As we’re working through the previous plannings steps of “Who?”, “Why?”, “What?”, “How Good?”, “How?”, “When?”, and “How Much?”, we naturally begin to think about things that could go wrong. That is, we consider negative risks, or “threats” to our plans. What threatens our ability to carry out all the acquisitions plans we’ve established and documented in our schedule and budget? This is a critical step in our project management journey, where we roll up our sleeves and dive into identifying, analyzing, and responding to potential issues that could derail our carefully laid plans. It's not about being pessimistic; it's about being realistic and proactive. In my experience, every project worth its salt will have inherent risks. Our job isn't to eliminate all risks; that's impossible. Instead, our job is to systematically uncover likely and/or impactful threats, understand the damage they could cause, and develop strategies to mitigate them.
Ignoring risks—or even just not paying attention enough to them—is a common mistake of new project managers. Experienced PMs know better. Failing to perform risk management is essentially the same thing as embracing a “hope management” mentality: you put your head in the sand and simply “hope” things go well. Experienced project managers know this is a doomed approach.
The process of managing threats is straightforward if approached systematically. There are four basic steps we take when managing risk:
Identify. The first step is to identify all significant risks and capture them in a risk register, which becomes our central hub for tracking, analysis, and reporting. The key to this identification step is to involve your team and your stakeholders. Solicit individuals for their worries. Host brainstorming sessions. Ask stakeholders what’s keeping them up at night? Look at past/similar projects, assessing what went wrong and right on them.
Analyze. Next, assess and analyze each identified risk, considering its likelihood and potential impact on our project. If you have a lot of risks, it often helps to pre-sort the risks based on a cursory “qualitative” assessment before digging more deeply into “quantitatively” analyzing the most serious risks. The goal of this step is to determine which risks we need to pay the most attention to first, much like a doctor triages patients in an emergency room.
Respond. The third step is to develop specific responses to reduce the likelihood and/or impact of the identified and triaged threats. Some risks we can’t do anything about (i.e., we just have to accept them), while others aren’t worth applying time or money to lower the threat (i.e., the cost isn’t worth the reward). But often there are useful and cost-effective things we can do to reduce the overall risk exposure of the identified risks. Again, the key is to involve others in the process and not try to do this all by yourself.
Rinse & Repeat. Finally, we need to remember that risk management isn't a one-and-done process. To properly manage a project, we need to continuously monitor our project landscape, identifying new risks, retiring old ones, reporting on the current risk status to our team and stakeholders, and keeping our risk register up-to-date. And then do it again.
By proactively addressing risks, we're not leaving our project to fate. We're increasing our chances of success and avoiding the pitfall of simply "hoping" everything will work out. Identify risks, analyze them, respond to the ones requiring attention, and then do it all over again. Risk management is something all successful project managers do. They may hope for the best, but they proactively manage for the worst, too.