Principles of Project Risk Management

The following list of twelve principles is designed as a checklist to identify significant gaps in a project risk management process. No matter what your project or process design, all these principles should apply.

1. Risk Management concerns the implications of uncertainty

In this context, uncertainty means "lack of certainty". A project is risky if its outcomes are uncertain and if this lack of certainty matters. You can also use this idea of uncertainty to contrast the purpose of the risk management process with that of the project planning process that uses deterministic estimates. These two processes should be aligned with each other, but not fighting for the same ground.

2. Risk management matters most during the earliest phases of a project

Uncertainty tends to reduce as a project progresses through its life cycle. It follows that the potential for risk management to add value tends to be at its greatest during the earlier phases. A problem with some risk management processes is that they rely on a significant level of planning detail having been developed before risks can be identified and assessed. More capable risk management processes influence the development of project objectives as they are being firmed up into specific targets and commitments.

3. The process should investigate the most important sources first so that subsequent developments of detail are built on a sound foundation

This principle indicates that a multi-pass process is required, at least in the initial stages. Failure to use a top-down multi-pass process frequently results in a detailed list of risks that distracts from what matters most. For example, although a contractor may have a detailed risk register, if they lack incentives to manage risk in the customer's best interests, their risk register is unlikely to be useful. Many detailed risk registers are also incoherent in the sense that risks cannot be combined to calculate overall project risk exposure.

4. The purpose of risk analysis is to support decisions

If the process does not affect decision making, it is a waste of time. At a high level, the decisions involved may include strategic choices, e.g. where project targets should be set or whether or not the project should go ahead. At a lower level they may involve choices about how to treat individual risks. Decisions may also be related to the prioritization or escalation of risks.

5. The most effective risk treatments tend to be those that tackle risk at source

Prevention is often better than cure. It follows that a key purpose of risk assessment is to understand risks in a way that leads to pro-active risk treatment. For example, you can consider whether or not risk descriptions adequately capture the relevant sources of uncertainty and whether or not planned risk responses address these sources as appropriate.

6. To quantify overall project risk, one has to understand both source and impact

Quantifying overall project risk forecasts the potential effects of risk impact. However, the relationship between sources of risks and their effects may be complex. Thus, you cannot develop rational models for risk analysis unless the most important features of such complexity are understood. This is one of the reasons why including a top-down multi-pass process is best practice.

7. Each of the components of the core risk management process has an essential role

The various guides and standards available have tended to coalesce around a similar core process that involves 1) establishing context, 2) risk identification, 3) risk analysis, 4) planning risk responses, 5) implementing the responses and 6) management of the process itself. If any of these components is performed inadequately, the whole process is liable to be ineffective. For example, if key risks are not identified or if risk responses are not implemented, the overall process capability will be low.

8. There should be clarity about the ownership of process responsibilities

This really applies to any process; if individuals or organizations are not clear about their responsibilities, things tend to not get done. Decision makers, risk owners and the people responsible for implementing risk responses must know what is expected of them.

9. Leadership by the project sponsor and project manager is critical to process effectiveness

Overt management support for the risk management process is essential. Risk management is about acting on the things that could make the most difference to the project outcome. Senior people need to lead by example and be seen to be active in their management of risk.

10. Risk estimates should be elicited in ways that avoid the effects of bias

Risk estimates are affected by the project environment and by the effects of heuristics (mental short cuts). Structured techniques can be used to counter some of these effects. However, in circumstances where bias is not unlikely, the use of independent advice should be considered prior to major project decisions.

11. A culture of frank and open communication on risk is essential

Risks often concern inconvenient truths, which, if suppressed, cause more damage than they need to have done. A culture of frank and open communication which leads to people being told what they need to know is thus necessary if risk is to be managed effectively.

12. The risk management process must add value to the project and complement its other processes

Data used to define or organize a project is usually managed in other processes such as requirements management, planning and cost control. These are core processes to which risk management should contribute decisions, but which it should not seek to replace. A smart process design will minimize administrative burden and focus on those activities likely to add the most value.