By Mark Powell
Have you ever seen a risk register with 500 or more risks on it? It seems that these days a lot of projects have huge risk registers. How does this happen?
Most people believe that this is natural for a large and complex project.
A good friend recently described a proposal for the California High Speed Train that would go from San Diego to San Francisco and Sacramento. His pre-project draft risk register covered everything from track, signals, routes, station interchanges, software, train sets, health and safety, Environment, etc., and it was huge. Well, that, of course, is no surprise; it is one big, complex, project!
However, I told my friend that when he started that project, his risk register should be empty. I also told him that during the life of that project, he should never have more than about a dozen active risks on his risk register. He scoffed – of course.
Now why would I say such outlandish things for such a large complex project? Two reasons: good Project Management and good Project Planning.
Good project management handles (identifies, assesses, sets up monitoring and, possibly, mitigations) all those pre-start risks in their multitude of management plans and management systems that are complete at project start. In fact, if you think about it, all of our management plans and management processes are nothing more than plans to execute monitoring and mitigation of all those risks we identified before project start.
For instance, we know there’s a risk that all project requirements may not be satisfied in the implemented system. But we don’t put a risk for every requirement in a risk register; we develop a verification plan to mitigate all those risks, and work it through a verification processes. We know there is always a risk that the subsystems and components of the system as-built may not interface correctly. We don’t put those risks in the risk register, we develop an integration plan to monitor and track interface development and manage system builds to mitigate those risks.
For a big infrastructure project like the California High Speed Train, there will be a slew of environmental risks. Various EPA regulations will be prescriptive with respect to monitoring and mitigation of these risks. Every project has a multitude of budget and schedule risks, but we have Earned Value Management Systems to address those.
Good project management may generate upward of 50 management plans. Each of these plans will describe how the risks identified before project start (most of which we know that all projects will have) will be monitored and mitigated through existing processes. Only those risks that were not identified before project start should ever populate the risk register, and any well-managed project should never have more than dozen active risks at any one time.
Bad project management dumps all of these risks into a risk register instead of developing all of those plans. It is nothing short of an abdication of project management responsibility. That’s how you will see 500 or more risks in a risk register. It is not poor risk management; it is poor project management, and no real project planning.
Mark Powell is a consultant specializing in Project Management, Systems Engineering, Risk Assessment, and New Business Acquisition. He is regularly sought as a plenary speaker for conferences and symposia, and to provide tutorials and workshops to improve corporate performance.
He is active on a number of discussion groups on LinkedIn that are particularly relevant to this blog post. Invite him to link, or contact him directly at firstname.lastname@example.org for more information.