There are three simple risk management points that organisations often overlook which, when corrected, make all the difference to their success in controlling risks and therefore enhancing their chances of project/programme success:
1) Define your corporate risk management process
If individual project/programme/risk managers are managing risks in different ways, then you cannot achieve good control of the risks across the organisation. You are also in the hands of the individuals regarding their attitude to risk. As an organisation, you should define the behaviours you want from the project/programme management community (as part of a suite of simple project/programme management guidelines), to ensure that risks are properly considered and appropriately treated.
2) Relate project and programme risks to plans
Project and programme risks (rather than organisational risks) should be related to plans. A plan should be a current assessment of the most likely sequences of tasks that are intended to be actioned to deliver the project/programme (rather than an optimistic orpessimistic view, unless all three are estimated). Risks should then be considered in terms of what could go wrong with the project/programme as currently planned. Appropriate tasks to treat risks should be added to plans and contingent time should be added within schedules to make them more realistic.
3) Define corporate standard risks
Any organisation should be able to define a set of standard risks that usually apply to all of its projects/programmes (or maybe a few sets for different types of projects/programmes). Obvious items that should have risks associated with them are; clarity of deliverables (requirements), external dependencies and stakeholder resistance.
Whilst organisations may have something in place to ensure that some project/programme risks are captured, there is often little substance to ensure that risks are properly considered and treated. It is worth being very aware of the link between risks and issues. If an organisation is dealing with alot of issue management (firefighting), then this is a clear indication of poor risk management.
If you would like help with ensuring your project/programme/portfolio management (P3M) framework includes simple but essential risk management elements, please contact me.