When Risk Management becomes a Check the Box Exercise
While adding structure is good as it leads to consistent results and the ability to measure progress and quality, when it starts to become a “check the box” exercise, specifically around risk management, an organization may suffer from lost opportunity and complacency.
While there are no hard and fast rules of when, or if, this lackadaisical oversight occurs, problems develop in organizations with a centralized PMO coupled with matrixed subject matter experts (SMEs) required for specific projects. The SMEs act like hummingbirds and zoom in and out of the project. They have multiple projects to attend to, and the program administration is seen as an unwelcome intrusion. The project managers are working on multiple projects and their greatest desire is consistent oversight across projects.
Challenges observed include:
The PMO depends too much on leveraging project artifacts and tracking systems (SharePoint being an example) that may not be readily applicable to the project. Often the easiest solution is to replicate the webpage or document from a previous project and use this template for subsequent projects; consequently some force fitting results, and occasionally a replication of risks from previous efforts.
The team does not do a “post mortem” of the program documents or risk management system to identify what worked, what needs to be modified, and what should be discarded as extraneous.
The layout of the documentation drives how the risk is identified, how the solution is defined, and the identification of the risk “owner”. Rare is the risk that cooperates and only impacts one work stream, yet the data-capturing mechanisms are set up to capture it in just that fashion.
Risk ownership is frequently given to an absent team member who is either not notified of his or her new ownership role or, based upon the description of the risk, does not understand what it is.
The team does not understand the distinction between risks and issues (a risk is an adverse event that could happen; an issue is a risk that has come to fruition: it is happening, and the probability is 100%).
Lack of consistency in definitions and monitoring. Many PMOs did not define what constitutes a "high", "medium", or "low" risk, and consequently these definitions are arbitrarily applied. Additionally, I've seen where leadership raised concerns about the number of high and medium risks, and the project team, rather than addressing the causes for that volume, reduced a significant number of risks to either a low status or closed.
Suggestions for an improved risk program:
Training on risk and issue management at the project/program kickoff so that everyone understands its importance and what should be captured and why. Do not leave risk management as a metric tracked solely to pacify leadership. Clearly identify what constitutes each level of risk.
Continual validation of the risk management approach with buy-in from everyone involved is critical – they have a voice, and a more compelling reason to participate. Ensure that tracking is not done in a silo, but across work streams, to best capture each risk's potential impact and identify the most viable mitigation strategies. If a lot of cutting and pasting of proposed solutions from other risks is done, program leadership needs to recognize that the commitment is lacking and that, at a minimum, a conversation to understand the disconnect and perhaps some remedial training is necessary.
Before assigning a risk owner, ensure the right person is identified (and that they agree). Include in that confirmation that the person understands both the risk and what is required of them. Also, do not make this a PMO exercise that is pushed out to the broader team because that’s “what’s required” or “what we always do on a project”. Risk management is very much a team effort and needs commitment from everyone to succeed. It's also beneficial to get broad team support from all levels, as participation is a great way to provide face time for rising employees.
Consistent definitions of types of risks and rankings, how risks will be tracked and closed. I’d also suggest that the risk owner is the only one that can “close” a risk, or adjust its ranking. A risk need not remain high throughout its life, but the reason to change its ranking or close the risk should not be inquiries from leadership.
The team should meet regularly to discuss the program risk. By sharing this information, the level of awareness is raised, increasing early identification of risk.
While the steps are relatively easy, they require commitment and adherence, which is not something that happens overnight. Further, a well-done risk management system is useful for planning future similar programs, and gives an organization insight into areas where it may be able to reduce risk at a broader level.