We know we SHOULD do Risk Management
But many PMs don’t do it. (Based on paper from PMJ Sep 2009; and ad-hoc surveys during PMI 2010 Congress)
It isn’t because of the complexity of the mechanics/process, which seems easy enough and is well documented as a Knowledge Area in the PMBOK guide: You have a risk register or log, you identify risks, analyse them e.g. for probability and impact, look into responses, remediation or contingency measures, and keep revisiting and updating the register as the project moves along…
As usual, the challenge is applying theory to practice.
You think you have done it right, and then some new Risk still hits you because of unknown unknowns (remember Rumsfeld talking of WMD in Iraq?), Murphy’s law, “shit happens”, etc. Sometimes your buffer time and budget will be enough to cover it, other times it won’t…
Examples: The winner of the PMI 2010 Project of the Year, the decade-long building of the National Ignition Facility in California, explained during a Dublin PMI Congress presentation that their two main issues were risks they had not considered and were not in their register: the construction site got flooded because of El Niño storms, and they surely were not expecting to find mammoth bones when excavating… Both events consumed money and time, though the project recovered.
Other examples are the typical external (to the project) factors such as weather/Nature (Ash cloud closing Northern European air space; Hurricanes, earthquakes), political changes, economic crises (Iceland, Greece, Ireland, Portugal), etc…
And this is clear when you realise that the Inputs to Risk Management Planning, according to the PMBOK guide, are “internal” docs, such as Scope Plan, Cost Plan, Schedule Plan, and so on. We can plan for what we know, but isn’t Risk Management too ambitious when trying to control and have a response for the unknown?
Therefore, how much work do we need to put into identifying this very long list of things that may happen? The cost and time needed are a first negative factor. (Sponsors/customers want cheaper and faster)
Then you have the human element of having to talk about Risks…it is all negative and worst-case, it highlights the project or company gaps, our badly prepared areas, our legacy problems…and the PM is the messenger for all that bad news.
No wonder many PMs prefer not doing Risk or doing a “light version” / one-off at the start. First, as seen, many external factors will be missed -we can’t plan for everything-. Secondly, PMs would rather avoid the confrontation with stakeholders and other managers to discuss “potential bad news”.
We need to re-think how we do Risk Management in practice. We need to support PMs to plan appropriately (How Much? 80/20 rule? Set a time and cost limit for Risk Management? Who decides?). Perhaps even a Risk Function should be the owner of this activity for all projects (Portfolio Risk Management – like a mini PMO focused on Risk), where this function has more size and power to get the appropriate cost and time to buffer the project(s).