Project Smart ~ Exploring trends and developments in project management today


The Seven Deadly Sins of Risk Management

~ By Kareem Shaker


Risk management is the heart and soul of project management. Failing to practise it properly can have fatal consequences for projects and programmes. Putting real effort into the planning stage can save the entire investment and increase the likelihood of project success. However, planning alone is not enough if risk monitoring is not taken seriously. These are the seven deadly sins of risk management and the preventive actions you can take to avoid them.

1. Disregarding Enterprise Risk Management

Enterprise Risk Management (aka ERM) specifies the processes, frameworks, and methodologies an organisation uses to identify and manage enterprise risks of all types, such as operational, strategic, financial, and compliance risks. The project manager has to consider the enterprise-wide risks and study what threats the organisation is likely to encounter during the project's lifetime. Consulting the Chief Risk Officer (CRO) before and while building the risk management plan can have a mammoth impact on the way the project management plan is developed. Project risk management has to be congruent with ERM, since ERM governance can dictate the documents to be delivered, the probability/impact scales, the risk appetite, and the risk management software to be used. The Project Management Institute refers to these as Enterprise Environmental Factors (EEF).

2. Using Incomplete Risk Breakdown Structure

The Risk Breakdown Structure (RBS) is the catalyst for identifying large numbers of risks. Risk management teams use it to identify risks and stimulate the minds of the stakeholders who will be participating in the risk identification stage. An RBS can be developed by listing all the root causes of potential risks. The RBS depends heavily on the project domain. Every industry has its own associated risks. Risks that are valid for a software project may not be applicable to a construction project. The project manager can start with a template from a known body and customise it based on previous project history and project-specific risk categories.

3. Ignoring Subjectivity

Subjectivity can make risk management lose its essence. You will find that risk-averse stakeholders will identify large numbers of risks; in contrast, risk takers may be oblivious to real risks. It is important to mediate these conflicts during risk identification.

The risk identification process is essential to successful risk management. I believe that identifying risks will always get 60% of the job done, and the rest is sort of "Just Do It!" There are different information gathering techniques to solicit stakeholders' input. The perpetual problem of risk management information is subjectivity. Different people will perceive risks in different ways. For instance, a financial risk may not grab a technical manager's attention, and a technical risk is very unlikely to be deemed a risk by a financial manager. It is the responsibility of the risk management team to remove subjectivity and ensure the quality of risk information. Subjectivity can be avoided by using the Delphi Technique, as it keeps the views of different subject matter experts anonymous, even after the identification phase is finished.

4. Assigning All The Risks to The Project Manager

Successful risk management can never be a one-man army. The risk management team has to set clear expectations and inform subject matter experts, stakeholders, customers, and team members of what is expected from them. The ownership of risks has to be communicated to the risk owners. The project manager has to follow up on the status of assigned risks, and the risk owner has to report risk status updates on a frequent basis. The project manager should not be the only individual who owns risks. Potential risk owners may be reluctant during the risk identification stage, fearing that they may be made responsible for the risks they identify. Creating a risk management RACI Matrix (Responsible, Accountable, Consulted, Informed) will ensure roles and responsibilities are clearly identified and communicated.

5. Neglecting Risk Management Benefit Cost Analysis

Not all risks have to be managed; some risks just need to be accepted. The response strategies for negative risks (yes, there are positive risks, those are known as opportunities) are Avoid, Transfer, Mitigate, and Accept, but oftentimes the acceptance strategy is never considered. Risks have to be accepted for two main reasons: the first is the infeasibility of the first three response strategies, and the second is an unfavourable benefit cost analysis. For instance, if the loss value is much smaller than the benefit gained, due to implementing a control, it would be rational to accept the risk; otherwise you would be paying $100 to save a $60 risk.

6. Misusing Contingency Reserve

Contingency reserve can only be determined after the project manager has had multiple revisions of the project management plan. Contingency reserve should only be used when a planned risk (aka known unknown) materialises. The contingency reserve should not be used for any unplanned risk (unknown unknown). The unplanned risk can only be handled by the management reserve. It is also not right to use the contingency quota of one risk at the expense of another risk, unless the latter has already become void.

7. Doing it Once

Risk management is an iterative process and should be practised in all project stages, from inception to closure. It is not right to do it during the planning stage only, nor is it right to stop looking for new risks during the execution phase. Many project managers conduct risk identification at the beginning of the project, and shelve risks until they turn into issues. The project manager should elevate the culture of risk management and ask team members to report new risks. The new risks have to go through the process of analysis and response strategy planning. The project manager has to revisit the reserve balance and make sure that no risk is left without contingency. It is also important to put risk management on the agenda of frequent progress and status update meetings.

These are the seven deadly sins of project risk management as I could identify them. It would be great if you can share your experience and articulate what could be a sin in risk management from your perspective and how to avoid it.

Kareem Shaker, PMP, is a project manager at Dubai World. He has over 10 years of experience in IT projects, consulting, and pre-sales.

