Project Management Report - Risks

An important part of any Project Management Report are the Project Risks which will be covered in more detail later in Project Management Risks.

Project Management Risk Reporting

Essentially in your Project Management Report you should only detail the new, updated or important Risks. Unfortunately whilst this might seem like quite an easy thing to do, the amount of detail required when a Risk is raised means this can quickly become an onerous task, as you will see below.

Now you may well be looking at the number of columns which need to be filled in and be thinking “Wow” or something a little less polite. But don’t worry, that was exactly my reaction when I saw it as well.

The good news is that this is probably the most onerous way of raising a Risk I have ever come across in all my years as a Project Manager, so there is a good chance that wherever you work, it will be an infinitely easier process.

However if it isn’t then the columns have the following meanings and should be filled in accordingly.

Risk No

This is the Number which you have assigned to the Risk

Status

This can have one of three status’s which are:

• Open – Where the Risk remains valid and can adversely impact the project
• Closed – Where the Risk can no longer adversely impact the project or has been mitigated.
• Occurred – Where the Risk actually happened.

Please note that the Occurred Status does happen. A major Risk which simply could not be mitigated actually happened on a Project I was running and it had to be shut down as a result.

Date Raised

The date the Risk was raised. Do not forget to put down the year as well as the month!

Areas Affected

Description of Risk

Here you would include a brief description of the Risk. For example:

"There is a risk that sufficiently experience resources will not be ring fenced to work on the project with the result that the project will be unable to deliver to the deadlines required."

Absolute Impact Analysis

I

This stands for Impact and the numbers 1-8 relate to how big a financial impact in terms of potential profit before tax the Risk would have on the project if it occurred. Obviously how these bandings are defined depends on the Company you work at. However as an example Rating 1 could equate to between $0 to $50k and Rating 8, the most serious could equate to $40m+.

L

This stands for Likelihood and the numbers 1-5 relate to the probability that the Risk will happen. So Rating 1 would normally equate to Rare and Rating 5 to Almost Certain.

Risk Level

This is normally automatically generated by multiplying the Rating you have given to Impact by the Likelihood. So for example if the Risk above had been given an Impact Rating of 3 and a Likelihood Rating of 2 then the overall Risk Level would be 6 ie Low. ,p> The Risk Levels Ratings usually equate to the following:

• Over 15 – Requires Urgent Attention
• Between 7-15 – Needs Close Monitoring
• Less than 7 – Under Control

Please note that any Risk which is usually Over 9 would have to be escalated upwards immediately to either the PMO, or Programme / Project Board. Of course this depends on where you work at as some Companies will have a higher or lower level at which Risks need to be escalated. It really depends on how much of an overhead the PMO want to bear in keeping track of numerous Risks which may or may not impact the Programme going forward.

Existing Controls

This is where you state what is currently being done to reduce the Risk from occurring.

Controlled Impact Analysis

This operates in exactly the same way as Absolute Impact Analysis above. The only difference is that you would score the Impact and Likelihood Rating based upon the Existing Control you have in place. So for example based on the Risk above if your Existing Control is to:

Ensure at least some of the key resources are ring fenced to solely work on the project

Then you would re-rate the Risk based upon these. It should be noted that if there is an Existing Control in place the Impact, Likelihood and Risk Level should be less than it had been for the Absolute Impact Analysis.

Planned Treatments

This is basically where you detail what you’re planning to do to reduce the risk. So any contingency planning or controls should go into Description. It basically assumes that the Existing Control is not going to be enough to reduce the Risk, so basically you need to have a back up plan.

The Planned Treatments section operates in exactly the same way as the previous Absolute Impact Analysis Section with the exception of the Category Section next to Description. The Rating for this is:

• Acceptance – The project will accept the consequences if the Risk occurs on a cost v benefit basis.
• Contingency – The project will develop a contingency ready to be implemented should the Risk occur.
• Prevention – The project will find a way to reduce the Risk from happening in the first place.
• Transfer – The project will the transfer the Risk onto a 3rd party such as an insurance policy.

Treated Impact Analysis

The Ratings in this section are exactly the same as for the Absolute Impact Analysis Section. However please note that the as with the Controlled Analysis Section, the ratings should be lower as a result of the treatment devised.

Action Plan

In this section you should detail how you are planning on implementing the Planned Treatment already stated. Essentially this is where you state your Action Plan for mitigating the Risk.

Risk Owner

This is where you detail who the Risk Owner is. It should basically be the person who is most affected by the Risk. So with the Risk example already stated earlier the best person to be the Risk Owner would be the Project Manager. If it were a Commercial or Budgetary Risk then the best person to nominate, depending on the seriousness of the Risk should be the Project Sponsor

Proximity Date

This is the date at which you anticipate the Risk may materialise. It therefore also becomes the date at which the Risk should be re-assessed by the Project Manager.

Stress Indicator

As the project continues this Indicator becomes more important. This is because this Indicator will specify in more detail exactly what the impact the Risk is having on the project. For example:

• Early project milestones missed
• Additional resources now required
• Costs now exceeding budget

Date Occurred or Closed

This is the date the Risk either happened or it could be closed.

Date Last Updated

This is the date the Risk was last updated ie with progress or further mitigation.

Project Management Risk Report Tips

How you rate a Risk depends on how high you want the Risk to be escalated. If you raise a Risk with an Impact rating of 8 then it will undoubtedly be discussed at potentially main board level, so be aware of this when putting down an Impact Rating.

The Risk Owner should be a specific named person rather than a generic resource such as Project Sponsor. This ensures that a specific person is responsible for the Risk and therefore will be held accountable for it’s progression.

Don’t set too many Proximity Dates too close by as it will mean you are reviewing them constantly. Some may need constant reviewing but the more minor one’s will only need monthly reviews at the maximum.

Lastly don’t go mad and raise every possible variations of Risks possible. You may think that this will cover you in all eventualities but this is rarely the case. All it will mean is a huge overhead for you in terms of ongoing work.

In fact I once managed a programme where one project manager felt the need to raise over 300 Risks on his project. The ridiculous thing was that the project failed because of just one Risk which materialised. The Project Manager had been so busy trying to manage all 300, he’d failed to realise the importance of this one Risk and so had taken his eye off the ball.