Exceptional Project Management – Risk Management

Risk management is an important aspect of successful project delivery. This article introduces the concepts of risk and risk management and describes how the application of risk management techniques increases the likelihood that a project will succeed in delivering its objectives.

What is Risk?

Risk is the possibility of suffering harm or loss. Risks are inherent in every project and can be considered to be anything that will adversely impact the progress or objectives of the project.

What is Risk Management?

Risk management can be defined as “the culture, processes and structures that are directed towards realising potential opportunities whilst managing possible adverse impacts”.

From a project management perspective, risk management is a continuous activity throughout the life of the project that seeks to identify potential risks to delivery, evaluate their likely impact, develop mitigation plans and monitor progress.

Identifying Risks

Finding risks is an ongoing process. Everyone involved in the project should be encouraged to think about possible problems that might arise and to add them to the “risk register”, which is a list of all known project risks.

A risk is initially placed into an “open” status when it is added to the risk register and remains in this state until it has been fully reviewed and a mitigation strategy has been put in place.

When a risk is registered, the person creating the entry also assigns an estimate of the probability of the issue occurring and the magnitude of the impact on the project if the risk does eventuate. The scales used to represent probability and magnitude may vary between organisations and projects; however, I recommend you keep them simple so that anyone involved in the project can understand and use them.

If you are a project manager, you should strongly consider running regular risk workshops with the project team and key stakeholders. These workshops are used to brainstorm additional risks and to assist with the development of mitigation strategies.

Evaluating Risks

Generally it is the responsibility of the project manager to ensure that all new risks are properly evaluated once they have been added into the risk register. On larger projects there may be a dedicated risk manager who holds this responsibility.

The first step in evaluating new risks is to validate the risk. This includes ensuring that the risk is not duplicated in the register and also identifying and separating out issues, which are impacts that have actually occurred rather than those that might occur in future.

Once a risk has been determined to be a valid new item on the register, then the probability and magnitude estimates from the risk creator are also reviewed to ensure they are appropriate and consistent with other risks.

Monitoring and Control

Each risk on the register should be allocated to an owner, who has responsibility for determining the appropriate mitigation strategy and also for monitoring the risk on an ongoing basis. Make sure that the risk owner is someone who is in a position to understand and respond to the specific risk being assigned to them and also ensure they are aware of and agree ownership of the risk.

For each risk, ensure that one or more mitigation strategies are identified. This may be as simple as determining that the impact of the risk is negligible and nothing further is to be done; in most cases, however, an active strategy will be required to reduce the probability of the risk occurring or to address the possible impact. It is essential that clear and realistic dates are set for achieving each mitigation.

On a regular ongoing basis, preferably weekly, the risk register should be reviewed to determine whether actions have been taken and whether the probability or impact of a risk should be adjusted.
Any risk that is evaluated as having a potentially significant impact on the project or that is viewed as highly likely to occur should be escalated to the appropriate group or individuals. Similarly, any risk where the required actions are overdue should also be escalated. The escalation path will depend on your project governance structure and is likely to include a project or programme office, project sponsor and steering committee.
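The register process described above (open status on entry, validation against duplicates and already-occurred issues, an owner with dated mitigation actions, and a weekly review that escalates significant, highly likely or overdue risks) is small enough to model in code. The following is an added example, not part of the original article; the 1-5 scales, the escalation thresholds (probability 4 or above counts as "highly likely", probability x impact of 12 or above counts as "significant") and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed scales: the article only says to keep them simple, so 1-5 is a choice made here.
SCALE = range(1, 6)
# Assumed escalation thresholds (not from the article).
HIGHLY_LIKELY = 4       # probability at or above this is "highly likely to occur"
SIGNIFICANT_SCORE = 12  # probability * impact at or above this is "potentially significant"


@dataclass
class Action:
    """One mitigation step with the clear, realistic date the article asks for."""
    description: str
    due: date
    done: bool = False


@dataclass
class Risk:
    title: str
    probability: int
    impact: int
    owner: Optional[str] = None
    status: str = "open"            # "open" until reviewed and a mitigation is in place
    already_occurred: bool = False  # True means this is an issue, not a risk
    actions: List[Action] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.probability * self.impact


class RiskRegister:
    def __init__(self) -> None:
        self.risks: List[Risk] = []
        self.issues: List[Risk] = []  # impacts that have already happened are separated out

    def add(self, risk: Risk) -> str:
        """Validate a new entry; returns "open", "duplicate" or "issue"."""
        if risk.probability not in SCALE or risk.impact not in SCALE:
            raise ValueError("probability and impact must be on the 1-5 scale")
        key = risk.title.strip().lower()
        if any(r.title.strip().lower() == key for r in self.risks):
            return "duplicate"
        if risk.already_occurred:
            self.issues.append(risk)
            return "issue"
        self.risks.append(risk)
        return "open"

    def _find(self, title: str) -> Risk:
        return next(r for r in self.risks if r.title == title)

    def assign(self, title: str, owner: str, actions: List[Action]) -> None:
        """Give the risk an owner and its agreed mitigation actions; it leaves "open"."""
        risk = self._find(title)
        risk.owner, risk.actions = owner, actions
        risk.status = "accepted" if not actions else "mitigating"

    def reestimate(self, title: str, probability: int, impact: int) -> None:
        """Adjust estimates during review, keeping them on the agreed scale."""
        if probability not in SCALE or impact not in SCALE:
            raise ValueError("estimates must be on the 1-5 scale")
        risk = self._find(title)
        risk.probability, risk.impact = probability, impact

    def review(self, today: date) -> Dict[str, List[str]]:
        """Weekly review: which risks need escalating, and why."""
        escalate: Dict[str, List[str]] = {}
        for r in self.risks:
            reasons = []
            if r.probability >= HIGHLY_LIKELY:
                reasons.append("highly likely")
            if r.score >= SIGNIFICANT_SCORE:
                reasons.append(f"significant (score {r.score})")
            overdue = [a for a in r.actions if not a.done and a.due < today]
            if overdue:
                reasons.append(f"{len(overdue)} overdue action(s)")
            if reasons:
                escalate[r.title] = reasons
        return escalate


def build_sample_register() -> RiskRegister:
    """Constructed sample entries for illustration (not from the article)."""
    reg = RiskRegister()
    reg.add(Risk("Key developer leaves", probability=2, impact=5))
    reg.add(Risk("Vendor API deprecated", probability=4, impact=2))
    reg.add(Risk("Data centre migration slips", probability=3, impact=4))
    reg.add(Risk("Coffee machine breaks", probability=1, impact=1))
    reg.add(Risk("Test environment down", probability=5, impact=3, already_occurred=True))
    reg.assign("Key developer leaves", "Engineering manager",
               [Action("Document onboarding and hand-over", date(2024, 1, 10))])
    reg.assign("Coffee machine breaks", "Office manager", [])  # negligible: accepted
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for title, why in register.review(date(2024, 1, 15)).items():
        print(f"ESCALATE {title}: {', '.join(why)}")
```

Running the module prints the escalation list for the constructed review date: the overdue hand-over action, the highly likely vendor change and the significant migration risk are raised, while the accepted negligible risk stays quiet and the already-occurred outage is filed as an issue rather than a risk.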

Improving Certainty of Delivery

Good risk management increases the likelihood of project success by decreasing the probability and impact of negative events on the project. By proactively identifying and preparing for potential issues throughout the life of your project, you will be well prepared for challenges as they arise and can reduce the chance of potential threats becoming real problems.

Go Kart Accidents – Risk Management

Go karts are fun. They make you feel like you are in a Formula 1 racer. You are so close to the ground that it feels like you are going 100 mph. At that moment the farthest thing from our minds is the reality of racing, especially the history of racing, where people died.

We almost forget that the teen idol James Dean rolled his Porsche Spyder and lost his life. There is glory in racing, and there is tragedy in racing.

Back then, that was the learning curve in racing. It was a later innovation to use roll bars, roll cages and better safety equipment to prevent such catastrophes.

The reality though is most people do not want to face this: accidents do happen.

We tend to have these nerves of steel, which steal reality away from underneath us.

We need to ask the following questions:

– What contingency plans do I have that will cover an accident?

– Do I have insurance?

– What if a neighbor rides my go kart and hurts themselves?

– Do I have insurance that will cover them?

– Or how will this be handled?

– Can I get insurance for a go kart?

The grief of fretting mothers needs to be considered at the outset. Put yourself in a mother’s shoes, and you will get the idea.

Translation: trees don’t move, you will. And probably in the opposite direction, like a super ball!

Go karts to a mother are equal to NRDD:

– Noise

– Recklessness

– Danger

– Death.

You may not think an accident can be that severe; however, counting the cost is a large part of go karting. An understanding of vehicle dynamics and the potential disasters that can occur when go karting needs to be grasped and understood.

When we watch YouTube and see some yahoo jumping off a roof and landing on his privates, we know that is dumb. If we know that is dumb, then we need to put similar thinking into keeping the “dumb” in the closet.

Insurance is designed to repair the broken bones and the scrapes, but the unsaid is that it cannot repair a paraplegic or a broken neck. Even Christopher Reeve didn’t make it…don’t think that gokarting is any different.

A healthy fear of the laws of nature and their reaction towards gokart performance is a good thing.

Your job here is to minimize those risks…

Hence the next section “How am I going to Drive This Go Kart?”

The Consequences of Inadequate Due Diligence

Operating a global business today requires efficiently managing a network of third-party partners that supply product components, run operations in foreign markets, operate call centers, or act as outside consultants or agents.

The vast array of capabilities and specialized skill sets of a well-maintained third-party network makes operations easier for both the organization and its customers. But many organizations, from small businesses to multi-national corporations, can rarely afford the time and effort required in-house to manage these often complex third-party relationships.

Because of this, the risk of unethical business practices, bribery and other business corruption increases if inadequate due diligence is conducted on third-party partners. The ramifications of a scandal related to a third-party partner can easily take down an organization, ranging from a damaged reputation and brand devaluation to regulatory violations, legal proceedings and possible fines and jail terms for directors. The only way to fully protect the corporation’s assets, therefore, is through a strong and viable third-party risk management program.

Building a third-party risk management program is not a passive process. It requires time and effort on a continual basis, as the risks associated with third-party partnerships constantly evolve.

Consider the events of this past summer, during which the legislators of three separate nations signed new compliance regulations and standards into law. Without a doubt, if your organization’s third-party risk management program is unable to quickly adjust to these new regulations (or is not designed to anticipate future legislative movements) your organization is truly at risk.

Cutting corners: not worth the risk

Still, far too many organizations are willing to tempt fate by cutting corners on development and implementation of their third-party risk management program. Certainly, building a strong risk management program requires a significant investment of time and resources (both internally and from the outside), but the consequences of not doing it right could be dramatically severe.

One way organizations attempt to cut corners is by relying on outdated or stagnant tools to monitor, detect and prevent risks. Almost always, hiring outside industry professionals with proven track records of successful due diligence experience is necessary.

Relying too heavily on “desktop” due diligence is another dangerous shortcut. Desktop due diligence is an important initial step of the investigative process, involving background checks, lien searches, regulatory filing investigations and environmental reports. And while it is a vital component of any effective due diligence program, it’s not nearly enough to thoroughly evaluate a third party.

Truly understanding a potential partner’s business requires a considerable amount of time spent face-to-face with the outside organization’s leadership, operations management and even current customers. This “boots on the ground” process will detect potential risks which are often hidden from a distance, and undetectable via web-based discovery tools.

The “boots on the ground” approach also helps to establish a relational dynamic required for ongoing negotiations and provides clear insight into two of the fastest-growing issues in third-party risk management: bribery and labor management.

Bribery as a compliance issue

Anti-bribery and anti-corruption compliance is a fast-moving target. New anti-bribery laws and regulations are being decreed around the world at a relentless pace. Complicating matters further, many countries may have laws in place but lack the ability to adequately enforce them. When this is the case, the responsibility falls to your organization’s due diligence program to ensure detection and protection.

High profile investigations in recent years have contributed to the rapid emergence of bribery and corruption as a societal issue. Never before has such a contrast been drawn so dramatically on a global stage between those that engage in bribery and those that suffer as a result. Any organization that finds itself mixed up in a scandal involving bribery has more than a legal mess to contend with. It has a long battle to win back the trust of its shareholders, employees, customers and the public.

Conducting sufficient due diligence surrounded by such varying factors is work that must be conducted in person. Gaining insight into a potential partner’s company culture requires a level of immersion with the organization’s leadership, management and staff. When it comes to evaluating bribery risk, some warning signs can only be discovered on-site.

Labor matters and compliance

From overtime issues and under-age workers, to unsafe working conditions and improperly documented accidents, labor compliance represents a major component of any strong third-party risk management program.

Once again, inadequate attention to risks related to labor compliance can bring on considerable penalties. Understanding which industries, geographic regions and management structures elevate the organization’s risk is key to efficiently operating an effective due diligence program. This understanding is nearly impossible to guarantee via “desktop” due diligence. Spending the necessary time in person is the only way to be sure a potential supplier is properly compensating and managing employees while providing a safe workplace environment.

Make no mistake, even if your agreement with a third-party partner places the responsibility of payroll issues firmly upon the vendor, your organization — as a joint employer — can still be held accountable in many countries. After all, the labor being conducted at your partner’s facility benefits your organization’s bottom line.

Best practices

The demands of identifying and measuring third-party risk, monitoring those potential risks on an ongoing basis, and making recommendations based on empirical research are best met by a dedicated team of outside professionals. And while no two organizations are alike in terms of risk profiles, several factors have become consistent in building a strong and effective due diligence program:

Planning. Without a well thought out plan outlining ongoing monitoring efforts with assigned roles and responsibilities, efforts to mitigate risk will be haphazard at best, and dormant at worst. With a thoroughly established, management-advocated program that identifies specific risk factors for each affiliation, a process for addressing red flags, and an established mechanism for continual revision, the organization will remain vigilant in its efforts to protect itself from liability.

Documentation. Due diligence efforts are only as good as the information and data gathered and secured. Meticulous documentation and reporting enables the organization to recognize trends, communicate analyses, and sustain efforts during any future personnel changes. Effective risk management programs feature established guidelines for capturing data, contracts and research with uniformity.

Culture. An organization where leadership, management and workforce do not take third-party risk seriously will never be adequately protected from risk. Successful organizations in this respect dedicate themselves to building a culture in which every employee feels personally invested in the risk management of the operation. Employees must feel empowered and encouraged to report red flags. Passive engagement is simply not enough.

Done correctly, third-party risk management can effectively save the organization from risk, liability and other perils often associated with outside entities wanting to engage and transact with your business.