The risk dynamics of a project change throughout the project and risks enter and leave a project as time passes.
So, the risk management process is not a one-time-and-then-forget-it process. You must continue to identify, assess and mitigate risk associated with the project in order to stay on top of changes. The Project Risk Profile is a communication tool and worksheet.
As the PM, you should coordinate or lead efforts to quantify, assess, and develop potential risk mitigation actions for high impact/high probability project risks. This will often require the performance of a trade-off analysis to identify the most cost and schedule effective risk mitigation approach. A matrix similar to the one shown in this Table can be used to analyze each mitigation alternative.
Here is an outline for a more detailed risk assessment report and a detailed checklist:
Project Risk Assessment Report Outline & Template (Word document)
Risk Assessment Detailed Checklist (Word document)
With the input from the client and industry partner’s, you recommend courses of action and implement those courses of action within the constraints of time and costs as specified by the project budget. Should any risk mitigation action require significant cost or time to implement, then a written request must be developed and submitted to your manager and, eventually, to the client. Any scope changes must be communicated by your Company Contracts Administrator to the client Contracting Officer.
Here are a few examples of common risks and mitigation actions:
- Budget management reserve – mitigates cost risk
- Schedule slack/lag – mitigates schedule risk
- Parallel development – mitigates technical risk
- Propose an incentive fee – mitigates cost risk
- Interim Progress Reviews – mitigates cost, schedule, and technical risks
You should review all risks documented in a risk log (risk register) such as shown in this table with senior management and, where appropriate, with the client during the respective progress reviews and reports.
L = Low M = Medium H = High
Some of the common risk status descriptions are:
- Risk documented, but analysis not performed
- Risk analysis done, but response planning not performed
- Risk response planning complete
- Risk trigger has occurred and threat has been realized
- Realized risk has been contained
- Identified risk no longer requires active monitoring
The project duration and complexity will usually prescribe whether risks should be re-evaluated at a minimum of once a month, bi-weekly, or whatever is deemed appropriate.
Periodic Assessments are conducted at predetermined intervals, normally during milestone reviews. This may be appropriate for projects with limited resources. However, with this approach low risks could develop into higher project risks if not identified early enough in the project.
Continuous Assessments are a more proactive approach, allowing project risks to be identified early and mitigation strategies to be developed before risks impact performance, cost, and/or schedule.
Independent Risk Assessments are accomplished by a subject matter expert (either from a different company group or an industry partner). This is especially useful when an unbiased review of the project risks is needed coupled with expert recommendations. On higher risk projects, the cost of an independent risk assessment might be included in the project budget baseline.
– Mike Lisagor