Two Risk Monitoring and Control Techniques

Professional consultant Gary Blair says that "Thoughtless risks are destructive, of course, but perhaps even more wasteful is thoughtless caution which prompts inaction and promotes failure to seize opportunity."

The thoughtful caution of risk monitoring and control helps you seize project opportunities and avoid destructive risks. By learning how to monitor and control these opportunities, you can boost their potential for success.

Two risk monitoring and control techniques can help you learn how to handle and control risks, increasing your chances of a successful project. The techniques are:

1. project risk response audits
2. periodic project risk reviews

To determine whether a risk owner has taken appropriate action to prevent a risk from occurring, you can use a project risk response audit. Risk response audits examine and document the effectiveness of the risk response and the risk owner. Risk response audits verify that those responsible conduct the responses as planned. You perform these audits throughout the project's life cycle to help control risk.

Companies must decide when they want to conduct risk response audits and under what circumstances. A company may decide to conduct an audit on risks with a potential cost to the project over a certain amount. This amount will vary from project to project, but will be set out at the beginning of the project.

To avoid biased results, you must have an objective third party conduct your risk response audits. Your company may have a risk specialist or internal audit department, otherwise it will have to hire an external auditor.

The second risk monitoring and control technique that can help you learn how to handle and control risks is periodic project risk reviews. Periodic project risk reviews are regularly scheduled examinations of potential risks. Since project risks are always changing, they should be an agenda item at all team meetings.

Depending on the phase of the project's life cycle, risk ratings and prioritization may change. If team members decide to change the risk rating or prioritization of a risk, they may have to perform additional qualitative or quantitative risk analyses.

Project risk response audits and periodic risk reviews keep track of project risks and how your team responds to them. This helps you handle and control risks properly and increases your chances of managing a successful project.

Managing Additional Risks and Scope Changes

Since you never know when a situation will arise that will cause you to reevaluate your project risks, you should prepare for unanticipated situations by knowing what to do when they occur.

There are two ways to recognize new risks. The first is identifying additional risks during project management processes. The second is identifying new risks caused by changes to the project scope. Your initial risk management plan and risk response plan will not account for these new risks, which is why additional risks and scope changes are important inputs to the risk monitoring and control process.

As the project team members go through their normal project management processes like weekly meetings or status reporting, they may identify additional risks. You must add these additional risks to the risk log. The risks listed in the risk log are inputs to the risk monitoring and control process.

Once a project scope change has been approved, the change log becomes the input. The project team will then review the approved changes to see if any new risks emerged as a result of the scope change.

To identify priorities and triggers and to plan responses, you must input the information about additional risks and the approved scope change into the cycle of risk management processes. There are six main risk processes.

1. risk management planning
2. risk identification
3. qualitative risk analysis
4. quantitative risk analysis
5. risk response planning
6. risk monitoring and control

As you implement the six processes, you will find that often the information from one process is needed to drive the next process. For example, you must complete risk management planning before risk identification can occur.

Risk management planning addresses how the additional risks and scope changes will be approached in regards to risk management. Depending on the magnitude of the risk or scope change, it may or may not affect how you conduct risk management for the project as a whole. For example, a new risk or scope change may be important enough that the budget for risk management of the project is increased.

A project team should consider any changes that may need to be made to the risk management plan before moving on to risk identification.

Risk identification determines which risks are most likely to affect the project. The project team will examine scope changes to identify any new risks that may threaten the project. The team will then take these new risks, or the additional risks that were already identified, and document their details and characteristics. From this point on, new risks will refer to both additional risks and risks identified from scope changes.

After examining the risk management plan and identifying new risks, the next logical step is to find out the potential impact of each risk and how likely it is that each new risk will occur. To do this, you must implement the next two risk management processes: qualitative and quantitative risk analysis.

Qualitative risk analysis assesses the potential impact of new risks and determines the likelihood that each will occur. Qualitative risk analysis prioritizes the new risks based on their potential impact on project objectives. This helps determine which risks are most likely to threaten the project.

Quantitative risk analysis is a numerical analysis that determines the probability that the new risk will occur. It also explores the consequences that the new risk will have on project objectives and on the project as a whole.

The first four processes direct the project team to the risks that are most likely to threaten the project. Risk response planning is the process where specific actions are planned in response to these new, threatening project risks. During this process, project managers assign individuals or groups ownership of particular risks. Common risk responses include avoidance, transference, mitigation, and acceptance.

Risk management planning and risk response planning will help you monitor and control risks effectively. The risk management plan and the risk response plan provide the details that a project team needs to carry out the risk monitoring and control process.

By inputting additional risks and scope changes into the cycle of the risk management process, you will be able to identify priorities and triggers and plan responses. This will help you monitor and control your project effectively.

Using Project Communication Documents to Control Risk

Often, team members spend time sharing information that may provide clues to potential project risks. How can this valuable information be incorporated into the risk monitoring and control process?

Project managers and project team members can monitor risks through project communication. Generally, these are documents that provide information on project performance and risks throughout the project's life cycle. As project performance is being monitored, so are project risks. Performance that is lower than expected may indicate that a project risk is emerging, or if performance improves, this may indicate that a risk has been brought under control.

The most obvious communication documents to use in monitoring risks are the work results, project records, and project reports.

Work results
Work results are the outcomes of a project and may include results such as information on the completion status of project deliverables, acquired or allocated costs and resources, and whether project quality standards have been met. It is important to gather reliable and consistent work results, as they are useful for performance reporting and monitoring project risks.

Project records
Project records contain other project information that you should consider when assessing project performance and risks. Project records may include correspondence, memos, and documents describing portions of the project. Project team members may even keep personal records in a project notebook.

Project reports
Project reports are a type of formal documentation that you and your project team can use for risk monitoring and control. Some of the most commonly used reports are:

• issue logs keep track of issues that are risks and issues that could lead to risks. Issue logs contain information such as the date, time, details of the issue, responses implemented, and person reporting the issue.
• action-item lists record information regarding responses to risks. These lists often include a description of the action, the name of the person assigned the action, when it is due, and its status.
• jeopardy warnings are reports that warn project team members that a risk may be about to occur. This information gives the team a chance to prepare its response.
• escalation notices are reports that inform decision makers that a risk has escalated to a higher level. With this information, decision makers can determine the best way to respond.

You and your project team can extract important clues for risk monitoring and control from project communication documents such as work results, project records, and project reports.

Components of Risk Management and Risk Response Plans

H. Stanley Judd, author, film producer, and communications consultant, once said, "A good plan is like a road map: it shows the final destination and usually the best way to get there." Like a good roadmap, a good project plan points out potential risks and includes strategies for managing and responding to those risks. The plan accomplishes this with a risk management plan and a risk response plan, two important aspects of project risk monitoring and control.

Risk management plan
The risk management plan, created during the risk management planning process, is a document that focuses on how to plan for and deal with all risks associated with a project. It describes how risk monitoring and control will be carried out during the project's life cycle. It does not look at the specific responses that will be implemented if a risk occurs.

The risk management plan has several components that are inputs to risk monitoring and control.

• Methodology - outlines the approaches, tools, and resources that can be used to carry out risk monitoring and control. The methodology used will depend upon the information available and the current project phase.
• Roles and responsibilities - is the designation of risk monitoring and control actions to specific individuals or groups. External risk monitoring and control teams are able to provide independent, unbiased risk analyses.
• Budgeting - requires a specific amount of funds to be allocated to the risk monitoring and control process of a given project.
• Timing - is how often risk monitoring and control processes will occur during the project's life cycle. Results must be reviewed periodically so they can be used in decision making.
• Scoring and interpretation - are methods used to score risks and assign them a rank. This risk-ranking process will indicate which risks need constant, close monitoring in order to control their impact on important project objectives.
• The acceptable threshold - is the set limit that the project team members will use to decide when they will implement a control.
• Reporting formats - describe what is in the risk response plan and how it is formatted. It also identifies how the outcomes of risk monitoring and control will be documented, analyzed, and communicated to team members and stakeholders.
• Tracking - is the documentation process that records information about risk monitoring and control activities. The tracking process saves the information so you can use it for the current project, or for future projects.

Risk response plan
The risk response plan is a document that addresses the specific responses to individual project risks.

The project manager and project team create the risk response plan during the risk response planning process. The plan provides project team members with the details they need when a risk occurs. The information in the risk response plan allows team members to take specific actions to control risks.

The risk response plan has several components that project teams use during the risk monitoring and control process.

• Identified risks - The risk response plan lists the identified project risks. The project team will monitor and control the identified risks throughout the project's life cycle.
• Risk owners and responsibilities - The risk response plan identifies risk owners and the details of their responsibilities. The risk monitoring and control process examines and documents the effectiveness of the risk owner.
• Agreed responses - The risk response plan clearly states the agreed responses for each identified risk. These responses may include avoidance, transference, mitigation, or acceptance. Once the project team implements a response, the response will be monitored to determine if further action is necessary.
• Specific actions - The risk response plan not only describes the response strategy for each risk, but also describes the specific actions that will be necessary to carry out each strategy. Risk monitoring and control determines if these actions are adequate.
• Residual risk - The risk response plan outlines the expected residual risk. Residual risks are the risk effects that remain after the implementation of a risk response. These residual risks must be monitored and controlled.
• Contingency and fallback plans - The risk response plan will outline any potential contingency or fallback plans. The project team will monitor the use of these contingency and fallback plans and take action if the plans are deemed inadequate.

The risk management and risk response plans provide you with the processes and actions required to prevent, reduce, recognize, and deal with risks. Using these plans as inputs will help lead your project along the path of success.