“It is not the strongest or the most intelligent who will survive but those who can best manage change.”
― Charles Darwin
When PMI moved from PMBOK-5 to PMBOK-6 it made few changes to process names (among many others), and one of them is to rename ‘Control Risks’ process to ‘Monitor Risks’.
It does make sense to do this – risks by nature are outside of anyone’s control, because they step out of uncertainties. Thus the best thing project manager can do is to identify them, analyze them, prepare specific responses, and monitor risks.
Monitoring risks is a project management activity that is essentially about managing expected and unexpected changes in the project.
While planning for risks you referred to various subsidiary plans in Risk Management planning project management activity, realizing that risks may materialize in any of the areas such as Cost, Schedule, Communication or Scope.
You identified risk categories such as Resources, Technical, External, Project – because risks can appear in any of these areas as well.
Then you went ahead and identified very specific risks – actual risks, residual risks and secondary risks.
Then you analyzed them subjectively and objectively, and prioritized them.
Next, you meticulously planned for dealing with each of them in Risk responses planning project management activity.
- Residual risks are the smaller risks remaining even after identifying responses for bigger risks
- Secondary risks are the new risks that come up due to responses planned to manage risks
All this effort is like preparing for the battle. The usefulness of it is determined in the way we monitor and control risks through the length of the project.
It is almost impossible to think about all the risks up front during planning stage itself.
Environments change, stakeholders change, and even requirements change as project progresses. This leads to changes in the risks, their nature, and planned responses.
Monitoring risks involves looking for identified, residual and secondary risks, identifying any new risks, taking quick corrective action when a risk materializes, planning further preventive actions when you identify a trend of a new risk, and measuring effectiveness of risk responses.
What do you need to monitor risks?
Risk management plan. This is a guide for project manager to understand how to deal with managing risks on the project. It defines approaches, tools and methodology to manage risks; roles and responsibilities of people who need to deal with risks, budget allocated for them, project specific risk categories, definition of risk probabilities and their impact on project objectives, and such.
Risk register is the single most important input. This comes from the project management activity to Identify Project Risks. It lists identified risks, their symptoms and frequencies, and time and cost budget allocated for dealing with risks.
Risk report contain risk response strategies and owners that are expected to address the risk if it materializes.
Issue log contains open issues that may turn out to be risks if they escalate beyond a limit.
Then there is lessons learned register that contains strategies, approaches, and methods to address critical risks that are handled on previous projects in the organization.
You would need status of each of the planned deliverables, schedule progress and costs incurred on the project.
Risk related data, and performance reports contain performance measurement metrics such as earned value, planned value, schedule variance, cost variance (EV, PV, SV, CV) as well as forecasting numbers such as estimate at completion (EAC), estimate to complete (ETC) and to-complete performance index (TCPI).
How do you do it?
Reassessing project risks
As the project progresses you find out that some of the risks are not relevant; probability or priorities of few risks are changed, and new risks are identified. All this can be found by regularly reassessing the risks in risk register.
This reassessment exercise is usually done as a team exercise and at regular intervals. Risk register is updated with the changes identified during reassessment exercises. Stakeholders are kept in loop on the risk status.
Auditing for risks
As the word audit suggests this exercise is a methodical examination of how effectively risks have been managed, including the way root causes are analyzed, timely corrective or preventive actions taken, how often risk reassessments are done and their effectiveness and such. These audits typically are conducted by a team outside of the project team.
Analyzing risk trends
In simpler terms this is about looking at project performance over a period of time, studying the trends of cost, schedule and scope variances from baselines, and then trying to forecast whether there is a risk of any of them going rough in near future. If the trend indicates possibilities of any of the risks materializing, then preventive actions are planned and put in place.
Performance analysis
This is about comparing project performance against planned performance. For instance, if you were to complete the high level architecture definition completed by certain period and the project did not realize this milestone, then there may be risks that are overlooked. These need to be analyzed and addressed immediately else they may create havoc for other milestones along the way.
Reserve budget & schedule analysis
Using reserve analysis tool you kept aside certain amount of contingency reserves from the project budget and schedule for realized risks during the project management activity to Determine Project Budget.
This reserve is utilized only when certain risks materialize and you need to deal with them. As project progresses project manager needs to keep an eye on remaining cost reserves and schedule buffers.
If there are less reserves remaining and more risks to handle then you may need to plan preventive actions to ensure they are not realized, and in addition might consider going back to sponsors for more budget.
Just like any planning exercise effective team meetings to go over risks and strategies to manage them is an effective way.
This serves two purposes –
- team is aware of what risks may come up and so they will be equipped to look out for symptoms
- they will be able to contribute to risk mitigation strategies and come up with good risk responses.
Project manager must ensure that these meetings are held at regular intervals such as every other week or at the beginning of a sprint (if you are using Agile methodology).
Meetings are definitely part of this process. Any and all risk management activities are done by involving stakeholders and effective meetings are a great tool for the project manager to respect their time while getting most out of their expertise.
What’s the outcome?
Work performance data when analyzed in the risk management context becomes work performance information, which tells us the effectiveness of response planning and risk response implementation process.
Change requests
By now you have come to expect that any monitoring process is expected to discover changes, and trigger change requests. Changes to risk management plan itself might be required to be changed. Preventive and corrective actions planned as a risk response on the project will need to be raised as a change request and run through change control board via Perform Integrated Change Control process.
Updating project plan and project documents
As we considered various subsidiary plans in the input of this process, the same stand to get updated as output. We looked at cost, schedule, quality, and scope management plans.
When any risk materializing has an impact on any of these project objectives the corresponding subsidiary plan has to be updated.
Assumption logs
Each time you assess risks you may get to know more about them. This knowledge may change certain assumptions you made about the risks and hence you will update assumption logs.
Risk register updates
As a result of executing Monitor and Control process if your risk register has not changed then either your interval to execute this process is very small, or the process has not been executed effectively.
Some of the contents of risk register that get updated are –
- Actual outcome of materialized risks and risk responses
- Outcomes from risk audits conducted by external team, risk reassessment and status meetings to go over risks
- Technical documents
..and lessons learned register and issue log – any changes, omissions, additions are updated now.
You put corrective actions in place when risks materialize, and when symptoms of certain risks start appearing you put preventive actions in place. Both these may very well alter technical approach to produce deliverables. These result in technical document updates.
Some of the documents such as risk breakdown structure, templates and procedures recommended for conducting risk assessment, and lessons learned are updated as applicable.
Summary
Controlling project risks is a very essential project management activity for the project manager. Come to think of it, even if a project manager does not know anything about risk management processes, she would intuitively be managing risks.
May not be comprehensively, but definitely to some basic extent. Because we are built to look for risks for survival, and this instinct helps us keep dangers at bay.
Having said this, following these systematic, scientific and proven approaches to handle risks ensures best possibility of project success.
If you have come this far in the PMP study, you definitely deserve a treat. Wish I could take you out to lunch. 🙂 All that we have left with now is to study the processes for Procurement and Stakeholder management. Which incidentally are easier processes compared to some of earlier knowledge areas such as scope, schedule, and cost.
Why don’t we jump into taking a 10000ft bird’s eye view of Procurement processes?
