Making (and Keeping) Project Risk Visible
I was surprised to discover that a significant risk the project had been monitoring had been closed by the project management team. The risk was still a possibility, and the consequences could be financially devastating if the risk occurred.
When asked about it, the team said, “We have done all we can to mitigate the risk. We can’t think of anything more to do, so we closed it.”
The goal of risk management is to defend a project from foreseeable danger where practical. Let’s unpack that.
“Defend a project from foreseeable danger” implies that there are dangers we cannot anticipate. That’s an important idea. “Where practical” means that we have to make choices about the cost effectiveness of our risk mitigation efforts. All risks are worth considering.
For example, since a flat tire can make a vehicle unsafe to drive, it makes sense to carry a spare. Why not carry two? Because while the odds of one flat tire are relatively small, the odds of two at the same time are vanishingly small. A spare tire negatively affects gas mileage and consumes cargo space. It is cost effective (and a good idea) to carry a single spare, but in most contexts, it would be silly to carry two.
Context is what matters. I wouldn’t say, “Never carry more than one spare.” If you were going to have an off-road adventure in an area known for eating tires and poor cell service, carrying a second spare might be a great idea. But for an urban worker with a 10-mile commute in their reliable sedan, a second spare would probably be a paranoid waste of trunk space.
There are choices to be made about how much we wish to invest in risk avoidance, risk mitigation, and contingency planning. When those choices are made, there is an implicit assertion: “We have done what we think is reasonable to manage this risk and are prepared to accept the consequences if our efforts have not been sufficient.”
This is why risk management requires executive input. Project managers recommend how much should be invested to address various risks based upon their understanding of project context, but the final decision about what to do and when those efforts are sufficient belongs to the sponsor.
The risk log is not a CYA (“cover your assets”) document; it’s an inventory of identified risks that threaten a project. If all reasonable measures have been taken to address a risk and the risk still exists, it should remain on the log as part of an audit trail, indicating: “We have identified these risks. We have implemented the preventions, mitigations, and contingencies approved, and we will continue to monitor until we believe the threat has passed.”
Periodically reviewing the log keeps the risk top of mind and encourages the team to look for early warning that the risk probability or impact might be changing.
Risks should remain on the risk log until they no longer menace the project because dropping them removes existing threats from sponsor view, depriving sponsors of the data they need to make informed decisions.