Project risk management isn’t a one-person job. OK, as a project manager you might feel like you drive the whole thing, but it should be a team effort. Working out exactly who should be on your risk management team isn’t something that every project manager does upfront, but if you do, it will save you time later when a risk suddenly arrives on the horizon. So, who does what in risk management? Who are you going to need on side and primed ready for action when risks show up? Let’s start at the beginning, with the project manager.
Project manager
Your role as a project manager is to create the risk management strategy and plan. You’ll decide how risk is to be managed (or rather, you’ll turn the policies of your project management office into a tangible action plan for your project). You’ll also be the guardian of the risk log. Don’t let people update it unless you give them permission!
Then your final role is in a governance and oversight capacity. Don’t let people forget that risk management is important. Make sure that the standard risk management processes are being followed and that you are identify, assessing and managing risk as a team.
This isn’t bureaucracy for bureaucracy’s sake: the PMI Pulse of the Profession report 2014 says that a quarter of organisations use standardised project management processes (which would include risk management) throughout the organisation and that this improves your success rate. In fact, there is a 30% difference in performance between low performers who typically don’t have standardised processes, and high performers who do and a 20% difference in the number of successful projects. So it does actually pay to enforce those risk management processes.
Project Sponsor
The project sponsor has a huge role to play in managing risk effectively. They are accountable for the risk profile of the project and ensuring that there is a risk management strategy in place that fits the needs of the organisation. They are also the point of escalation for anything that needs to go to the board or corporate management – they can take risks higher on the project manager’s behalf.
Supplier
The project’s suppliers also have responsibilities when it comes to managing risk. They should be flagging anything to the project manager that relates to supply risk, and they should also be managing those themselves. They should report all this to the project manager, so be wary of the supplier who says that there are no risks and that everything is fine. That’s very likely not to be the case so you have to wonder what they aren’t telling you!
Project team
It isn’t the project manager’s job to identify all the risks, and you’ll rely on your project team to flag things as and when they come to light. The project team are ideally placed to notice new potential problems and to work out how best to mitigate them. Make it clear that they also have the responsibility of bringing risks to you. No one is going to speak up if they don’t. They will have tasks to do for risk mitigation too, and several of them will probably end up owning risk action plans and reporting progress to you.
PMO
The Project Management Office function varies from company to company and you’ll probably find that when to comes to risk management what they do, and what they expect you to do, will also vary. They will probably get involved with project assurance, which is the function that makes sure you are doing what you should – in this case, following the prescribed risk management process. They might hold a corporate risk management policy or a process guide that you’ll have to stick to.
You might also get help from a project support person, in which case they can take over some of the admin and maintenance from the project manager and keep the risk log up to date. If you don’t know what your PMO will do for you or expect from you, talk to them before you get too far into the project.
It’s a good idea to sort out who is going to do what on your project and who will be responsible for what when managing risks at the beginning of your project. Start as you mean to go on, and make sure that everyone knows what is expected of them. That’s far easier than hitting your first risk identification session and having to spend ages in the meeting explaining about how it is going to work. Try to knock off those areas first and then you can start risk identification with everyone being clear about their role.
Got any more tips for who does what? Let us know in the comments below.