What Is Risk (and Why You Should Care)?


Nothing ventured, nothing gained: "You can't get anywhere unless you're willing to take a risk. The saying dates back to Chaucer (c. 1374) and is similar to the late fourteenth-century French proverb: Qui onques rien n'enprist riens n'achieva (He who never undertook anything never achieved anything)."

Random House, Dictionary of Popular Proverbs and Sayings

What often confuses people is the difference between a risk and an issue. As defined in Webster's Collegiate Dictionary, risk is the "possibility of loss or injury." Risks differ from problems or issues because risks refer to anticipated problems, uncertainties, or potential for adverse outcome or loss in value, control, functionality, quality, or timely completion of a project. Problems and issues, however, are conditions or states of affairs that exist in a project at the present time. Risks can, in turn, become problems or issues if they are not addressed effectively.

Most individuals associate the concept of risk with the potential for loss; risk can adversely affect project outcomes. Inadequate handling of risk can degrade project outcomes and is likely to result in the failure of a solution to achieve its full potential.

Although a risk presents the possibility of adverse project impact, when handled correctly, it also presents an opportunity for gain. As such, MSF broadly defines a project risk as any event or condition that can have a positive or negative impact on the outcome of a project. This wider concept of speculative risk is used by the financial industry where decisions regarding uncertainties can be associated with the potential for gain as well as loss, as opposed to the concept of pure risk used by the insurance industry where uncertainties are associated with potential future losses only.

What does it mean to handle risk correctly? How should a team handle uncertainty and what might happen? Will valuable time be wasted on what might never be realized? MSF attempts to address these questions in its risk management approach.

Managing Risks Throughout a Project

Effective handling of risk increases the likelihood of success in a project by minimizing the potential for failure and maximizing the potential to use risk for gain. Effective handling of risk involves having a good approach (i.e., risk management process) and accomplished execution of that approach (i.e., risk management discipline).

Managing risks throughout a project does not need to be hard or complicated. Risk management is a process of proactively identifying, analyzing, and addressing project risks. A goal of risk management is to maximize the positive impacts (opportunities) while minimizing the negative impacts (losses) associated with project risk. An effective policy of understanding and managing risks ensures that effective trade-offs are made between risk and opportunity.

Before discussing the MSF Risk Management Process, it is necessary to explore elements of risk management and how the MSF foundational principles apply to risk management.

MSF Risk Management Discipline

So what does it mean to have risk management discipline? It means successfully handling and approaching risk on a few different levels, namely, these:

  • Comprehensive: Address all elements in a project (people, process, scope, technology, and environmental elements)

  • Systematic: Incorporate a structured and repeatable process

  • Continuous: Apply throughout a project life cycle

  • Proactive: Seek to prevent or lessen impact of risk occurrences

  • Flexible: Accommodate a wide range of quantitative and qualitative risk analysis methodologies

  • Practical: Focus on those risks that most affect a project

  • Cost-effective: Ensure maximum return on risk management efforts

  • Future-oriented: Commit to individual and enterprise-level learning

To be successful at handling risk, these characteristics of risk management need to be internalized and adapted to each project. For instance, what does it mean to handle risk proactively? It could mean anticipating problems rather than reacting to them. As part of anticipating problems, problem resolution plans are prepared before problems occur (most often for high-impact risks that are likely to occur). However, being proactive also could mean using preventative measures whenever possible to minimize risks and potentially prevent them from being realized. The point is that there is wide latitude in how to handle risks, and as such, a team needs to reach agreement and plan out what is appropriate for their given project constraints. The following section explores this topic further.

Risk Management Planning

At the beginning of a project, a team should develop and document how they plan to handle risk within the context of a project. Because risk management seems the least understood area, here are some questions to help you get started thinking about risk management:

  • What are the assumptions and constraints for risk management?

  • How will the risk management process be implemented?

  • What are the process steps?

  • What are the activities, roles, responsibilities, and deliverables for each step?

  • Who will perform risk activities?

  • What are the skill requirements?

  • Is there any additional training needed?

  • How does risk management at a project level relate to enterprise-level efforts?

  • What kinds of tools or methods will be used to track and analyze risk?

  • What definitions are used to classify and estimate risk?

  • How will risks be prioritized?

  • How will contingency and risk plans be created and executed?

  • How will risk control activities be integrated into the overall project plan?

  • What activities will team members be doing to manage risk?

  • How often will risks be reassessed?

  • How will status be communicated among a team and project stakeholders?

  • How will progress be monitored?

  • What kind of infrastructure will be used (databases, tools, repositories) to support the risk management process?

  • What are the risks of risk management?

  • What resources are available for risk management?

  • What are the critical dates in a schedule for implementing risk management?

  • Who is the sponsor and who are the stakeholders for each area of risk?

  • Are resources (time, money, and people) set aside to research and address risks?

Risk management planning activities should not be viewed in isolation from the standard project planning and scheduling activities, just as risk management tasks should not be viewed as being "in addition" to tasks team members perform to complete a project. Because risks are inherent throughout a project, resources should be allocated and scheduled to manage risks actively. The next section discusses this topic further.

Integrating Risk Management in a Project Life Cycle

Risk management should be seamlessly integrated into the overall project life cycle. Risk assessment should begin at the beginning of a project as a project team and stakeholders begin to frame a project vision and begin setting constraints. With each constraint and assumption that is added to a project, additional risks will begin to emerge. A project team should begin risk identification activities as early in a project as possible. As a project continues, risk mitigation and contingency plans, discussed in detail later in this chapter, should be built directly into a project schedule and master plan. Progress of the risk plan should be monitored by the standard project management process.

In general, risk identification and risk tracking are continuous activities. Supported by the open communications principle, team members should be constantly looking for risks to a project and surfacing them for a team to consider, as well as continuously tracking the progress against specific risk plans. Analyzing and reanalyzing risks as well as modifying risk management action plans are more likely to be intermittent activities for a team, sometimes proactively scheduled (perhaps around major checkpoints or weekly project status reviews), and sometimes as a result of an unscheduled project event (discovery of additional risks during tracking and control). Learning is most often a scheduled event occurring around major checkpoints and certainly at the end of a project.

Over the course of a project, the nature of risks being addressed should change as well. Early in a project, business-, scope-, requirement-, and design-related risks dominate. As time progresses, technical risks surrounding implementation become more prominent, and then transition to operational risks. It is helpful to use risk checklists or review risk classification lists at each track transition within a project life cycle to guide risk identification activity.

Managing Risk Across a Portfolio of Projects

Not all projects have equal priority and importance. As such, risks associated with those projects are also not equally weighted. When dealing with a portfolio of projects, be it within a program or an enterprise, there needs to be a means to assess and manage risk across that portfolio. For example, how much effort should be spent on a high risk on a low-priority project as opposed to medium risk on a critical project? There is no one answer because it is situational. However, a team needs to have a clear means to resolve this. Remember, a goal is to achieve maximum return on risk management efforts across a portfolio.

But why should an organization spend extra effort managing risks across a portfolio? It seems like a lot of extra work. Yes but...many benefits at a portfolio level would not be realized unless portfolio-level management occurred. For instance, here are a few benefits:

  • Resources and effort might be assigned to projects across a portfolio according to the risks they face.

  • Each project's risk manager has an external escalation point to provide a second opinion on a team's assessments.

  • Project teams can learn more rapidly from experience elsewhere.

  • Quality assurance on the risk management processes is applied within each project.

Depending on the size of a portfolio, an organization might have resources dedicated, even if part-time, to work with project leads to manage risk across a portfolio. This dedicated team often is referred to as a Risk Review Board. Note that portfolio risk review complements risk assessments undertaken by each project team. A review team typically does not have enough project knowledge to help identify risks, nor does it likely have the time available to undertake risk mitigation actions. However, it can contribute to risk analysis and planning.

Because a review team normally contains more experienced practitioners, its members often call on that experience to advise a project team on the significance of certain risks, helping a team to prioritize risks. These experienced people are good resources who can recommend mitigation and contingency strategies that they have seen used effectively in the past. Based on their experience, they are well suited to help spot trends across projects that might identify an underlying problem, triggering some root-cause analysis.

The following are successful practices that have been applied in portfolio risk management:

  • Secure executive support for a portfolio review process. Maintain this by regular reports on findings and lessons learned.

  • Schedule meetings well in advance; ideally make meetings recurring, regular appointments on a day when many of the project leads are expected to be present. Issue invitations to a review board well in advance; good reviewers have many other commitments.

  • Select projects for review carefully. Expect to review large, high-profile, mission-critical, and/or complex projects every month, but ensure that a broad cross section of other project types is also reviewed.

  • Follow a standard agenda for each project so that project leads know what to expect from the meeting. For example, have 20 minutes for presentation of a current risk assessment, followed by 20 minutes discussion of mitigation and contingency strategies, followed by a 5-minute review of any lessons learned to be shared with other project teams.

  • Use standard documents for project status reporting and risk assessment.

  • Ensure both documents are updated and distributed to all attendees in advance of a meeting; this enables a team to reduce time spent in a meeting.

  • Encourage project team leads to attend reviews, either in person or on the telephone.

  • Ensure that a project team gets value from a review. Often this is achieved by reviewing progress on issues that might not technically be risks, but where the experience of review board members can assist a project team.

  • Avoid attributing any blame for a project situation.

Creating a Risk Management Culture

Although few project delivery organizations argue against managing risks on their projects, many find it difficult to fully adopt the discipline associated with proactive risk management. What often happens is that a team initially assesses risk at the start of a project, but fails to continue to manage risks as a project proceeds. Two reasons are frequently put forward to explain this:

  • Pressure of time on a project team

  • Concern that focus on risks will undermine customers' confidence or present a negative impression

Often, a root cause for these beliefs is that managers themselves do not understand the value that risk management delivers to a project. As a result, they are reluctant to propose adequate resources necessary for risk management (and indeed other project management activities). Conversely, they might sacrifice these activities first if a project comes under pressure. It is therefore especially important to ensure that all stakeholders appreciate the importance of managing risks to establish a culture where risk management thrives. The following activities have been found to be effective in establishing risk management as a consistent discipline:

  • Secure management sponsorship.

  • Seek advice and mentorship from a risk manager who brings personal experiences and knowledge of failures.

  • Educate all stakeholders about the importance of managing risks and costs incurred from failure, much of which can be avoided through effective risk management.

  • Train a core set of risk management practitioners who can provide role models and mentorship for others; an effective training approach is to combine a workshop on the theory of risk management with real exercises based on a live project.

  • Invite key project stakeholders to risk review meetings and ensure that status reports are circulated to them.

  • Introduce a recognition scheme for project team members who effectively identify and/or manage risks.

  • Ensure that project teams consider risks in project scheduling and making key decisions.

  • Seek feedback from stakeholders on the effectiveness of a risk management process and review it regularly to ensure that it is shown to add value.

Foundational Principles Applied to Risk Management

The MSF Risk Management Discipline is founded on a belief that risk must be addressed proactively, as part of a formal and systematic process that approaches risk management as a positive endeavor. This discipline is based on foundational principles, mindsets, and practices that are central to MSF. The following principles are especially important for effective project risk management.

Foster Open Communications

MSF espouses an open approach toward discussing risks, within a team as well as with key stakeholders external to a team. All team members should be involved in risk identification and analysis. Team leads and management should support and encourage development of a no-blame culture to promote this behavior. Open, honest discussion of project risk leads to more accurate appraisal of project status and better-informed decision making both within a team and by executive management and sponsors.

Work Toward a Shared Vision

All aspects of delivering a solution are fraught with risks. Part of having a shared vision is making sure everyone understands how to identify, classify, communicate, and manage those risks. That way, a team makes informed decisions throughout a life cycle. Also, a team can choose to avoid risk(s) by adjusting a shared vision.

Empower Team Members

Empowering team members involves a degree of trust and personal safety. That is, any team member can raise a risk in a constructive manner without fear of retribution or disdain: a blameless environment. Team members should be comfortable enough to know that raising a risk associated with their area is a sign of needed maturity. As such, the quantity of risks associated with various teams and individuals should not be used as assessment/evaluation criteria.

Establish Clear Accountability, Shared Responsibility

No one person "owns" risk management within MSF. Everyone on a team is responsible for actively participating in a risk management process. Individual team members take ownership of action items specifically addressing project risk within a project schedule and plans. Each holds personal responsibility for completing and reporting on these tasks in the same way that he or she does for other action items related to completion of a project. Activities might span all areas of a project during all tracks of a project and risk management process cycles. These activities include risk identification within areas of personal expertise or responsibility and extend to include risk analysis, risk planning, and execution of risk control tasks during a project. Within the MSF Team Model, a Project Management functional area of the Program Management Advocacy Group holds final accountability for organizing a team in risk management activities and ensuring that risk management activities are incorporated into standard project management processes for a project.

Deliver Incremental Value

Incremental delivery of value typically enables a reduction of risk. More frequent and smaller deliveries enable a team to react and respond quickly to risks. By decomposing a solution into incremental deliveries, a team and stakeholders reduce risk on many fronts. They reduce risks associated with technology because they continually are building and refining a deployed solution. They reduce risks that a solution will not meet stakeholders' needs and expectations. They reduce risks that what is being delivered does not provide value to stakeholders. They reduce risks associated with team member skills readiness because incremental builds of a solution can be used to hone and assess team member skills.

Stay Agile, Expect and Adapt to Change

Murphy was an optimist!

O'Toole's commentary on Murphy's Law

Prospect of change is one of the main sources of uncertainty facing a project team. Risk management activities should not be limited to any one portion of a project life cycle. All too often, teams start out a project with the good intention of applying risk management principles, but fail to continue the effort all the way through project completion under pressures of a tight schedule. Agility demands that a team continuously assess and proactively manage risks throughout all tracks of a project life cycle because continuous change in all aspects of a project means that project risks are continuously changing as well. A proactive approach enables a team to embrace change and turn it into an opportunity to prevent change from becoming a disruptive, negative force.

Invest in Quality

Investing in quality typically translates into reduced risk and better management of risk. Managing risks effectively usually means a team has more time to focus on their efforts rather than spending time reacting to realized risks (i.e., issues). How many times have you been on a project that has had to "drop everything" to deal with an issue that could have been prevented? Most likely too many times!

Learn from All Experiences

MSF assumes that keeping focus on continuous improvement through learning leads to greater success. Knowledge captured from one project decreases uncertainty surrounding decision making with inadequate information when it becomes available for others to draw upon in the next project. MSF emphasizes the importance of organizational or enterprise-level learning from project outcomes by incorporating a step into a risk management process. Focusing directly on capturing project outcome experiences encourages team-level learning (from each other) through fostering open communications among all team members.

Partner with Customers

As discussed, risks are not necessarily caused by the failings of a team. Rather, risks are usually generated when a team takes calculated steps to accelerate solution delivery. This type of risk, if handled correctly, typically means a windfall for customers. As such, partnering with customers to gauge how much risk should be assumed is essential to the success of a project.

MSF Risk Management Fundamentals

In this section, important concepts about risk and risk management central to understanding the MSF Risk Management Discipline are discussed.

Risk Is Inherent in Any Project or Process

Although different projects might have more or fewer risks than others do, no project is completely free of risk. Projects are initiated so an organization is able to achieve a goal that delivers value in support of an organization's purpose. Uncertainties always surround a project and the environment that can affect the success of achieving this goal. By always keeping in mind that risk is inherent and everywhere, MSF practitioners seek ways to continuously make the right trade-off decisions between risk and opportunity and do not become too focused on minimizing risk to the exclusion of all else.

Proactive Risk Management Is Most Effective

MSF adopts a proactive approach to identifying, analyzing, and addressing risk by focusing on the following:

  • Anticipate problems rather than just reacting to them when they occur

  • Address root causes instead of just dealing with symptoms

  • Have problem resolution plans ready ahead of time, before a problem occurs

  • Use a known, structured, repeatable process for problem resolution

  • Use preventative measures whenever possible

Effective risk management is not achieved by simply reacting to problems. A team should work to identify risks in advance and to develop strategies and plans to manage them. Plans should be developed to correct problems if they occur. Anticipating potential problems and having well-formed plans in place ahead of time shortens the response time in a crisis and can limit or even reverse the damage caused by an occurrence of a problem.

Defining characteristics of proactive risk management are risk mitigation and risk impact reduction. Mitigation can occur at the level of a specific risk and target the underlying immediate cause, or it can be achieved by intervention at a root-cause level (or anywhere in the intervening causal chain). Mitigation measures are best undertaken in the early stages of a project when a team still has the ability to intervene in time to affect project outcome.

Identification and correction of root causes has high value for the enterprise because corrective measures can have far-reaching positive effects well beyond the scope of an individual project. For example, absence of coding standards or machine naming conventions can clearly result in adverse consequences within a single development or deployment project and thus be a source of increased project risk. However, creation of standards and guidelines can have a positive effect on all projects performed within an enterprise when these standards and guidelines are implemented across an entire organization.

Treat Risk Identification as Positive

Effective risk management depends on correct and comprehensive understanding of risks facing a project team. As the variety of challenges and the magnitude of potential losses become evident, identifying and managing risks can become a discouraging activity for a team. Some team members might even take the view that to identify risks is actually to look for reasons to undermine the success of a project. In contrast, MSF adopts the perspective that the very process of risk identification enables a team to manage risks more effectively by bringing them out into the open, and thereby increases the prospects for success by a team. Open, documented discussion of risk frees team members to concentrate on their work by providing explicit clarification of roles, responsibilities, and plans for preventative activities and corrective measures for problems.

A team (and especially team leaders) should always regard risk identification in a positive way to ensure contribution of as much information as possible about the risks they face. A negative perception of risk causes team members to feel reluctant to communicate risks. The environment should be such that individuals identifying risks do so without fear of retribution for honest, constructive expression of tentative or controversial views. Examples of negative risk environments are easy to find. For example, in some environments reporting new risks is viewed as a form of complaining. In this setting, a person reporting a risk is viewed as a troublemaker, and reaction to a risk is directed at a person rather than at the risk itself. People generally become wary of freely communicating risks under these circumstances and then begin to selectively present the risk information they decide to share to avoid confrontation with team members. Teams that create a positive risk management environment by actively rewarding team members who surface risks are more successful at identifying and addressing risks earlier than those teams operating in a negative risk environment. There also should be a reward for team members who propose ways to address these risks.

To achieve a goal of maximizing positive gains for a project, a team must be willing to take risks. This requires viewing risks and uncertainty as means to create the right opportunity for a team to achieve success.

Lesson Learned

How risks are reported to a team and to stakeholders can have a big effect on morale. Although project risks should be available to everyone in keeping with the foundational principle of open communications, it is also in keeping with this principle that the right information should be shared with the right people at the right time. Accordingly, it is advantageous, especially on large, complex projects, to provide a means to filter a risk log when reporting on risks. That way, subteams can focus on their risks (and issues) and not get distracted by what might not be relevant to them.


Continuous Assessment

Many people misperceive risk management as, at best, a necessary but boring task to be carried out at the beginning of a project or only at the introduction of a new process. However, actively managing risk can provide team members with the confidence to be able to take risks.

Continuing changes in project and operating environments require project teams to reassess the status of known risks regularly and to reevaluate or update plans to prevent or respond to problems associated with these risks. Project teams should also be constantly looking for the emergence of new project risks. Risk management activities should be integrated into an overall project life cycle in such a way as to provide appropriate updating of risk control plans and activities without creating a separate reporting and tracking infrastructure.

Maintain Open Communications

Although risks are generally known by some team members, this information is often poorly communicated. Often, it is easy to communicate information about risks down an organizational hierarchy, but difficult to pass information about risks up the hierarchy. At every level, people want to know about project risks but are wary of communicating this information upward. Restricted information flow regarding risks is a potent contributor to project risk because it forces decisions to be made about those risks with even less information. Managers and key influencers need to encourage and exhibit open communications about risk and ensure that risks and risk plans are well understood by everyone.

Specify, Then Manage

Risk management is concerned with decision making in the face of uncertainty. Generic statements of risk leave much of the uncertainty in place and encourage different interpretations of a risk. Clear statements of risk aid a team in the following:

  • Ensuring that all team members have the same understanding of a risk

  • Understanding the cause or causes of a risk and the relationship to problems that might arise

  • Providing a basis for quantitative, formal analysis and planning efforts

  • Building confidence by stakeholders and sponsors in a team's ability to manage a risk

MSF advocates that risk management planning be undertaken with attention to specific information to minimize execution errors in a risk plan that render preventative efforts ineffective or interfere with recovery and corrective efforts.

Don't Judge a Situation Simply by the Number of Risks

Although team members and key stakeholders often perceive risk items as negative, it is important not to judge a project or operational process simply on the number of communicated risks. Risk, after all, is the possibility, not the certainty, of a loss or suboptimal outcome. As explained in the next section, the MSF Risk Management Process advocates the use of a structured risk identification and analysis process to provide decision makers with information on the presence of risks and the importance of those risks as well.




Microsoft Solutions Framework Essentials: Building Successful Technology Solutions
ISBN: 0735623538
Year: 2006
Pages: 137
