she should spend an hour or two with her project team and executive director brainstorming all of the bad things that could happen to the project. Optimism had no place in this meeting. It was all about identifying the bad things that could and probably would go wrong.

A meeting to discuss project risks is an important step for any project, including yours. Brainstorm with the project team members and other key stakeholders about what could go wrong during the project. Besides making everyone think you are paranoid, it will help them understand that the project might not go exactly as planned.

After the meeting you should have a list of statements that state the risk and how they would impact the project. Although each project is unique and the risks are dependent on the project, there are some common risks that are found in just about every project:

  • Changing objectives – The “why” or “what” of a project changes during delivery, resulting in a significantly increased schedule, effort, and budget.
  • Unachievable schedule – The project schedule is unrealistic because it is trying to achieve an impossible deadline, resulting in project delays.
  • High project team turnover – The schedule is delayed and knowledge leaves the project because of a high-turnover of team members, resulting in project delays.
  • Poor communication – Poor communication processes impair work efficiency or result in unclear project objectives.

 

These risks might act as some grease to get you thinking about the risks that threaten your project.

Prioritizing Risks

The next step is prioritizing the risks. Which risks are more threatening? Which risks are less threatening? Which ones would be most disruptive to your project if they were to occur? You have limited resources to manage risks so it is important that you prioritize them to help focus your efforts. Spend your time managing the more threatening risks and do not worry about the others.

The threat level comprises the likelihood and impact of a risk. Likelihood is the chance that the risk will occur. Impact is the amount of damage that it would do were it to occur. Look at the chart below. The threat level (represented in the boxes) increases as the likelihood and impact increase (represented by the axes). Choose a risk on one of your projects and decide how likely it is to happen and the impact that it would have. There are methods for determining the likelihood and impact, but do not worry about that right now. Simply make an educated guess as to whether it would be low, medium, or high. If you chose a risk that has a high likelihood of occurrence and a medium impact on the project success, the threat is high. This risk should be placed high on your prioritized list because it is threatening to your project.

threat level graph from low to critical

For example, let’s look at the following two risks from Lola’s project:

  • The programmer’s computer crashes and all of the programming work is lost. The impact is high and the likelihood is medium. Therefore, the threat level is high.
  • Every member of the project team decides to leave the project at the same time. The impact is high and the likelihood is low. Therefore, the threat level is medium.

 

In the above examples, each member quitting at exactly the same time would have devastating consequences for the project. However, the likelihood of that happening is so remote that Lola would not spend too much time worrying about it. On the other hand, the computer crashing is much more likely even though it would not be as devastating. Lola will spend more time worrying about the computer crashing because it is ultimately more threatening to the project. She will give it a higher priority.

Summary

The bad news is that risks are inherent to every project, but the good news is that they can be managed. The first step in managing a risk is simply identifying it so that it does not come as a total surprise. You also need to spend time prioritizing the risks by determining which ones are most threatening to the project. You have limited resources to deal with risks so you need to address the most threatening ones first.

Now that we have discussed identifying and prioritizing risks, we will focus the next article on developing a plan to address the risks.

Blair Witzel (blair@mcdoane.com) is a member of the Project Management Institute and a consultant with McDonnell Doane + Associates, an information management and technology firm focusing on the not-for-profit and public sectors. His work centres on managing multi-project portfolios and working with organizations to develop project management methodologies to more effectively deliver projects.