a review of project risk management lessons learned for increased project and organizational success
Retfalvi and Associates Incorporated
The ability to effectively manage risks significantly improves the chances of successful project execution and organizational success. Failure to do so may expose the project to unnecessary delays, negative financial impacts, and potential damage to the organization's reputation. For project-based organizations, this may further have significant impacts on strategic goals such as business growth, increased revenue, product introduction, and customer retention.
In today's environment with pressures for business growth and increased revenue, organizations must address how to ensure the proper management of project risks in order to succeed. To ensure this occurs, project managers and their staff must clearly understand industry risk management best practices, techniques, and critical success factors to achieve project success. Failure to do so may expose the project to unnecessary delays, missed opportunities, negative financial impacts, and potential damage to the organization's reputation.
A major challenge to most project managers is knowing when risks are active within their project and appreciating how to maximize opportunities among them and within the organization. The ability to distinguish and integrate the management of key or emergent risks within a project significantly improves the chances of successful program execution. The ability to further link these to qualitative and quantitative parameters increases schedule and cost confidence.
A common misconception is that risk management is supplementary to the project management set of processes. A more appropriate approach is to view risk management as core to the overall project management approach. By reviewing lessons learned from various projects, the insight gained from the derived critical success factors will assist the project manager in keeping the project team aligned and focused on the right things at the right time to increase the likelihood of project success.
The goal of this paper is to review key lessons learned from past projects and assist the reader in understanding how to incorporate these lessons and derived critical success factors as part of an overall project and organizational risk management approach.
Project staff are generally overloaded, especially at project startup, as they are actively involved in a number of simultaneous and critical tasks. Where possible, additional staff are assigned to assist the project and, due to schedule constraints or cost overrun pressures, begin supporting the project immediately to attempt to show progress and improve schedule and cost performance. As a result, project plans are generally often not read or followed.
Further, project staff tend to delay admitting that their project contains risk, as well as delay communicating risk and how to deal with the risk. The tendency is to identify risks that are outside the project manager's control because it's easy. There is also a general lack of understanding, identification, and effective management of the interrelationship and linkages between various risk areas within the project and the organization. The result is lack of focus on what is important to the project (Exhibit 1).
Exhibit 1: Project Pressures Lead to Project Confusion
Experience has shown that the previously mentioned behavior ultimately results in projects failing to meet their goals. To avoid this, it is critical that the project manager be able to understand what the key project issues and risk areas are and always be in a position to communicate these effectively to internal and external stakeholders. It is also important for executive management to be able to quickly determine where and when these concerns are active within a project.
Understanding the Basics
A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (Project Management Institute [PMI], 2008a) defines project management as the application of knowledge, skills, tools, and techniques to project activities to meet project requirements. Inherent in all projects is uncertainty. Risk is generally viewed as a state of uncertainty where some possible outcomes have an undesired effect or significant loss. A more appropriate definition of a project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on project objectives.
It is important that the project manager be knowledgeable and fully versed on the PMI project risk management principles, concepts, and processes. The six risk management processes that are recognized as good practice on most projects most of the time are shown in Exhibit 2.
Exhibit 2: Project Risk Managements Processes
A common misconception is that risk management is supplementary to the project management set of processes. A more appropriate approach is to view risk management as core to the overall project management approach. An alternate method by which to view the six project risk management processes is shown in Exhibit 3. From the experience of the author, communications and consulting others are added to the project risk management processes as a reminder and to improve the probability of success. Effective risk management is critical to project success and must be forward-looking and continuous.
Exhibit 3: Project Risk Management Alternate View with Added Communications and Consulting
A number of references, handbooks, textbooks, and courses are available for project managers to become more familiar with project risk management processes, tools, and techniques. An excellent reference is the Practice Standard for Project Risk Management (Project Management Institute [PMI], 2009), which clearly builds on the principles underlying the six project risk management processes in the PMBOK® Guide—Fourth Edition (Project Management Institute [PMI], 2008a).
The Link between Project Success and Risk Management
All projects implicitly have associated risks. Organizations that adhere to strong project management methods, including in-depth evaluation of scope, schedule and cost, ongoing risk management, and measurement of project results, are consistently more successful than those that do not. Risk management processes go hand in hand with strong project management. Project management without proper consideration and integration of risk management, in the opinion of the author, is not true project management. Risk management is a continuous project process, as shown in Exhibit 4.
Exhibit 4: Risk Management as a Continuous Project Process
It is important that the project manager be able to understand what the key project issues and risk areas are and be able to communicate these effectively to internal and external stakeholders. It is also important for executive management to be able to quickly determine where and when these concerns are active within a project.
Following a structured project risk management method enables projects and organizations to predict and respond to risks, better manage costs, and deliver quality results that satisfy stakeholders. In the most mature project management organizations, these project goals and associated risks are directly linked to strategic business objectives, giving these organizations a powerful competitive advantage.
Unfortunately, risk management activities are often viewed by leadership as a project or organization expense with little or no return. A major challenge to most organizations is appreciating how project risks interact across the organization and how to maximize opportunities among them.
Risk management has to be embedded in the management philosophy right from the top, and it must support the realistic and open recognition of project risks even if they indicate problems with the project. Otherwise, stakeholders may develop a narrow focus on risks, exposing the project to unnecessary delays, negative financial impacts, and potential damage to the organization's reputation.
Key Lessons Learned in Application of Risk Management to Projects
The implementation of proper and effective risk management on projects can be a challenging undertaking. From the experience gained by the author over a number of projects, there are lessons learned that should be addressed to increase project risk management implementation success. These lessons learned are described in the following.
Plan for Risk Management on Your Project
Project managers need to ensure they plan the project's risk management activities. Do not rush this step. Project managers are encouraged to take the effort and time that it needs. Project managers need to clearly understand the required items in a risk management plan. Risk management is about understanding the challenges associated with the project and setting it up for success from the start.
Face Adversity Head-On
Project managers need to ensure that the project stakeholders clearly understand the importance of the risk management planning as part of the project. Project managers will have a higher chance of success if there is understanding and engagement by the stakeholders. At times, this may prove to be difficult or frustrating, but project managers are encouraged not to give up. You will succeed.
Ensure Adequate Training
The commitments of the project manager and staff to project risk management are dependent on their knowledge of the discipline of project risk management and should know how it integrates into the overall project management methodology. Training is a key element of project risk management success. Project managers need to ensure they are fully versed in the discipline of project risk management and ensure staff, leadership, and key stakeholders are as well. Having a common baseline and lexicon increases the probability of success.
Plan to Collect Risk Data
Project risk management success relies on the availability of high quality risk data. One form of this data is the review of lessons learned from previous projects and initiatives. This activity can help project managers and staff create a greater understanding of project risk management more rapidly than they would have otherwise achieved on their own. Project managers need to ensure that enough time is included in their plan to collect high quality risk data. This includes the review of past projects and/or lessons learned in the organization. If this is found difficult, relevant data or help may be found on the web or with online organizations such as PMI's Communities of Practice.
Project managers tend to forget that a project's risk management plan needs to align with organizational constraints and not be generated in isolation. A project's risk management plan must be developed in consonance with and comply with the organization's objectives, policies, and practices. Developing a plan that the organization will not support needs to be avoided. Project managers need to ensure any deviations are approved. This will also help increase the credibility of the project manager and project staff.
Hold Frequent and Regular Project Reviews
Project reviews offer an excellent forum in which to review the status of project risks and the identification of new risks. Project managers tend to shy away from reviews as it brings focus and attention to their projects, especially when the reviews include senior or executive management. Project reviews provide a key opportunity to review risks and communicate to the project team and stakeholders the management of these risks.
Watch for Risk Attitude Shifts
Project managers by definition tend to be risk adverse. Project managers want and need to follow a thought out project plan and schedule. Any deviation may be seen as risky unless carefully analyzed and alternatives reviewed. Project staff, however, may exhibit a different behavior, either singly or in a group. The risk attitude of project staff and stakeholder may also change as the project progresses or when the project encounters difficulties. Project managers need to be aware of this shift as it may affect the prioritizing and ranking the identified risks.
Reassess Risks after Staff Changes
It is not uncommon to have multiple project managers or subject matter experts on a project, especially when the project is large, complex, or lengthy. It is not realistic or fair to assume that the new project manager and /or staff will see the identified risks the same way as the previous project manager or that the project manager will easily assume the risk assessments and responses without review and buy in. New staff should be allowed the opportunity to review the work done to date and reassess the risks based on their experiences and viewpoints.
Aggressively Insist on Accountability
Project managers and staff need to understand the importance of properly completing their assigned risk actions in a timely manner. Risk actions are commonly viewed to as secondary to project actions and something that may be addressed later as issues and day-to-day project activities are seen as more important. Project staff as a result develop a false sense of security when it comes to addressing risks actions. This is not acceptable. The project manager must hold the members of the project staff accountable for their assigned risk management activities.
Listening is a key enabler of effective project risk management, especially risk identification. Listening is one of the most important things project managers need to do on a daily basis. Project managers listen to communicate, but listening is more complex than most project managers realize. Listening includes the ability to receive, interpret, and respond to both messages and body language. Listening is an attribute that everyone agrees is important, yet few project managers actually properly practice it. Project managers need to understand that listening is a key skill, which promotes and integrates risk management within a project by increasing risk dexterity.
Critical Success Factors that Impede Project Risk Management Success
Further to the these lessons learned, there are several factors in the opinion of the author that lead to successful project risk management implementation. These factors include are identified in the following and are based on the experience of the author and represents proven techniques which form the basis of no-nonsense project risk management which every project manager should address as part of their current projects.
Develop an Executive Project Summary
Clearly show understanding of your project by developing a single page high-level view with key activities and milestones identified. Without a clearly understood overview of the project, there is an increased likelihood of project rework and delays.
The executive project summary (EPS) is a composite event diagram that captures, on a single page, key events and considerations over the life of the project. This graphic representation provides project managers, project teams, and executive management with a comprehensive overview of a project, no matter how complex, and facilitates a common understanding of project goals. Without a clearly understood overview of the project, there is an increased likelihood of project rework and delays. A sample executive project summary is shown in Exhibit 5.
Exhibit 5: Key Components of an Executive Project Summary
The EPS is an extremely effective tool for communicating important project information to both the project team and to other stakeholders. It also offers the opportunity to shape constructive team dynamics to ensure focus on common goals.
The project manager's ability to seek agreement on the goals of the project among the key project stakeholders, including the project team, management, and the customer, plays a large part in the project's success. The EPS is a very useful tool in the project manager's toolkit.
One key advantage of using an EPS is that its format is much more intuitive and easily understood. In the opinion of the author, this type of view is much more powerful than a Gantt type chart for communicating projects.
Properly Document and Analyze Project Assumptions
A common item that often is overlooked or improperly addressed is how project assumptions and constraints are identified, reviewed, and documented. Experience has shown that the process of how to manage project assumptions and constraints is essential to clearly understanding project scope, minimizing project risk, and increasing project as well as organizational success.
Assumptions in project management refer to specific items that are considered to be true or certain when planning a project without necessarily having proof of it in reality. Unfortunately even the most carefully considered ones typically carry with them a certain element of risk and if not properly addressed, result is a false sense of security in the project, senior management team, and the customer. Project managers need to understand that project assumptions and constraints may contain key project risks and require careful review and scrutiny.
The project manager and the complete project team must always be aware of all project assumptions and constraints. Major assumptions and constraints must be clearly communicated to senior management and relevant stakeholders.
Determine the Appropriate Level of Risk Management
All projects have risk. Experience has shown that a limited number of organizations claim to be satisfied with the application of risk management on their projects, or be able to demonstrate it successfully. Improving project risk management involves two basic objectives; improving the ability to identify and influence risk while there is opportunity in the project life cycle to do so, and embedding the management of risk into the project environment itself.
The key is to keep the scale and cost of managing risks in proportion to the scale of the project itself and the types of risks that are presented to the project and the organization. Spending too much time assessing and managing risks when it is not warranted for the project at hand can divert critical resources that could be used more effectively.
Include Risk Activities and Events in the Project Schedule
Through the proper identification of discrete work activities required to complete the project and the relationship of those activities to one another, a proper project schedule allows for the determination of what activities and deliverables are critical to completing the project successfully.
A common mistake made by project managers is to not include the activities associated with the management of risk in their project schedules. Incorporate risk management activities into the project schedule and do not leave them in a separate risk register. This provides increased visibility of these activities and allows them to be more easily integrated into your project activities. By including risk response tasks in the project schedule, action plans progress and effectiveness can be reviewed on a regular basis and reported at project status meetings. This allows the allocation of resources and budget for these activities.
Another important item to include is the anticipated risk events that may trigger risks. These items need to be carefully monitored and managed and placing these in the project schedule provides an excellent method by which to do this.
A further worthwhile step is to map the project risks in the schedule to program activities through the project work breakdown structure (WBS). This mapping provides a method by which grouping of risks may be identified highlighting areas where further investigation by the project manager may be required. This forms the basis of the project's risk breakdown structure.
Break the Cult of Optimism
A key role of project managers is to motivate their team for increased project execution performance. Unfortunately, the level of motivation may result in excessive optimism and result in the project manager and the project team overestimating their degree of control of project activities and their odds of success. This is known as optimism bias and includes a tendency to over-estimate the likelihood of positive events and under-estimate the likelihood of negative events.
Project managers must temper optimism with reality and ensure that staff and stakeholders view their projects in a balanced and realistic manner. Failure to do so may result in unrealistic schedule and cost commitments significantly increasing risk within the project and the organization.
The Need for Schedule and Cost Risk Analysis
Many project managers rely too heavily on the critical path method (CPM) to provide the most likely completion date and not enough on their own past schedules or experiences. This results in schedules dates which most of the time are inaccurate and optimistic. Further, project managers simply add up estimates at completion for WBS components as a way to build up a project cost estimate. This results in cost estimates that are also inaccurate and optimistic resulting in projects overrunning their cost estimates. To make things worse, these two activities tend to be done separately without using the data from one to influence the other. The result is an inaccurate estimate of the project both from a schedule and cost perspective leading to potential schedule delays and cost overruns.
The typical project often overruns its schedule and cost estimates. One reason for this is schedule and cost estimating traditionally fails to take into account that the work may actually take longer (less) or cost more (less) than provided by even the most accurate estimates. Future estimates are not facts but statements of probability about how things will occur. Because estimates are probabilistic assessments, schedule and costs may actually be higher or lower than estimated even by seasoned project staff.
Schedule risk analysis (SRA) is the application of the Monte Carlo technique to the project schedule. The PMBOK® Guide)—Fourth Edition (Project Management Institute [PMI], 2008a) identifies the Monte Carlo technique as the typical method of modeling/simulating projects. Similarly, cost risk analysis (CRA) is the application of the Monte Carlo technique to the project costs.
These techniques are proven methods to better address the questions:
- “What chance do I have of finishing the event on time?”;
- “What chance do I have of finishing the event on budget?”;
- “Why does it cost that much?”;
- “Do I have adequate contingency to cover overruns?”; and
- “Can I defend and monitor the level of contingency I need?”.
SRA ideally requires that the schedule be built using three-point estimates, but this can be modeled based on global or specific assumptions. The principle of SRA is that a large number of schedule simulations are run, and the results of each iteration are statistically analyzed to provide confidence factors in meeting the planned dates of static schedules.
SRAs allow the identification of issues in project or schedule structures, of confidence factors for meeting event dates as planned, as well as of near-critical paths that might not be apparent.
One of the artifacts of the SRA process is the distribution chart plots that predict the finish date(s) of the selected event(s) for each schedule simulation. This will provide the project manager and the project team with an understanding of the likely range of finish dates; the confidence in meeting the target date; and the worst-case completion date.
Other artifacts include the early identification of issues in project or schedule structures, as well as identification of near-critical paths that might not be apparent. Exhibit 6 details an example of an SRA distribution chart showing the typical distribution of the projected finish dates against the probability of meeting those dates.
Exhibit 6: Sample Schedule Risk Analysis Distribution
In almost all cases, projected finish dates occur later than planned and need to be re-worked to be brought into the target range. SRA is an iterative process. Outputs are fed back into the development of the plan to get to an acceptable level of confidence. The goal is to have each event probability in the 80 percent to 90 percent range.
Similarly, CRA ideally requires that the project costs be built using three-point estimates. To determine the contingency to be allocated to the project, we need to define what confidence level we would like to achieve: The higher the contingency level, the larger amount of contingency needed. Exhibit 7 details an example of a CRA distribution chart showing the typical distribution of the projected project costs against the probability of meeting those costs. The chart shows that to have a 90 percent confidence factor on project completion costs, the required project budget is $94 million.
Exhibit 7: Sample Cost Risk Analysis Distribution
Benefits of Integrated Cost—Schedule Risk Analysis
Project managers and staff need to remember that schedule and cost are related. Although SRA and CRA may be done separately on a project, the optimized approach is to implement an integrated analysis of schedule and cost risk to estimate the appropriate level of cost contingency reserve on projects. This allows for the impact of project schedule risk to be determined on cost risk resulting on an improved estimate of needed cost contingency reserves.
Additional benefits include the prioritizing of the risks to cost, some of which may include risks to schedule so that cost risk mitigation may be conducted in a more cost-effective way.
Project Risk as a Driver to Organizational and Business Success
For project-based organizations, it is important that projects support the organization's overall business approach and strategy. The increased complexity, variety, and challenges of projects in today's organizations amplify the need for a clear overall project selection and implementation strategy. The successful execution of these projects contributes to the success of the organization. This is the basis of project portfolio management.
A number of references are available for project managers to become more familiar with project portfolio management. A recommended reference is the Standard for Portfolio Management (Project Management Institute [PMI], 2008b), which outlines a systematic approach to assist organizations in their project selection strategy, including how risk management is integrated into the project portfolio management approach.
As successful projects support the success of an organization, unfavorable projects may have a significant negative impact to an organization. These projects may expose the organization to risks affecting the organization's overall financial performance, legal standing, and reputation. What is troublesome is this may be occurring without the project manager and the organization being aware. The key in avoiding situation this is the implementation of a coordinated risk effort within the organization to allow it to operate with no surprises. This is the basis of enterprise risk management.
Implementing project risk management has distinct benefits to organizational and business success. These benefits are described in the following.
Improved Business Performance
Project based organizations rely on the performance of their individual projects to help achieve strategic and business goals. In mature organizations, there is a direct linkage between strategic and financial goals to individual projects. Each project, its project manager, and staff are a contributor to these goals. As project risk management increases the probability of a project meeting its objectives, it in turn increases the probability of an organization realizing its objectives by helping link growth, risk, and return.
Increased Organizational Effectiveness
A large number of projects with organizations operate in an isolated manner commonly referred to as “stove pipes.” Project risk management helps align and minimize gaps with other projects and within an organization by helping identify risks, which may affect more than one project, and the organization itself. Management of these risks helps create a culture that is more risk smart, sensitive to allocation of resources, and better equipped to align risk appetite to risk strategy.
Better Risk Reporting
The discipline of project risk management reporting forms the basis of risk reporting within an organization. By implementing a coordinated risk reporting approach for projects across an organization, there will be improved visibility of the individual project risks as well as improved identification of cross-project and organizational risks. Better risk reporting improves an organization's ability to determine the most appropriate risk responses in a coordinated manner.
The ability to effectively manage risks significantly improves the chances of successful project execution. For project-based organizations, implementing project risk management has distinct benefits to organizational and business success. A number of project risk management lessons learned and critical success factors have been presented to assist in these areas. These represent proven project risk management practices, which every project manager should address as part of their current projects and future projects.
Project Management Institute. (2008a). A guide to the project management body of knowledge (PMBOK® guide) (4th ed.). Newtown Square, PA: Project Management Institute.
Project Management Institute. (2008b). The standard for portfolio management (2nd ed.). Newtown Square, PA: Project Management Institute.
Project Management Institute. (2009). Practice standard for project risk management. Newtown Square, PA: Project Management Institute.
©2012, Laszlo A. Retfalvi
Submission for Review PMI Global Congress 2012 - North America
©2012, Laszlo A. Retfalvi
Published as a part of 2012 PMI Global Congress Proceedings – Vancouver, Canada