Risk management is the process of planning how the team will manage project risks. Risk management activities include identifying project risks (risk assessment), and deciding how to respond to risks. Risk responses may include avoiding risks, mitigating them, or even just ignoring the risks if they're not significant or if they're extremely unlikely to occur. Risk management is a key part of a project manager's role. One of the most important project management activities is to monitoring the status of identified risks and ensure they're dealt with appropriately.
Risk Identification: Active, effective risk management requires that the team identifying risks early and make sure someone is responsible for watching or addressing them. But risk identification doesn't just happen early in the project. Schedule slips, budget variance, and scope creep may all point to risk items that weren't recognized during project planning. It's important to keep reviewing progress and risk status throughout the project to identify these overlooked risks and deal with them early.
Risk management strategies: Risks may be managed through four key strategies: avoidance, acceptance, mitigation, and transfer.
- Risk avoidance is self-explanatory: Find a way to keep the risk from happening. This covers everything from dictating processes or components that make the risk impossible to simply refusing to do the project if the risk is unacceptable.
- Risk acceptance means exactly what it says: The team accepts that a risk may occur, without developing any specific strategy for coping with it. This may be an appropriate strategy for high-impact but highly unlikely risks. For instance, it's possible that a meteor strike might demolish the primary development location at a key point in the project, but unless your project is the protection of a head of state, it's probably not worth worrying about or planning for. That would represent an accepted risk.
- Risk mitigation strategies reduce the likelihood of the risk, the potential impact of the risk, or both. The team should plan these strategies to some extent: What tasks should be included in the schedule to handle these risks? When should they be triggered or completed? Once these plans are developed, whoever is assigned to monitor that risk (it may or may not be the project manager) can keep an eye on things, and take appropriate action if and when it's appropriate.
- Finally, risk transfer strategies simply shift the burden of assessment and mitigation to someone else. If a primary risk is that a blizzard could shut down the town during a key project phase, you could transfer the risk to your project team members by requiring them to have a remote working setup in place and tested by October. You have now transferred the risk to your team members: it is officially Somebody Else's Problem.
So a project manager's primary role in risk management is to help the team identify risks and develop appropriate strategies. With that done, the project manager can review risk management activities regularly and make sure things are under control. Have any identified risks happened? If so, were the right risk responses triggered? Where they successful? Have any identified risks become unimportant because they were avoided or eliminated? Are any risks or risk responses triggering important changes in your project plan? The earlier you identify impacts like these, the sooner you can react.
Our Product and Project Risk Assessment and Mitigation Tables provide an overview of the risk process and tools to help you find and manage your project's risks. Our Review Meeting Planning Worksheet will help you develop good agendas and improve participation in your risk reviews, or integrate risk mitigation into your regular project progress reviews.