Project Risk

Humans have been undertaking projects for millennia, with more or less formality, and with greater or lesser degrees of success. We have also recognised the existence of risk for about the same period of time, understanding that things don’t always go according to plan for a range of reasons. In relatively recent times these two phenomena have coalesced into the formal discipline called project risk management, offering a structured framework for identifying and managing risk within the context of projects. Given the prevalence and importance of the subject, we might expect that project risk management would be fully mature by now, only needing occasional minor tweaks and modifications to enhance its efficiency and performance. Surely there is nothing new to be said about managing risk in projects?

While it is true that there is wide consensus on project risk management basics, the continued failure of projects to deliver consistent benefits suggests that the problem of risk in projects has not been completely solved. Clearly there must be some mismatch between project risk management theory and practice, or perhaps there are new aspects to be discovered and implemented, otherwise all project risks would be managed effectively and most projects would succeed.

So what could possibly remain to be discovered about this venerable topic? Here are some suggestions for how we might do things differently and better, under four headings:

1. Principles
2. Process
3. People
4. Persistence

Problems with principles

There are two potential shortfalls in the way most project teams understand the concept of risk. It is common for the scope of project risk management processes to be focused on managing possible future events which might pose threats to project cost and schedule. While these are undoubtedly important, they are by no means the full story.

The broad proto-definition of risk as “uncertainty that matters” encompasses the idea that some risks might be positive, with potential upside impacts, mattering because they could enhance performance, save time or money, or increase value. And risks to objectives other than cost and schedule are also important and must be managed proactively. This leads to the use of an integrated project risk process to manage both threats and opportunities alongside each other. This is more than a theoretical nicety: it maximises a project’s chances of success by intentionally seeking out potential upsides and capturing as many as possible, as well as finding and avoiding downsides.

Another conceptual limitation which is common in the understanding of project risk is to think only about detailed events or conditions within the project when considering risk. This ignores the fact that the project itself poses a risk to the organisation at a higher level, perhaps within a programme or portfolio, or perhaps in terms of delivering strategic value. The distinction between “overall project risk” and “individual project risks” is important, leading to a recognition that risk exists at various levels reflecting the context of the project. It is therefore necessary to manage overall project risk (risk of the project) as well as addressing individual risk events and conditions (risks in the project). This higher level connection is often missing in the way project risk management is understood or implemented, limiting the value that the project risk process can deliver. Setting project risk management in the context of an integrated Enterprise Risk Management (ERM) approach can remedy this lack.