Project Management Institute

What every executive needs to know about project risk management


Executives, even those who are in control of project-oriented organizations, do not need to know the PMBOK® Guide (2000) processes of project risk management, how to conduct a SWOT analysis or what software will simulate a schedule in MS Project. They hire assistants for these purposes. Executives do need to know, however: (1) that there is a discipline of project risk management that helps assure project success, is not optional, and can be learned, trained or hired; (2) what risk management can do for their organization; (3) what will happen to their projects if they do not use risk management; (4) how they can make risk management successful in their organization; (5) what the barriers to successful risk management in their organization are; (6) what they should tell the customer about project risk; and (7) what they should do first.

There is a Discipline of Risk Management

Many executives of project-oriented organizations do not even know that there is a project risk management discipline. They would know what a physicist, professional engineer, doctor or even accountant is supposed to know. But, many project-oriented organization executives are a little vague on the term “professional” as it applies to project management. That term is even further removed as it may apply to project risk management.

Organization executives appear to be willing to let their project managers (PMs) muddle through their projects leaning on the force of their personality. The PMs are learning, on the job, the partial lessons from others who did not really get a good grounding in project management as a discipline in the first place. The ideas of a sound Project Charter, Statement of Work, Work Breakdown Structure, CPM Schedule, Earned Value—basically, the items presented in the PMBOK® Guide—are mysterious and seem a little too advanced, organized or hard for them. Project management does not seem to be too difficult, certainly not like brain surgery, for which you need to go to school, have mentoring and then practice, study and continue to learn. Executives also expect brain surgeons to take responsibility for their mistakes, a concept that is foreign to some when it is applied in the project management world.

These same executives may have an appreciation that project risk exists and it may have even caused a project or two to fail in the past. They know that they should identify and handle risks, and that doing so in advance would be a good idea (except for the “fire fighters” who thrive on project emergencies). Still, the idea that there is an organized body of risk management processes, tools and techniques is vague at best to many executives.

The first item on the executive's project risk management agenda, then, is the recognition that there is a discipline that includes processes, tools, techniques, a mind-set and an organizational approach (see below for examples of these). It is the understanding that there is a body of knowledge that is established but always moving, that practitioners can learn and practice this profession and that they can get professional help in identifying, analyzing and mitigating their risks. It includes the notion that they can expect something from the discipline, which is not yet and may never be perfect, but that it is not optional for their projects. These same executives do not need to know the practice of risk management in detail, but they need to be aware that it is a serious effort and expect it to help achieve better results.

Knowing that the discipline exists, the executive will insist on assurance that risk management is being conducted in a disciplined and professional way early in the project and that the project manager and teams are pursuing those mitigating actions indicated. The executive will make the organization pursue an explicit risk management strategy. Knowing that risks are being dealt with, not dealing with individual risks, is the job of the executives of the organization. They need to know that the questions are being asked and answered honestly, clearly and in advance of the problems.

What Can Risk Management Do for the Organization?

Project-oriented executives need to recognize that risk management helps improve project performance. Risk identification and analysis look ahead and provide the explicit framework within which to answer the questions that executives, and even many project managers, typically fail to ask: What would make us fail? Will we pass this test and what would be the consequences if we fail? How can we improve our chances of passing or reduce the impact of a failure if it occurs? What are our major issues that would cause the project to miss the plan? What should we do about these risks? What are our backup plans if the first plans fail?

Risk management addresses these questions and helps the project manager identify what to do to combat threats to project success and to capture for the project those opportunities that will help. The organization needs help to get where it is going (project success); risk management provides that help by identifying where the organization is now (how deep is the swamp?), where it might go in the future (is the water rising or falling?) and what is causing it to go off course (which alligators are closest?).

Early and continuous application of risk management provides the greatest chance that risks can be dealt with. A couple of examples may add to the anecdotal evidence that risk management helps provide success.

In one Y2K project, the problem was, of course, schedule, i.e., completion on time. That project had failed in two prior attempts to hold to schedule. An experienced PM who was then assigned was given the charge not to fail the third time because the consequences were too severe. He ordered a schedule risk analysis and the steering committee concurred. The results indicated that even the new schedule was 75% likely to be overrun, but that an additional few months would reduce that figure to 25%. The steering committee was pleased with the disciplined approach and granted the relief. The project completed, not without major effort, within the new deadline, and the PM was promoted.

One aerospace contract was following a seriously failed project for the same customer. The PM ordered a risk analysis of the schedule. It brought some reality to the assessment of the first project deliverable, which was 2.5 years away at the time. Instead of the two months of float the PM had been told he had (and was suspicious of), the schedule had perhaps a five-month “problem” at some level of certainty. With that information, and the identification of where the schedule was most at risk, the PM took risk mitigation steps and ordered the team leaders to develop others in their own areas. As a result, the project finished within a month of schedule and under budget. The PM was assigned to manage more, larger projects in trouble (this is a reward?).
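The two schedule anecdotes above report the output of a quantitative schedule risk analysis (a deadline that is "75% likely to be overrun", a few more months reducing that to 25%) without showing how such figures are produced. The following is an added example, not code from the paper or from PMI: it runs a Monte Carlo simulation over a small constructed task network with three-point (minimum, most likely, maximum) duration estimates, and reports the probability of overrunning a given deadline and the deadline that would be needed for a chosen level of confidence. The task names, dependencies and estimates are assumptions made for illustration.

```python
import random

# Constructed example network (not the paper's project data).
# "est" is (minimum, most likely, maximum) duration in months;
# "pred" lists the tasks that must finish before this one starts.
TASKS = {
    "design":    {"est": (2.0, 3.0, 6.0),  "pred": []},
    "build":     {"est": (4.0, 6.0, 12.0), "pred": ["design"]},
    "procure":   {"est": (3.0, 4.0, 9.0),  "pred": ["design"]},
    "integrate": {"est": (2.0, 3.0, 7.0),  "pred": ["build", "procure"]},
    "test":      {"est": (1.0, 2.0, 5.0),  "pred": ["integrate"]},
}


def _topological_order(tasks):
    """Order tasks so every task appears after all of its predecessors."""
    order, done, remaining = [], set(), dict(tasks)
    while remaining:
        ready = [n for n, t in remaining.items() if all(p in done for p in t["pred"])]
        if not ready:
            raise ValueError("cycle in task network")
        for name in ready:
            order.append(name)
            done.add(name)
            del remaining[name]
    return order


def project_finish(tasks, durations):
    """CPM forward pass: each task starts when its last predecessor finishes."""
    finish = {}
    for name in _topological_order(tasks):
        start = max((finish[p] for p in tasks[name]["pred"]), default=0.0)
        finish[name] = start + durations[name]
    return max(finish.values())


def most_likely_finish(tasks):
    """The deterministic schedule: every task takes its most likely duration."""
    return project_finish(tasks, {n: t["est"][1] for n, t in tasks.items()})


def simulate(tasks, runs=10000, seed=1):
    """Monte Carlo: sample each duration from a triangular distribution
    over its three-point estimate and record the project finish per run.
    Returns the sorted list of finish times (in months)."""
    rng = random.Random(seed)  # fixed seed keeps the results reproducible
    finishes = []
    for _ in range(runs):
        durations = {}
        for name, task in tasks.items():
            lo, ml, hi = task["est"]
            durations[name] = rng.triangular(lo, hi, ml)
        finishes.append(project_finish(tasks, durations))
    return sorted(finishes)


def prob_overrun(finishes, deadline):
    """Fraction of simulated runs that finish later than the deadline."""
    return sum(1 for f in finishes if f > deadline) / len(finishes)


def deadline_for_confidence(finishes, confidence):
    """Deadline that the project meets in `confidence` fraction of runs."""
    idx = min(len(finishes) - 1, int(confidence * len(finishes)))
    return finishes[idx]


if __name__ == "__main__":
    plan = most_likely_finish(TASKS)
    fin = simulate(TASKS)
    print(f"most-likely (CPM) finish: {plan:.1f} months")
    for deadline in (plan, plan + 3, plan + 6):
        print(f"P(overrun) with deadline {deadline:.1f} months: {prob_overrun(fin, deadline):.0%}")
    for conf in (0.5, 0.75, 0.9):
        print(f"deadline for {conf:.0%} confidence: {deadline_for_confidence(fin, conf):.1f} months")
```

The most-likely schedule is not the expected one: because the three-point estimates are skewed toward the long side and two parallel paths merge before integration, the CPM date is overrun in most runs, which is the situation the Y2K anecdote describes. The deadline a steering committee would have to grant for a given confidence is read directly from the sorted finish times.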

Unfortunately there is not an agreed upon body of research that tests the notion of a return on investment (ROI) for project risk management. Anecdotes will help, but sometimes the executive just has to believe.

What Will Happen if I Do Not Deal Effectively With Project Risk?

Project plans very rarely incorporate the possibility of failure even when the project is new, challenging and crucial to the organization's future. The practice of project management by “crossing your fingers” is practiced too frequently. Major decisions are often made by instinct or “seat of the pants,” often with disastrous results.

Often projects are underbid by organizations that believe that somehow things will work out. The results may be, somehow, worse if they lose the business by submitting a realistic bid. Competitors are out there to get the business if we don't, and a realistic bid will just not win the job. Organizations forget the risk they are creating from the very beginning of a project if they estimate a bid that will win, whether it is practical or a hope or dream. Or, the customer has just so much money and if the company does not bid that amount it will not get the business, its resources will be idle, and it will lose market share. Companies need to promise “the moon” even if they have no clue how to deliver the performance, and we must agree to finish the 24-month project in 15 months or we won't win.

When sales people are involved in creating the contract the outcome may be even worse. The sales person understands the project and the company's capability. But he or she also receives a commission on signing the contract rather than on the successful technical and financial completion of the project. The typical reaction of the project performers is that the contract that was sold and signed is so optimistic as to be unachievable. When this occurs, the risks are all on the negative side and failure is in the air from the beginning.

The typical organization gets into trouble bidding inconsistent objectives (the triple constraint) and risk management would help identify those problems. Without conducting risk management, any of these projects are headed for disaster and cannot be completed successfully from the very beginning. If the organization does not examine the risks up front, it may accept the wrong projects at unreasonable budgets and schedules and not even know it until it is too late to do anything about it.

Risk management cannot work if the PM does not take action based on the findings and recommendations of the risk management process. One anecdotal report can make this point.

A cost risk analysis report was presented to the PM. It identified that some 30% of all the cost risk was in one area of the project. The PM was told of this, and that the risk was real. He indicated that he would do something about it, but did not. In fact, the risky segment of the project was greatly overrun and the other project segments were “taxed” to fund the overrun. The manager of that segment was fired, when it might have been more appropriate to fire the PM who ignored the results of the risk analysis.

How Can I Make Risk Management Successful in My Organization?

The main ingredient in making risk management successful is the commitment of top management to professional, disciplined risk management. After that, other things can be accomplished. It is clear that many organizations view risk management differently than cost estimating, scheduling, scope change control and the other more traditional project management disciplines. Risk management may be viewed with suspicion as being mysterious, using unfamiliar concepts, looking too much like college statistics, being too specialized, too advanced or just plain optional.

Risk management maturity requires a culture that is committed to honesty and probing inquiry on the subject of project risk and acting on the recommendations. This is not as easy as it would appear. Still, organizations need to have some time, coaching and mentoring in risk management in order to be successful in implementing a new way to look at projects.

One thing executives can do is to make sure the practice of all processes of project management is as professional and seriously pursued as appropriate. Organizing for project success is an important step in risk management. For large projects or an organization with many projects, this may require a professional Project Office. For smaller projects the PM and staff will perform the project management disciplines by themselves. The knowledge areas of the PMBOK® Guide form a good framework for the practice of professional, effective project management. A respected, experienced member of PMI once said that good project management is good risk management. Failure in applying the disciplines of project management other than risk management will greatly increase the risk of failing to achieve the project's objectives.

Project risk analysis presents a special case of organizational issues. Risk analysis, whether qualitative or quantitative, is an exercise in honesty and objectivity (even if dealing with data about the future—remember, there are no “facts” about the future). Unfortunately, many PMs are notoriously optimistic about their projects, to the point of denying that risk exists. It is hard to assess risk if the source of the data or the manager of the risk analysis is in denial. Other PMs are committed to trying to bias the results of the risk analysis so they can temporarily look good or in pursuit of other agendas. The executive may have to consider tasking an independent organization, say the corporate engineering department, with the risk identification and analysis (quantitative or qualitative) function. This department should report to the Board or a corporate project portfolio committee and have the power and responsibility to override the objections of the PM in gathering data about his or her project. Of course, planning and executing risk mitigation actions has to be in the PM's job description.

Executives need to understand the difference between a plan and certainty. They should be modest in their appraisals of the quality of the data, plan or commitment the staff and other project participants produce. Sometimes the project will not go according to plan, even with the best efforts, because the project has more risk or different risks than anticipated. Project management by punishment does not reward hard work and loyalty any more than it rewards blind luck.

Risk identification, analysis and mitigation can be accomplished best in an organization where risk management is a part of the job. Make risk management just as much a part of the job as any other project activity. Establish a charge number for risk management activities so project participants do not have to do risk management tasks after hours, or if they do risk management during the workday they do not have to stay late to complete their “real work.”

Establish a culture in which risk management is part of the periodic meetings, briefings and interviews the top management conducts. In addition, an executive should show the project teams that the risk management work is taken seriously by making project decisions based on the results of the risk management processes.

What are Some of the Barriers to Successful Risk Management?

The first barrier an executive encounters is that most people view “risk” as a four-letter word with only adverse consequences. Most people or organizations do not like to discuss “bad news.” Advanced company executives will make risk management a search for opportunities as well as threats. If so, the organization can capture opportunities and that is potentially good news. Could the reallocation of resources, or insulating the participants from outside distractions shorten the project? Have we assigned our best PMs to the riskiest tasks or projects? Are there opportunities that require executive decisions? Have we made those decisions in a definitive and timely way?

Many executives and PMs play “shoot the messenger,” making it very unpleasant to bring up bad news. The organization catches on quickly to this practice and stops communicating about risky issues to the PM and the executives. Most people do not want to hear of problems if they will have to do something other than what they had planned, such as reallocate resources or make difficult decisions (go to Plan B) in response. They may have to tell some superior or even the customer that there are problems, and this will lead to unpleasant discussions, penalties and lost business. For many executives, the customer will get angry and shout at them, literally, making the knowledge of bad news a bad idea. If the customers react badly to unpleasant news, immature executives and project managers may avoid the news or shade it in ways to make it unintelligible.

Even when people want to discuss project risk honestly, if they do not have experience doing it they may not be good at it. One barrier to good risk identification and analysis is that risk is often a new concept for the staff. People who try to discuss it for the first time usually underestimate the risk in the project. For instance, they may estimate that the risk of failing a test is 3% when, on reflection and after more experience and thought, it should have been assessed at 30%. If the project executive is not mature in the risk management area, this change in data may be unsettling and a cause to get cold feet about the whole process, feeling that it is fundamentally flawed. The mature executive will see that, just like the other professions mentioned above (doctors, engineers, accountants) some training and learning is needed to make risk management successful.

Another barrier to good risk management is that most organizations do not have risk management expertise or units dedicated to addressing risk in the project. Resources are scarce and risk management, while a bona fide PMBOK® Guide process, is often viewed as optional and sometimes a bad idea. Relying on luck to get us through a risky project is also a bad idea.

What do I Tell the Customer (Internal or External)?

Many customers “do not want to hear bad news” or they react badly when they hear about project risks that remain after mitigation. Because of this, some executives will specifically request a risk analysis and then not use its results. Executives often do not disclose the results but this is not because they believe them to be false or the process unprofessional. Often the executive will not discuss risk with the customer because there is so much risk that it will cause trouble with customers and other stakeholders.

Some customers just react badly to adverse news, and it is the executive's role to prepare them for it and to make the communication effective.

In other cases, competitors may hide their own risk. In many of these cases the executive may fear that the customer can be fooled about the risk or will accept the lowest bid whether they truly believe the estimates or not.

One of the response options, of course, is to accept the right risks, those that cannot be economically mitigated and that fall within the organization's risk acceptance. So, the executive may also have to tell the customer, internal or external, about the accepted and real problems of the project instead of hiding the results. To do this effectively, the executive needs to know that the risk management practiced is appropriate and rigorous.

A mature executive will go on record with the customer and other stakeholders about the true risk in the project, preferably after the mitigation plans have been agreed to and funded. The executive will educate them about the risk identification, analysis and mitigation processes and convince them that these processes are helping the project. The data collection processes are also explained. Once this is done, the results are more understandable. Often the customer (internal or external) becomes a believer when the process and results are carefully and fully presented. Sometimes the external customer requests to become part of the risk analysis process in order to learn how to do it on subsequent projects. Internal customers may choose to apply the processes of risk management to their own projects.

What Should I Do First?

The first thing to do is to make the organizational commitment to do risk management. Then, identify and fund staff to develop the risk management process and establish standards and procedures. The process should be adapted to the organization and then made a standard operating practice. Budget and training will be required to make this unit effective. As risk management becomes part of the process the organization becomes more proficient at it and can move into the more sophisticated quantitative analytical practices. Always, the organization must be grounded on a complete set of processes, from Risk Management Planning to Risk Monitoring and Control.

The next action would be to identify a project manager who wants to be a champion for risk management in the organization. The project chosen for piloting the new process should not be the most visible and risky “show stopper” in the organization. Use this project as an example to: (1) develop, test drive and debug the risk management process, and (2) establish a success story for the rest of the organization.

Project managers will adopt something that they know works more easily than something they are told to adopt by the executive. Roll out the process to the entire organization only after it has had its trial and has helped. Make sure it is tailored to the different types of projects the organization sponsors. Finally, establish the practice of collecting data on project risks from the beginning for the benefit of projects in the future.

Plan carefully for the introduction of risk management to the organization. Do not expect to be proficient in risk analysis and management the first time it is attempted. Remember that engineers, scientists, teachers, doctors, and other professionals needed both formal training and practical experience to become good at what they do. This is not brain surgery and people will become accomplished rather quickly, but provide both an expectation of excellence and a supportive environment within which to achieve it.


Executives play a pivotal role in making risk management work in a project-driven environment. They have to understand that risk management is a required discipline, even a profession. They have to understand what risk management can do for their projects and what might happen, or is already happening, without that formal risk management process. They need to know what they should do to make risk management successful in their organization and the barriers to such success, which they have to overcome. They will have to handle risk management externally, too, with artful and candid presentations to the customers and other stakeholders. Finally, they have to introduce risk management to the organization in a way that is likely to succeed.

Project risk management is a powerful tool on the level of cost, time, and scope management for assuring project success. The organization or company executive plays a pivotal role in making it effective.

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI or any listed author.

Proceedings of the Project Management Institute Annual Seminars & Symposium
October 3–10, 2002 • San Antonio, Texas, USA


