Identifying and Managing Project Risk 4th Edition: Essential Tools for Failure-Proofing Your Project

COPYRIGHT

© 2024 Tom Kendrick

All rights reserved. No portion of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopy, recording, scanning, or other—except for brief quotations in critical reviews or articles, without the prior written permission of the publisher.

Published by HarperCollins Leadership, an imprint of HarperCollins Focus LLC.

Any internet addresses, phone numbers, or company or product information printed in this book are offered as a resource and are not intended in any way to be or to imply an endorsement by HarperCollins Leadership, nor does HarperCollins Leadership vouch for the existence, content, or services of these sites, phone numbers, companies, or products beyond the life of this book.

Book design by Aubrey Khan, Neuwirth & Associates, Inc.

ISBN 978-1-4002-4000-5 (eBook)

ISBN 978-1-4002-3998-6 (TP)

Epub Edition JANUARY 2024 9781400240005

Library of Congress Cataloging-in-Publication Data

Library of Congress Cataloging-in-Publication application has been submitted.

Information about External Hyperlinks in this ebook

Please note that the endnotes in this ebook may contain hyperlinks to external websites as part of bibliographic citations. These hyperlinks have not been activated by the publisher, who cannot verify the accuracy of these links beyond the date of publication.

CONTENTS

Cover

Title Page

Copyright

Introduction

1. Why Project Risk Management?

The Risky Project

Risk

Opportunities and Risks

Benefits of Project Risk Management

Costs of Project Risk Management

The Project Risk Management Process

Anatomy of a Failed Project: The First Panama Canal Project

2. Planning for Risk Management

Project Selection

Overall Project Planning Processes

Defining Risk Management for the Project

Risk Management Infrastructure for the Organization

The PERIL Database

A Second Panama Canal Project: Sponsorship and Initiation (1902–1904)

3. Identifying Project Scope Risk

Sources of Scope Risk

Defining Deliverables

High-Level Risk Assessment Tools

Setting Limits

Work Breakdown Structure (WBS)

Other Scope-Related Risks

Documenting the Risks

Panama Canal: Setting the Objective (1905–1906)

4. Identifying Project Schedule Risk

Sources of Schedule Risk

Activity Definition

Estimating Activity Duration

Activity Sequencing

Documenting the Risks

Panama Canal: Planning (1905–1907)

5. Identifying Project Resource Risk

Sources of Resource Risk

Resource Planning

Staff Acquisition

Outsourcing

Effort Estimates Adjusted for Risk

Cost Estimates, Budgets, and Risk

Documenting the Risks

Panama Canal: Resources (1905–1907)

6. Managing Project Constraints and Documenting Risks

Analyzing Constraints

Managing Opportunities

Scope Modification

Resource Modification

Schedule Modification

Assessing Options and Updating Plans

Seeking Missing Risks

Creating a Risk Register

Panama Canal: Improving the Plan (1906)

7. Quantifying and Analyzing Activity Risks

Qualitative and Quantitative Risk Analysis

Probability and Impact

Qualitative Risk Assessment

Quantitative Risk Assessment

Panama Canal: Risks (1906–1914)

8. Managing Activity Risks

Root-Cause Analysis

Categories of Risk

Selecting Risks to Address

Risk Response Planning

Dealing with Risk Causes

Implementing Preventive Ideas

Dealing With Risk Effects

Documenting Your Risk Plans and Risk Owners

Managing a Specific Risk

Bow-Tie Analysis for Documenting Risk Responses

Panama Canal: Risk Plans (1906–1914)

9. Quantifying and Analyzing Project Risk

Project-Level Risk and VUCA

Aggregating Risk Responses

Project Modeling and Simulations

Integrated Schedule/Cost Assessment

System Analysis

Critical Chain Considerations

Questionnaires and Surveys

Analysis of Scale

Project Appraisal

Scenario Analysis

Project Metrics

Financial Metrics

Panama Canal: Overall Risks (1907)

10. Managing Project Risk

Project Documentation Requirements

Project Startup

Selecting and Implementing Project Metrics

Establishing Project Reserves

Managing for VUCA

Project Baseline Negotiation

Project Plan Validation

Specification Change Control

Panama Canal: Adjusting the Objective (1907)

11. Monitoring and Controlling Risky Projects

Don’t Panic

Applying the Plan

Project Monitoring

The Status Cycle

Project Archives

Managing Risk Reserves

Project Reviews and Risk Reassessment

Taking Over a Troubled Project

Panama Canal: Risk-Based Replanning (1908)

12. Closing Projects

Project Closure

Project Retrospective Analysis

Panama Canal: Completion (1914)

13. Program, Portfolio, and Enterprise Risk Management

Project Risk Management in Context

Program Risk Management

Portfolio Risk Management

Enterprise Risk Management

Panama Canal: Over the Years

14. Conclusion

Choosing to Act

Managing Your Risks

Panama Canal: The Twenty-First Century

Acknowledgments

Appendix: Selected Detail from the PERIL Database

Scope Risks

Schedule Risks

Resource Risks

Index

About the Author

INTRODUCTION

Your mission, Jim, should you decide to accept it . . .

So began every episode of the classic TV series Mission: Impossible, and what followed chronicled the execution of that week’s impossible mission. The missions were seldom literally impossible, though; careful planning, staffing, and use of the (seemingly unlimited) budget resulted in a satisfactory conclusion just before the deadline—the final commercial.

Today’s projects should also probably arrive on a tape that will self-destruct in five seconds. Compared with project work done in the past, current projects are more time-constrained, pose greater technical challenges, and rarely seem to have enough resources. All of this leads to increased project risk—culminating too often in an impossible project that seems overwhelmingly likely to fail.

As a leader of complex projects, you need to know that techniques exist to better deal with risk in projects like yours. Used effectively, these processes will help you recognize and manage potential problems. Often, they can make the difference between a project that is impossible and one that is merely difficult. This is what Identifying and Managing Project Risk is about. Throughout this book, examples from modern projects show how to apply the ideas presented to meet the challenges you face. This is not a book of theories; it is based on data collected in the recent past from hundreds of complex projects worldwide. A database filled with this information, the Project Experience Risk Information Library (PERIL), forms the foundation for this book. These examples are used to identify sources of risk, and they demonstrate practical responses for typical project challenges.

The structure of the book also reflects current thinking about project risk management, embodied in publications from the Project Management Institute (PMI®, the professional society for project managers), such as its Practice Standard for Project Risk Management. This book also addresses the related concepts of VUCA (Volatility, Uncertainty, Complexity, and Ambiguity) that complicate modern projects.

The first half of the book addresses risk identification, relying heavily on project definition and planning. The initial six chapters show the value of building a thorough understanding of the work in uncovering sources of risk. The remainder of the book covers the assessment and management of risk, at the detail (activity) level as well as at the project level—and above. These chapters cover methods for assessing identified risks, establishing an overall risk plan for the project, making project adjustments, ongoing risk tracking, project closure, and the relationship between project risk management and program, portfolio, and enterprise risk management.

It is especially easy on modern projects to convince yourself that there is little to be learned from the past, and that established ideas and techniques "no longer apply to my project. Tempting though it is to wear these hindsight blinders," wise project managers realize that their chances of success are always improved when they take full advantage of what has gone before. Neither project management in general nor risk management in particular is all that new. Broad principles and techniques for both have been successfully used for much more than a century. Even though many lessons can be learned from current projects (as the PERIL database illustrates), there is also much to gain from earlier work.

As a potent reminder of this, each chapter in this book concludes with a short description of how some of the principles discussed relate to a very large, historical project: the construction of the Panama Canal. Taking a moment every so often to consider this remarkable feat of engineering reinforces the importance of good project management practices—and may provide some tropical relief from what can be occasionally dry subject matter.

Risk in projects comes from many sources, including two that are generally left out of even the better books on the subject: (1) the inadequate application (or even discouragement) of project management practices, and (2) the all-too-common situation of wildly aggressive project objectives that are established without the foundation of any realistic planning. These risks are related, because only through adequate understanding of the work can you detect whether objectives are impossible, and only by using the information you develop can you hope to do anything about it.

Identifying and Managing Project Risk is intended to help leaders of today’s complex projects (and their managers) successfully deliver on credible commitments. Whether you develop products, provide services, create information technology solutions, or deal with complexity in other types of projects, you will find easy-to-follow, practical guidance to improve your management of project risk along with effective practices for aligning your projects with reality. You will learn how to succeed with seemingly impossible projects by reducing your risks with modest incremental effort.

CHAPTER 1

WHY PROJECT RISK MANAGEMENT?

Those who cannot remember the past are condemned to repeat it.

—GEORGE SANTAYANA

Far too many modern projects retrace the shortcomings and errors of earlier work. Projects that successfully avoid such pitfalls are often viewed as lucky, but there is usually more to it than that.

The fate of the Fukushima Daiichi nuclear facility on the coast of Japan is a well-known story. A massive offshore earthquake in March 2011 and the tsunami it caused led to a reactor meltdown that destroyed the facility and made part of the Fukushima prefecture uninhabitable. Unknown to most, another nearby reactor, the Onagawa nuclear power plant, was similarly situated near the water and was even closer to the earthquake’s epicenter. When the earthquake hit, it was inundated by the forty-meter wall of seawater and experienced the most violent tremors ever experienced by a nuclear power plant. Despite this, the Onagawa plant suffered no permanent damage.

The difference between these two vastly different outcomes, summarizing Juliette Kayyem’s The Devil Never Sleeps: Learning to Live in an Age of Disasters, was that the operators of the Onagawa plant saw this scenario as a possibility, and determined how to fail safely. In this part of Japan tsunamis have long been a recognized threat, with warnings carved high on the overlooking cliffs about the dangers of building below them. The power plant staff at Onagawa had extensive emergency training and had rehearsed for this scenario. When the disaster hit, they had the means to respond and quickly shut the plant down.

Preparation for risk can make a massive difference.

THE RISKY PROJECT

All projects involve risk. There is always at least some level of uncertainty in a project’s outcome, regardless of what the Microsoft Project Gantt chart on the wall seems to imply. Projects involving technology (and today that’s nearly all projects, to some degree) are particularly risky, for several reasons. First, technical projects are highly varied. These projects generally have unique aspects and objectives that significantly differ from previous work, and the environment for technical projects evolves quickly. In fact, the very opportunities that give rise to modern technical projects contain significant uncertainty, giving rise to much more difference from one project to the next than in past projects. In addition, today’s projects are frequently lean, challenged to work with minimal funding, staff, and equipment. To make matters worse, there is a pervasive expectation that, however fast the last project may have been, the next one should be even quicker. The number and severity of risks on such projects continue to grow. To avoid a project doomed to failure, you must consistently use the best practices available.

Good project practices come from experience. Experience, unfortunately, generally comes from bad project management. We often learn what not to do by doing it and then dealing with the consequences. Fortunately, we can also benefit from experience even when it is not our own. The foundation of this book is the experiences of others—a large collection of mostly plausible ideas that did not work out as well as hoped.

Projects that succeed generally do so because their leaders do two things well. First, they recognize that much of the work on any project, even the highest of high-tech projects, is never entirely new. For this work, the notes, records, and lessons learned on earlier projects can be a roadmap for identifying, and in many cases avoiding, multiple potential problems. Second, they plan project work thoroughly, especially the portions that require innovation, in order to understand the challenges ahead and to anticipate many of the risks.

Effective project risk management relies on both of these ideas. By looking backward, past failures may be understood and dealt with, and by looking forward via project planning, many future problems can be minimized or eliminated.

RISK

In projects, a risk can be almost any uncertain event associated with the work. Not all risks are equally important, though. Project leaders must focus on risks that can materially affect project objectives, or uncertainty that matters. There are many ways to characterize risk. One of the simplest, from the insurance industry, is:

Loss multiplied by likelihood

Risk is the product of these two factors: the expected harmful consequences of an event and the probability that the event might occur. All risks have these two related but distinctly different components. Employing this concept, risk may be assessed in aggregate for a large population of events (macro-risk), or it may be considered on an event-by-event basis (micro-risk).

Both characterizations are useful for risk management, but which of these is more applicable differs depending on the situation. In most fields, risk is primarily managed in the aggregate, in the macro sense. As examples, insurance companies sell a large number of policies, commercial banks make many loans, gambling casinos and lotteries attract crowds of players, and managers of mutual funds hold large portfolios of varied investments. The literature of risk management for these fields (which is extensive) tends to focus on large-scale risk management, with secondary treatment for managing single-event risks.

As a simple example, consider throwing two fair, six-sided dice. In advance, the outcome of the event is unknown, but through analysis, experimenting, or guessing, you can develop some expectations. The only possible outcomes for the sum of the faces of the two dice are the integers between 2 and 12. One way to establish expectations is to figure out the number of possible ways there are to reach each of these totals. (For example, the total 4 can occur three ways from two dice: 1 + 3, 2 + 2, and 3 + 1.) Arranging this analysis in a histogram results in figure 1-1. Because each of the thirty-six possible combinations is equally likely, this histogram can be used to predict the relative probability for each possible total. Using this model, you can predict the average sum over many tosses to be 7.

If you throw the dice many times, the empirical data collected (which is another method for establishing the probabilities) will generally resemble the theoretical histogram. However, because the events are random it is extraordinarily unlikely that your experiments rolling dice will ever precisely match the theory. What will emerge, though, is that the average sum generated in large populations (100 or more throws) will be close to the expected average of 7, and the shape of the histogram will also be similar to the predicted theoretical distribution. Risk analysis in the macro sense takes notice of the population mean of 7, and casino games of chance played with dice are designed by the house to exploit this fact. On the other hand, risk in the micro sense, noting the range of possible outcomes, dominates the analysis for casino visitors, who may play such games only once; the risk associated with a single event—their next throw of the dice—is what matters to them.

◼Figure 1-1: Histogram of Sums from Two Dice

For projects, risk management in the large sense is useful to the organization, where many projects are undertaken. But from the perspective of the leader of a single project, there is only the one project. Risk management for the enterprise or for a portfolio of projects is mostly about risk in the aggregate (a topic explored in chapter 13). Project risk management focuses mainly on risk in the small sense, and this is the primary topic of this book.

Macro-Risk Management

In the literature of the insurance and finance industries, risk is described and managed using statistical tools: data collection, sampling, and data analysis. In these fields, a large population of individual examples is collected and aggregated, and statistics for the loss and likelihood can be calculated. Even though the individual cases in the population may vary widely, the average loss times likelihood tends to be fairly predictable and stable over time. When large numbers of data points from the population at various levels of loss have been collected, the population can be characterized using distributions and histograms, similar to the plot in figure 1-2. In this case, each loss result that falls into a defined range is counted, and the number of observations in each range is plotted against the ranges to show a histogram of the overall results.

◼Figure 1-2: Histogram of Population Data

Various statistics and methods are used to study such populations, but the population mean is the main measure for risk in them. The mean represents the typical loss—the total of all the losses divided by the number of data points. The uncertainty, or the amount of spread for the data on each side of the mean, also matters, but the average sufficiently characterizes the population for most decisions.

In fields such as these, risk is managed mostly in the macro sense, using a large population to forecast the mean. This information may be used to set interest rates for loans, premiums for insurance policies, and expectations for stock portfolios. Because there are many loans, investments, and insurance policies, the overall expectations depend on the average result. It does not matter so much how large or small the extremes are; as long as the average results remain consistent with the business objectives, risk is managed by allowing the high and low values to balance each other, providing a stable and predictable overall result.

Project risk management in this macro sense can be useful at the project portfolio and enterprise levels. If all the projects undertaken are considered together, performance primarily depends on the results of the typical project. Some projects will fail while others achieve spectacular results, but the aggregate performance is what matters to the business’s bottom line. Chapter 13 explores managing risk for a collection of projects and the relationship of portfolio and enterprise risk management to project risk management.

Micro-Risk Management

Passive measurement, even in the fields that manage risk using large populations, is never the whole job. Studying averages is necessary, but it is never sufficient. Managing risk also involves taking action to influence the outcomes.

In the world of gambling, which is filled with students of risk on both sides of the table, knowing the odds in each game is a good starting point. Both parties also know that if they can shift the odds, they will be more successful. Casinos shift the game in roulette by adding zeros to the wheel but not including them in the calculation of the payoffs. In card games such as blackjack casino owners employ the dealers, knowing that the dealer has a statistical advantage. In blackjack the players may also shift the odds by keeping track of the cards recently played, but establishments minimize this advantage through frequent shuffling of the decks and barring known card counters from play. There are even more effective methods for shifting the odds in games of chance, but most are not legal; tactics like stacking decks of cards and loading dice are frowned upon. Fortunately, in project risk management, shifting the odds is not only completely fair, it is an excellent idea.

Managing risk in this small sense considers each case separately—every investment in a portfolio, every individual bank loan, every insurance policy, and, in the case of projects, every significant exposure faced by the current project. In all of these cases, standards and criteria are used to minimize the possibility of large individual variances above the mean, and actions are taken to limit adverse results. Screening criteria are applied at the bank to avoid making loans to borrowers who appear to be poor credit risks. (Deviating from this policy by offering so-called subprime mortgages led to a disastrous worldwide economic downturn in 2008.) Insurers either raise the price of coverage or refuse to sell insurance to people who seem statistically more likely to generate claims. Insurance firms also use tactics aimed at reducing the frequency or severity of the events, such as auto safety campaigns and programs encouraging fire prevention. Managers of mutual funds work to influence the boards of directors of companies whose stocks are held by the fund. All these tactics work to shift the odds—actively managing risk in the small sense.

For projects, risk management is almost entirely similar to these examples, focusing on specific aspects of each project. Thorough screening of projects at the overall business level attempts to select only the best opportunities. It would be excellent risk management to pick out and terminate (or avoid altogether) the projects that will ultimately fail—if only it were that easy. As David Packard noted many years ago, Half the projects at Hewlett-Packard are a waste of time and money. If I knew which half, I would cancel them.

Project risk management—risk management in the small sense—works to improve the chances for each individual project. The leader of a project has no large population, only the single project; there will be only one outcome. While in most other fields risk management is primarily concerned with the average outcomes of large numbers of independent events, for project risk management predictability matters most. For this we must strive to manage the variation of possible results for each project.

For a given project you can never know the precise outcome in advance. However, through review of data from earlier work and project planning, you can improve the results that you can expect. Analysis and planning will help you to better understand the odds and take action to improve them. The goals of risk management for a single project are to establish credible plans consistent with business objectives and then to shrink the range of possible outcomes, particularly undesirable outcomes.

One type of loss for a project may be measured in time. The distributions in figure 1-3 compare timing expectations graphically for two similar projects. These plots differ from the plot in figure 1-2, which was based on empirical measurements of a large number of actual, historical cases. The plots in figure 1-3 are projections of what might happen for these two projects, based on estimates and assumptions for each. These histograms are speculative and require you to imagine executing each project many times, with varying results. Developing this sort of risk characterization for projects is explored in chapter 9, about quantifying and analyzing project risk. For the present, assume that the two projects have expectations as displayed in these two distributions.

◼Figure 1-3: Possible Outcomes for Two Projects

For these two projects, the average (or mean) duration is the same, but the range of expected durations for Project A is much larger. Project B has a much narrower spread (the statistical variance, or standard deviation), and so it will be more likely to be completed close to the expected duration. The larger range of possible durations for Project A represents higher risk, even though it also includes a small possibility of an outcome even shorter than that expected for Project B. Project risk increases with the level of uncertainty, both negative and positive.

Project risk management uses the two fundamental parameters of risk—likelihood and loss—just as any other area of risk management does. Likelihood is generally characterized as probability and may be estimated in several ways for project events (though often by guessing, so it can be quite imprecise). For projects, loss is generally referred to as impact, and it is based on the consequences to the project if the risk does occur. Impact is usually measured in time (as in the examples in figure 1-3) or cost, particularly for quantitative risk assessment. Other risk impacts include increased effort, issues with stated deliverable requirements, and a wide range of other more qualitative consequences that are not easily measured, such as team productivity, conflict, and impact on other projects or other operations. Applying these concepts to project risk is covered in chapter 7.

Managing project risk depends on the project team understanding the sources of variation in projects, and then working to minimize threats and to maximize opportunities wherever it is feasible. Because projects of most types are unlikely to be repeated enough times to develop distributions based on measured, empirical data like those in figure 1-2, project risk analyses rely heavily on projections and range estimates.

OPPORTUNITIES AND RISKS

The topic of opportunities arises frequently when discussing risk. In the project environment, there are at least three types of opportunity management for projects:

Overall project goals and scoping choices

Project planning choices

Uncertain project events having potential benefits

The first relates to choices made concerning the specifications and other aspects of the expected project deliverable, and often this precedes the project. The second type of opportunity management for projects relates to decisions made as the work is planned and executed and involves evaluating trade-offs among project parameters (such as reducing a schedule by increasing the work done in parallel). A third type of opportunity involves uncertain project activities that may result in either damaging or beneficial results (similar to the duration estimates in figure 1-3). The first two are choices, not uncertainties, but all three types of opportunity relate to project risk management, and each is addressed in some detail in this book.

To a great degree, project risk management is necessitated by the first kind of project opportunity. Projects are always unique undertakings, so the results they are expected to deliver inevitably involve unknowns. The business case for most projects rests on the assumption that the value of the outcome will significantly exceed the project’s cost. Especially at the outset of the work, however, there are generally significant unknowns, so there will be a range of possibilities. If the ranges for cost and value are realistically represented by the curves in the upper portion of figure 1-4, then the expected net returns can be expected to look something like the distribution in the lower portion of the figure. The mean expected return will be approximately the difference between the average of the assumed values and costs.

This all assumes that the initial expectations are realistic, based on historical performance, some analysis, and reasonable assumptions. In most cases, however, the initial project assumptions may be based more on wishful thinking than on reliable, analytical analysis. For projects initiated based on stretch goals—with aggressive expectations outside of what might reasonably be expected—the picture changes. If there is pressure to assume that costs will be near the low end of the realistic range, and increase the expected value of project results to the most optimistic possibilities, the range for project returns will resemble figure 1-5.

◼Figure 1-4: Assessing Typical Return for a Project

Again, the assumed return is the difference between the assumed project value and cost, and on that basis it looks excellent. The range of possible net return outcomes, though, should cause great concern. When project sponsors and stakeholders impose aggressive stretch goals (based sometimes on no more than a lack of understanding), it steeply tilts the playing field. This creates an environment where all uncertainty and project risk is on the downside, and makes it almost certain that the project will be unsuccessful, or at least challenged. This type of project opportunity is based on choices for objectives and constraints. Chapters 3 through 5 explore identifying risks associated with unrealistic project constraints and questionable objectives.

◼Figure 1-5: Returns for a Stretch Project

A second type of project opportunity management also involves choices, this time in how you plan to do the work. It is common for projects to find that their bottom-up plans fall short on timing, cost, or other initial expectations. This may be a direct result of aggressively setting goals, as discussed previously. Striving to meet aspirational objectives, project leaders work to optimize the workflow by adopting alternatives that compress plans, save money, or use other trade-offs to better align with key stakeholder expectations. Even when these tactics appear to address project constraints (such as aggressive deadlines), the adjustments and tactics adopted will inevitably increase risk and create new failure modes. Chapter 6 explores the self-inflicted risks that emerge from managing project constraints.

The third type of project opportunity involves beneficial uncertainties associated with planned activities. There may be little opportunity of this kind, however, because on many projects optimistic expected results and aggressive constraints cause uncertainties to skew heavily toward adverse consequences. That said, considering these cases certainly falls to the project leader, and you can often find at least a few potentially beneficial uncertainties if you look. Chapter 6 explores uncovering such positive risks, and chapter 7 addresses techniques for managing them.

BENEFITS OF PROJECT RISK MANAGEMENT

Is it even possible to manage risk? This fundamental question is unfortunately not trivial, because uncertainty is intrinsic to project work, regardless of how we approach it. If managing risk means completely removing all risks and uncertainty, for projects this is certainly impossible. However, we can work to understand significant sources of risk and take prudent actions to reduce failure modes and increase our chances for project success.

Because our ability to manage risk is at best only partially effective, it’s fair to ask a second question: Should we even bother to try? As with any business decision, a good answer depends on costs and benefits. Developing a project plan with thorough risk analysis unquestionably involves effort, which some may see as unnecessary overhead. Project risk management can also provide many benefits, though. For complicated projects, the benefits gained from grappling with risk generally far outweigh the costs. A summary of the benefits of project risk management follow, and each is amplified in later chapters. Specific project risk management costs are outlined in the following section.

Less VUCA

In recent years the acronym VUCA has become part of the conversation around business risk. It originated with the military in the wake of the 9/11 terrorist attacks in 2001. Leaders at the Pentagon used VUCA to characterize the shifts emerging internationally. VUCA stands for:

Volatility: Unpredictable change

Uncertainty: Lack of predictability

Complexity: Difficulty understanding interactions

Ambiguity: Insufficient clarity

All of this relates generally to today’s business environment, and particularly to projects. The seventh edition of the PMBOK® Guide from the Project Management Institute (PMI®), while mostly de-emphasizing risk management, does define an Uncertainty Performance Domain containing "Uncertainty, Ambiguity, Complexity, Volatility, and Risk." Effective project risk management aims to understand these challenges and works to minimize them.

VUCA environments are chaotic, stressful, and demotivating, so reducing the effects of VUCA can lower the frustration caused by avoidable problems, and reduce the cost and effort of late project rework. Identifying root causes of potential project problems uncovers weaknesses and helps in constructing more robust plans. Deeper understanding of project challenges enables project teams to avoid pitfalls.

Justifying Project Reserves

Risk analysis quantifies project uncertainties, so it is useful in establishing reserves for schedule and/or project resources. It’s always more appropriate to define a schedule range (or budget window) than single-point fixed objectives for risky projects. Commitments for high-risk projects are best established with goals that reflect the risks. Setting a target date with schedule reserve establishes a project deadline further out. Having a range for acceptable project performance visibly communicates the uncertainty. For example, the target schedule for a risky project might be six months, but the committed schedule, reflecting potential problems, may be set at seven months. Completion within (or before) this range defines a successful project; only if the project exceeds seven months will it be considered a failure. Project risk assessment data provides both the rationale and the magnitude for required reserves. Chapter 10 addresses this in more detail.

Increased Project Control and Understanding

Risk management efforts build awareness of project exposures for the project team, showing when, where, and how painful the problems could be. This causes people to work in ways that tend to make project difficulties less likely, similarly to driving carefully in adverse weather conditions.

Risk data also provides deeper understanding of project exposures and more vivid and convincing messaging about possible consequences. Using information about the likelihood and consequences of potential problems can be very convincing in discussions with stakeholders, and provides increased leverage to project leaders in defining objectives, determining budgets, obtaining staff, setting deadlines, and negotiating project changes.

Improved Overall Management

Increased awareness of project risk also improves management of projects across an organization. Sharing risk assessment and status information among projects can materially raise the chances of projects achieving their objectives. Although there are never any guarantees, broader awareness of common failure modes and ideas that make projects more robust can significantly improve the odds for success. In addition, risk management processes help in identifying infeasible or otherwise problematic projects so they can be avoided, quickly aborted, or at least modified. Risk analysis can also reveal opportunities for improving projects and increasing the value of project results.

Effective risk management also helps in defining appropriate project priorities. Thorough, clear information makes setting relative priorities between projects more objective and logical. High-risk projects with substantial expected benefits may warrant increased support and attention. (High risk does often align with high reward.) You can raise your project’s priority by generating a thorough risk plan, displaying your competence and readiness for dealing with possible problems. Projects that gain higher priority significantly reduce their overall risk—doors are opened, obstacles disappear, needed resources are allocated, and queues for services shrink.

An additional benefit of thorough risk management will be better portfolio management for all ongoing and future project work. An appropriate mix of projects will include both lower- and higher-risk (and return) projects in proportions aligned with overall business objectives. Achieving and maintaining a suitable mix of ongoing projects requires realistic risk information. Chapter 13 covers the process for project portfolio management.

COSTS OF PROJECT RISK MANAGEMENT

Project risk management has many potential benefits, but it is not free. Managing risk entails work, and this requires investment in both time, effort, and funding. Directly confronting project risks can also temper the enthusiasm and performance of project contributors. Both of these factors are undeniable and must be considered (and managed) along with the benefits.

Incremental Effort, Cost, and Time

Done effectively, the overall investment for uncovering project risks need not be large. Risk identification is best done as part of overall planning, making note of risks, uncertainties, and challenges as you develop your plans. Throughout the process you can keep track of unknowns, worst cases, and other potential problems as a part of your efforts to understand the work.

Analysis of risks also need not be a major undertaking, especially if you have assembled a thorough risk register and apply straightforward assessment processes. Developing responses for key risks is similarly not typically a great deal of extra work—and in fact mostly falls under the category of doing your job as a project leader. (Ultimately, criticism after the fact for situations where you have run into major risks usually focuses more on your overall competence as a project leader than on your risk expertise.)

Determining how much effort is warranted and what specific risk management tactics to adopt involves judgment, as well as balancing the trade-offs between more thorough analysis and expected additional benefits. Chapter 2 provides ideas for justifying incremental investment for needed improvements in process maturity.

Effect of Risk Awareness on Team Motivation

Some project leaders avoid considering risks, citing the negative effects of exposing the team to a depressing, demoralizing wallow in pessimistic thinking. While focusing on project risks may seem demotivating, it can have the opposite effect. Before you articulate the specifics of project risks, situations may seem bleak, insurmountable, and confusing. Documenting and clarifying risks and their consequences allows you to uncover their root causes and develop both a deeper understanding of potential problems and tactics to deal with them. The devil that you know may well be less frightening than the vague general concerns that surround new projects.

When risk management is approached as a method for addressing past project problems and building resilience into plans, most team members will cooperate enthusiastically. Risk management work that helps to avoid or minimize catastrophes can be seen as a positive force that helps contributors see projects as realistic and doable. (And when the risk assessments reveal an overall project that is truly bleak, awareness of that up front—before investing a lot of money, time, and effort in a doomed undertaking—is invaluable and allows the focus to shift to better, more valuable projects.)

THE PROJECT RISK MANAGEMENT PROCESS

The overall structure of this book follows a long-established sequence of steps for project risk management similar to risk processes in many other fields. The topics are:

Plan Risk Management

Identify Risks

Perform Qualitative Risk Analysis

Perform Quantitative Risk Analysis

Plan Risk Responses

Implement Risk Responses

Monitor Risks

Chapter 2 covers the first topic, Plan Risk Management, exploring the role of project risk management during project initiation. Chapters 3 through 6 address the topic Identify Risks, focusing on scope risk, schedule risk, resource risk, and managing project constraints.

The next two topics, Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis, relate to risk assessment. This is covered on two levels, for activity risks in chapter 7, and for overall project risk in chapter 9. The topics Plan Risk Responses and Implement Risk Responses are also discussed twice, in chapter 8 for activities and in chapter 10 for the project as a whole. Chapter 11 focuses on the topic Monitor Risks, and chapter 12 covers the relationship between risk management and project closure.

These topics align with project management process categories as shown in figure 1-6. These categories are broadly representative of the phases in many project life cycles, and may be found described in PMI® publications such as Process Groups: A Practice Guide.

As in most project management literature, including many PMI® publications, most of this book aligns with project planning because this is where the heavy lifting of project risk management happens. The material here focuses on the how-to of effective risk management, from the practitioner’s standpoint. This book places particular emphasis on ideas and tools that work well in the real world and that can be easily adapted to complex and technical projects. Coverage of project risk management topics here is both broad and deep, and supports those who may be using this book to prepare to sit for the Project Management Professional (PMP®), Risk Management Professional (RMP®), or other certification tests.

◼Figure 1-6: Project Risk Management Topic Links to Project Management Processes

ANATOMY OF A FAILED PROJECT: THE FIRST PANAMA CANAL PROJECT

Risk management is never just about looking forward. Heeding the lessons learned on projects of all types—even some distant examples—can help you avoid problems on new projects. One such example, illustrating that people have been making similar mistakes for a long, long time, is the initial effort by the French to construct a canal across Panama. Although this project is far from recent, it offers many lessons in managing risk that remain valuable to this day.

The construction of the Panama Canal over a hundred years ago faced unprecedented technical challenges and was the risky, high-tech project of its day. There were no earlier similar projects of its scale to learn from, and much of the engineering required extensive innovation. It was, for its time, breathtakingly expensive. The Panama Canal represents the single largest project investment anywhere on earth prior to the late twentieth century. The construction effort stretched over several decades, required a series of project leaders, and provides a wealth of project management examples, both positive and disastrous. (Examples cited throughout this book are drawn from a number of sources, but by far the best single source is historian David McCullough’s first book: The Path Between the Seas: The Creation of the Panama Canal, 1870–1914.)

The story of the Panama Canal is especially instructive because it is actually the story of two projects that straddled the emergence of modern project management in the early twentieth century. The first project failed for many reasons, but lack of good project and risk management played a huge part. The second succeeded largely because of the rigorous and disciplined application of good project practices. The Panama Canal projects illustrate many of the points made in this book, and they demonstrate important concepts applicable to current projects.

First, successful project management practices are not new. They are well established and have worked effectively for over a century. Modern project management was developed in the late 1800s to deal with the increasingly enormous civil engineering projects of that era all over the world—the bridges, the transcontinental railroads, the dams, and other massive projects made possible by Machine Age technology. Many basic lessons learned on earlier projects can be usefully applied to your high-tech projects today.

Second, tools for managing projects have evolved significantly, but the fundamental principles have changed little. Henry Gantt, who