Risk management - why do procedures so rarely work?

Published on August 24, 2019

Risk management - why do procedures so rarely work?

    Seeming simplicity

    In any textbook, including the PMBOK, the risk management procedure is described in crystal clear and understandable terms.

    Risk need:

    • to reveal
    • qualitatively and quantitatively analyze
    • put in the appropriate section of the risk matrix
    • decide on working with him
    • track until onset or loss of relevance.

    However, in real life it is not often possible to see a careful adherence to these procedures and even less often - the benefits of this.

    Behind the seeming simplicity is the daily work of the project manager, requiring discipline, creativity and intellectual effort. And since risk is a probable event in the future that may not happen, there is no time to do this now and do not want to - there are more pressing tasks.

    Suppose a project manager understands that risk management is necessary. Convince him not to. But how to do it in the most effective way? What techniques and tools should be used in order to really reduce losses from the occurrence of risks with minimal time?

    Risk management

    tools There is a set of mandatory tools, the presence of which, as well as the quality of the content, already indicates that the project manager is trying to manage risks. it

    • Risk register
    • Critical Risk Cards
    • Risk Assignments and Tasks

    However, their presence in itself does not provide a result.

    First - it is necessary to correctly determine the risk. As a rule, a chain of events leads to adverse consequences. What to call risk? Consequences or one of the events that lead to it?

    Let's look at a simple example.

    The figure shows the same chain, but the emphasis is on different links.



    You can try to never be late for work. For example, in order to avoid lateness for sure, go out half an hour earlier. And this is a good option if you are a lark, and half an hour of sleep in the morning is not a great value for you.

    And you can redirect a landline phone to a mobile, and certainly avoid a missed call, despite being late.

    The cost of dealing with the probability of occurrence of risk in two cases is different. Half an hour of sleep or worthless redirection to the mobile. Depending on what we are fighting against, the cost of prevention can vary dramatically.

    A risk event is what we will fight with, what we will try to prevent.
    The following criteria can be used as a practical hint for determining a risk event:

    • The event is under direct control - it can be recognized, it can be influenced.
    • The event is guaranteed to lead to consequences.
    • There is a standard way to solve the problem and this method is usually inexpensive.

    Identifying risks is an ongoing process. They can be formulated on the basis of previous experience, analysis of the current situation, anyone can report them, and in any form. If you keep your eyes open, the risk information will always be there.
    The question is, what of this worthy to get into the registry?


    An entry in the risk register should be specific:

    • If it happens ...
    • There will be consequences ...
    • We can do the following about this ..

    For each risk, a responsible and control date is assigned.

    I recommend the following structure of the risk register, which, however, can be changed or supplemented in accordance with specific conditions and preferences:

    1. No - Unique Risk Code
    2. Name - brief risk label
    3. Description - description of the risk event and consequences
    4. Open - Date of risk registration
    5. Initiator - name of initiator
    6. Risk control - name of the person responsible for regular risk control
    7. Priority - High / Medium / Low
    8. Required Resolution Date - When to Decide on Risk or Problem Action
    9. Consequences of the occurrence of risk (time and cost) - What will the occurrence of risk, in numerical terms.
    10. Risk Management - What to do with risk
    11. Responsible for the actions - Who should perform these actions
    12. Planned date of action - When you need to perform actions
    13. Action at risk - What to do if the risk comes
    14. Status Date - Status Update Date
    15. Status - Open / Analysis completed / Resolved / Closed

    Risk Map
    The most important risks are worthy of creating a separate document for them - a risk map.


    In the risk map, we write:

    • detailed description of what might happen
    • what consequences arise, preferably expressed in money
    • probability of occurrence
    • options for action (do nothing, do something, do something else)
    • Decision and Action Plan



    The risk map is very convenient for escalation. If actions depend on someone else who is not at the mercy of the project manager, then escalation is necessary.

    3. Execution of the risk management plan.

    It is possible to identify risks, keep a register, draw up cards. But if there is no action on risks, then all the previous steps are useless.

    The following risk management strategies and examples of its use are possible:

    • Avoid - do not do the project; abandon the use of unknown technology.
    • Restrain — take any action to reduce the likelihood or extent of the impact of the consequences: engage a subcontractor with relevant experience; move risky tasks to the beginning of the project; conduct additional testing.
    • Accept - form a reserve for the occurrence of risk (time buffer, stock in the budget)
    • Transfer - to entrust someone (customer, contractor, insurance company) with responsibility for the implementation of the task for which there is a risk, or its consequences.

    Once you have decided on which strategy to choose, have planned actions, it is important to ensure their implementation.

    On one of the projects I applied the following practice. He appointed a risk meeting with the deputy general manager of the customer and came with several risk cards. I asked to read, if necessary, explained something, asked to choose one of the options or formulate another solution. After that - sign on paper. It is very stimulated to the actions of people in the subordination of this leader.

    However, such a scheme is not always applicable if it does not correspond to the corporate culture or the manager has a tactic of avoiding a decision. Manipulation is creative.

    On another project, we prepared risk maps on the project portal (seeUsing JIRA and Confluence in charge of the project ), which were then automatically collected into the registry. This option is more convenient than trying to fit all the abundance of information in the Excel spreadsheet. Moreover, due to communication with the task management system, it was easy to plan and control risk actions.

    This statement does not pretend to the severity of terms and completeness of the disclosure of the topic. Instead, I tried to share what really works.

    If you realize the importance of risk management, systematically use the tools and approach this practical, then you can avoid a lot of complications and unnecessary work caused by them.