“Risk, what is it good for? Absolutely nothing, say it again,” as Edwin Starr never sang.
But, a bit like insurance, risk is one of those things that you wish you’d paid attention to after the fact. And it is a vital component of project and programme management regardless of the mental model you bring to the subject.
From the Australian Qualifications Framework (AQF) side of the house (and influenced by the PMBOK Guide), risk is a mandated core unit in BSB51415 Diploma of Project Management in the form of BSBPMG517 Manage project risk. For BSB41515 Certificate IV in Project Management Practice, it’s a Group A elective unit (BSBPMG415 Apply project risk-management techniques).
From AXELOS’ perspective, it’s a (governance) theme in MSP and PRINCE2 and influences its respective principles. Risk – or rather its management – can be a significant reason in your justification for setting up a P3O and the risk role can provide your organization with functional expertise that might be shared at the project, programme and portfolio levels. It’s a process perspective in the P3M3 framework also.
Risk is also an ever-present component in ANAO Better Practice Guides, among them Planning and Approving Projects – an Executive Perspective: setting the foundation for results, Commonwealth of Australia, 2010, and Successful Implementation of Policy Initiatives, Commonwealth of Australia, 2014. (One of my axioms is that they might be better practices, but what argument could you possibly advance not to follow government-endorsed advice?) So, rather than what is it good for, maybe the question would be better articulated as: why should risk matter to you, the practitioner?
The answer is: because you need to do something about it. This component was writ large in the Report of the Royal Commission into the Home Insulation Program (Commonwealth of Australia, 2014). Chapter 14 detailed the lessons learned; along with addressing the capacity of Commonwealth agencies and staff to undertake projects and programmes (section 14.2), emphasis was paid to the importance of risk (section 14.7). In particular, it pointed to the significance of having a functioning risk management process and for staff to be able to use the process.
And what about risk’s sometimes unloved and neglected cousin, issue? While I’m sure (I hope!) we all know the theoretical difference between a risk and an issue, in practice I don’t think it matters. I have been asked countless times whether you should have a combined or separate approach to risks and issues. My stock answer is: I don’t mind. I’d like to believe that your delegate feels the same way. The requirement is to have something; the unit of specification (separate? combined?) can be managed and decided at the task level rather than the escalated level. That said, another of the conclusions from the HIP Report (section 14.7.4) was that risk is holistic. Rather than it being the domain – or for the protection – of senior officials and the Minister, or for reputational and political purposes, risk impacts policy, business-as-usual and projects, and all of those people who are involved in these areas.
Accordingly, accepting this advice on face value, you should forget about which flavour of project or programme management philosophy you prefer. You need to ignore the delineation of whether the item under discussion would be better located in the risk management strategy rather than in the risk management plan. Instead, your approach to risk should focus on something that is usable, flexible and extensible, and at an appropriate level of specificity for the project/programme team, management and corporate governance. Far better to have something that is used and flawed (and can be improved) rather than a product that is robust, complicated and sits on the shelf. My view is that while it is great to have a comprehensive risk strategy, I would trade off some of that ‘great’ to have a good – think functional – risk management process that everyone knows and, even better, has adopted. Then you can join it up to the rest of your project and programme management framework as your maturity increases.
So, I started off opining that, for me, risk didn’t matter. Of course, it does, but more in practice than it does in theory. As a practitioner, trainer and educator, I’m more far more interested in the practicality of application (and response!) than I am in an esoteric discussion of perspective and approach. Perhaps that’s the lesson to learn in preparation for when your delegate asks you how confident you are of managing, mitigating and recovering from the situation in which you find yourself. Good in theory, better in practice...
Click here to access Tanner James’ collection of templates, which includes examples of a Risk Management Strategy, Issue Resolution Strategy and Risk Register and Issues Log for MSP, and a Risk Management Strategy and Issue Report for PRINCE2.
Process maps, explaining how risk and issue management fits in to both MSP and PRINCE2, along with their supporting documents, may be found here.
Matt Overton is a Principal Consultant and Trainer with Tanner James Management Consultants. He has spent the last 20 years delivering risky projects and programmes in the UK, the USA and Australia. Matt is an AXELOS MSP Accredited Trainer and PRINCE2 Registered Practitioner. He is an accredited trainer and assessor in the Diploma of Project Management and Certificate IV in Project Management Practice under the Australian Qualifications Framework. He welcomes feedback to the issues (pardon the pun) he’s raised and invites you to suggest subjects for future consideration.