Most companies have huge misconceptions about the risk management process and what risk is. As a result, many companies waste time, money, and resources.
Let’s make sure this doesn’t happen to you.
First, consider the following:
• Do you want to control your project or have your project control you?
• Can you imagine going on vacation at the beginning of the executing of your project because everything is under control?
• Would you like to prevent 45 percent to 90 percent of the problems on your project?
You can do all these things. . . if you use risk management.
An original by Rita Mulcahy, here are some of the greatest misconceptions about risk, including some of the biggest mistakes people make in risk management.
Misconceptions About Risk
• Risk identification cannot begin without having inputs to the process. These include identifying—or creating—the project scope, a WBS, the project team and other stakeholders, a network diagram, and a project budget and schedule.
• Risk management is not completed using only a checklist or a Monte Carlo simulation. It involves identifying risks for the project and by work package. • Risk identification cannot stop after only a brief effort that results in a short list of risks (20 or fewer). Because of the huge benefits of risk management in the real world, risk identification should involve the stakeholders and result in hundreds of identified risks.
• Risks should not be evaluated as they are identified. Qualitative and quantitative risk analysis should be done later in the process. Evaluating risks at the wrong time decreases the number of total risks identified.
• The risks identified are not really risks. A risk is an event that is uncertain! If your project has too few resources, this is not a risk. It is a fact and must be addressed in the project management plan, not in risk.
• Risks are not properly stated. A risk of “poor communication” is too nondescript to be useful in the risk management process. Risks should be described more fully, (e.g., “poor communication of customers’ needs regarding installation of system XYZ will cause two weeks of rework”).
• Whole categories of risks are missed. Companies focus on only technology risks, cost risks, etc., when there are also risks related to project management, various departments, lack of knowledge, the marketplace, and any number of other things.
• Only one method, such as a checklist, is used to identify risk, rather than a combination of methods. A combination helps ensure that more risks are identified.
• The first risk response strategy identified is selected without looking at other options to find the best option or combination of options.
• Team meetings address everything except what they should be addressing—risks!
• Contracts are risk mitigation tools and must not be created and signed until the project manager is assigned and a risk analysis is done.
• Companies forget that risks can be good or bad. Though they are sometimes called threats and opportunities; the good things must be improved while the bad things are diminished.
• I will save the biggest item for last: Most companies, due to lack of knowledge, equate risk management with adding a pad to the project schedule and cost. Proper risk management will result in a “reserve,” but it is not a pad because it can be based on analysis and calculation and can be justified.
Most of these items could have a huge negative impact on the project. How much of this was new information for you? What will you do to better understand the risk management process?