Most portfolio offices collect information on risks (and sometimes issues) but the risk statements supplied by projects are often unfocused and poorly defined. It seems that while many project managers can tell us what a risk is, few really understand the concept of risk and how to get real value from the risk practices they apply.
Risk and issue logs are key to understanding the health of our project portfolio. Analysed appropriately they provide the Portfolio Office with critical information revealing where the ‘hot-spots’ are, what needs to be escalated, the actions that would have most effect on increasing throughput etc.
Unfortunately the quality of risk data is sometimes too poor to be credible
If you were to ask you project managers what analysis was done prior to writing the risk into the log; in many cases you will find that there is virtually no analysis and very little engagement with the team and other stakeholders who are best positioned to really understand the nature of the project risks. The risk log is far too often just seen as something that has to be filled in.
Risk profiles are the eyes and ears of the portfolio office
Below is an analysis of the risk impacts areas in two rather different portfolio situations:
In portfolio 1, the current project risk position is indicating that there are concerns around whether what will be delivered will meet the specified acceptance criteria and fulfil client expectations. In other words- it’s clear what we need to deliver but will it be good enough? Any PMO interventions should focus attention on improving product development processes and ensuring testing has been adequately resourced and planned for.
In portfolio 2, there are concerns that costs are likely to rise, probably triggered by the high level of scope change being experienced. Here any PMO intervention is likely to focus on change control and exploring the root causes of scope increase – perhaps the portfolio needs to be re-baselined.
These are both from real portfolios we’ve reviewed. Interestingly, prior to this analysis the focus of the PMO in portfolio 1 had been on financial control – they just had not ‘heard’ the news that was coming from their projects.
Categorising risks to support portfolio analysis
If you want to make risk logs useful at the portfolio level then you must make not only the categorisation useful but also the language clear and shared across the project community.
First things first – make sure that what is being reported is usefully classified as a risk
In 2011 we reported on a survey of risk logs in SA and the UK. In this analysis we found that over two thirds of the logs in the survey muddled together risks, issues, constraints, actions, and ‘to dos’ as well as having a general air of being a ‘things to keep in mind’ list.
There just is not enough analysis going into the risk and issue logs prior to them being submitted – this has to change if you are to get value from the reporting process.
Here are our suggestions to start making risk reporting valuable:
- Review the risk logs – are they classifiable as risks with useful management actions? In other words, get rid of the ‘dross’
- Review the classifications used and make sure there is shared and common approaches to using the classification.
We suggest you should be using at least the following:
- Risk exposure – often expressed as impact and probability – low, medium, high – make sure there is a stated position about what the different levels mean in your business context
- Risk impact – categorise the impacts of the risk and you can start to look at the profile of risk across the portfolio. We categorise by impacts upon cost, scope, schedule, quality and benefits. Don’t accept risks which say they impact them all – it just means the risk has not yet been expressed clearly or the brain has not been engaged.
- Risk actioner – who, or simpler still which team or business unit has been engaged to take on the risk management actions. The project manager might ‘own’ the risks but it is unlikely on complex projects that the project manager is best positioned to manage all the risks. Understanding what business areas are having to deal with risk helps guide PMO support activities, uncover root-cause concerns and identify potential bottlenecks.
Do you think you should be getting more value from your risk management approaches?
PiCubed offers internal Reflect and Learn workshops.
Using data from your own risk processes we compare these with best practices and facilitate discussion and debate on how the individual projects and the project community can make risk management a valuable process in your organisation.