Australian Risk Policy Institute

Risk-Based Project Management

Policy Issue

The disciplined and systematic application of risk management with projects is often difficult to establish and sustain. Project managers often find the requirement to report on risk more an onerous compliance task rather than a natural extension of their project management. 

By embedding risk management as one of the foundations of project management, project managers not only improve the management of their projects, they can demonstrate it as well. 


Project Management

The management of risks to the successful delivery of project deliverables is a key aspect of project management. 

This aspect of project management is widely accepted as a key function in project management. Both the Project Management Body of Knowledge (PMBoK) and the Projects in Controlled Environments (PRINCE2) methodologies recognise and promote the management of risk as critical to the success of projects.

In a broader sense, project management methodologies such as PMBoK and PRINCE2 detail an approach to project management, that if applied increase the likelihood of success for a project. From a risk-based perspective these methodologies identify generic risks to the successful management of any project. 

The benefit of applying a risk-based methodology to project management is that in addition to the identification of generic project management risks, risk management provides a framework for analysis and control that is otherwise left to the experience of a project manager (see AS/NZS 4360 - Risk Management Standard).

For example the PMBoK identifies nine functions of project management, being:

1. Scope Management
2. Time Management
3. Cost Management
4. Quality Management
5. Human Resource Management
6. Communications Management
7. Risk Management
8. Procurement Management 
9. Integration Management

If during the course of a project, the management of any of these functions falters or fails, then the project is at risk. Subsequently taking a risk-based approach to managing the functions of project management provides a framework for approaching (and demonstrating the approach to) the management of projects. This is illustrated below:

Risk:  Fail to manage quality
========================================================================================================
Source                                    Control Activity
========================================================================================================
Don’t identify all users                  Work with business team to identify all users
                                          Market project to users to help identify all users
Don’t follow required                     Contact architecture team and consult
architecture                              Define stages where to check adherence with architecture
Fail to meet user expectations            Hold user requirements meeting
                                          Get user representative on project team
                                          Maintain regular user meetings and deliverable demonstrations
========================================================================================================

Generic risks to a project can be referred to as "project management risks". The purpose of labelling these risks as project management risks is to differentiate this set of risks from those that are specific to a project because of the uniqueness of its objective and deliverables. 


Project Risk Management

The PMBoK states that a project is a temporary endeavour undertaken to create a unique product or service.

The uniqueness of a project is defined through its objective and its deliverables, as well as the context in which the project is undertaken. Therefore as well as generic project management risks, a project will have unique or specific risks that may affect the successful delivery of the project, due to the uniqueness of the project objective and deliverables. This is illustrated below:

Risk: Fail to identify all services
========================================================================================================
Source                                     Control Activity
========================================================================================================
Don’t know where to look                   Identify a contact in all subsidiaries and engage them
                                           Check previous similar project documentation
Unclear definition of a "service"          Research external industry definitions
                                           Define what a service is, with stakeholder input
Fail to consider external services         Liaison with peak body group
                                           Check distribution agreements
                                           Check contracts and supplier agreements
========================================================================================================

Specific risks to a project can be referred to as "project objective risks". The management of these unique or specific risks sits within the project management function of "risk management".


Project Management Planning

Adopting a risk-based approach to the development of a project management plan can enhance the completeness of the plan by ensuring appropriate control activities are included in the project activities and schedule. 


     /===================/                    /=====================/               |===================|
    /  Project          /                    /    Project          /                |   Project         |
   /   management      /                    /     objective       /                 |    activities and |
  /    risk - control /          +         /       risk -control /         =        |    schedule       |
 /     activity      /                    /        activity     /                   |                   |
/===================/                    /=====================/                    |---===___===-------|

Project Assurance

Throughout the life of project, numerous stakeholders require assurance that the project is under control (on time, on budget, on track, etc). One mechanism that can be used to provide such assurance is a project risk report. The example below provides an approach to reporting on project risk in a simple and effective way.

============================================================================================================
    Risk                       Current Risk    Risk Level    Control Activity    Issues/Comments
                                    Level        Trend           Progress   
============================================================================================================
1  Fail to manage scope           Medium           ^                R            Business owner pressuring to include additional deliverables.
                                                                                 Delay in finalisation of all business requirements.
2  Fail to manage quality          High            v                A            Some control activities not yet commenced as per schedule.
                                                                                 User representative has been away
3  Fail to identify all services  Medium          -->               G            All control activities have commenced
                                                                                 Additional services identified and included in design specifications
============================================================================================================


Clearance
Primary Author/s:    Miles Pearson
Primary Contact:      Miles Pearson
Legal Clearance:      Not Required
Authorising Officer:  Tom McDonald, Vice President ARPI