Risk awareness and risk tolerance are only referred to in abstract terms when described with project management, but they can have a large effect on how project risk is managed and how decisions are made during the project. By increasing the risk knowledge and awareness of the project team members and stakeholders involved, the project manager can leverage their eyes and ears to a much greater extent and has a higher chance of project success as a result.
By looking at what factors influence risk awareness, we can see how these contribute to the overall performance of the project and what can be done to increase the level of risk awareness of your project team members and other project stakeholders.
Risk awareness and risk tolerance are only referred to in abstract terms when described with project management but they can have a large effect on how project risk is managed and how decisions are made during the project. By increasing the risk knowledge and awareness of the project team members and stakeholders involved, the project manager can leverage their eyes and ears to a much greater extent and has a higher chance of project success as a result. This paper seeks to define and analyze risk awareness, so that the overall performance of the project may be improved.
What is Risk Awareness?
There is no formal definition for “Risk Awareness.” Formally, there are no entries in dictionaries, standards, or even Wikipedia. Anecdotally, there is an assumption that it is the knowledge of a risk management. Within project management, this implies an awareness that risk exists within the project. By conducting an Internet search, we find a few examples from different sources.
From Associated Programme on Flood Management (APFM) (http://www.apfm.info/pdf/ifm_tools/Flood_Emergency_Management.pdf):
- To recognize the risk (accept the possibility)
- To understand the mechanism and the impact
- Not to forget or to repress it
- To take into account when acting
From Enterprise Risk Management – From Incentives to Control (James Lam, 2003):
- Proactively identifying the key risks for the company
- Seriously thinking about the consequences of the risks for which he or she is responsible
- Communicating up and down the organization those risks that warrant others’ attention
From The Owner's Role in Project Risk Management, page 20 (National Research Council of the National Academies, 2005):
- Unremitting attention by the owner's management and demonstration of the management's commitment to this issue at every opportunity
- To keep repeating the message over and over until it becomes part of the culture
Note that these definitions are not simply being aware of risks or being educated on risk management. There are several key points in the above definitions, namely
- Not to forget or repress risks
- Communicating risks that warrant others’ attention
- To become part of the culture
This paper proposes a definition specific to project management:
“Risk awareness is the raising of understanding within the population of what risks exist, their potential impacts, and how they are managed.”
The project risk management process of identification, analysis, response and monitoring and control is encapsulated within this statement; but, more importantly is the descriptor “raising the understanding.” “Raising the understanding” incorporates communication, cultural change, and accountability. This is more than simply knowledge; these are the additional behaviors that a project manager seeks in his or her project stakeholders, over and above management of project risks. Training itself can increase the knowledge of risk management, but not necessarily risk activity or action.
What Risk Awareness Affects
Risk awareness affects many project areas:
- Knowing the full process and risk strategy
- How to better recognize and identify risk
- Knowing to develop risk responses
- Taking risk ownership
- Normalizing group risk tolerance
- Communicating risk
- Having risk as top of mind
Although the project manager has overall accountability, this is not the same as overall responsibility. There are several areas in which heightened risk awareness can assist the project manager. First, it is important to remind ourselves who is responsible for project risk management. The project manager is ultimately accountable for risk management within the project, but there are several other stakeholders who must share responsibility:
- Project team –the team must contribute to the process
- Business analysts – this specific role has been highlighted from the team because of its typical relationship with end users or clients
- Project sponsor – the sponsor must not take a passive role for project risk management
- Customer – the customer must also take a more active role in the management of risks
These are the “typical” stakeholders on a project, but there are more that should be considered as necessary participants:
- Project Management Office – while many PMOs do collect project reports, it is strongly recommended that they review beyond the superficial and perform deeper dives
- Functional Managers – often functional managers' areas are a source of risk, since resource availability is always a major constraint
- Management – like the PMO, they must share responsibility for project risk management
- Risk Project Manager – if an organization has an Enterprise Risk Management function, a Risk Project Manager will be involved
The more a project manager can use these project resources in the risk management process, there is a greater likelihood of successful project delivery. However, there are many occurrences when these stakeholder groups have knowledge of a risk management process, but still do not contribute, thus leaving the burden of responsibility of performing risk management on the project manager.
The following lists the benefits of increased risk awareness among these stakeholders. (It is important to note of the assumption that these stakeholders have knowledge of the risk management process, and that they have a higher level of risk awareness).
By having a greater understanding of their specific roles and responsibilities in risk management, stakeholders will be able to understand their accountability; this is exhibited by increased participation in risk identification (below), increased assumption of risk ownership and more proactive thinking.
Typical risk identification efforts concentrate on an experience “burn list”; that is, all previous project risks that became realized project issues. While this is a good start, it is a limited view, whereas there are far more risks that can be identified. Having greater risk awareness will assist stakeholders at looking beyond their own experiences and find additional risks. Another improved trait is that stakeholders will be able to better recognize risks as they appear, instead of waiting until they become issues.
As risk awareness increases, it adds new risk experiences to each stakeholder's history bank, and subsequent involvement with other projects. Greater experience results in better risk assessment and judgment
Risks attributes are comprised of probability and impact. Having greater risk awareness allows for a higher degree of accuracy in assessment. Making proper decisions (although not necessarily right) is based on having the right data and information. Risk awareness assists in development of options for risk response.
This is a corollary of making proper decisions — knowing the context of risks within the project environment can shape the approach taken for scope and risk response.
Overall, better knowledge and management of risks lead to greater efficiency and performance of team members. Team members will see better project risk decisions being made, which will result in the decrease in issues and impediments.
Risk Awareness Factors
This paper has looked at the benefits of risk awareness, but there is still a lack of understanding of what exactly risk awareness is. The following areas listed show the components of risk awareness.
The more experience one has, the more history there is to draw upon for determining risk. For example, a senior team member has more to contribute to his or her “burn list” than another colleague in the same role/title who is more junior. Speaking in probability terms, there is simply a greater sample size to draw past events from.
Technical ability is different from experience. While experience deals with past historical exposure, technical ability is more an attribute of skill level. As an example, two developers may have the same amount of experience on projects they have worked on in the past, but one has deeper technical skills. The developer with more technical skills will be able to identify more risks than the other. Similarly, a person who has a high amount of experience but a low amount of skill will not be able to contribute in the same way as a person with a low degree of experience but a high amount of technical skills. A person with more skills is better able to assess potential pitfalls or opportunities. As part of the risk identification process, project managers must appreciate and facilitate participation from both of these angles.
The definition of risk tolerance is left very open ended in many publications. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) states “organizations and stakeholders are willing to accept varying degrees of risk”, and that this is called risk tolerance. But this statement does not describe how varying levels of risk tolerance impacts risk management performance on the project.
A stakeholder with a higher risk tolerance will tend to NOT recognize risks, or be unconcerned with the risk response. It may be that the stakeholder was exposed to the same or similar risk on a past project, but the impact was small or never realized. Thus, the stakeholder would assign a bias toward this risk and may either assess it with a lower impact and/or probability, or not identify it at all, which will also affect the project decisions that are made.
A stakeholder with a lower risk tolerance will find more risks than others; however, he or she may spend more time on identifying low probability risks and/or more time preparing multiple risk responses than are likely needed. This stakeholder may also exhibit “analysis paralysis” in trying to identify all possible things that can go wrong before taking action.
Overall, having a greater range or risk tolerance among the team will lead to a higher amount of discussion on each risk before agreement can be reached. Also, if there is a difference in risk tolerance levels between the project team and with the sponsor or the customer, there will be disagreements on how to proceed with certain risks.
Even with the above factors, if a stakeholder does not or cannot communicate these risks properly, it is the same as not managing the risks. Communication is performed in written and verbal formats, informal and formal. A project manager who does not communicate risks well, will end up owning all the risks him or herself and risk management will become stagnant.
Knowledge of Risk Management
Many will assume that risk management knowledge is the only component of risk awareness. This paper places this as the last item on this list, as opposed to the first. Ultimately, knowing the risk management process, tools, and templates will aid stakeholders in identification, prioritization and ranking, response planning, and maintenance. Knowledge of the process alone does not increase the efficiency of risk management amongst the group — it must be combined with the above inputs
Risk Awareness Model
Now that the benefits and factors have been illustrated, a model can be created to describe risk awareness. The format is analogous to the ‘Input-Tools & Techniques-Outputs' structure that the PMBOK® Guide processes utilize.
Increasing Risk Awareness
Now that the model has been constructed and understood, we can now take a look at methods to increase risk awareness of our stakeholders. The area to focus on is the Tools and Techniques:
- Experience level
- Technical skill
- Risk tolerance
- Communication skill
- Risk management knowledge
Raise Level of Experience
The simplest method to raise the experience level of the project stakeholders is to staff with the most experienced resources; however, this is not always feasible, due to availability and cost concerns. There are still ways in which to raise this level of experience even without additional work experience:
- Case studies
- Lessons learned
Several of these techniques are described in more detail in the following section.
Increase Technical Skill
By increasing the technical skills of our stakeholders, they are able to identify additional risks. The methods to increase technical skills are as follows:
- Technical training
Increase Knowledge of Risk Management
Having risk management knowledge is understood in order to contribute but this method focuses on increasing that knowledge level. The methods to increase knowledge of risk management are as follows:
- Risk planning involvement
- Status meetings
- Risk identification sessions
Normalize Risk Tolerance
The key word in this tactic is “normalize.” Varying risk tolerance among is stakeholders are assumed, but in order to gain better assessment and consensus on risks, the group should have a tighter range or risk tolerance The methods to increase or decrease risk tolerance are as follows:
- Probability-Impact Matrix
- Risk level definitions
Enhance Communication Skill
The methods to increase communication skills are as follows:
- Status meetings
Tactics and Approaches
The following table illustrates where certain tactics can be applied across multiple ways to increase risk awareness in stakeholders. A particular approach may then be used efficiently to increase risk awareness.
Simulations, case studies, and examples are all very similar to each other. We are using some form of other experience, real or fictional, as a training method for stakeholders. The purpose of these approaches is to help stakeholders recognize similar situations to emulate or avoid. The topic of the simulation, case study or example can vary, depending on the area of focus. Examples of differing topics include: risk mitigation strategies, risk communications, dealing with issues and escalations, lessons learned, and ethical concerns.
While lessons learned may appear similar to the above category (simulations/case studies/examples), this specifically is geared toward the lessons learned process — i.e., brainstorming, discussion, and reflection. As part of project management best practices, as the project stakeholders discuss how the project progressed, the key elements are learned by participants. The purpose of the lessons learned approach is to add to each member's historical base and to carry that forward to other projects.
These are more of a “soft skills” approach to increasing risk management. Mentorship is used more for adding to a person's experience, as this transference of knowledge is of a more one-on-one basis — from mentor to mentee. Supervision, feedback, and coaching are used to develop more skills, from someone who is more experienced. The purpose of these approaches is to add to each member's historical base and to carry that forward to other projects.
Training (Technical/Communications/Risk Management)
Training is used to increase the skills of participants. Technical skills training will allow a team member to mitigate potential risk events prior to the training. Communication training will help a person understand what to communicate and when, and risk management training will aid in understanding the process involved, roles and responsibilities, and terms.
Risk Identification Meetings/Status Meetings
These are the more “traditional” tools that a project manager may use in the risk management process. While risk identification meetings and status meetings align to the PMBOK® Guide's Risk Management processes of Identify Risk and Monitor & Control Risk, these also serve to reinforce a culture of risk; particularly by way of team involvement in these processes. As this is repeated, risk awareness is increased.
These tactics aid mostly in the process knowledge and risk tolerance normalization. One of the biggest communication challenges in any project is having common definitions. Each person is unique and has his or her own internal definition of items, whether it be risks, estimates, changes or even what is meant by “done.” By using dictionaries, glossaries, and definitions specific to the project, we can mitigate the misunderstandings.
Checklists and questionnaires, on the other hand, can help modify or align risk tolerances to where we want. For example, in a subjective multiple-choice question with three possible answers, each answer may relate to an action dependent upon the person's risk tolerance. By suggesting a “correct” answer, we suggest to the person taking the questionnaire what course of action we prefer him or her to take, thus altering his or her original intent.
Even if the person answers “correctly,” we have essentially modified, even somewhat, the person's natural tendency, if it were different. The checklist or questionnaire can be based on previous projects, lessons learned, or standardized organizational process assets.
Probability-Impact (P-I) Matrix
The use of this tool, for risk tolerance normalization, is used in a similar method as the checklists/questionnaires above. Consider the two matrices presented below in Exhibit 4. The P-I matrix on the left could suggest a more typical rating within the organization. Perhaps there is a high priority project that might necessitate a greater amount of oversight and caution, in which case the P-I matrix on the right could be used. It would be important to show project stakeholders both matrices to reinforce that this project is different than others.
The objective of this tactic is to make stakeholders aware of the different levels of risk and how the project will treat them.
Project risk management is an area that many project managers need help with; they need the project stakeholders to actively participate in the risk management process so that the burden of ownership does not solely rest with the project manager. However, knowledge of the risk management process and not knowing the list of risks is not enough.
Increased risk awareness can share the load of the project manager with the broader team, while increasing efficiency and performance when performed well.