Typically the results of the first three steps (Risk Identification, Risk Assessment, Risk Response Development) of the risk management process are summarized in a formal document often called the risk register.
A risk register details all identified risks, including descriptions, category, and probability of occurring, impact, responses, contingency owners and current status. The register is the backbone for the last step in the risk management process: Risk Control.
Risk Control Structure
Risk Control involves executing the risk response strategy, monitoring triggering events initiating contingency plans, and watching for new risks. Establishing a change management system to deal with events that require formal changes in the scope, budget, and/or schedule of the project is an essential element of risk control. Project managers need to monitor risks just like they track project progress. Risk assessment and updating needs to be part of every status meeting and progress report system.
The project team needs to be on constant alert for new, unforeseen risks. Management needs to be sensitive that others may not be forthright in acknowledging new risks and problems. Admitting that there might be a bug in the design code or that different components are not compatible reflects poorly on individual performance. If the prevailing organizational culture is one where mistakes are punished severely then it is only human nature to protect oneself, thus making risk control even more harder to achieve.
Similarly, if bad news is greeted harshly and there is a propensity to “kill the messenger,” then participants will be reluctant to speak freely. The tendency to suppress bad news is compounded when individual responsibility is vague and the project team is under extreme pressure from top management to get the project done quickly.
Project managers need to establish an environment in which participants feel comfortable raising concerns and admitting mistakes. The norm should be that mistakes are acceptable, hiding mistakes is intolerable. Problems should be embraced not denied. Participants should be encouraged to identify problems and new risks. Here a positive attitude by the project manager toward risks is a key for effective risk control.
On large, complex projects may be prudent to repeat the risk identification/assessment exercise with fresh information. Risk profiles should be reviewed to test to see if the original responses held true. Relevant stakeholders should be brought into the discussion and the risk register needs to be updated. While this may not be practical on an ongoing basis, project managers should touch base with them on a regular basis or hold special stakeholder meetings to review the status of risks on the project and improve the level of risk control.
A second key for controlling the cost of risks is documenting responsibility. This can be problematic in projects involving multiple organizations and contractors. Responsibility for risk is frequently passed on to others with the statement, “That is not my worry.” This mentality is dangerous.
Each identified risk should be assigned (or shared) by mutual agreement of the owner, project manager, and the contractor or person having line responsibility for the work package or segment of the project. It is best to have the line person responsible approve the use of budget reserve funds and monitor their rate of usage. If management reserve funds are required, the line person should play an active role in estimating additional costs and funds needed to complete the project.
Having line personnel participate in the process focuses attention on the management reserve, control of its rate of usage, and early warning of potential risk events if risk management is not formalized, responsibility and responses to risk will be ignored—it is not my area.
The bottom line is that project managers and team members need to be vigilant in monitoring potential risks and identify new land mines that could derail a project. Risk assessment has to be part of the working agenda of status meetings and when new risks emerge they need to be analyzed and incorporated into the risk management process.