Introduction

Many concepts presented here build on a previous article by the same author. Read “Bad things that can happen to good people: Identifying project risks” for some more background.

As Lola sat down in the café where I was waiting, she pushed my coffee cup to the centre of the table, commenting that it had been perilously close to the edge. Although helpful, it did not prevent me from spilling coffee all over myself just a few minutes later. She threw me a few serviettes that she had picked up because of my known proclivity for coffee spills.

As I wiped myself off, she asked about risk management.

In the last article, I spoke about recognizing project risks — the process of identifying things that can threaten your project and categorizing them according to the potential harm they can do. Risk management is the next step, and involves developing plans to deal with them.

You are probably more familiar with risk management than you think. My spilling coffee is actually a very good example. Lola identified the risk that I might spill coffee so she tried to prevent it from happening. She moved the cup to the middle of the table. She also had serviettes in case it were to spill anyway. Lola was engaging in risk management.

So Many Risks, So Little Time (and Money and Resources)

There are limited resources to deal with project risks so you need to address those that are most threatening. Refer to the previous article in which I identified risks. Part of identifying them was categorizing how threatening they were to the project. My rule of thumb is to address the ten most threatening risks, and to deal with the others only if there is adequate money and time.

Two Approaches to Manage Risk

When managing risks, there are essentially two approaches that you can take. You can avoid the risk or you can mitigate against it (or a combination of the two). Risk avoidance means taking steps to prevent it happening. Risk mitigation is taking steps to minimize the impact if it were to happen anyway.

Risk Avoidance

A more relevant example of risk than spilling coffee is that of a funding cut. Not-for-profit projects are especially susceptible to this because funder priorities change or because other initiatives take precedence. Lola identified many ways to avoid a funding cut to her project. She met monthly with the funders to maintain a high profile. She developed a business case to demonstrate the project’s cost effectiveness and centrality to critical business operations. She promoted the project within her agency to garner widespread support. Lola took concrete steps to avoid a cut to her project funding.

Risk Mitigation

Despite her best efforts, there still remains the possibility that her funding will be cut. She should also consider ways to minimize the impact if that were to happen. One mitigation strategy might be to produce the most important deliverables first. If the project were cut, she would have already produced the most important part of the project. Another strategy might be to identify other revenue sources. If she were to lose funding, she could approach other organizations for money or sell the new application to other not-for-profits. There are several ways to mitigate the impact of the risk of funding loss.

Accepting Risk

Another way to address risk is by accepting it — not doing anything about it.

The risk might be so unlikely to occur or the impact might be so minimal that it is not worth considering. Or managing the risk might actually cost more than simply cleaning up the mess if it were to occur. For example, Lola’s database could become unavailable because the server crashes. Lola could install a backup server to have fully redundant systems, but this would be very costly. On the other hand, fixing the server and restoring from a backup would only cost about one day of a network technician’s time – much less costly than having fully redundant systems. Lola is not going to manage this risk. She is going to accept it.

Four Easy Steps to Managing Risk

After my little lecture on risk management, Lola asked, “so what do I do exactly?” Good question. It can be summarized in four steps:

1. Identify and prioritize the risks

  • Meet with your project team and other key stakeholders to identify any risk that may occur. Prioritize the risks by how threatening they are to your project.
  • See the previous article if you have forgotten how to prioritize the risks.

 

2. Identify strategies for managing the top ten risks

  • Create short work plans or task lists for avoiding or mitigating against each of the top ten.
  • Ensure that someone is responsible for executing the activity and provide a date by which it must be completed.

 

3. Update your work plan, budget and other project documentation

  • Most any avoidance or mitigation will have either effort or cost implications. Update the budget or project work plan to reflect the increased effort or cost.

 

4. Execute the avoidance or mitigation activities

  • Just like the other project work, the team needs to execute the avoidance and mitigation activities. Meet with the team periodically or include risk on your project team meeting agendas so that the tasks are getting done or to identify any issues with completing them.

 

Summary

By moving the coffee cup and having serviettes on hand, Lola demonstrated that risk management is a project management process with which we are naturally familiar. We practice it everyday of our lives without knowing.

This article gives you two key ways to approach project risks: preventing the risk occurring (i.e. avoidance) or minimizing the impact if it were to occur (i.e. mitigation). Another approach is not to do anything at all, but accept the risk. You might do this in situations where the cost or impact of doing something would be greater than cleaning up the mess if it were to occur. The article also presents four basic steps to manage risk as you move through the project.

The key to all of this is best summed up in this commonly quoted statement: “Hope for the best, plan for the worst, and expect something in between.” Good luck!

Blair Witzel (blair@mcdoane.com) is a member of the Project Management Institute and a consultant with McDonnell Doane + Associates, an information management and technology firm focusing on the not-for-profit and public sectors. His work centres on managing multi-project portfolios and working with organizations to develop project management methodologies to more effectively deliver projects.