RISK1 – Setting the Stage for Risk Management

First in a multi-part series

I received a compelling request from a project manager (Eniitan) recently with high expectations.  “Carl, could you walk me through the WHOLE risk process with some decent examples?”

Wow.  That’s a high hurdle to jump.  But the more I thought about it, the more I realized the request was a viable and reasoned one.  It would be nice to point to a comprehensive series of steps on how the risk management implementation would go, in a step-by-step approach.

For the example, I intend to use a client that (not for the sake of risk, but for the sake of obsolescence) no longer exists.  I felt they would be the perfect candidate, since there’s no chance of doing them harm through public exposure.  I had been called in to work with this client because they needed risk support and needed to develop certain risk reports to meet government requirements.

In review, I realized that they had no significant risk infrastructure, which meant that was the first requirement.  They needed an organizational risk approach.

Establishing a Risk Approach

A risk culture is based on an organization’s risk appetites.  What’s culturally acceptable?  What will management tolerate?  What will the shareholders tolerate?  What will government regulators tolerate?  Those critical questions need to be on the short list early in the process.  Without a clear definition of tolerances, there can be no effective risk management practice.

Step One – Define Tolerances

The word tolerance has the same root as tolerate.  What can we stand?  What can’t we?  The answer may seem obvious, and it is for anything rooted in law or corporate ethics.  Most organizations won’t tolerate sexual harassment.  Most organizations won’t tolerate bribery or theft.  But other tolerances (like cost and time) are more amorphous and situational.  For those, management needs to be asked the question in both relative and absolute terms.  They should be asked:

  • When do you expect to be notified regarding potential delays?
  • When do you expect to be notified regarding potential cost overruns?

The answers may be expressed as absolute values (when the project is two days late), in relative terms (when the budget is more than 10 percent overrun), or in terms of a condition being met (when the overruns require customer review or approval).

The key is to ensure a common understanding of what constitutes an unacceptable breach in status.  If management provides that information, much of the rest of risk management has an anchor to rely on.

Step Two – Define Organizational Risk Terms

The next major undertaking is to define terms so that everyone in the organization speaks a common risk management language.  Risk, for example, is a future event that may or may not happen, and that would affect the objectives of the organization for better or for worse.  Defining it this way keeps people from confusing risks with issues (issues are risks that have been realized, or situations that are already in place and in play in the organization).  Risk lexicons exist, notably in the Guide to the Project Management Body of Knowledge (PMBOK Guide), but a good risk organization takes the time to affirm terms that resonate within its own culture.

At the global or organizational level, this ensures that people at the project level don’t deviate from the risk norms of the organization.  If this doesn’t happen early at the organizational level, later risk efforts at the project level may not be aligned.

What are the essential risk terms?

  • Risk
  • Threat
  • Opportunity
  • Tolerance
  • Threshold

If these terms can be defined and expressed at an organizational level, many of the early steps in creating a risk culture have been accomplished.

To accomplish this, the best approach is to interview executives to draft the definitions and then to test or validate those definitions with the senior management team.  If the senior managers fail to concur with their executives, identify the specific areas of incongruity and revisit those terms with the executive suite.

Once established and validated, it’s important to publish and share the information across the organization.  The more people who know the risk culture and posture of senior management, the more likely they are to align with it.

And once these first steps are taken, the process can begin at a project-specific level, which is where the next blog post will go!

Carl Pritchard, PMP, PMI-RMP, EVP

Studying for the PMP?  Have a Windows8 device?  Consider the “PMP4U” app from the Windows app store.