Risk permeates everything, and extends far beyond cost, affecting workers’ safety, the firm’s security in respect of its operating systems, even its governance and the effects of its operations on the environment. More companies are beginning to proactively apply ERM principles to the management of their risks, and are finding it highly effective. Thus, ERM is being increasingly incorporated into strategy and, more importantly, the processes that support the firm’s decision-making. But managing risk at enterprise level and managing it at project level may vary quite extensively. Project risk management relates directly to risks that arise from, or because of, the project.
It includes the identification and evaluation of project risks; the development of appropriate plans to mitigate those risks; implementing these mitigative measures and monitoring throughout the project period. All this is geared towards making better decisions so that the project’s objectives may be achieved. ERM, with its scalability and focus on understanding issues, processes and procedures, will go a long way towards the risk management of individual projects. One of ERM’s pillars is understanding the kind of risk that challenges the firm; it applies the same level of analysis to all enterprise risk including operational, financial, governance, strategic and compliance risk.
It is not difficult to “scale down” and apply this to determining the potential risk in project management. ERM enables risk-based corporate decision-making that drives strategy for the firm. This is a practical implementation approach that can be used to identify which projects to select, based on cost-benefit and the highest probability of success. There is also risk-based corporate decision-making, another tool in the ERM arsenal, which is highly effective when properly applied as it produces an accurate picture of the results of strategic decisions, together with the costs involved. The organisation is able to zero in on the project’s problem areas, and set up mitigation measures as required.
Contingency planning is always a vital aspect of project risk management, and should take into account low-probability, high-impact risks which could impact adversely on the project. It is worth noting, however, that many risks and uncertainties that arise during projects are actually beyond the control of the project manager. Bearing in mind that such pitfalls exist, their impact can be anticipated to a certain extent, and unpleasant surprises may be avoided. Even the most fundamental of ERM applications will allow the organisation to optimise risk management at enterprise level; at project level, these are likely to be even more impactful.
For instance, under ERM, risk registers identify risks and mitigative measures for the whole organisation. Project risk registers, which identify all risks that need to be controlled at project level, will be able to function in a similar capacity. It is the project manager’s job to identify, prioritise, manage and mitigate project risks. But risks change as projects move from one stage to another. Risk reviews and reassessment, and identification of possible new risks, have to be ongoing activities when it comes to project risk management. This also relates directly to the overall success of the project, how well it stays within budget, and on schedule.
Part of project risk management is careful monitoring, measurement and reporting. Projects should be measured for success and failure because both of these have a bearing on the performance of the organisation. Additionally, effectively managing project risks ultimately helps the organisation in its efforts to manage its overall or enterprise risks as this will indicate where project resources should be allocated for optimum use. Many companies may not realise that not measuring the success rates of their projects also hinders them from determining whether they are progressing, if they are competitive, and if their processes and procedures are sustainable.
There are many areas where ERM and project risk management intersect but generally, project risk managers may apply the same principles of ERM when managing their projects. In both areas, for instance, identifying risks is crucial. Any project risk analysis and management guide will put this first and foremost. Qualitative and quantitative risk analysis needs to be performed; risk strategies and responses must be developed and implemented; and there must be continual monitoring via reviews, evaluation and feedback from stakeholders. ERM involves, for example, risk associated with accidental losses, finance, strategy and operations; project risk involves the same, but at project level.
It follows, therefore, that project risk managers should look to ERM for pointers when it comes to setting measures that work, and to ensure they are in place. They should, firstly, have a documented risk management strategy in place, and develop support at all levels. Certain levels of expertise are required. For project risk management to be effective, the right people have to be in the right positions. Project management teams should have the necessary skillsets, including experience of managing project-related risks. Project risk management actually carries on beyond the duration of the project; detailed documentation is therefore necessary to add to the organisation’s knowledge and experience.
Documenting failure is just as important as celebrating a project’s milestones. It is a long-term measure that helps the organisation identify pitfalls to be avoided in future projects. Problem areas can be pinpointed, and mitigation measures can be improved based on documented evidence. This will save the firm both time and money, and contribute directly to building risk awareness at each level of the organisation.