Unusual Ways to Categorize Risk
The risk identification stage of any project is a great opportunity to brainstorm and review all the things that may present problems later on. However, what you end up with afterwards is a giant list of risks.
It’s even worse when you combine risks at program or portfolio level and try to prioritize. How do you know what to focus on?
A giant database of risks from multiple projects is hard to manage. The risks have probably been entered in a random order as project managers sent them to the PMO, and it’s tempting to start your risk reviews at the top of the list and work down. You already know that isn’t going to be the best use of your time.
The answer is to categorize risks and use that as a way to help prioritize them. Then you can spend your time on the risks that have the most potential to derail your projects, programs or portfolio. You’re probably used to grouping risk by owner, department affected, deliverable affected and so on. In this article, we’re looking at three more unusual ways to group risks to make them easier to manage:
- By the nature of the risk
- By level of risk
- By how much you know about them.
Let’s look at those in detail now.
By the nature of the risk
What kind of risk is facing the project? There are loads of ways to answer that question, but when we’re talking about the nature of risk, we want to categorize them in one of two ways:
- Pure risk
- Business risk.
A pure risk is where there’s definitely a negative outcome, should the risk occur. For example, your warehouse floods and all your stock is lost. There’s not a silver lining to that cloud.
Business risk is more speculative: where you take a chance on something and it might result in a loss, but you could also potentially gain something. At a portfolio level, this kind of risk is relevant to new and innovative product launches that may go well or that may flop.
This is one way to categorize risk at the PMO or portfolio level. The approach to dealing with each of these types is going to be different. For example, with a pure risk you will focus your energy on mitigating actions. With business risk, you can take more chances. Your action plan will prioritize doing what you can to make the risk a success, while also minimizing the chances of any potential loss.
You’ll have both types of risk in your portfolio, and you can create some useful dashboards highlighting the split as a way to start a conversation about risk appetite.
By the level
Next, you can categorize portfolio risks by the level to which they are affecting the work.
Create a list of levels – a hierarchy of impact. For example:
- Work package risk: a risk that only affects an individual work package. These would normally be managed by the project team but under certain circumstances they may be escalated so that the PMO is aware of them for aggregated reporting.
- Project risk: a risk that affects one project.
- Program risk: a risk that affects a program.
- Portfolio risk: a risk that affects the whole portfolio. It could be a set of aggregated risks from the other levels, or a risk that truly does have the potential to affect the portfolio.
When you look at what level of the project ecosystem is going to be affected by a risk, you can make smart decisions about how best to respond to and manage it. For example, you could have a project risk workshop to dive into risks affecting a single project. Portfolio level risks can be aggregated and reported on to senior leaders, whereas work package risks would normally be managed without any escalation.
Use your risk management and portfolio management tools to flag and group risks so that the right audience gets information about the things they need to take action on.
By how much you know about the risk
Finally, you can look at how much you know about any given risk at this point in time. This way to categorize risk can help you invest the right amount of time in areas where more analysis is required.
Group risks by whether you have the full picture and have completed the analysis, whether analysis is ongoing, or whether you know nothing about the risk yet and have more work to do.
Risks are dynamic, and the PMO should keep them all under review at portfolio level. However, you can get to a point where the picture is clear for certain risks and is unlikely to change.
It’s also worth considering what risks you know nothing about – literally nothing, not even that they exist at all. You obviously can’t plan in detail for what you don’t know, but you could create a contingency plan at portfolio level for unknown risks: allocate a risk budget to deal with potential problems that might crop up in the future.
There are lots of ways to make portfolio risk management easier, and a risk management checkup is a good starting point for finding out if you are managing yours in the most effective way. The more you know about the risks facing your project portfolio, the easier it is to make the right decisions about how to balance and address them.