Project management professionals at all levels need to develop a deeper awareness of risk management, to tackle risks in their projects effectively, and to learn how to achieve greater credibility with their organization as experts in project risk management.
Today, organizations are using projects as a primary mechanism for instituting change, and their popularity can be felt in all aspects of life. Across the advancements in products we use (e.g., iPhones, multi-functional clothing, newly constructed roads and bridges, transportation machines, etc.), the impact cannot be overstated. Consequently, their failings are also becoming more prominent and impactful. Let’s illustrate using three recent examples:
- In 2017, Samsung’s Galaxy Notes 7S was banned globally on planes, trains, and automobiles due to exploding phones. Worse, when the fixed phones (after the original recall) also exploded, Samsung lost market confidence and eventually recalled ALL Galaxy Notes 7Ss. This one device neutered all the profitability of Samsung’s mobile division for that year.
- In 2018 and 2019, the recent tragedies of the Boeing 737 Max crashes are fresh in everyday news. There are multiple causes, ranging from the reliance on a single sensor as the trigger for the anti-stall mechanism on the Max planes, known as MCAS (Maneuvering Characteristics Augmentation System), to the undermining of training required for Max operations; these are just examples of extremely poor project risk management. The financial cost of this disaster is still being played out, and nothing can soothe the pain of losing 346 souls.
- In the past decade, the number of data breaches has increased, and as a result, most people have lost confidence in the security of their data. What started as a trickle of hackers attacking larger organizations has now spread to all sectors, and the sense of helplessness is everywhere.
What do these examples have in common? The answer is simple – poor risk management. These organizations and the people working in them either had poor risk management practices OR, even when they had a strong understanding (e.g. Boeing and FAA), somewhere in the decision tree there was a systemic failure to apply good and sensible risk management policies and practices to safeguard their customers – sometimes resulting in fatal outcomes.
The Ubiquity of Risk in Complex Projects
A four-year field study of the risk management practices of 35 large projects in 17 high-technology companies concluded that around one-half of the risks are not detected before they cause an impact (Thamhain, 2013). It should be noted that risks themselves are neutral – meaning they can be positive or negative, and they do not impact projects equally. The examples above highlight the negative risks or threats, as it is generally difficult to highlight highly positive risks or opportunities. But opportunities do exist. For example, given every tragedy, such as the Boeing 737 Max incidents, we now have an opportunity to place greater emphasis on the role of independent bodies for approval and inspection, such as a reinvigoration of the FAA or more emphasis on training of pilots.
Processes of Identifying, Evaluating, Planning and Executing Risk Response
Managing risks is one of the critical aspects of project management that requires management intervention beyond traditional analytical approaches. Ambiguity and surprises can affect everything in the project, from costs to technical feasibility to performance and timing.
- Identifying Risks – To be able to manage the project risks, we have to know what our risks are. Some of the best practices refer to the importance of identifying risks at an early stage. This gives a higher chance for the project manager to analyze and plan for the possible mitigation techniques. One of the tools that help in keeping track of the risks is the risk register. A risk register shows the details of the risk such as duration, impact, priority, and status.
- Evaluating Risks – Most of the time evaluating risks can be a difficult process especially in an early project stage. The details are not always available, and the picture is not yet complete. This is one area in which having an outstanding project manager can be so valuable. In addition, there must be a prioritization process to the list of risks to have a clear view of what to start with. Qualitative and quantitative risk analysis is one of the techniques that is used to analyze risks. It results in risk factors according to the impact of the risk on the project in various metrics. Risks can be evaluated on a broad range of parameters. We will discuss the top six evaluation parameters in the next section.
- Planning Risk Response – Following the evaluation process, a risk response plan should be put in place for the high priority risks. Ideally, there should be planning for all risks, but most projects do not have the resources to focus on all of them. In addition, project managers should assign a risk owner to each high-priority risk whose responsibility is to develop a risk response plan, which can include corrective actions. This proactive planning will provide an action plan whenever the risk occurs. Depending on the nature and priority of the risks, owners may also identify early warning signals and triggers to alert the team should the risks emerge. Next comes the monitoring part where project managers and risk owners have to keep track of the status of the risks and update the risk register accordingly.
- Implementing Risk Response – The final process is implementing a risk response should the risk occur. By definition, risks are probable events, which means that many of them dissipate. But when they do occur, these risks become issues. Project managers and risk owners can then apply risk response plans. Of course, not all issues have a detailed plan, and project managers and risk owners would have to apply their business acumen, ingenuity, and other skills to tackle the risks. After the issue is well under control, it is often worthwhile for the project managers, risk owners, issue owners, and other stakeholders to perform a post-action analysis to see what was done well, what could be improved, and whether there are newly identified risks that can result from the issue resolution.
Risk Evaluation Parameters
In Section 220.127.116.11 of the PMBOK® Guide – 6.0 Edition, there is a comprehensive list that includes: probability, impact, urgency, proximity, dormancy, manageability, controllability, detectability, connectivity, strategic impact, and propinquity. Naturally, there can be other parameters to consider, depending on the type of project and its environment. Of this list, the top six parameters that are most commonly used include the following:
- Probability – The likelihood of the risks occurring
- Impact – The potential effect on the project, positive or negative, should the risk occur
- Strategic impact – The potential effect on the organization that’s beyond the project impact
- Manageability – The ability of the risk owner (and other project stakeholders) to tackle the risk effectively
- Detectability – The ability of the risk owner (and other project stakeholders) to recognize the risk when it occurs
- Urgency – The window of time available to effectively respond to the risk
The other parameters can be important too, and here is a short description:
- Proximity – The window of time in which a risk can affect one or more of the project goals and objectives
- Dormancy – The window of time in which the risk has occurred, but its impact went undiscovered
- Controllability – The ability of the risk owner to influence the risk impact and outcome
- Connectivity – The interconnectedness of this risk in relationship with other project, program, and portfolio risks
- Propinquity – This is an interesting factor as it is subjective. Propinquity is the perceived importance of risks by the stakeholders
How do risk management credentials enhance the credentials of all project professionals, especially those who already hold the PMP?
PMP holders are professionals who are involved in the project management field and need to learn and apply the PMI project management methodology and work using a process-oriented approach. The PMP is usually the first educational step in the project management industry. Risk management credentials are a great plus to any PMP holder specifically. This is because risk and crisis management is a huge factor in complex projects and as any project manager grows in the business, the projects become more complex and risks are higher in impact.
New – The Standard for Risk Management in Portfolios, Programs, and Projects
In late April 2019, PMI released the latest development of risk management for projects, programs and portfolios as a “principle-based” standard in which the primary focus is on a set of important “truths” about project management. The six principles include the following:
- Striving to achieve excellence in the practice of risk management
- Aligning organizational strategy and governance practices with risk management
- Emphasizing the need to focus on the “right” risks
- Finding the optimal balance between risks and rewards
- Nurturing and promoting a culture that adopts risk management practices
- Navigating complexity to enable successful outcomes through the practice of risk management
In addition to presenting the important principles that guide risk management, the standard strives to emphasize the “p-p-p” (project-program-portfolio):
- Benefits and aims of risk management
- Conceptually how risk management permeates across projects, programs and portfolios
- Life cycle of risk management
Note: Our CEO, Dr. Te Wu, is one of the core team members on the standards committee that created this new standard. For more information about the new risk management standard, visit https://www.pmi.org/pmbok-guide-standards/foundational/risk-management.
About Project Management Institute’s Risk Management Professional (PMI-RMP)
The PMI-RMP certification is a specialty certification focusing on project risk management. It is a competency-based certification whose holders can effectively identify risks, evaluate them, develop risk response plans, and tackle risks. The credential highlights a project management professional’s ability to handle risks, especially on high-risk, elevated-uncertainty, and complex projects in which crises are more likely. The exam is a 3.5-hour exam with 170 multiple choice questions. To maintain the certification, 30 PDUs must be earned in risk management topics every three years.
There are multiple factors that contribute to the difficulty of the exam. But the two most important factors, assuming the test takers have sufficient experience with risk management, are the rapid pace of the exam and the challenge of selecting the best answers on experience-based and scenario-based questions:
- Rapid pace – 74 seconds per question
  - In technical materials, an average person reads about 50-76 words per minute.
  - The question then has four answer choices which are about 80-120 words. (The six principles contain 64 words).
  - 74 seconds may not be enough to read most questions and answers.
  - Thus test takers practice and learn to read quickly and think on their feet.
- Experience-based and scenario-based questions
  - Complicating the matter, most questions are also experience-based and/or scenario-based, such as interpreting a Monte Carlo simulation output.
  - In many cases, the goal is not to find the “correct” answers. Rather, it’s important to find the “best” answer.
As a professional interested in pursuing the PMI Risk Management Professional credential, you essentially have two choices: self-study (which requires more time but is less expensive) or attending a course (which shortens the study time and reduces the risk of failing, but is more expensive).
- If you have time, experience, and confidence, you can self-study and pass the exam. While challenging, it’s clearly possible.
  - Our suggestion is to allocate a window of at least 90 days and dedicate an average of 10-15 hours per week (preferably spread out the time evenly throughout the week).
  - Focus on these PMI publications:
    - Practice Standard for Risk Management
    - The Global Standard for Risk Management in Portfolio, Program, and Project
    - A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition – Chapter 11 on Risk Management
  - PMI also provides a reference list that contains additional books. Our suggestion is to review them ONLY if you have time. Even though these are excellent resources, most of the questions are derived from the first three documents.
- For busy professionals whose time is very valuable and for those that require extra help from authoritative resources, consider joining one of our upcoming courses.
  - PMO Advisory is a PMI R.E.P., and one of the few firms that train PMP, PgMP, PfMP, PMI-ACP, and PMI-RMP
  - Our PMI-RMP Intelicamp is based on our tried-and-true method of blending multiple methods of learning:
    - Real-time, instructor-led – 12 hours total (about 3 sessions of 4 hours each)
    - eLearning – supported by videos, course materials, practice questions
  - Course also earns 12 PDUs for those who are PMP certified.
- Examples of failed projects with poor risk management are everywhere. Just imagine if Boeing had actually implemented better training or relied on two angle-of-attack sensors instead of one for such mission-critical systems.
- The emphasis on risks can be seen everywhere.
  - In PMBOK® Guide – Sixth Edition, the word “risk” is mentioned 2,078 times versus 1,206 for cost and financial. See the image below for the word count of all the knowledge areas.
  - PMI spent two years creating a new global standard for risk management. This new principle-based standard, The Standard in Risk Management for Portfolios, Programs, and Projects, will guide the profession for the foreseeable future.
Do you need more convincing? Just look at the world around us. We have always lived in a risk-adjusted world, but now from the rise of terrorism to data breaches, we are all on the edge. It’s time to take charge of the situation, both professionally for self-development and at work.
- Thamhain, H. J. (2013). Managing risks in complex projects. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute. https://www.pmi.org/learning/library/managing-risks-complex-projects-5946
- Ray, S., & Ray, S. (2019, April 05). The Risk Management Process in Project Management. Retrieved April 30, 2019, from https://www.projectmanager.com/blog/risk-management-process-steps
- PMI Risk Management Professional (PMI-RMP). (n.d.). Retrieved April 30, 2019, from https://www.pmi.org/certifications/types/risk-management-rmp
- The Standard for Risk Management in Portfolios, Programs, and Projects. (n.d.). Retrieved May 5, 2019, from https://www.pmi.org/pmbok-guide-standards/foundational/risk-management