- 12 Project Risk Management Strategies Learned The Hard Way!
- Digital Project Manager Job Description
- Webinar: Risk Management Tips & Tools To Manage Risk Like A Pro
- Video: Which Agile Project Management Tools Should I Use?
- Why is Project Management Important?
- Learn The Scrum Ceremonies In This Stunningly Simple Guide
- The Digital Project Manager’s Podcast – Apple Podcasts
- Project Management Training
- Join our project manager Slack team
- Become a DPM Member
Ben Aston: So 15% of IT projects have cost overruns of 200% and a schedule overrun of 70%. That’s scary, right? And maybe that sounds familiar to you. The truth is projects are scary. Projects are inherently risky, and that’s because we’re making change happen. Projects go wrong all the time. And as the project manager, we’re the easy target when they do go wrong. So you should be scared. You should be scared of your projects failing because when you’re scared, you’re much more likely to do whatever it takes to make your projects less scary. So keep listening to today’s podcast to discover how you can use risk management to make your projects less scary so you can sleep better at night.
Thanks for tuning in. I’m Ben Aston, founder of the Digital Project Manager. Welcome to the DPM Podcast. We’re on a mission to help project managers succeed, to help people who manage projects deliver better. We’re here to help you take your project game to the next level. Check out thedigitalprojectmanager.com to learn about our training and resources we offer through membership. This podcast is brought to you by Clarizen, the leader in Enterprise Project and Portfolio Management Software. Visit clarizen.com to learn more.
So today I’m joined by Kiron Bondale. And Kiron is a senior consultant for World Class Productivity. And they deliver training and consulting services. He has managed hundreds of different projects. He has got loads of expertise on risk management being published and also different journals, and also talks about Agile a lot as well. So we are going to touch on that in today’s podcast. But thanks so much Kiron for joining us today.
Kiron Bondale: Thank you Ben. Glad to join.
Ben Aston: So we are in 2020. It is a new year. And I’m curious for you Kiron, whether that means is there any new things that are going to be happening for you in terms of what you’re doing with World Class Productivity in terms of your training and consultancy? What’s new for you?
Kiron Bondale: Sure. So what’s new for us is a late last year, as I’m sure you’re aware and your members are aware, a PMI acquired the Disciplined Agile Consortium or their intellectual property. And there’s a fair bit of interest being shown by PMI in integrating their offerings, including some of their certifications. So, as an organization, we are going to be in the process of starting to deliver courses that are aligned with Disciplined Agile. I’d say a toolkit that we certainly believe is a great answer for enterprises that are looking to go through an agile transformation. so I’d say that’s where a lot of the focus, at least in Q1 and Q2 of this year is likely to be for myself and our organization.
Ben Aston: Nice. And so in terms of that delivering, that training, can you just give us a bit of an insight on what your training looks like?
Kiron Bondale: Yeah, certainly. So there’s a standard offering that PMI provides called the Disciplined Agile Lean Scrum Master. I’d say it’s a workshop anywhere from two to four days depending on the experiential and educational backgrounds of the attendees, we’re offering it in a three-day format, covering Lean as well as Disciplined Agile itself. And what’s great about that training is it provides an opportunity for learners to get one free attempt at the Certified Disciplined Agilist Exams. So in a way you take the course, you get a free shot at getting certified.
Ben Aston: And so I’m curious as to your kind of opinions on these kinds of Agile certifications. I’ve got my Scrum Master, which is obviously a two-day course and my kind of view on it is that you can … You do the two days training and it’s fun, it’s interesting. But then to certify someone after two days feels to me a bit premature perhaps. So I’m curious, I mean obviously you’re the one delivering the training so you didn’t want to shoot yourself in the foot too much. But tell me about how different will this training be in terms of the Scrum Master and what’s your kind of opinion on certifications, particularly in the Agile World?
Kiron Bondale: Yeah, it’s a great question, Ben. And actually a colleague and I one of my virtual friends in the Agile and Project Management Space and I were having this exact conversation earlier on today and that with PMI now entering this Agile Certification fray with Discipline Agile, they’re sort of making a very polluted pool, even more, polluted as it were.
Ben Aston: Yeah.
Kiron Bondale: There’s something like 300 plus certifications out there in the agile space. Well, what I like about what PMI is doing is they are actually doing some good positioning, so they are offering certification options for every level of expertise. So the one which I mentioned, the Certified Discipline Agilist is one that is aimed at people that have maybe just the educational component. They don’t have that experiential component.
Ben Aston: Right.
Kiron Bondale: But then if you have a couple of years, let’s say of hands-on experience working in the Agile domain, well then you could look at the Certified Discipline Agile Practitioner level certification or alternately you could stick with the PMI original certifications and go with the PMI ACP If you have enough experience to be able to match the educational background.
And then as you start to go to higher and higher levels, there’s Disciplined Agile offerings that are aimed at those as well. So if you look at most of the well-established organizations offering certifications, they do tend to have this sort of a tiered strategy-
Ben Aston: Yeah.
Kiron Bondale: … and that’s really what PMI is doing, is their kind of offering an option depending on where you stand. Now I think no one out there is going to say, “Just because you’ve got your CSM or you have your CDA or you have some other entry-level agile credential that you’ve got the expertise to be able to go out and either work as part of or support an agile team.” But you pretty much can at least talk the talk. The next step though is definitely you need that hands-on experience and then that’s when you can maybe look at some of these higher-level credentials.
Ben Aston: Yeah. Nice. So credentials are changing and the PMI getting involved in the agile world also an emerging trend. Are there any other kind of major trends that you’re going to be responding to in 2020 in the world of project management?
Kiron Bondale: I think the other big one that I think ourselves and pretty much every other a PMI Registered Education Provider out there is looking at is the changes that PMI themselves is making with regards to their PMP certification process. So as you and your members probably know the PMP exam is changing at the end of June 2020 and in conjunction with that change, they’re moving to a new certification course model whereas in the past PMI reps could create their own content and would differentiate themselves from each other based on the quality of their individually created materials.
PMI is now moving to this model where they are going to be the one-stop-shop for the actual courseware. So pretty much all PMI reps are going to buy the courseware from PMI or license it from PMI and deliver that. All their instructors are going to have to go through a certification training or an instructor training through PMI, Then the differentiation is really going to be around things like price certainly, but also in terms of what value adds, a particular registered Education Provider could add on top of what PMI is providing.
So I think that’s going to create a bit more of a level playing field and might weed out some of the smaller players that were, I would say maybe at the lower end of the quality spectrum. But for some of the bigger guys that have been doing this for decades and that had very high-quality materials, it’s been a bit of a shot to the gut for them. I think for ourselves, one of the smart decisions that we made a long time ago was as opposed to creating our own collateral, we partnered with one of the best providers of PMI prep materials and we just utilize their materials. And so that’s a decision for us whether we’re going to continue to do that or whether we’re going to work directly with PMI and use their materials, but at least there is no investment on our part that’s now become a throwaway as it were.
Ben Aston: Yeah. Good stuff. And in terms of looking ahead to 2021 one of the kind of trends in project management that I hear talked about increasingly is artificial intelligence project management tools and artificial intelligence itself, taking over project management and making the project manager redundant. I just think I remember reading some Ghana article on, something to that effect. What’s your kind of take on the emergence of more kind of artificially intelligent tools and their role within project management and how the role of the project manager is changing among that.
Kiron Bondale: That’s a great question, Ben. And it’s one where I tend to be pretty bullish, I would say when it comes to the value of AI to the project management profession. I think there are folks looking at it saying, “Well, we’re going to be out of a job soon.”
Ben Aston: Yeah.
Kiron Bondale: I look at it and I say it’s actually going to enable project managers to be more effective, because if you kind of look at what a project manager does, there’s a very clear distinction between what I call the project administration aspects of their role.
Ben Aston: Right.
Kiron Bondale: And the true strategic project management aspects of the role. And a lot of that strategic work that a project manager does is around the people interaction, the stakeholder engagement, that kind of thing. But to be able to really focus on that, we need to find a way to free ourselves up from the administrative onerous burden.
So whether that’s things like status reporting, producing reports, doing forecast, things of that nature. That’s where I really believe that machine learning AI can help quite a bit. I also would sort of draw a parallel to star trek and you know how always on the bridge of the enterprise, whether it was the old series of the next generation, the computer was there and it was a vastly intelligent computer. But you’d never see a situation where the human crew or the alien crew would just defer all decision making to the computer.
Ben Aston: Right.
Kiron Bondale: The computer was there as a resource. They would ask it questions, it would provide them probabilities and provide them sort of good guesstimates. But that’s as far as it went and that’s what I see that AI is going to be able to do for us. Whereas right now, if you’ve got a company that’s done hundreds of thousands of projects, there’s no one human being in the future and AI could be turned on to that repository of project information.
And you could ask it a question, well, how many times in the last 10 years, of running similar projects has this situation occurred? And how many times it works out in our favor and you could get answers back. So I think it’s going to be a great decision support capability.
Ben Aston: Yeah.
Kiron Bondale: It’s going to free project managers up from a lot of the sort of the boring administrative onerous burden. But I think it’s also going to then that way free them up to be able to focus a lot more on the truly strategic aspects of project management, which to me I think translates directly into a higher value proposition as well as greater job gratification for project managers.
Ben Aston: Yeah. And so, I mean let’s talk about those more strategic parts of project management then. What part of the role do you see as being more strategic and you kind of differentiate it between, I guess the more administrative, status reporting was one thing that you mentioned there. But what do you see within the role of project management being the more strategic part that as project managers we can begin to own and develop more and as these tools start coming more to the fort? I mean you talked about the role that we play in communication and collaboration, talk me about that’s kind of strategic aspect and how you see that evolving.
Kiron Bondale: I think I would comment on that maybe at four levels. The four different domains where I think there’s a tremendous amount of opportunity if you could up a project manager from the administrative burden. The first one is around general stakeholder engagement. I mean on any project bigger than a bread box, you’re going to have a variety of different stakeholders and a project manager has got to stay in contact with those stakeholders on a somewhat regular basis.
Understanding what’s changing from an attitude, from an interest, from an influence perspective. And that’s an opportunity right there. The better job they can do at understanding what’s going on with stakeholders and engaging with them, likely the greater opportunity for project success. So that’s one. Second I would say is around the business case itself. So one of the challenges is that a project manager might be engaged early in the life of the project by the sponsor to help write the charter.
And so they might have a good understanding of what the original business case for that project was. But then as the rubber hits the road and problems start to occur and they get sort of have to roll up their sleeves and dive in everything going on the project. Sometimes they take their eye off the ball and they lose sight of, well why are we doing this project, and are we still going to get the value proposition? Are we still going to get the return that we’re hoping for from this project? Sometimes that itself can be a big source of risk. I mean you’ve got a project where the scope itself is perfectly being delivered on time, on budget, but guess what, the business proposition is no longer there anymore. We shouldn’t be investing in this project and a good project manager will be first and foremost to raise their hand and say, “Hey, I think this project needs to be put out of its misery. It’s not going to deliver anything.”
So I think that’s another area of opportunity. A third one I think is around the team itself. So helping to develop a high performing team, making people awesome. If I use the wording from Discipline Agile, I think there’s a great opportunity that you look at the amount of focus that’s gone in the last few years into things like psychological safety and radical candor. Daniel Pink with his three factors that went into his book Drive.
Ben Aston: Yeah.
Kiron Bondale: There’s a great opportunity there for a project manager as a servant leader or as a host of leaders, which is sort of the new buzzword around that. And yet to do that, the project manager needs time. They need to be freed up to be able to spend that time with the team, to be able to develop them. So I think again, AI can help the project manager focus in that world.
And the fourth and final one that I’ll raise, and this is the one that I think really talks to what our article was around, was around risk management. One of the challenges I see, and this applies to all stakeholders, is they’ll say, “Risk at the end of the day is uncertainty. There’s a probability, yeah, we think this thing might happen, but there’s also probably a chance that it won’t happen. And if it’s not going to happen, then why should we waste any calories on it?”
And I’ve often seen project managers go through that same thought process to say, “Yeah, we’re aware of these risks, but guess what? I’ve got so much on my plate, I got to produce reports for all these different stakeholders. I just don’t have time to worry about risk.” Well, guess what? If we can free them up from doing that sort of onerous work, now they can really start to invest some effort in understanding risks and peeling back that risk on you and a little bit. And we know that with large context projects, risk management is often the difference between a successful project and a failed one. And so allowing PMs to be able to really focus a bit more on risk management. To me, I think that’s just goodness.
Ben Aston: Yeah, no, that’s great. And a great segue into what we’re supposed to be talking about today, which is, how we manage risk. And different ways that we can approach risk management to ensure that our projects are more successful. So going back to where we started, right at the beginning of this podcast, I just want to recap on why risk management is important. And Kiron you can kind of add to this. But one of the things that Kiron just mentioned is, things go wrong on projects often because we’re not managing risk properly. So managing risk effectively can help prevent bad things from happening. And we’ll talk about the different ways that we can do that in a minute. But it also keeps the team alert.
It keeps the team and the stakeholders aware that things could go wrong and helps people, the team as well mitigate against bad things happening. It keeps the stakeholders aware, it builds transparency and trust so that there aren’t big surprises when bad things happen. But also if we do risk management properly, it helps write this story of the project.
And our status reports are great, but as we use tools like RAID log and we keep a record of what the risks are, what that uncertainty or the probability of bad things happening, occurring is, once we’ve got that record of that and we’ve got a log of the decisions we made and what happened. It helps us remember so that when things do go wrong, we’ve got this paper trail that can help us maybe sometimes be out of the firing line when obviously the easy option is for the project manager to take the hit when it comes to a project failing.
But Kiron, in your article you talked about different types of risk response, and the things that you talked about, are risk avoidance, transference, escalation, mitigation, and acceptance. So we’ve got some different techniques here that we can use when we’re managing risk, but how do you know when to use, what kind of technique? Can you give us any principles that we can follow on that?
Kiron Bondale: Yeah, for sure, Ben. So risk always has to start with what is your organization’s risk appetite. You’ve got to understand that. You’ve also got to have a good understanding of the risk appetite or the mindset of the key senior stakeholders around your project. And so an organization that it tends to have a high degree of risk aversion might be leaning more towards risk avoidance as a default strategy versus let’s say risk mitigation or risk acceptance. On the other hand, an organization that might be in more of a moving dynamic, very competitive market space where they need to take risks on to succeed, they might be less inclined to avoid risks because sometimes when you risk avoiding risks, you’re actually saying no to certain things. You might be descoping a portion of your project, you might be actually canceling a project to avoid risk.
And so that’s where you do need to understand what’s the risk appetite of your organization, what’s the risk appetite of your sponsor, any other key senior stakeholders. So once we understand that, then it’s a matter of looking at the risk itself and that’s where we can pull out our tools from qualitative risk analysis and quantitative risk analysis and start to say, based on how we would assess this risk, how concerned are we about it? We need to understand things like what’s the likelihood it’s going to occur? What’s the impact on the success criteria of our project? If it occurs, what’s the likelihood that we can even detect that it’s about to be realized? We need to kind of understand all those sorts of things and then do the cost-benefit. Just as with quality, you always want to do a cost-benefit analysis. You’ve got to do that with a risk as well.
If I’ve got a 1% chance of losing $1,000 I don’t want to be spending $1,000 on preventing that risk. But if I’ve got a 50 or better percent chance of losing $1,000 maybe it makes sense to spend a couple a hundred dollars to protect myself against that risk. So that’s where cost-benefit analysis becomes really important. And what I’ve seen is I’ve seen both extremes. I’ve seen the organizations that either because of the industry they’re in, the external regulatory influences they have, or just maybe the philosophy or the culture of that organization itself, they are extremely risk-averse.
They will wrap their projects in their project teams in so many layers of bubble wrap that those teams are basically paralyzed. That’s not good because you’re never going to be able to achieve high returns on your projects if you swing that pendulum too much towards the high-risk mitigation or avoidance strategy. On the other hand, I’ve been seeing companies where they’re the other extreme, they’re basically ignorant of risk. They’ll take any risk on show stoppers. They don’t seem to care at all. What point did you lose me?
Ben Aston: I lost you at the point where we were talking where you said, yeah, we’ve got different types of risk response, different techniques, and then I asked you to explain, what techniques do you use when basically?
Kiron Bondale: Okay, so that’s pretty much at the beginning of my spiel about that. Okay. Not a problem. I’ll go back through it again. So when we’re looking at the different risk responses, I mean as you listed, there’s about five or six of them. When we talk about negative risks or threats, what’s important to understand is what is the risk profile and risk appetite of your organization itself? You’ve got to start there. If you’ve got an organization that is extremely risk-averse, they’re operating and maybe an industry or a domain that tends to avoid risks, well that might sort of dictate then the default position, which might be, “Yeah, we want to avoid any risk that we’re concerned about.”
Ben Aston: Yeah.
Kiron Bondale: On the other hand, if you’re looking at an organization whose risk profile is that, “You know what, we’re in a very competitive space and we have to take calculated risks in order to succeed.” They may be less willing to look at a risk avoidance strategy because, but when you’re avoiding risk, oftentimes that means you might be saying no to certain scope elements that might present the greatest risk, but they might also present the greatest reward as well.
So you start off by understanding what’s the risk appetite of our organization. Then you want to kind of ask that same question of your sponsor and if your key senior stakeholders, what’s their risk appetite because, at the end of the day, risk is uncertainty that matters. If we’re coming up with a risk and a risk response strategy that is out of sync with what our stakeholders are willing to tolerate, then we’re just not going to get the time of day out of them, so we need to make our risk communication matter so that they will follow through on what we need.
Once we kind of understand where their mindsets are at, where the organization’s risk appetite is, then we can come up with a good response strategy. If we understand the specifics of the risk itself, understand things like what is the potential impact on the success criteria for our project? What is the likelihood of the occurrence of that risk? What is the likelihood that we can detect that risk? All of these types of qualitative factors. We want to consider them to be able to then be able to come back and say, “Well, based on all this information, maybe we want to try to avoid, maybe we’ll want to try to mitigate, maybe we accept it.” An important factor that goes into risk response planning is cost-benefit analysis.
Ben Aston: Mm-hmm (affirmative).
Kiron Bondale: We want to make sure that we’re making a wise investment decision in our risk response. When I’m trying to sell the value of risk management to stakeholders that maybe are not aware of its importance. I always use the analogy of insurance, so if you’re going to go out there and buy, let’s say a $40,000 car, probably you’re going to feel it’s reasonable to spend a few hundred dollars a year to make sure that that car is protected.
Ben Aston: Right.
Kiron Bondale: But then if your insurance company comes back and says, “Well, for your $40,000 car, we’re going to charge you $10,000 per year to ensure that.” I don’t think anybody would go out there and buy a car. Maybe they wouldn’t even buy insurance because the value they get out of that insurance is not paid off by the mitigation or the risk reduction. There has to be a cost-benefit that we do just as we would do when we’re looking at things like a Qual approach to quality. We want to do it for risk as well.
Ben Aston: Yeah. We’ve talked about risk avoidance where we, agree or we say to our clients, “Hey, well one way to avoid this risk is to just not do that risky bit.” The transference thing where we can say, “Okay, well sometimes we can actually buy insurance.” We can get someone to take on that risk, we can escalate it and we can say to the stakeholders as well, “Hey, there’s a high risk that has a high probability with a high impact that if we carry on the way that we’re going, then if it’s going to go wrong, things need to change.”
And we talked about mitigating as well where we try and avoid this risky thing happening. And you talked about that kind of cost-benefit analysis of “Hey, well we can spend this money, invest this money to try and stop this bad thing from happening.” And you, talked about risk acceptance as well where we say, “Hey, well if this insurance is going to cost $10,000 if we’re going to spend $10,000 preventing this bad thing from happening.” Maybe we just say, “well we accepted this bad thing might happen, but it’s not going to be worth it to spend that money or investment money.”
Kiron Bondale: Exactly. Now again, the caveat I’ll put there is, there are some risks that we simply don’t want to have realized. So for example, if you’re in a situation where the classic example when I used to work for a bank as if there’s a risk where our CEO goes to jail. Yeah, that’s probably a risk that even if it costs us a few tens of thousands of dollars, we might want to actually spend that. Or where let’s say there’s some bad news gets splashed across the front page. If a national newspaper probably wants to avoid those types of risks if you can, but putting those sort of showstopper kind of risks aside, you always want to be doing that cost-benefit analysis because otherwise, it’s equally bad to over-invest in risk as it is to underinvest in it.
Ben Aston: Right. And so, I mean you talked about, doing this cost-benefit analysis, but talking about the kind of documentation that we use as project managers to manage our risks. Obviously, the classic one is a RAID log or risk assumptions issues and dependencies log. Now these can have kind of varying levels of complexity and I’ve seen some crazy ones out there which have lots of automated scoring in them and each risk that you register, it probably takes I don’t know 20 minutes, half an hour to just add it in at all. But what’s your kind of take on RAID logs and how complex they should be and how do you manage risk in terms of documentation?
Kiron Bondale: I would definitely suggest that most other projects be documentation it needs to scale and be tailored to fit the context of the project you’re managing. If I’ve got a small project that’s going to be wrapped up in a couple of weeks involving three or four people, I probably need a lot less documentation than if I’ve got some project that’s going to be involving hundreds of people, vendors, subcontractors, external regulatory bodies stretched out over the course of a couple of years. So there is no one size fits all. You do need to scale or tailor it. And for organizations that have an enterprise-level template, the templates themselves need to scale. One of the easiest ways to get people to just become templates zombies is given them a one size fits all template and don’t give them guidance and how they can scale it based on the complexity of a given project.
So that will be sort of the first lesson I’d provide. But second, I think it comes down to understanding there’s going to be information in the RAID log or in a risk register that is pertinent for the project manager and for the project team. Probably nobody other than that. Then there’s going to be certain information that you want to share with a broader group of stakeholders.
Ben Aston: Right.
Kiron Bondale: Remember I said that risk is uncertainty that matters. If we are overwhelming our stakeholders with a whole bunch of minutia about risks, that could be a bunch of different fields related to each risk or it just might be this long list of hundreds of risks of which only about three of them are really important. We’re going to lose their attention really fast. So usually most of the successful teams that I’ve seen, they’re going to have a risk register, which has maybe all the gory details which they need, but then in terms of presenting risk information to stakeholders, they’re going to lighten it up.
They’re going to take an extract out of it and they’re going to present just what is meaningful to those stakeholders. Putting it in language, hitting them with the important information they need to make the hard decisions. It’s also really important though that the RAID log or the risk register or wherever you’re capturing this information, it has to be current. It has to be accurate. It has to be current. If I go in and I look at a risk register and I see that there’s risk data there, which I clearly know is out of date, it hasn’t been refreshed since the start of the project. Guess what I mean? I had a lot in that, the entire risk management function has just lost credibility. I’m not going to pay any attention anymore. That’s why it is so important that Project Managers doesn’t just apply to risk and applies to any information they’re going to capture and share. They got to make sure if it’s worth capturing, it’s worth keeping up to date.
Ben Aston: Yeah. Then that’s sound advice. And so we’ve got a RAID log or risk register. Let’s talk through how we actually fill this in though. Because I think often people know, okay, well sure there’s a template I can use. And in fact, as part of the Digital Project Manager membership, we have a RAID log, which contains a sample and a template that you can use. So in our RAID log, we’ve got an ID for each risk assumption issue or dependency. We’ve got a status for it, the dates, we give it a name, we give it a description, our probability, and impact and mitigation plan and action. And then give it a status on where we’re at with that. We give it an owner and keep track of a record of the decisions made for it and the decision date.
So we’ve got this paper trail of the risks, when was that identified? What happened to it? But talk us through how you would go about with your team using a RAID log. Because there’s the part whereas the project manager we kind of have a try and write down all our nightmares, all our things that we think could go wrong with the project. All the things that are scary. But you’ve talked about engaging stakeholders, there’s the project team as well who are stakeholders too often. How do you engage them in risk management throughout the project life cycle?
Kiron Bondale: Yeah, normally what I would do is, a risk is throughout life cycle as you said. And so I think early on in the life of the project when you may just have a handful of co-participants, the sponsor, maybe your customer, maybe a few senior leads, you want to do an initial pass at risk identification, risk analysis at that point. Then as you start to peel the onion further, getting to more and more detailed planning, you want to revisit it. But from that point on, my recommendation is there’s sort of two triggers I look at. There’s going to be sort of on a regular basis, we want to be revisiting our risks for both an identification from an updated perspective, what’s new, what’s changed, that kind of a thing so that I just like to do on a regular basis.
So let’s say if we’re meeting with our team and our co-stakeholders every week, I wouldn’t do it every week maybe. If I especially if I’ve got a very long-running project, maybe every two weeks, every two weeks you dust off the risk register, pull it up on the screen. You say, “Let’s do a really quick pass through these risks.” Anything’s changed that we need to be aware of. Are there any new risks that anyone’s aware of? What might go wrong that we haven’t thought of? What might go better than we thought? Let’s capture that information. Spend 10, 15 minutes in the meeting going over that. That’s kind of on that regular basis, but then separate from that, what I would suggest is whenever there’s been a realization of a risk, especially a major severe risk, whenever that a risk is realized as an actual issue, it’s worth taking a step back and saying, “Let’s revisit what does this now mean? Because maybe if this risk was realized, maybe there’s a few others that are about to be realized. We need to be aware of that.”
Similarly, if there’s a change in your project, maybe a scope change of some kind, that’s a trigger to say, well, when a scope change occurs, maybe there’s certain risks that can be maybe closed out. They’re no longer valid anymore, but maybe there’s a bunch of new ones that have been introduced. So I’ll say there’s two different triggers. One could be sort of time-based like it’s been a while since we’ve looked at our risk register. Let’s dust it off. The other one could be more event-based. We’ve had a change, we’ve had a major issue. Maybe you hit a milestone, we’ve hit some major milestone in our project, or you complete a phase. That’s a good opportunity to revisit your risks again before you get started with the next phase.
Ben Aston: Yeah. Cool. That’s helpful advice. And let’s talk about when risk management goes wrong though. So we could debate about what that means, but where do you see risk management failing? And you talked about, part of this is crafting the story to make the risk, meaningful and contextual for the stakeholders. So they end up understand the impact of the event occurring that could occur. But where do you see risk management failing? Where does it start becoming undone?
Kiron Bondale: I’d say there’s probably two examples of that are two fairly common examples of that. One is around, we look at it as a one-time thing. So either it’s because there’s a governance requirement that you’ve got to have a risk register. And they organize the project team, the project manager, the senior, the key stakeholders. They’re just not engaged in the risk process. And so they know they’ve got to populate a risk register. And so they do that. They fill it out and they come up with some generic risks that are not really specific.
Ben Aston: Right.
Kiron Bondale: They, they come up with some fairly generic risk response plans. They don’t really act on any of those, but they can put a little tick next to that box that says, “Have you thought about risks on your project?” That’s one way that it goes wrong.
I mean, to me that’s pretty much as good as not doing anything. The other way that it can go wrong is the core team does due diligence. They actually do a good job at identifying risks, analyzing them, coming up with good response strategies, but then the people that are the risk response owners that are supposed to actually do something with those risks, responses, they dropped the ball. Either the risks are not positioned in a manner that makes them sit up and pay attention or they just have too much other stuff going on and they cannot be bothered to pay attention to those risks. They don’t feel it’s worth their while to invest in risk response implementation and so then again it becomes an academic exercise. We’ve captured this great information on risks. We came up with some wonderful risk response strategies. Nothing changed.
Ben Aston: Yeah.
Kiron Bondale: That would be another example of where risk management fails. I’d say maybe there’s a third one which is that many organizations and teams just don’t seem to learn the lessons from the past.
Ben Aston: Right.
Kiron Bondale: When we look at identifying risks, certainly you can leverage things like expert judgment or you could leverage third-party consultants. You can leverage case studies to try to understand what could go wrong and what might go better than expected on your projects. But a really great source of risk is to look at the issue logs from past projects. So if you’ve had past projects where the issue logs have been diligently maintained and you’ve got a project that’s fairly similar, it’s a good idea to pull it up, take a look at that issue log and say, “Well what’s the likelihood these types of things could happen on our project and how might we go about preventing them or reducing their impact.”
That’s the type of due diligence that oftentimes is not executed. So I’d say a not spreading the net wide enough in terms of identifying risks. That would be another area where risk management fails. So I’d probably summarize across those three. So it’s either we just do, we just give it lip service in terms of identification, analysis, and maintaining it. We’re giving it in terms of acting on those risk responses or we’re not spreading the net wide enough when it comes time to identify the risks.
Ben Aston: I think that’s really helpful. And I think one thing that I’d like to dig a bit deeper on is the risk owner not acting or being engaged in the risk. And I think often what can happen is there can be a reluctance to be a risk owner because if you become a risk owner and your name is down next to the risk as the owner, then you have a responsibility to do something which is either, avoid the risk, mitigate against it. It’s your risk. Try and transfer it in some way. But what I see is a bit of a trend towards people not owning the risks or it by default it being the PMs is the risk owner. How do you engage stakeholders in the risk and prevent the PM from being the owner of all the risks?
Kiron Bondale: Yeah, that’s a really good question. My take on that is you can put your PM on the hook for every single risk on the project. That’s fine. You can fire your PM if you like if those risks are realized. But the PM is not the one that is going to benefit from or be hurt by the failure of a project the most. It’s the organization. And so it comes down to one is the project we’re doing valuable. If it’s a valuable project that we need to think about risk in that context of insurance and then the way to be able to get people to sign up for risks to really own them is first don’t overwhelm them with minutia. Make sure the risks you’re hitting them with are the important ones, the ones where you really do need that assistance. You want the organization to set up and pay attention.
Ben Aston: Right.
Kiron Bondale: Secondly, make sure that there’s enough due diligence is done in terms of having smart risk descriptions. Make them as specific as possible and give it a good understanding. What could be the cause of this risk realization? Well, how do we know if this risk is about to be realized? Given as much information as possible to work with. Do the analysis on it like do your homework.
If you do that and if you have those risk response owners having their successful performance objectives for the year, let’s say tied to the success of the project. Now they have skin in the game. If they’ve got skin in the game, they’re going to want to make sure that project succeeds. So many times what I would say is the downfall of risk response, it’s not that the information was not provided inappropriate fashion, it’s at the individual that you asking to do something with that risk really has no skin in the game. It doesn’t matter to them if that project succeeds or fails. So now you’re asking this individual out of the goodness of their heart to expend some of their political capital or social capital or financial capital to make a difference in your project. So it goes back to how good are you as a Project Manager at influencing and persuading those types of stakeholders?
Ben Aston: Yeah, that’s helpful. And I think these tips have all been really valuable. But I think the one that’s resonating with me is really just around this storytelling and making it contextual and real to the stakeholder, to the person who could potentially be impacted by the risk, their reputation could be on the line as well, but making risks meaningful. And I think one of the things you talked about was often the reason that risk management can fail is that we are just going through the motions. We copy and paste all the risks from our previous project. We don’t actually look at lessons learned or issues that came up on previous projects, but we go through the motions and I think what’s really struck home to me is this realization that Hey, stakeholder engagement within this is important and not just going through the motions, but I’m committing to managing risks not just at the beginning of the project, but as a holistic part of the project life cycle will stand us in much greater stead and prevent these scary things from happening.
But Kiron, for someone who’s thinking, Hey, “I barely even manage risk at all, I don’t even really know what a RAID log is.” For someone who kind of, who’s new to project management, thinking about managing risk for the first time, what’s one key thing that they need to get right for risk management to work?
Kiron Bondale: Make it matter. That’s what it comes down to. You could capture a thousand risks and a thousand pieces of data on those risks, but if it doesn’t matter, it does not matter. I would much rather have a project manager capture one or two risks, but they get their stakeholders to sit up and pay attention and actually do something about them. That tells me that’s an effective risk management process.
So I think for somebody that’s new to the profession or that’s taking on their first project and they’re really eager about maybe making sure they’re keeping an eye on risks. It’s a good practice to do a bit of a retrospective at regular intervals to say, this effort we’re putting into risk management, are we getting the return that we would expect from that effort, or are people actually sitting up and paying attention? Are there those risks responses being implemented? Are we seeing a reduction in the risk profile of our project as a result of the actions we’re taking? If we’re not, then what should we be doing in a differently? Those are the types of questions that I would want to see that individual asking themselves.
Ben Aston: Great stuff. Well, Kiron, thank you so much for joining us. It’s been great having you with us today.
Kiron Bondale: Thank you, Ben.
Ben Aston: And so I wonder what you think, what are your tips, tricks for managing risk? Let us know in the comments below and tell us what works, what’s failed for you. Let us know how you’re managing risk. And if you want to learn more and get ahead in your work, come and join our tribe with DPM membership head to thedigitalprojectmanager.com/membership to get access to our Slack team templates, workshops, including workshops on risk, office hours, eBooks, and more. And if you like what you heard today, please subscribe and take a couple of minutes to leave an honest review for the DPM Podcast on Apple Podcasts. We love our fans’ hands. We’ve only got a couple of reviews, so we know there are thousands of listeners, so please stop by and give us a rating and let us know what you think. But until next time, thanks for listening.