Creating a risk management approach and culture in an organization can seem like a huge challenge. However, if you break it down it’s really all about getting these three layers in place for your business:
- Adequate management process
- Systems of control
- Governance
Once you’ve addressed those points, you’ll find that your risk management approach falls into place.
In this article, we’ll dive into those three areas and explain how each contributes to a robust way of managing project, program and portfolio risk across the business.
1. Management Processes
A strong risk management approach starts off with the basics. You need risk management processes in place.
This includes:
- A risk identification process: A way for project managers and their teams to flag potential risks at the start of a project. The risk identification process should be flexible enough to be used at any point in the project life cycle, so that risks can be identified on a rolling basis as and when they are uncovered.
- A risk assessment process: This is a way of categorizing and assessing risk so that the relevant decision makers can take the right action. The process will most likely use an assessment framework where risks can be assessed for their potential impact, probability and proximity. You may include other factors in the risk assessment such as proposed risk budget, departments affected or any other criteria that make sense for your organization. Whatever the framework for risk assessment, it’s important that the process is clear and followed for all risks at all levels of the portfolio.
- A risk management process: Once a risk has been identified and assessed, it should drop into the risk management process inherent within your project management methodology. Risks should be assigned an owner, they should have an approved action plan and the team should be clear on the next steps.
You may find that some of these processes exist already, perhaps in pockets of your project delivery community, or in other departments. The challenge is bringing them together for an enterprise-wide way of managing project risk.
Find out what is currently in use, and build your guidance and best practices from that.
2. Systems of Control
The next level of risk management is to ensure that the operational systems work effectively. Systems are a blend of processes, methods, tools, technology and approaches that work together in an organized way. There is no point in having individual processes if the whole risk management model falls apart at this level.
Control systems allow you to:
- Monitor risk effectively: With strong systems, you’ll have the tools required to regularly check in with risk owners. This could, for example, be risk management software tools. Combined with having risk owners and a process for reporting risk status against the action plan on a regular basis, you’ve got an approach for regular monitoring.
- Allocate the right resources: A system that lets you see who has the skills and capacity to take on risk ownership will help you allocate the right resources. You can layer onto that a process for identifying resources who would be instrumental in helping to address the risk. You might also need a process that trains team members in risk management principles and what they need to do. This will increase the pool of available skilled resources over the longer term and enforce the risk culture.
Project managers should be doing their own risk monitoring, regardless of whether there is a corporate system in place, so this is another area where you may find some team leaders doing their own monitoring and control activities. Again, gather information about what’s happening in the teams and then use that to inform the way you feel your risk management approach should evolve.
3. Governance
Finally, your risk management approach needs to have a layer for governance. Good governance in risk management is crucial for:
- Effectively managing risk escalations: When project teams can’t manage a risk by themselves, they need a process for escalating the risk. This gets the risk more attention and more support. There should be guidelines around what kind of risks get escalated and to whom, so that top-level managers aren’t swamped with risks that program managers are more than capable of resolving themselves.
- Defining the strategy for managing risk: How risky are you prepared to let your portfolio of projects get? At the governance level your portfolio management team should be deciding what level of risk is appropriate for the business. Then they can make better informed decisions about which projects to start (or stop).
Project Boards or Steering Groups may well be providing this level of governance, but a formal approach to what is required should enable many more projects to take advantage of a structured way to manage project risk.
People Make the Difference
Underpinning all of these three layers is the fundamental principle that your people are essential in managing risk effectively.
Without a culture that stems from the top, you’ll struggle to embed robust risk management approaches into the way you run projects and the business overall. It’s the people who make the difference when it comes to adequately managing project, program, portfolio and business risk.
Setting the culture for risk management and following through with creating the three layers described above is a big job. The Project Management Office will need support from executive level sponsors to ensure that the work is carried out effectively, comes together as a holistic approach for risk management and is adequately adopted across the business. In other words: it’s not easy to get a risk management approach embedded in a company where previously there was very little risk maturity.
However, it is possible, and hugely beneficial. If it feels like too large a job, always get a specialist opinion on where to start. Once you’ve started on the journey, you’ll see risk coming under control and projects delivering more benefits more successfully, and you’ll wonder why you ever worried about creating a risk culture in your organization.