Roadmap: How to Adopt Risk Management
This roadmap describes how to adopt the Risk Management Practice.
Main Description

Getting Started

To get started with adopting this practice, determine whether your organization already has a defined risk management process that your project could follow, and decide whether to follow the organization's process as is or to adapt it to your project's needs. You may want to use, or refine to your project's needs, areas related to risk management such as:

  • Approach to identify, analyze and prioritize risks
  • List of potential sources of risk and typical risk categories, as well as impacted stakeholders
  • List of risk management strategies that will be used in your project
  • Strategy to monitor each significant risk and its mitigation activities
  • Groups or individuals involved in your project's risk management activities, and their responsibilities
  • Budget available in your project for managing project risks
  • Tools and techniques that will be used in your project to store risk information, evaluate risks, track the status of risks or generate risk management reports

You can accelerate the risk identification process for your project if you start with a list of known and expected types of risks for projects in your organization.

Create a list of prioritized risks (ranked by risk exposure) and come up with strategies to address only the "top 10" or so risks. From a financial perspective, it may not be worthwhile to come up with strategies for all the identified risks (for some risks, the best strategy may even be acceptance).

Everyone in the team is responsible for risk management; in other words, the team and stakeholders collaborate to identify, assess, and propose strategies to deal with risks. Not everyone will necessarily be responsible for implementing strategies to address one or more risks or become a "risk owner", although it is expected that at some point in the project lifecycle a team member could be asked, or could volunteer, to take ownership of risk actions.

Evaluate and assess risks periodically. Recognize that changes will happen throughout the project and that risks need to be identified and assessed on a regular basis, at a minimum at each iteration or phase of your project.

Common Pitfalls

Not involving relevant stakeholders in risk identification

The whole team and stakeholders need to participate in the risk identification activity. If you involve only one group in risk identification, for example only the project team, you may end up not capturing risks that are relevant to other groups, such as business and marketing risks. If you identify risks with external stakeholders and do not include the team in risk identification, you may miss important risks related to technology and scope, to name a few types.

Identifying risks only at the beginning of the project

A common pitfall that leads to poor risk management is to think that risks need to be identified only at the beginning of the project, without the need to revisit the risk list often. New risks do appear throughout the project, and previously identified risks may never happen (those with low likelihood of happening), so it is essential to revisit risks throughout the project, at intervals when the team and stakeholders meet to identify new risks and assess whether identified risk actions are effective.