In my previous post, I’ve addressed the first three questions on risk management and here I address the other two and, at the end, provide a list of take-home messages.
4. How many risks should be on your risk log and for how long?
It depends on the project size, type, complexity, and any other factor that could influence your project. However, in order to be on your risk log, a risk needs to be identified, analyzed (its probability and impact quantified), and mitigation measures applied. Assign a risk owner to each risk. This person is responsible and accountable for monitoring that risk and for defining and implementing mitigation measures.
As you can imagine, not all identified risks will be worth of listing in the risk log, as some risks are just too minor to be worth the cost, or time, of mitigating them. In general, the cost of mitigating a risk should be lower than the cost of the risk consequences if the risk does occur. Importantly, you should never delete risks from the risk log. Even a risk that has occurred can occur again, if not in this project, then in future projects of the organization. In this second case, the risk log becomes a lessons learned piece of documentation.
5. How do you manage project risks?
Risk management is something that needs to be done continuously, throughout the project, not only at the beginning. A project’s success depends on commitment to risk management. Make sure everyone is aware of risk management and appoint risk owners for each risk in the risk log. Regularly review risks, as any change to the project can add new risks or modify the impact and probability of the risks you previously identified.
Manage risks systematically using risk management techniques:
- Avoid risks. If the project is too risky, the sponsor might decide to cancel the project altogether or modify it to remove the major risks. For this, make sure the sponsor is aware of the risks to the project. Take into account that some sponsors might decide to accept the consequences of some risks.
- Soften the negative risks’ impact and maximize the positive risks’ consequences to the project.
- Transfer the risk to a third party (by insurances, guarantees etc.). The risk will still be present, but you’ll have mitigated its consequences by transferring it to another party, usually for a cost.
- Accept minor risks (those with low probability and low impact) and their consequences if the cost of mitigating them is too high.