Risky Business

Risk management is perhaps the most difficult and misunderstood part of project management.  In project management circles there is the classic “triple constraint model” – it’s every PM’s duty to balance Cost, Schedule, and Scope.

[Figure: The Classic Triple Constraint]


PRINCE2 defines a full 6 constraints that must be managed, adding:

  • Benefits
  • Risk
  • Quality


In the truest sense the PM can hold the big three (cost, schedule, scope) constant if they increase risk, decrease benefits, or decrease quality.  One of the great things about PRINCE2’s approach is the extra focus it brings on Risk Management.


The trouble is that PRINCE2 doesn’t give much advice on how to actually DO risk management.  There are discussions of risk logs (and the related issue logs), risk classification, and even risk tolerance.

[Figures: Risk Appetite Grid; Risk Appetite Plot]

However, there is little practical guidance on how to manage risk in projects.  I’ve heard lots of good thoughts from peers in industry but there’s no codified body of knowledge (yet – both OGC and PMI are working on their versions).


In my experience, most executives aren’t ready for a conversation on risk appetite and risk tolerance. I find that many PMs present risks to their stakeholders, believing the execs understand the implications, but in fact there is a huge gap which is left undiscussed. The executives often aren’t looking for mitigation plans and offering contingency budgets or schedule tolerance; instead they are saying “Ok, I get it. Don’t let that happen!”


As a PM you need to recognize the difference between risk acceptance and risk acknowledgement.  Know which you’ve been given – if it’s merely acknowledgement you need to put a comms plan in place quickly… you need to bring those executives around until they actually accept the risk.  Either that or you’d better cook up some darn fine mitigation plans that will let you still nail your baselined cost, schedule, and scope!  Otherwise it’s your career (or at least your reputation) you’re gambling with should your risks become issues.   What happens in Vegas may stay in Vegas, but what happens on your project will follow you!


Risk Acceptance or Risk Acknowledgement – know the difference or let it ride!

~ by brianherman on October 20, 2008.

6 Responses to “Risky Business”

  1. “As a PM you need to recognize the difference between risk acceptance and risk acknowledgement.” So true! The latter giving you a nasty and long lasting bite on the ass from those executive bloodhounds.

  2. Managing risk at just the project level won’t work – the whole organization needs to buy into a method of managing risk of which project management will of course play its part. There’s little opportunity for any gains in the organization for risk management to be evangelized or disseminated from individual projects. This needs to be top-down, not bottom-up.

  3. M – I agree with you in part. Managing risk should be an organization-wide process and I contend that it should be both top-down *and* bottom-up. The project teams should be looking at core business risks, provided from a top-down viewpoint, and these same teams should be evaluating risks in their own micro-environments and feeding that data back up the stack. The larger organization should be reviewing these bottom-up data feeds and looking for trends and impacts that cross the organization.

    Regardless of the org approach to risk management, each PM has a responsibility to manage and communicate risks at a tactical level for his or her projects. It is the communication (and larger acceptance) of these tactical project risks that I’m addressing with this post.

    I do agree that a disciplined organizational risk management approach would yield powerful results. It is organizational immaturity (WRT Risk Management) that is causing the very problem I am writing about. Without that maturity the PMs must address Risk individually for the success of their projects.

  4. The number one issue which has “bitten” me most lately occurs with risk analysis and determining the probability of a risk actually occurring or not. Any ideas on how to better determine probability?

  5. Debbie, I was hoping we’d get some comments on your question. For me, I’ve not seen much done beyond the “high, medium, low probability” measures that most people use. The PMO Executive Board did have a case study from TransCanada around building a risk profile for a project and using that to derive contingency budgets. It was really great stuff and they built it all using the same H/M/L probability measure for each risk on the project, then building a composite risk profile of all the risks and their probabilities for the project. You can find it on the PMO Exec Board website – entitled “Project Estimate Simulations”.

  6. I did attend that session so I have it as well. After I heard the speaker at the PMI Congress regarding “black swans”, I asked him about probability and he indicated that we (people) are usually too optimistic when determining probability. I’m going to use his information, the information about buffering from an online course I took about planning, as well as the PMO Executive council information and see if I can come up with some type of model that would have helped with my last few projects which I can then apply to future projects. I’ll let you know what I discover. Meanwhile, if anybody has any other thoughts, chime in!
