Project Practitioners > What Could Possibly Go Wrong? (Risk Management, Part 2)

What Could Possibly Go Wrong? (Risk Management, Part 2)

By Sinikka Waugh

In a previous blog, I hinted at both my deep-seated passion for risk management, and my dark fear that in general, it’s not a popular topic. It’s only natural, then, that my first few blogs of the new year would draw upon my very favorite theme and try to bring some readers over to my side…

Last time, I introduced the general topic of effective risk management as having three key components:
1. First, you need to anticipate the obstacles you could encounter – identify the risks,
2. Then, you need to make a plan for how you’ll respond to those risks,
3. And finally, you need to monitor your risks and put the right plans into action to manage them on an ongoing basis.

Let’s take some time to dive deeper into the first step: identifying risks. Specifically, how can we build a risk list that is comprehensive enough to manage the project effectively? My recommendation is two-fold. First, make sure your list of risks is thorough, and second, make sure your risks are stated well.

So how do you make the right list of what could possibly go wrong? Here are some of the strategies I encourage people to use.

Think through your own experiences.

Think about when things went wrong; Think about the near-misses; When things went well, think about what made them go well; Think about times you were surprised by something, or caught unprepared; Think through the times you said “I wish I had thought of that ahead of time” or something along those lines; Think through the times you said, “I’m glad we thought of that…”

Get input from others.

Listen closely to peoples’ “horror” stories about projects that have gone badly or tough moments they’ve encountered; Ask around to find people who have worked on or seen a similar project or a project with similar components; Ask your leader; Ask your peers; Ask a mentor; Review lessons learned and risk logs from other projects within your organization; Ask someone who’s not even associated with the project to see if they give you some fresh ideas

Use your intuition.

Consider what your gut tells you could prevent you from being successful; If there’s something nagging in the back of your mind, pay attention to it, add it to the list; If there’s some portion of the project you’ve never done or seen done before, make sure that’s on the list; If you’re hearing people talk worriedly about a particular topic – that topic should be on the list

Set aside time for “black hat” thinking during project team interactions.

Make it safe for team members to talk about what they’re worried about, or what they think could go wrong; Ask people associated with the project what’s keeping them up at night; Ask team members what’s the worst thing that could possibly happen

Keep a personal list of common “sources of risk” to draw from.

Try starting with this list of common sources, and then continue to expand your list based on your own project experiences; Remember to consider anything unique to the project at hand

1. The work to be done

  • whether there’s another project competing for priority
  • the extent to which the organization is dependent on the project
  • any regulatory or compliance issues
  • the technical complexity of the work being done (has it been done before successfully; is it something entirely new; is it something routine; is it something that was tried before but failed)

2. The people who are doing the work

  • whether or not they’re available
  • whether or not they’re capable of doing the work that is needed
  • whether or not they understand the expectations
  • whether or not they’re supportive of the project goals
  • whether or not they get along with each other or work well together
  • the extent to which they’re comfortable with the level of ambiguity or precision the project will require

3. The time line

  • whether it accounts for holidays, vacations, operational peak-seasons
  • whether it’s fixed or flexible
  • whether it’s externally imposed, or internally driven from within the project
  • how many of the project activities are on the critical path
  • whether estimates were provided by those closest to the work
  • whether estimates included both effort and duration or just one or the other
  • the extent to which weather or other external, uncontrollable factors play into the project schedule

4. The cost of the work to be done

  • whether or not the money is available
  • how soon the project costs would be paid back to the organization
  • how strong the support of the project is within the revenue-generating parts of the organization

5. If there’s a vendor

  • the vendor’s process maturity
  • the vendor’s technical capabilities for new product development as well as ongoing support
  • the vendor’s existing clients and current production issues
  • the vendor’s ability to meet your time lines
  • the vendor’s awareness of and buy-in to your expectations
  • the vendor’s ability to support your security needs
  • the vendor’s relationship management skills
  • the vendor’s escalation processes

6. The environment

  • how tolerant the organization is to changes within the project
  • the impact to the organization if the project delivers only some or none of the expected benefits
  • any issues of organizational politics relating to the project
  • whether the project dependent is on any other concurrent project or effort in order to be successful

Once you’ve got a good list for your sources of risk, there’s still work to be done. A “source of risk” is not the same as an actionable project risk. A “source” is like a category, a generalization. On the other hand, a project risk is something you can take action on. Listen in on this conversation I had with a fellow project manager, to see how to state a project risk in a way that increases your odds for success…

Tell me about your project and the level of risk associated with it.
There is a ton of uncertainty with this project.

Interesting, tell me about your biggest risks.
I would say the data is definitely our greatest risk.

The data? Can you say more?
Well, there’s a lot of risk around the data.

Okay, but what does that mean? What kind of risks are there around your data? Is it bad or corrupt data? Is it sensitive or confidential data? Is it expensive to extract? Is there a lot of it? Data conversion is a pretty significant portion of your project, but it’s not your project’s only deliverable, so what exactly do you mean when you say that “data” is your biggest risk?

Oh, I see where you’re going with that…Well, yes, it is confidential, and we’re just hoping the vendor deals with it securely. Plus, since we’ve never done this before, there’s a chance the data conversion will be harder than we were planning, and I’m not sure all the resources touching the data have all the information they need. There’s also a chance that the data won’t be converted accurately. And since ultimately the data is visible to some high-ranking individuals in the organization, if the data isn’t accurate, you can imagine how well that will go over! We’ve got to make sure that data is perfect, but there’s a lot of it, and it’s hard to balance perfection and speed. There’s so much risk around the data, I’m just not sure how we’ll be successful!

Hmmm…Let me see if I can help. Let’s try something. Let’s try stating some of these in such a way that we can do something about them. Personally, I’m a fan of “If…then” statements. What is the “IF”? What’s the thing that could happen? And, if it does happen, what is the “THEN”? What is the impact to the project? If “X” happens, then the impact is “Y”. Like this…

1. If the data is not kept secure, then confidential information could get into the wrong hands, and the organization will face significant regulatory and financial exposure.
2. If the data conversion is more complex than we anticipate, then we may need additional resources to help resolve issues.
3. If the data isn’t converted accurately, then we will not have met our quality goals for the project.
4. If data accuracy has to be at 100%, then we may spend a lot of time reconciling the data or researching discrepancies until it’s perfect.

Okay, Sinikka, I see what you mean about stating cause and effect more clearly. I see your point about making the risks more precise, and stating the thing that I’m afraid of and how it impacts the project or organization. But what’s so important about “if…then” statements? Couldn’t I just state them as “may cause” or “could result in” type statements?

Yes, you could, but I find that “if…then” statements are easier to prioritize and are much more easily actionable. Once I know the “if” and the “then”, I can figure out how likely the “if” is, as well as how big of an impact the “then” could have. From there, I can make a plan to make the “if” less likely, or the “then” less painful…or both!

Aside from being a bit of a tongue-twister, the rest of that conversation takes us right into risk response planning, so I’ll save the rest for next time!

Read more from Sinikka's 4-part series:
Part 1: Crystal Ball, Anyone?
Part 2: What Could Possibly Go Wrong?
Part 3: The Project Manager and the Glass
Part 4: Told Ya So

Related Links
Learning from past errors is much easier when project managers can review lessons learned reports from previous projects. Comprehensive risk assessment and mitigation tables include projected problems and possible solutions that could stop problems before they start. If you've got a team member stuck in the black hat, try switching to one of the other five colors for a while.

Not all comments are posted. Posted comments are subject to editing for clarity and length.

thanks for the wonderful ideas on project risk. i feel that you left out two important steps, namely:
1. business strategy analysis( SWOT, GAP analysis, etc.)

2. Organisational Structure and resources

A great article with easy to follow steps to formalize 'Risk Management'.

The comments to this entry are closed.

©Copyright 2000-2017 Emprend, Inc. All Rights Reserved.
About us   Site Map   View current sponsorship opportunities (PDF)
Contact us for more information or e-mail
Terms of Service and Privacy Policy

Stay Connected
Get our latest content delivered to your inbox, every other week. New case studies, articles, templates, online courses, and more. Check out our Newsletter Archive for past issues. Sign Up Now

Follow Us!
Linked In Facebook Twitter RSS Feeds

Got a Question?
Drop us an email or call us toll free:
7am-5pm Pacific
Monday - Friday
We'd love to talk to you.

Learn more about ProjectConnections and who writes our content. Want to learn more? Compare our membership levels.