“The sponsor has lost political power and may no longer be able to support the project”, “Executive X may push for Vendor Y due to family connections”, “The key technical resource in the project may leave because he is underpaid and his skills are in high demand.” These are all examples of risks that keep the project manager awake at night, but never make it to the risk registry, because nobody would dare to document them. This is the risk management paradox: we document the risks everybody knows about, and we omit those that have the potential to derail the project.
Because of this, risk management sometimes is perceived as bureaucratic, because it only covers the obvious, the lame, common places, which are known to everyone and are already being managed informally. During my years leading a PMO, I was often challenged by PMs who asked me whether their job was to document the risk, drivers, impacts, triggers, contingent responses, etc; or actually do something, which in many cases they were already doing. My response always was: if documenting the risk does not provide you with a better insight into what is happening and why, then it is just a formality.
Proper risk management should become “structured thinking”, where documenting the risk in a structured way makes the project manager understand much better how to manage the threat or opportunity. A good example is to define drivers: how do we know that this event could happen? Drivers, when identified properly, are facts that qualify the risk and define its probability. As an example: if the risk is that you may have a heart attack, drivers would be: you are obese, a smoker, don’t exercise and, on top of all that, you are a project manager. There you have the plan for prevention, in front of you. Then comes the impact: you may die if you have a heart attack; drivers could be: you live in the boonies, your spouse doesn’t drive, you don’t have cell phone coverage and the closes hospital is 200 miles away. Again, potential actions to reduce the probability of the impact are right there.
Still, how do you deal with those risks you cannot document, because the one at risk would be you? I have no answer for this, other than to have double books, maybe one in your head, to deal with those other risks under the table. Maybe you can share those with the sponsor, unless s/he is at the centre of the risk. Project management: risky business, indeed.
