Project Risk Management: Are You Asking, "What Can Go Wrong?"

Marc Weinberg

According to a study by The Standish Group International (a leading IT advisory firm) of 365 small, medium and large projects, 13.1% of all projects will be canceled before completion, 52.7% of all projects will cost 189% of their original estimates, and the average time overrun is 222% of the original estimate.

Even with all the advances in project management software, weekly status reporting and constant updating of issues logs, why is it that projects do not deliver what is expected, within budget and within the expected time frame?

A critical ingredient appears to be a lack of proactive risk management. Take for example, the US-led coalition of troops after they invaded Iraq. Lack of a proactive risk management plan resulted in chaos, more political in-fighting and a greater loss of life than was ever expected. The US led-coalition had to tactically adjust and react to the situation at hand. Most projects are similarly run. We walk through a proverbial minefield of issues and problems and try to fix them as they occur or unfold before us. The quality gurus of today have continually told us that the cost of fixing problems is always more expensive than the cost of preventing them. Even Benjamin Franklin had it right when he said "an ounce of prevention is worth a pound of cure".

Risk management should not be reactionary but perpetually in place to identify possible outcomes (both good and bad) for the project’s duration. Negative outcomes should be identified and prioritized by reviewing for each outcome the combination of impact (potential loss) and probability of occurrence. Once negative outcomes are prioritized, a risk response plan is then developed for those risks having a medium/high combination, i.e., high impact and medium probability; medium impact and high probability; and, high risk and high probability. The purpose of the risk response plan is to determine what can be done to reduce the overall risk of the project by decreasing the probability or impact of the short-listed risks. This includes contingency planning, which identifies the actions one will take if the risk actually happens.

So, what kind of risks can you expect to occur in your projects? You will find People, Process and Technology risks, among others. If you’re involved in a Sarbanes-Oxley section 404 documentation project where you need to interview process owners, typical causes, risks and effects, based on this writer’s experience, might include the following:

People-related:

• Process owners out on vacation – people unavailable for interviews – Project Delayed.
• Lack of senior management support - people refusing to meet with you as they consider being interviewed as unimportant - Project Delayed.

Process-related:

• Poorly defined work breakdown structures which details project requirements, i.e., end items, tasks and resources, into manageable work units – project team spends valuable time in an unproductive activity determining the meaning and/or relationship of tasks and associated end items – Project Delayed.
• Inadequate change control process – scope creep (unplanned additional work, i.e., interviewing and documenting procedures) - Project Cost Overrun.
• Accounting busy closing the books – accounting personnel "off-limits" for everyone – Project Delayed.

Technology-related:

• System conversion issues - unclean data resulting in valuable process owner time spent "fire-fighting"– Project Delayed.
• System crashes – time lost for everyone involved – Project Delayed.

Your risk response plan will indicate how you addressed your short-listed risks. You can choose to (1) avoid a risk by eliminating its cause; (2) accept the risk if it occurs, which means doing nothing; (3) mitigate it, i.e., doing something that will make the resulting outcome less unfavorable; or (4) outsource/ transfer the risk to another party.

How would you go about mitigating the above listed people, process and technology risks?

• For people risks, (1) process owners might be asked to delay their vacation time until after project completion, and (2) the company’s CFO might be appointed project czar or champion, whose role it is to communicate the project’s importance throughout the company.
• For process risks, (1) the project team would clearly define the meaning of each component task of the work breakdown structure and its associated end item prior to project execution, (2) the project manager would develop a change control system that formally defines how project deliverables and documentation will be controlled, changed and approved, and (3) documentation of the Accounting department’s general ledger and financial reporting processes might be scheduled at a more appropriate time when accounting resources are available.
• For technology risks, (1) develop a data scrubbing contingency plan to expedite completion of system conversion and free-up process owners for interviews, and (2) develop a data back-up and recovery plan with quick turnaround time.

The benefits of taking the time to develop a risk management plan are clear – a better-managed project resulting in a greater likelihood of achieving project expectations in terms of time, cost and quality.

Remember, if you fail to manage risk, you are planning to fail!

Marc Weinberg, CPA/CITP, CIA, CCSA, CFE, CSOXP, PMP, is a consultant with Parson Consulting in New York. He can be reached at mweinberg@parsonconsulting.com.