The benefits of risk management in projects are huge. You can gain a lot of money if you deal with uncertain project events in a proactive manner. The result will be that you minimize the impact of project threats and seize the opportunities that occur.
This allows you to deliver your project on time, on budget and with the quality results your project sponsor demands. Also your team members will be much happier if they do not enter a “fire fighting” mode needed to repair the failures that could have been prevented. It is important to note that the roles and responsibilities must be documented and included in the original project plan. For all intents and purposes, project risk management can be seen as a project within a project or alternatively a sub-project of the project. Five separate roles can be defined for performing project risk management.
These are:
• Project risk manager
• Project risk management team
• Project risk profile owners
• Project risk custodians
• Project team members

It is important that the project manager and team leaders show their support for the effort and motivate team members to contribute. On many projects, reporting a risk is rewarded by making the same person the risk profile owner. Doing this sends a message to other members that reporting a risk will lead to more work. If possible, team members should rather be incentivized to report risks.
Keywords: Risk management process, Risk management roles, Risk management responsibilities, Project risk management culture.

1. INTRODUCTION

There is no denying the importance of risk management on modern day projects. It has taught us that things do go wrong and that it is naive to think that everything will go according to the project plan. Both the PMBoK and the APMBoK have sections dedicated to the field of project risk management. There is also a significant amount of literature available on how to perform risk management on various kinds of projects across different industries.
Different techniques have been developed over the years to address both macro-level project risks, for example project selection, as well as micro-level risks, such as scheduling risks. Different formulae with varying degrees of complexity have been developed, followed by a myriad of supporting tools and techniques. Despite all this, research has shown that projects, specifically IT projects, still fail at an alarming rate. The question can, therefore, be asked why this is the case given the information, knowledge, tools and techniques available to perform risk management.
This paper addresses the human component of risk management, specifically focusing on the roles and responsibilities of all parties involved. The first section looks at risk management and its well-defined processes and the roles and responsibilities as defined by the PMBoK. This is followed by a suggested, structured framework for roles and the associated responsibilities. The article concludes by looking at the required culture to ensure successful project risk management.

2. RISK MANAGEMENT

Risk management consists of five phases starting with planning and finishing off with monitoring.
This process is repeated as cycles throughout the duration of the project. One such cycle is shown below:

FIGURE 1 – RISK MANAGEMENT PROCESS

Each of these processes is further sub-divided into sub-processes, with the PMBoK clearly showing the inputs, tools and techniques and outputs for each. The one area that seems to be neglected is the roles and responsibilities for performing risk management. During the risk planning phase, the PMBoK states that one of the outputs would be a risk management plan containing the roles and responsibilities, which is explained as follows: “Defines the lead, support and risk management team membership for each type of action in the risk management plan”. It goes on to motivate why an external risk management team would be better than an internal one. During the risk response planning phase, one of the inputs is stated as risk owners, which is explained as follows: “A list of project stakeholders able to act as owners of risk responses. Risk owners should be involved in developing the risk responses”. These are the only references in the PMBoK to the people that should be involved. From the above, two roles are identified.
The first is the risk team that will perform the required activities; the second is the risk owners, who are to be involved in the development and implementation of the risk actions. Unfortunately, it does not state what responsibilities accompany these roles. In the next section, a more comprehensive framework is given for the roles for risk management followed by an explanation of the associated responsibilities.

3. RISK MANAGEMENT ROLES

Five separate roles can be defined for performing project risk management. These are:
• Project risk manager
• Project risk management team
• Project risk profile owners
• Project risk custodians
• Project team members

Following is an explanation of each role.

1. Project risk manager

The role of the project risk manager is to provide the overall project risk strategy and to coordinate the project risk management team. On small projects this can be done by the project manager, but on medium to large projects, a different person should fulfill this role. The project risk manager should ideally be from outside the team or organisation to ensure objectivity. This need not be a full-time role and can, therefore, be outsourced.
The project risk manager reports to the project manager but has a direct link to the project sponsor.

2. Project risk management team

The role of the project risk management team is to collect, capture and coordinate the necessary project risk information. The size of the team will be determined by the size of the overall project. Team members can be internal to the project but must have a detailed understanding of the project risk management methodology being used. The project risk management team reports directly to the project risk manager.

3. Project risk profile owners
The role of the project risk profile owners is similar to that of the risk owners mentioned in the PMBoK. Once a risk has been identified, it must be allocated to a responsible person. The person must be in a position to address the specific risk. It is, therefore, possible that a project risk profile owner could only have one risk although the norm is to have several. The project risk profile owner reports to the risk custodian.

4. Project risk custodians

The role of project risk custodian is to oversee and consolidate all the risks within a specific risk category.
Risk custodians are usually team leaders or sub-project managers. Depending on the risk categorisation schema used, there might be several risk custodians. The project risk custodian reports to the project risk manager but also has a direct link to the project manager.

5. Project team members

It is very important to explicitly state the role of project team members as they need to provide the necessary information to the project risk management team as well as to the project risk profile owners. Without this information the process of risk management cannot take place.
On many projects team members are under the impression that they need not do anything about risk, as there is a team responsible for it. Risk management is a team effort and can never be done in isolation. Project team members report directly to the project risk custodians, who are usually their team leaders or sub-project managers.

6. Other

The two other roles that must be mentioned are those of the project sponsor and the project manager. The project sponsor must realise that there is a cost associated with risk management but that the payoff is an increased probability of success.
If the project sponsor perceives risk management as an unnecessary cost, then the rest of the team will follow suit. The project manager must also understand that risk management is a supporting function and is there to assist the project manager. Often risk management is viewed as an unnecessary overhead taking valuable resources and time away from the project. The attitude and perceptions of the project sponsor and project manager are vital for the establishment of a risk management culture. A project risk organizational structure is depicted below:

FIGURE 2 – PROJECT RISK ORGANISATIONAL STRUCTURE
The solid lines represent direct reporting lines with the dotted lines representing communication lines. The following section lists the responsibilities associated with each role.

4. RISK MANAGEMENT RESPONSIBILITIES

Using the roles discussed above, different responsibilities can now be allocated to each. It is important to note that the roles and responsibilities must be documented and included in the original project plan. For all intents and purposes, project risk management can be seen as a project within a project or alternatively a sub-project of the project.

1. Project risk manager

The project risk manager fulfills the same role within the project risk management context as a project manager does in a project context. Responsibilities include:
• Selecting and implementing a project risk management methodology
• Developing a project risk management strategy
• Implementing a project risk management infrastructure
• Generally managing within the risk management context, for example setting objectives, forecasting, planning, organizing, directing, coordinating, controlling and communicating

2. Project risk management team
The project risk management team is there to execute the risk management process. Responsibilities include:
• Facilitating the risk identification, analysis, quantification and qualification of the risk profiles
• Providing a format and mechanism for project risk management
• Providing integrated interpretation and basic recommendations
• Consolidating, documenting, reporting and providing feedback on risk profiles
• Ensuring that the risk profiles are updated and made available to the project risk manager, project manager and project team
• Monitoring risk profiles
• Providing general guidance on any facet of the risk management process

3. Project risk profile owners

Project risk profile owners must ensure that action is taken to address risks. Responsibilities include:
• Populating the risk profiles in terms of risk measurement and risk action plans
• Ensuring that risk profile values are objective and representative (reflect the opinion of an adequate number of involved/affected parties)
• Implementing risk action plans
• Providing comments on additional risks and communicating changes to risk measures to the project risk management team for consolidation and reporting
• Communicating with team members regarding specific risks

4. Project risk custodians

Project risk custodians perform a quality control function. Responsibilities include:
• Consolidating all risks within a specific risk category
• Coordinating all project risk profile owners within the risk category
• Providing feedback to the project risk manager and project manager on progress with the implementation of action plans
• Providing project risk profile owners with the necessary resources to implement action plans

5. Project team members

All project team members have a responsibility towards ensuring project success. Often team members forget this responsibility as it is perceived as being of secondary importance.
Responsibilities include:
• Providing the project risk management team with the necessary information
• Assisting with the implementation of action plans as specified by the project risk profile owners
• Reporting any new risks that might appear during the life cycle of the project to the project risk management team
The next section addresses the need for a risk culture in which to operate.

5. PROJECT RISK MANAGEMENT CULTURE

For project risk management to contribute to the success of the project, the right culture must be established. Telling all project team members to cooperate with the project risk management team will have no effect if risk management is perceived as a waste of time and effort. It is important that the project manager and team leaders show their support for the effort and motivate team members to contribute.
On many projects, reporting a risk is rewarded by making the same person the risk profile owner. Doing this sends a message to other members that reporting a risk will lead to more work. If possible, team members should rather be incentivised to report risks. Project risk management culture can be measured by using the Risk Management Maturity Model (RMMM).

FIGURE 3 – RISK MANAGEMENT MATURITY MODEL LEVELS

The RMMM was developed based on the now de facto Capability Maturity Model (CMM) that was developed by the Software Engineering Institute (SEI).
The level of maturity of an organisation in terms of risk management will determine its value. Having a Level 1 maturity will not yield the same results as a Level 4 maturity. It is therefore recommended that a risk culture survey be performed before the start of a project. This will help in establishing realistic expectations as well as show what needs to be done to reach the desired maturity level. It must be noted that risk management requires an extensive infrastructure if it is to deliver optimal results.
This infrastructure must be in place before the start of a project.

6. CONCLUSION

The purpose of this paper is to provide a framework for the roles and responsibilities associated with project risk management. Detailed processes, tools and techniques are of little value if the human component that is supposed to use them is not in place. The project manager should ensure that risk management has been included in the project plan from the beginning. Adding it at a later stage can create the perception of lower importance and even an increase in workload.
Unless there is a true belief in the value of risk management by the project sponsor and the project manager, the results will be of little value. The benefits derived from this suggested framework are numerous and include the sharing of workload and, even more importantly, raising the awareness of risk. It also fits into any project organization and can be used in conjunction with any of the current standards for project management. For risk management to be truly successful it is important to remember the following:
• Risk management should never be seen as an audit function that checks up on project team members or their managers. The project risk manager must make an effort to build relationships with all stakeholders and to promote the benefits of risk management.
• Risk management is an enabler to assist the project manager to bring the project to its successful completion. Too often there is an “us-and-them” mentality on projects where in actual fact, everyone is on the same team.
• Risk management cannot be performed without the support of all project team members. The project risk manager and risk management team can only provide the mechanisms for managing risk; the information must come from the team members.
Future research in this field includes the risk management infrastructure that is required before starting a project as well as how to measure the risk culture by means of a risk culture survey.
7. REFERENCES

• PMI. A Guide to the Project Management Body of Knowledge; PMI; ISBN 1-880410-25-7, 2000.
• Software Risk Management – A Practical Guide, Department of Energy Quality Managers, Software Quality Assurance Subcommittee, Reference Document SQAS21.01.00 – 1999, http://cio.doe.gov/sqas, February, 2000.