Perceptions and practices of project risk management
aggregating 300 project manager years
Project risk management practices, tools, and techniques are one of the newly emerging knowledge areas with great interest in the project management community. Originally evolved from the financial sector, project risk management encompasses all aspects of project risk including financial, technical, managerial, and organizational risk. However, there is a need to assess where the current risk management practice stands as it is still rising in the field of project management.
People have negative impression of the words “Project Risk Management” because of the word “risk”. Practitioners and researchers in the project risk management community have been substituting Risk Management to “Uncertainty Management” (Chapman 2000), “Surprise Management” (Smith & Merritt 2002), or “Failure-Proof Management” (Kendrick 2003) to make the discipline more appealing. As a course coordinator of project risk management courses at project management program at the George Washington University, the author has been actively facilitating discussions related to all aspects of project risk management. This paper reports the perceptions and practices of project risk management by collecting more than 300 years of project managers’ experiences. The goal of this paper is to identify opportunities for further improvement in implementing practices of project risk management. The paper will conclude with suggestions and future directions of project risk management to make the discipline strong and prosper.
Project Managers’ Risk Management Stories
At the beginning of the semester, the author asks the graduate students to share their risk management stories. This provides you a good picture of project managers understanding of risk management. Following are some of the quotes from the students.
No Risk Management Infrastructure
- No risk management practice exists in my organization. As a result, we often only react to the boulder after it begins to fall.
- When I led product development for data services, we had one product launch that took over 3 years. The reasons for the delays were many, but not understanding the risks (costs, schedules, skill sets, culture, etc.) played a big part in the project exceeding the original goals.
- I have been in the web applications development field for a few years now, and it never ceased to amaze me how little, if any, risk management is applied in my field of work. Project managers get no support whatsoever with regards to risk management. Even after witnessing projects fail time after time, senior managers always feel that risk management is a waste of time and money.
- There is little if any real risk management. We typically work off of a single, best guess. In addition, there is usually no request to demonstrate that the project manager has a risk management plan. If a risk management plan was in place, there is no request for this information from management.
- In my experiences in the generic pharmaceutical industry, I‘ve never seen a structured, risk management approach to the selection and development of “new” products. There's always the discussion about what might go wrong, including some statistical analysis, but hardly a proactive process. There is a lot of fire fighting when it comes to handling problems that occur, either anticipated or not.
- There seems to be an inordinate amount of time spent in re-scheduling project tasks primarily due to the lack of adequate planning up front. Unfortunately, we have jumped into the many projects and then end up explaining “unplanned or unknown occurrences or events” thereby necessitating more rescheduling.
Difficulty Justifying Benefits of Risk Management
- I have found it difficult to sell risk management to our clients in my organization. A lot of them do not see the value in this discipline and we most of the time have to explain it in monetary terms.
- I think the biggest issue is discovering the risks. Brainstorming has been the method most used but this is sometimes difficult if the team members are not committed to make the RM process work. Use of historical records of risk associated with past products has been minimal. I believe once team members see the usefulness of a RM program then they will be more eager to participate.
Lack of Senior Management Support
- There hasn't been much support for adopting the principles of risk management.
- The biggest challenge is to get support from senior management and business managers when it comes to risk management on the projects.
- We are working on a software development project and have met resistance in identifying and quantifying risks related to a particular initiative. The Director of development is “uncomfortable” that we are raising potential issues in advance, which may alarm a few stakeholders.
No Risk Management Culture
- My organization does not have a clear risk management strategy.
- Many times the project manager sees certain type of risks, but is not communicating to the senior management because of the fear or lack of risk awareness culture in the organization. As a result, the project often gets hit with surprises.
- There are no apparent consequences for poor project performance. If the project flops, or there is a major flaw in the implementation or release, then it is considered to be a learning experience.
- My experiences in aerospace and defense reveal that executive management and many subordinates are preoccupied with the master schedule development and an inadequate amount of effort is spent up front to adequately assess all aspects of risk and to prepare a comprehensive risk analysis. The lack of a strategic plan and a comprehensive risk assessment will, invariably, impact the premature scheduling and cause major elements or tasks to slip due to extremely poor planning and risk assessment.
Positive Risk Management Practices/Experiences
- We actually had a very structured risk analysis program. It was a fairly useful system that helped you determine acceptable risks. A risk management system was also used by our budget keepers for briefing project status.
- My company does have a risk management process that is modeled after the PMI® risk management process. This process is owned by our Project Management Center of Excellence and is a standard process all Project Managers are trained and instructed to use on their projects.
- IBM collects intellectual capital from our projects for reuse in future projects. The intellectual capital is submitted and reviewed to determine if it is suitable for reuse. If it is, it is categorized and posted in intellectual capital databases for reuse by other project managers. We are reusing tested methodologies as one way to manage risk.
- My company had a certain set of procedures on how to do risk identification and plan for risk mitigation. I was given a checklist of areas of risk with samples and also sample mitigation plan for each type of risk.
- During the planning phase for my current project, we made a list of all the items and examined each one to see if it would put us at risk if the product or service was not provided on time. We transferred some of the products and services to the contractor because any failure on our part would affect the contractor's critical path.
- There is a risk tool we use on our services proposals to assess the risk of the contract. We go through a series of questions, rating the likelihood of occurrence, and the impact, if they do occur. These questions are categorized in the different phases of our engagement process (resources, technology, customer's ability to manage solution, etc.). Once all of these questions are answered, the project is given a rating. Depending upon the rating, contingency reserves may be put into the contract prices, and if the risk is too high, it may take a VP approval to even present the proposal to the customer. We have said “no” to some opportunities because the risk rating was too high.
- We have introduced “Six Sigma” into our everyday process improvement activities. Perhaps the most significant contribution to project management has been the introduction (as a result of Six Sigma) of analytical tools to the discipline and awareness of how they help us to first identify risk and then to manage it. In our organization, “On average…” is no longer an acceptable explanation for example.
No/Poor Risk Management Real World Examples
The author also asked the graduate students to provide real world projects that had no risk management infrastructure/practices that ended up in a disaster. These real life projects become a catalyst to discuss various aspects and processes of risk management. The following is a compiled list of real world projects that had poor or no risk management infrastructure.
- Crash of Concorde (2000). Problems with the fuel tanks and fuel lines not being adequately protected from debris from a catastrophic engine failure or other source, including the explosion of a tire on the landing gear. Unfortunately, the risk of such an occurrence apparently was considered acceptable and no action was taken until after the crash.
- Three Mile Island Nuclear disaster (1979).
- The disaster at Quecreek Mine in Pennsylvania (2002). Had risk management planning been practiced, the trapped miners would have had an updated map of the mines and would probably not have ended up trapped for over three days.
- Challenger (1996) and Columbia Space Shuttle Disaster (2003).
- World Trade Center Tragedy (2001): It appears that chain of communication was not well established so that each department has pieces of the puzzle but there wasn't a way to put the puzzle together. It also appears that no one department took the threat seriously. Unless something is put down on paper, it is often hard for others to clearly gauge the risks and the significance of the impact.
- Boston Central Artery Project (1998).
- Motorola's Iridium Project (1996): The satellite phones worked and provided capabilities that no one else could. However the spread of cell phones around most of the world (if by that you mean anywhere business takes place) meant there was a cheaper and better alternative to the international businessman - namely to rent a cell phone in whatever city they visited. The profitable market went away, but the project continued.
Successful Risk Management Response
- Johnson & Johnson Tylenol Scare (1982): Johnson & Johnson management however, handled their unthinkable (or at least the undesirable) event in a positive – proactive manner by recalling all Tylenol in the market. This attitude was well received by the public and resulted in little or no loss of confidence in the prime area of business concern (the stock price).
Effective Risk Monitoring and Control Method
Risk monitoring and control is an iterative and continuous process to ensure that current risks are being mitigated, new risk are being identified and prioritized, and risk database being structured and stored to be used in current and future projects. The project teams use various tools and techniques to monitor and control the risk including tables, graphs, figures, and templates. The followings are some of the testimonies of innovative risk monitoring and control practices from the graduate students.
- The FDA has a rather structured system in place to monitor risks of new drugs that are on the market. Basically, the FDA and pharmaceutical companies share in the risk monitoring and control process (somewhat innovative). Roles assigned to drug makers are statutory. Manufacturers are required to submit to the FDA “adverse events reports (ADR‘s)” on any and all reported cases of complications with a drug. In addition, drug companies must submit either error and accident reports or drug quality reports when deviations from regulations occur in their manufacturing process. If a pattern of adverse events is detected, that exceed an acceptable level in the judgment of the FDA, the product is taken off the market. (US Department of Health & Human Services, 1999).
- The first thing the new PMO did was create a project tracking database. This database is for team collaboration, project tracking and change control (risk mgmt). Clients must enter work requests into the database, then they are reviewed by the project manager and assigned to the appropriate team member. This avoids the issues of clients bombarding individual team members with requests and allows the project manager to review each request to ensure it is within the scope of the project.
- We have two groups that perform risk monitoring and control. One is the traditional financial/audit tracking. This group has created a “4 box business model” and placed various initiatives in each of the quadrants. The expectation is they will work on the high probability of risk and high impacts ones first. All of the initiatives must be audited in a five year period. The other group that performs risk monitoring is proactive in nature. They engage, when called in by the project management group/product house, to participate in projects early in the life cycle as products are being developed or later in the lifecycle when products are installed. They rely on qualitative methods versus quantitative methods to assess risks to the business.
- US Navy's Air Systems Command had several (and redundant) means of tracking risk in the various programs. At the lowest level, bi-weekly reports went to the department heads, with outstanding trouble areas, and a simple traffic light system to update status. After that, more formalized quarterly risk review boards were involved. Next, much formalized Design review boards were involved. These were attended by representatives from almost all competencies and contractor representatives. Senior management would review in great detail all risks associated with the program - engineering and program type risk. If the risk was not being adequately addressed or mitigated, the program office would have a lot of explaining to do!
- IBM has an in-house product that we sell to clients called “Project Office”. This product allows us to track, post, monitor and resolve actions items, issues, etc. This is done through the internet which allows all users to be on/off site to monitor their issues and resolve them. A user is able to post to this site, which will automatically email a copy of the risk to the assigned person and this can be updated and tracked by both the PM Team and the user who posted and assignee to act upon.
- My company's risk monitoring and control practices method is the internal corporate audit. Annually, the company will randomly selected certain small, medium and large contracts for each division and have an internal independent group (not within the division) of auditors to audit the process and practices of the contracts. They check whether the division has the correct procedure or process in place and whether they follow the procedure. The result is the audit report which identifies potential risks, the actions the division has to do in order to lessen or eliminate the risks and scheduled a follow-up session to evaluate the division again.
- Motorola has a process called M Gates that has been implemented across the corporation. It is a process that has broken down new concepts or business ideas into 15 gates that need to be “cleared” prior to moving forward. Each gate has its own unique purpose and at each gate there is various risk mitigation tools used where participants in the process identify and assist in brainstorming up possible solutions.
- We use a fairly well established process for systems development that has set quality control points at designated hand-off points in the flow of project deliverables. These control points occur at intervals about 30 days apart throughout the life of the project. These quality gates require specific standards to be met for each deliverable. If any one of the standards is not, met we immediately force the reworking of the deliverable for resubmission. These quality gates are augmented by frequent “check-in” sessions (daily, weekly, monthly) at different levels of management, to identify potential problems. If the issue threatens a due date (or quality checkpoint date) we put a more senior manager or experienced team on the problem to see what it will take to get the deliverable back on track.
- On our major projects, we have a well defined risk management process to identify risks. We have been less stringent in our monitoring of these events. We have recently established standard reporting templates to be used for monthly reporting that prioritizes the highest ranked risks occurring in/over a shortened period. These templates support a high-level “dashboard” for current monthly status on several areas of project management to be submitted to the most senior level management. Good monitoring and control had been practiced by some projects in the past, but not all. There is now an expectation of how all major projects should be managed, and risk will certainly get its share of visibility from now forward.
THE Value of Qualitative Risk Analysis
For a qualitative risk analysis, assessment of likelihoods and consequences are done according to a classification scheme specific to the project that is well defined prior to project initiation. Risk tolerance should also be clearly understood and communicated among firm, project managers, and stakeholders to have a meaningful qualitative risk analysis.
- I had a chance to interview two vice-presidents that manage “risk” for BellSouth. The individual responsible for the interaction with the marketing teams (projects and products), said he only uses qualitative tools (ratings on a 1-5 scale) because he thinks people in the past have relied too heavily on the quantitative tools and “misled” senior management in terms of accuracy.
- The key benefit of qualitative risk analysis is in its ability to represent complex information in simple terms. Qualitative risk analysis is an excellent communications tool. Most people do not deal with probabilities, Monte Carlo analysis results and other black box approaches. But they certainly understand low, medium and high. Nothing communicates more easily and effectively than qualitative risk methods.
- Many senior managers often prefer just a qualitative assessment of risk in their program. You can still apply the issue to a risk matrix and assign a value to the issue, or prioritize the risk. As a briefing tool or snapshot assessment of risk issues, qualitative methods can be very effective.
- Qualitative risk analysis is a driving force behind our ability to stay ahead of the competition. Market forces that are not necessarily quantifiable, but as or perhaps more important to those items that can be measured, drive both the strategic and tactical decisions across our organization. Forces such as competitive pressures, status of the economy and customer/intermediary expectations are all important factors taken into consideration when formulating and executing business strategies.
- The best way to convey risk probability and impact to senior managers is by using numbers. Senior management likes to deal with numbers (money loss/gain) and if you can convey what this risk(s) means in the form of money, you can convince them of this value. This doesn't have to be done by applying sophisticated quantitative analysis. Simple qualitative analysis is proven to be equally effective.
- Rapid application development projects often make use of qualitative analyses as experienced members of the project team are called upon to evaluate risks that have many dimensions and would otherwise require a prohibitive amount of time to translate into a quantitative analysis.
- In order to quantify the performance of a project from the perspective of risk to cost and schedule overruns, one has to determine the risk characteristics, variables or attributes that affect cost and schedule. In doing so, one is performing a qualitative risk analysis so that later the variables and attributes can be quantified. In this sense, qualitative risk analysis is as important as quantitative risk analysis because if one or more risk variables are overlooked, then the quantitative risk analysis will have diminished value.
- Examples of qualitative analysis could be expanded to include risk impact analysis. Qualitative risk analysis can be used to change the level of urgency of a management response and so it does have business value.
Creativity Complements Effective Risk Management
When we discuss and preach about project risk management, we usually focus on risk identification, quantification (soft and hard), risk analysis, and risk control. These are all good risk management processes that could result in positive project outcomes. However, oftentimes creativity greatly complements systematic risk management process. Recent literatures also discuss the importance of balancing between structural and analytical approach with creative and out of ordinary thinking that could have great impact in better implementing risk management. The followings are some of the discussions from the students.
- The Japanese construction industry has been on the forefront of designing earthquake resistant buildings for years. I believe they were the first to use “shock absorbers” at the foundation of buildings. They continue to strive for new ways to manage risks associated with earthquakes.
- Shell Oil, in the 1970s, introduced scenario planning; constructing scenarios where current trends of unlikely, but still possible events, are extrapolated to generate different scenarios for future business environments. Using such techniques help develop contingency plans for potentially devastating situations.
- Verizon Wireless was dealing with the opposition from communities on erecting cell towers in residential areas. Their concerns were based on the potential health risk to nearby residents and also the visibility of the towers. The towers were obvious eyesores. To address the latter concern, Verizon creativity designed the towers to have the appearance of pine trees. This helped Verizon erect towers that were necessary for a more complete rejection from the communities and avoided revenue loss from customers lost to competitors.
- IBM used to have the majority of revenue from sales of mainframe hardware. The demand of the mainframe hardware diminished through time and also the price of the mainframe hardware dropped drastically. The management, creatively, looked for other source of revenue by changing the focus on providing management and consulting services to the customers instead of the manufacturing and sales of hardware. Through management creativity, the company reduced the risk of loosing revenue, and found alternative source of revenue.
- I appreciate the creative thinking and suggestions related to NASA‘s Apollo 13 mission. Where engineers were able to overcome near disaster by recalculating energy consumption which enabled the astronauts to return safely. For those that remember this flight, creativity was never more apparent as when the air purification system was breaking down and they had to create an air filter out of duct tape and the mission count-down procedure manual.
- Breaking taboos is an example of creativity. The pharmaceutical industry and genetic research are both areas where taboos have been broken to further research projects. The pharmaceutical industry use of animal research and genetic research has gone into the embryonic tissue areas. This research has allowed risks to be managed more effectively when introducing new medicines.
- In several Sprint conference rooms in Dallas, there are models that have been placed in the rooms to encourage out-of-the-box creative thinking. For example, in one room there is a model of a mountain (about 3 feet wide and 1 foot tall), complete with trees and snow. In another room a 3 foot model airplane is suspended from the ceiling. In yet a third room, large geometric designs hang from the ceiling. All these items are designed to inspire creative thoughts. These models help the folks in these meetings not just with risk management, but with all kinds of other creative thinking problems. One can think of everything that can go wrong with an airplane or mountain in a brainstorming session for risk identification.
- DPR construction has reputation for meeting scheduled dates and making a hefty profit, unlike many of their competitors. Their way of dealing with uncertainty is through creative thinking and more importantly collaboration. Realizing that El Nino would potentially cause the loss of working days due to rain, DPR decided on to do things in a different order to mitigate the impact of rain on the Novell construction site back in 1998. They built sewer systems, parking lots and drainage facilities ahead of schedule to be prepared for the rain they expected. It turned out that it was the right decision, allowing them to complete the project on time and on budget.
Recommendations for Better Project Risk Management
Changing Organizational Culture and Practices
The challenges and realities in applying effective risk management processes are difficult, especially, integrating the risk management processes into the organizations. However, the benefits of implementing effective risk management tools and techniques in the organization are equally great. Implementing effective risk management process will succeed by changing the organizational culture. The followings are lessons learned for implementing project risk management tools and practices (Kwak & Stoddard , 2003).
- A project manager does not always have the time to implement a formal process into the system. The project manager must be able to train team members “on the fly” when the need arises.
- This is where a project management can add value to a project. Anyone can pay lots of money to hire consultants and take training classes, but usually only bureaucratic institutions like the federal government can afford it.
- Senior management holds the key to establishing an organization that encourages risk management infrastructure, culture, and behavior.
- A documented process does not guarantee the process will be followed.
- As the size and complexity of the project increases, the effort for risk management increase exponentially.
- During project “crunch time”, the tendency is to focus solely on short-term objectives while neglecting long-term risks. These actions cause problems and cost more than anticipated and put the organization into a reactive mode that is difficult to reverse.
- The people that are actually doing the development work on the project team must be empowered as well as have knowledge and motivation to change practices. Throwing a manager or a “focus group” at a problem is not effective in solving the issues of poor risk management practices, unless they are empowered to affect organizational changes and train project team members in better risk practices.
Understanding Project Risk Tolerance
Understanding project risk tolerance is a crucial part of any risk management plan. While it is at the heart of decision-making, it is all too often overlooked. The levels and perspectives of risk tolerance are dynamic throughout the life of the project. Risk tolerance has three different perspectives when you are involved in a project: Firm, project manager, and stakeholder. The firm's risk tolerance varies according to the firm's financial stability and project diversification. A project manager's risk tolerance is affected by job security and corporate culture. The stakeholders’ risk tolerance is influenced by project objective.
Unfortunately, failures in communication between the stakeholder and project manager are quite common because there are few applicable tools available to support the process. The project success will depend on agreeable level of risk tolerance and support of compensation policies, corporate culture, performance reviews, and early risk management planning.
Although risk management is a daunting task, organizations that implement effective processes proved to be successful, while those that fail in this effort will be unsuccessful. The nature of complex projects creates many risks that must be managed diligently to avoid the common drawback of many projects. The perceptions and attitudes towards risk management activities compound difficult challenges for implementing a risk management strategy. Formal risk management process is recommended to manage complex issues. Many risk management processes have been created to aid organizations, but integrating the processes into organizations was not successful. The theoretical aspects of the process must be reconciled with the practical challenges of the organization to implement risk management successfully. Effective risk management process will succeed by changing the organizational culture to motivate the individual. Cultural changes require time and repetition before they are firmly embedded into the organization.
The author would like to sincerely thank all the former alumni and current graduate students who took Risk Management course at the Project Management program at The George Washington University and contributing their valuable insights and comments to better understand and promote the principles, practices, processes, tools, and techniques of Project Risk Management.
Chapman, C. (2000) Project risk management: The required transformations to become project uncertainty management. Proceedings of PMI Research Conference 2000, June 21-24, 2000, Paris, France, pp. 241-246.
Kendrick, T. (2003) Identifying and managing project risk: essential tools for failure-proofing your project. New York: AMACOM.
Kwak, Y.H. and Stoddard, J. (2003) “Project risk management: lessons learned from software development environment”, Technovation, In Press. January 2003.
Smith, P.G. and Merritt, G.M. (2002) Proactive risk management: controlling uncertainty in product development. New York: Productivity Press.
United States Department of Health & Human Services (1999, May). Managing the risks from medical product use: Creating a risk management profile. Washington D.C.: Federal Drug Adminstration
Proceedings of PMI® Global Congress 2003 – North America
Baltimore, Maryland, USA ● 20-23 September 2003
This standard focuses on the “what” of risk management, including: core principles; fundamentals; and life cycle.