7 Risk Management Metrics to Track
We all know that managing risk across projects, programs and your entire portfolio is important. Risk management is something that’s embedded into the way businesses are run and into project management methodologies. However, beyond the risk log, what kind of tracking do you do on risk?
In this article we will share seven metrics you can use to track how well risk is being managed in your project teams. First, let’s look at why you should bother tracking risk in this way at all.
Why Track Risk Management Metrics?
Typically, risk management approaches allow you to actively manage risk within a defined area of the business, like a project. That’s good, and necessary, and needs to continue. However, this kind of risk management doesn’t tell you how good the business is at identifying and managing risk overall. It doesn’t flag up areas where people managing risk might be struggling, and it doesn’t help you identify where your risk management processes might need a little work.
You need to look at and track how risk is managed to do that. This is where risk management metrics come into play. You can better understand risk exposure for a project, a program or the business overall if you have a sense of whether risk in the business is being effectively managed.
Risk Management Metrics & The PMO
The PMO has a role to play in aggregating information from all projects to provide a view of the risk exposure across the portfolio.
You can use project management software tools to surface risks and display them in a way that improves risk awareness. Tools like Adrega PI can extract information from P6 to show it in a dashboard format that executives can quickly scan. However, that kind of dashboard reporting generally looks at the highest risks themselves and not how risk management is being done. You can easily add reports to your reporting bundles to look at risk management metrics in a more granular way.
Before you can report on anything, you need to establish what is valuable to your organization. The PMO should have some input into which risk management metrics, if any, should be tracked at the department or portfolio level; your business’s risk management maturity level may dictate that this isn’t something you can do right now.
Here are seven measures that you could adopt to help you take a view of the effectiveness of risk management in your organization.
7 Risk Management Metrics
Before we list the metrics, take note that you won’t be able to track all of these all the time. Some of them are only relevant once a risk happens and becomes a real-life issue to the project.
1. Number of risks identified
This is a relatively easy measure. You can track the number of risks identified per project or program. There is no ‘right answer’ to how many risks a project should have identified. It completely depends on the type of project. A project you have carried out many times before will be low risk. A project with multiple areas of complexity using a methodology that is new to the team will inherently be riskier. However, this measure is useful for comparing projects where the PMO can apply some basic principles. If you know that two projects are similar in many respects (like duration, priority, complexity) then you can assume they would have around the same number of risks. If one project manager has identified 90 risks and the other project manager has identified 19, you would be justified in comparing how robustly they are doing risk analysis on the project.
2. Number of risks that occurred (i.e. became issues)
You can also track the number of risks that materialize and turn into ‘real-life’ issues on the project. Hopefully there aren’t that many. However, this measure can also tell you whether risk analysis is being done thoroughly. For example, if lots of risks are tracked that then turn into issues, you can give the team credit for spotting that these things might cause problems. If lots of risks are tracked but none turn into issues, this could mean that the team is tracking the wrong things: issues pop up out of nowhere and never make it on to the risk log.
As with all of these metrics, you need to consider the narrative around the metric to get the full picture.
3. Number of risks that occurred more than once
This can be a sign that lessons aren’t being learned. If a risk occurs multiple times, across the same project or several projects, it can show you that teams aren’t learning from past experience.
4. Predicted Risk Severity compared to Actual Severity
When a risk occurs and becomes an issue, you’ll be able to see how much of an impact it had on the project. Comparing predicted severity to actual severity can be a bit of a professional guess, but it’s worth giving it a go. It’s interesting to see whether your risk mitigation plans had the impact you expected in reducing the risk. You can look at whether residual risk was adequately identified and managed too.
5. Number of risks that were not identified
How do you track something you didn’t know was going to happen? This is a tricky one! Think of it as a way to track issues that occur that should have been flagged as a risk but weren’t. Look at the number of issues on the issue log that could have been foreseen but bypassed the risk stage.
6. Cost of risk management
You can track actual spend on risk management activities against forecasted spend. This is a really interesting one for future projects because it can help you estimate the cost of risk on new projects.
7. Number of risks closed
Track how many risks passed by without happening, whether you took active measures to manage them or not. This can be a counterbalance to the number of risks identified. If you identify a lot and close a lot, you can work out the key risks facing the project. This measure is also a sign that active risk management is happening during the project. A large number of identified risks and no closed risks shows that risk analysis was carried out at the start of the project and then not followed up throughout the project lifecycle.
You can include risk management metrics in your project closure report, and you should. However, to be able to take any practical steps to better risk management, or for spotting trends, you should be looking at your key metrics long before you write the project closure report.
Some of the metrics above can only be calculated at project shutdown, but where you can track measures across a project or program on an ongoing basis, that is better. It gives you a chance to spot trends, compare projects on a more real-time basis and do something about the data you uncover to help improve risk management across the organization.