Scope, Time and Cost used to be the big three.  Then Quality and Communication joined the priority list.  Now it seems the one knowledge area that takes priority over all of them in management is Risk.

Business and project management is all about risk.  As humans, we take risks every day in our personal and work lives.  Our ability to learn, grow and advance in how we deliver work is constantly evolving.

It is common now for all roles (front line to executive) within an organization to receive training in the basics of business and project management.  We live in a highly interconnected, collaborative world, and that is the future.  This is the path to true success, and we are rapidly getting better at it.

We are getting to a point where we all generally understand the steps for properly delivering work, but we still have challenges dealing with uncertainty and mis-aligned expectations.  There is so much information at our fingertips about methods, systems and tools for getting work done.  However, there is still a shortage of tools that deal with unknowns and the abstract (and humans are not comfortable in that zone).  Risk concerns things that may or may not happen; how we manage that and stay as proactive as possible is the essence of risk management.  This will be the next knowledge area with large gaps and opportunities to pursue in terms of achieving success.

We have found good methods and supporting details from the Software Engineering Institute (SEI). Their website is: http://www.sei.cmu.edu/

A good sample of a Risk Wheel, general enough to use for all types of projects and roles and to help everyone share the same understanding, is included below.

Risk Management
Included below is an example of a risk monitoring and controlling process (please reference the Software Engineering Institute, for further details).  The process is represented as a circle to emphasize that risk management is a continuous process that will evolve throughout the project life cycle.

Communication is placed in the center of the circle because it is both the conduit through which all information flows and is also considered the most influential risk activity.

See diagram below:

A brief summary of each risk management subprocess follows:

·  Identify - Before risks can be managed, they must be identified and logged (e.g. logged into the Issues and Actions Log).  Identification helps to prevent risks from becoming problems and adversely affecting a project.  Project managers must continually urge project personnel to raise questions, concerns and issues for subsequent analysis.  Meetings should be held on a regular basis (frequency dependent on the complexity and duration of the project) in order to facilitate the identification of risks.  An effective way to identify risk is to identify the process, break the process down into steps and associate each step with a level of risk.  Note:  when risk identification occurs, both the pre-control level and the post-control level should be identified.

·  Analyze – Information is analyzed, validated, prioritized and quantified in order to provide a basis for the overall project risk management plan.  Analysis allows the PM to convert risk data into risk decision-making information and hence provides the basis for working on the right risks at the right time with the right people.  Note:  risk should be assessed in relation to the value of the controls being in place, e.g. how much the level of risk changes from pre-control to post-control (how much residual risk remains).

·  Plan – Response planning transforms risk information into risk management decisions and actions (both present and future).  Planning involves developing actions to address individual risks, prioritizing risk actions, creating an integrated risk management plan and responding to the risk by acting on the plan.

Study the risk further to acquire more information and better determine the characteristics of the risk, so as to enable decision making.  The key to risk action planning is to consider the future consequences of a decision that is made today.
Note:  decide how residual risk is addressed; not all risks have to be mitigated, but every risk must have a response strategy.

·  Track - Appropriate risk metrics are identified, tracked and monitored to enable evaluation of the status of the risks themselves and of the risk mitigation plans.  Tracking serves as the “watchdog” function of management.  It is essential that a tracking plan is included in the overall Risk Management plan.  Note:  levels of risk will continually change and must be tracked.

·  Control - Risk control corrects for deviations from planned risk actions.  Once the risk metrics and triggering events have been defined and agreed upon, there is nothing unique about risk control.  Rather, risk control, validation and mitigation meld into project management and rely on the already established project management processes to control risk action plans, correct for changes and variations from plans, respond to triggering events and improve risk management processes and planning.  The level of effort associated with risk control should be adjusted throughout the project life cycle but should never be stopped.  Note:  risk control is an ongoing process from the start to the end of the project.

·  Communicate - Risk communication lies at the center of the model to emphasize both its pervasiveness and its vital importance.  Without effective communication, no risk management approach can be viable.  While communication facilitates interaction among the elements of the model, there are higher-level communications to consider as well.

To be analyzed and managed correctly, risks must be communicated to and among the appropriate organizational levels and entities.  This includes levels within the development project and organization, within the customer organization and, most especially, across the threshold between the developer, the customer and, where different, the user.  Because communication is pervasive, the best approach is to treat it as integral to every risk management activity and not as something performed outside of, and as a supplement to, the other activities.  Note:  involve as many stakeholders as possible in risk management processes and ensure all workers are aware of the risks they face for each individual job.
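The Identify, Analyze, Plan and Track steps above all turn on the same small set of numbers: a pre-control level of risk, a post-control level, the residual risk that remains, and the change in those levels over time.  The register below is an added illustration of how those ideas fit together in code; it is not from the original post and not SEI's own material.  It assumes a constructed 1-to-5 rating scale for likelihood and impact (score is their product), a constructed set of response strategies (mitigate, accept, transfer, avoid), a constructed sign-off threshold for accepted risks, and four made-up sample risks.

```python
# Added example (not from the original post or from SEI): a small risk register
# that quantifies pre-control and post-control risk levels, computes residual
# risk, prioritizes, checks that every risk carries a response strategy, and
# records level changes over time. Scale, strategies and sample risks are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed 1..5 ordinal scales for likelihood and impact; score = product (1..25).
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed response strategies; the post only requires that every risk has one.
RESPONSES = {"mitigate", "accept", "transfer", "avoid"}
# Constructed threshold: an accepted risk at or above this residual level needs sign-off.
ACCEPT_REVIEW_LEVEL = 15


def score(likelihood: int, impact: int) -> int:
    """Combine likelihood and impact ratings into one level-of-risk number."""
    for v in (likelihood, impact):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"rating {v} outside {SCALE_MIN}..{SCALE_MAX}")
    return likelihood * impact


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int            # pre-control rating
    impact: int                # pre-control rating
    post_likelihood: int       # rating once planned controls are in place
    post_impact: int
    response: str = ""         # mitigate / accept / transfer / avoid; must not stay empty
    history: List[Tuple[str, int]] = field(default_factory=list)  # (event, post-control score)

    def pre_control(self) -> int:
        return score(self.likelihood, self.impact)

    def post_control(self) -> int:
        return score(self.post_likelihood, self.post_impact)

    def residual(self) -> int:
        """Residual risk: the level that remains with controls in place."""
        return self.post_control()

    def reduction(self) -> int:
        """How much the level of risk changes from pre-control to post-control."""
        return self.pre_control() - self.post_control()


def prioritize(register: List[Risk]) -> List[str]:
    """Order risks so the largest residual risk is worked first (ties: larger pre-control)."""
    ranked = sorted(register, key=lambda r: (r.residual(), r.pre_control()), reverse=True)
    return [r.rid for r in ranked]


def validate(register: List[Risk]) -> List[str]:
    """Checks drawn from the Plan and Analyze notes: a response for every risk,
    controls that do not add risk, and review of high residual risk that is simply accepted."""
    findings = []
    for r in register:
        if r.response not in RESPONSES:
            findings.append(f"{r.rid}: no valid response strategy ({r.response!r})")
        if r.post_control() > r.pre_control():
            findings.append(f"{r.rid}: post-control level exceeds pre-control level")
        if r.response == "accept" and r.residual() >= ACCEPT_REVIEW_LEVEL:
            findings.append(f"{r.rid}: high residual risk accepted, needs sign-off")
    return findings


def track(r: Risk, event: str, post_likelihood: int, post_impact: int) -> int:
    """Re-rate a risk as conditions change (Track step); return the change in post-control score."""
    before = r.post_control()
    r.post_likelihood, r.post_impact = post_likelihood, post_impact
    after = r.post_control()
    r.history.append((event, after))
    return after - before


def sample_register() -> List[Risk]:
    """Constructed sample risks, not taken from the post."""
    return [
        Risk("R1", "Key supplier delivers late", 4, 4, 2, 4, "mitigate"),
        Risk("R2", "Customer and developer read the requirements differently", 3, 5, 2, 3, "mitigate"),
        Risk("R3", "Loss of the one person who knows the legacy module", 3, 5, 3, 5, "accept"),
        Risk("R4", "Minor schedule slip on a non-critical task", 3, 1, 3, 1),  # no response yet
    ]


if __name__ == "__main__":
    reg = sample_register()
    for r in reg:
        print(r.rid, "pre", r.pre_control(), "post", r.post_control(), "reduction", r.reduction())
    print("priority:", prioritize(reg))
    for f in validate(reg):
        print("finding:", f)
    delta = track(reg[0], "supplier missed first milestone", 4, 4)
    print("R1 post-control level changed by", delta)
```

Running the register as written ranks R3 first even though R1 has the higher pre-control score, because prioritization works on residual risk: R3's controls change nothing, while R1's planned controls halve its level.  The validation pass then flags R3 for sign-off and R4 for having no response strategy at all, and the `track` call shows how a missed milestone pushes R1 back to its pre-control level, which is exactly the kind of movement the Track step exists to catch.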