Академический Документы
Профессиональный Документы
Культура Документы
Effective Project
Risk Management
In The Real World
Text of a talk first given to
members of Bristol Chapter of
the British Computer Society
(BCS) on Wednesday 27
February 2008
The UK now spends more than £22Bn each year on IT projects. Most
of these projects will be late or over budget and many will be cancelled
before completion. But as horrifying as these statistics sound I’m not
going to dwell on the figures because I’m more concerned with the
people who work on projects like these.
For each project that fails there are people like us, working as hard as
we can and as well as we can, but frightened that, at the end of the
whole sad, sorry saga, the culmination of all this effort is yet another
failure.
”
budget As a result you’ll see there is an effective, enjoyable and fun way to
manage risks.
Let’s get started by talking about projects and our current approach to
managing them. If we compared our projects to sailing, it seems to me
that when we embark on our projects we set sail on a sunny day and in
clear skies. But we launch ourselves into a sea of unknowns, without a
According to the U.S. based Standish Group, who have been conducting
research into project failure since the mid 1990s, we are getting better
at managing projects. Their 2006 report confirms this. They found that
the proportion of projects that are completed on time and on budget
has doubled in twelve years, from 17% in 1994 to 35% in 2006. The
proportion of projects that were cancelled before completion fell, from
31% to fewer than 20%. However, this still means that we’re failing to
deliver as planned most of the time. The Standish Group also found
many projects went through several re-plans.
“ Effective risk
management means
fewer delays, lower
We cannot afford to continue with levels of failure like this.
”
and better results with threats to our projects and programmes. The average project takes
nearly twice as long as planned and comes in at almost double the
budget. This inflates the costs and destroys the benefits. Effective risk
management means fewer delays, lower costs, greater returns and
better results.
But if we're still seeing the levels of failure that the Standish Group sees
in its research, then there's something going wrong with the way that
we currently manage risks. What can this be? I believe there are four
key mistakes that we make too often.
The first of these is the failure to identify risks. This is probably the
biggest mistake of all. When you set sail in foggy conditions you just
don’t know what problems lie in wait for you. Let me tell you about a
project I took over last year - a perfect example of the type of project
the Standish Group found in its research. When I arrived the company
had spent several million pounds and two years building a computer
system and yet they still had at least nine more months before they
would be finished and needed another million pounds. I’d been
brought in to evaluate the latest set of plans – the third or fourth replan
the project had been through.
“
The day after I arrived I took a look at the project’s risk log. I wanted
Have a guess how
to see how many risks had been identified. Have a guess how many
many risks the team risks the team had identified in thirteen months? The answer is 41.
had identified in
Given that the project was behind schedule by two years, was
thirteen months.
”
overspent by several million pounds and had been replanned several
The answer is 41 times previously, this seems to me to be an incredible answer. The sad
news for the project and for the organization is that things were so far
behind schedule that there was no point in continuing so we put the
project on hold in the hope that when the organization had more money
it could restart the project.
At the project’s lessons learned review we identified over 100 ideas for
improvement. About half of these comments concerned planning.
They say that hindsight is 20/20 vision. I’d like to suggest that a bit of
foresight isn’t too bad either: the outcome of this project might have
been different if some of the lessons had been learned earlier, rather
than when it was too late. The project manager that I replaced came
to the lessons learned review. His career had been seriously damaged
by the project. When I asked attendees what they most wanted out of
the workshop he said just one word: closure.
I’d like to move on to the second mistake that we often make: the
failure to take action on risks that we do identify. To me this seems like
seeing a lighthouse ahead warning of rocks, but not changing course.
I’ve spoken of the problems that we have because we aren’t aware of
risks. Here’s what happens when we fail to act on those risks that we
are aware of.
• The risk log was being updated in arrears, that is, the update was
made only as a way of recording actions taken in the previous
fortnight. It did not describe the actions planned for the next two
weeks.
This was not a team charting their way to success, but instead
recording the story of their failure. This failure to act on the risks they
faced meant that they continued to run into problems instead of
steering a path around them.
”
caused outrage in our newspapers and for millions of people last month,
their failure and probably continues to this day. I’m speaking of the rail network
upgrade at Rugby.
but this caused problems at Liverpool Street, the second busiest station
in the country, leaving it with no trains and with no travellers.
Let’s look at the damage that this caused the country. Who’s affected
by this?
This has led to talk of the £2.5Bn.year of rail engineering work being
brought back into the public sector, a massive blow to the private
companies who work in that sector. Not all of them were responsible
for the shambles at Rugby, but all of them will pay dearly for the
disaster.
Now I am not saying that the work could have been completed on time,
just that better communication of the problems would have enabled
everyone to take alternative actions. The consequences of failure were
huge and would affect millions of people and organizations. The risks
involved in this upgrade should have been made crystal clear much
sooner to all the key stakeholders and, as the chances of delay grew
greater, contingency plans – prepared in advance – could have been
put into operation. Had Network Rail managed this situation better they
would not now be in the terrible position that they find themselves in.
Not communicating difficulties can cause more damage than the original
problem.
Onto the fourth mistake: failure to look out for new risks as they
emerge. Here’s our captain here, having a quiet forty winks in the
middle of the voyage in the bright sunshine. While he’s asleep on the
deck, who is looking out for new risks, new problems? Those projects
that seem to be going well falter here.
I can think of no better example of this than Northern Rock. How about
“
this: Your business model is based on borrowing money from other
Not communicating
banks and then lending it on, often at high multiples. This works well
difficulties can cause and in a few short years you’ve grown to the point where you’re the
more damage than UK’s fifth biggest lender. So far so good. Then along comes the credit
”
crunch. Banks tighten up lending to new applicants. They also stop
the original problem lending to each other.
If you’re one of the other retail banks you have savers’ deposits to fall
back on to maintain your ability to lend and to provide cash for
withdrawals. What if you’re Northern Rock? Well, what happens is that
you effectively lose your business:
• This kills the company. Just look at the share price! It plummets
from over twelve pounds a share to under a pound;
• Eventually the government steps in. Like that does a lot of good.
They spend months trying to find a buyer for the bank. This is
like trying to sell a clapped out old boat. Nobody wants it. It’s all
over for the Rock and they are nationalized.
This terrifying turn of events doesn’t just affect one bank, it affects us
“
all. Each one of us will end up paying the price for Northern Rock’s
Why did the Rock go failure. I’ve just had my bill in this morning; let’s see how much I have
wrong? At the heart to pay. Three and a half thousand pounds! That’s what I have to pay
as part of my share in the more than £100Bn that the government has
of this problem was
committed to propping up this failing company. I guess I won’t be
the failure to see that going on that holiday after all . . .
they would be
And why did the Rock go wrong? Because at the heart of this problem
especially vulnerable
was the failure to see that the Rock would be especially vulnerable to a
to a tightening in tightening in lending and in market liquidity. I'm sure many will say
lending and in market that the change came so quickly that there was nothing they could do
”
about it. I disagree. History tells us that when the economy turns bad
liquidity following a boom one of the major effects is that money dries up in a
flash. It happened in recessions of the 30s, the 50s, the 70s and the
90s. It happened again in 2000 following the bursting of the tech
bubble. So it’s not as if people didn't see this coming. Except for the
people at Northern Rock. Had they looked at their business model and
asked themselves what risks they were exposed to, a forthcoming
recession would have been top of their list more than for other banks.
But short-sightedness and complacency had replaced taking a long view
and being vigilant. No-one was keeping a look-out for signs of this
disaster of Titanic proportions.
• Greater than one chance in two that your project will be late or
over budget;
I would therefore like to suggest another option, one that combats the
for the risks on the You can solve the first problem – of not identifying risks - by identifying
as many potential risks as you can. This is like checking your chart and
deliverables that they
the weather forecast before you set sail – you may decide that this
are producing
” voyage is too high risk without having to leave the safety of the
harbour.
I know, having a long list of risks doesn’t sound like a good thing. But
here are three reasons why a long list of risks is good for you:
• First, it’s better than not having visibility of the risks. Projects are
full of risks, but few are us are even aware of more than a few of
them;
• Third, it forces you to get help in dealing with them because you
can’t handle them on your own. In fact, you shouldn’t. Your job
as project manager is to make other people accountable for the
risks on the deliverables that they are producing. If people are
not aware of their risks they won’t manage them. Your job
therefore is to make your team aware and to get them to take
ownership.
How do you create a long list of risks? First, try to identify the risks that
any project running in your organization would face. These are things
like:
• Insufficient budget;
• Lack of time.
You can use a risk management checklist for this. Here’s the one I use
– you can download it from my website
Next you should look at the specific risks that your project faces. To do
that you produce a list of deliverables – the tangible end-products that
your project will create - and ask yourself, for each deliverable, what
risks might affect it.
”
Here’s how effective this approach has been for me:
less than two hours
• On a recent project the team had identified 46 risks when I took
over the project;
Has anyone here ever used this approach? Once you have your list
you’ll start to understand why so many projects fail, or at least, why so
many of them are not the successes they were meant to be. So, to
overcome the first key issue: identify lots of risks.
“
the biggest ones by taking action every day to reduce the risk. This is
By unearthing lots of like setting your course and spreading your sails.
risks you’ll probably
uncover some that With your long list of potential risks the first question is: how can we
possibly work on all of them? The good news is that you don’t need to.
are not just It may be that the project isn’t viable. If that is the case it’s better to
significant, they are know now so that you don’t waste your time and effort on a no-hoper.
”
By unearthing lots of risks you’ll probably uncover some that are not
show-stoppers
just significant, they are show-stoppers. Evaluate these risks first – it
will only take a short amount of time. If the outcome of this review is
that the project is not worth doing then that’s a good result for the
project because you’re now not going to spend money on a project that
would have failed anyway. You can move on to other more viable
projects with a better chance of success. That does your career no
harm whatsoever!
If after reviewing your key risks you feel that the project is still viable,
now you need to prioritise, but perhaps not the way that you currently
do.
Why will it fail you? Because you’ll end up with lots of high probability,
high impact risks but without an easy way to prioritise them within each
category. There’s not enough detail to help you to prioritise and this
makes it more difficult to take action.
• For the impact I use my team’s best estimate of the time it will
take to fix the problem.
This doesn’t sound like much of a change, but here’s the thing. Let’s
say I have two risks that affect the same deliverable. Each one has the
same probability, but they require different amounts of time to resolve
the problem. Now the choice as to which one to work on first is easy to
make. The same is true of two different deliverables. If both have the
same probability of risk and the same time to fix, but one starts earlier
than the other, then, again, it’s easy to decide which one I need to
work on first.
After this it gets much, much easier. So, onto the third and fourth
steps.
You can solve the third problem – not communicating risks to our
stakeholders – by getting their commitment to our risk management
plan and by sending them regular updates in the form of a top ten risk
log.
You already have a list of risks a mile long, nicely prioritized. You now
have to add what you’re going to do about them. So the first step is to
create a risk management plan. This will describe your key risks, what
actions you’ll take to resolve them and when and what resources you
need in order to do so.
Here’s where you will chart a different course to other project managers
because where they have a flimsy risk log to record the few risks that
they are aware of, you will have a solid plan that demonstrates your
ability to navigate through tough conditions to achieve your goals.
Just imagine the difference it will make to your next project if you know
in advance where your major problems are and how to steer around
them. Once you have a plan like this you’ll become a proactive
manager of risks, not their passive victim.
• The key risks that you need to manage in order to complete your
project as planned;
• The preventative actions that you can take to stop the threats
from occurring;
The effort you’ve already put into identifying and quantifying risks
“
makes this step much easier:
Just imagine the
difference it will make • Organize a risk management workshop for your team and go
through the list of risks;
to your next project if
you know in advance • Get your team to work out how best to deal with them. With
where your major their combined knowledge you can complete this work quickly
and easily;
problems are and
how you can to steer • Don’t expect to get through the whole list. You only have to
”
make a start and then you can work through the rest of the risks
around them
with their owners at a later stage.
Your project is not guaranteed to succeed, but now everyone will know
what they are letting themselves in for. They’ll be impressed with the
amount of forward planning you’ll have completed. They’ll also be
much more understanding if things go wrong because you will have
explained the risks to them.
Now that you’ve created a risk management plan, your next step in
”
• The ranking, which focuses peoples’ attention on the number one
themselves in for risk for the project;
• The trend indicator. This just makes people want to reduce the
risk even if it’s just by a fraction. They also know that if their
name stays on the list for too long people will ask them what they
are doing about the risk;
• The fact that I send it out every week. This creates momentum.
People know that I’m managing the risks and feel motivated to
act when they see that things are working.
Once you get into the habit of sending out your top ten risk log each
week, you’ll see something amazing start to happen.
After a few weeks the risk level starts to look like this.
What about the final key mistake – not looking out for new risks as they
emerge? You can solve that one too! This is like checking your current
position and adjusting your heading – the more often you check, the
smaller your course corrections need to be and the sooner you can
make changes if you have to.
Once you’ve completed the first three steps, this becomes a simple
task. You’ll repeat the steps that you performed earlier but now it will
take you just a few minutes a week and will get easier as time goes on.
Here’s what you need to do. Hold a regular team meeting, make
reviewing the top ten risks an agenda item each week:
• After the meeting update the risk log and the minutes. Send out
the new version of your top ten risk log to your key stakeholders,
including the line managers for your project team members.
top ten risks an Take a sheet of plain paper or you can use your day book or organizer.
Draw two lines – one down the middle and the other across the middle
agenda item for each
”
– so that you have four rectangles. Write in four headings – risks,
meeting issues, assumptions and dependencies.
• If someone says “that’s easy” or “it’s all under control” then it’s
an assumption. Add this to the list.
Once you start listening for potential risks you will find them. Not all of
them will be significant, but just one or two may be:
• For each one you can prioritise as you did earlier, then add to
your risk management plan;
• If the risk is sufficiently great it may jump straight onto your top
ten risk log, but this is unlikely.
Provided that you have made your team members accountable for their
risks and have been reviewing risks on a weekly basis, the chances are
that they will have discovered the risks themselves, started taking
action on them and reduced the likelihood of the threat affecting your
project. Leaving you more time to focus on managing the major
“
threats.
By managing risks
we can beat the odds At the beginning of the evening I took you down the failure trail:
on time, on budget
”
I talked about four key mistakes: the failure to identify risks; the failure
and without stress to take action on risks, the failure to communicate risks and the failure
to check constantly for new risks as they emerge.
I talked about real world solutions: using a risk form to collate and
describe potential risks; using a risk quantification matrix to quantify
“
and prioritise risks so that we can take action on them; using a top ten
Will tomorrow be the risk log to continually stay focused on the most important risks that we
face; using a project review meeting template to communicate risks and
day that you take
our actions in managing them
your first steps
towards a winning And lastly I talked about a more successful future. After all, that’s
where this system of risk management takes you.
project, a better work
-life balance, reduced Once you begin to chart your way to a successful outcome, you’ll feel in
stress level, a happier control of events and not blown about by them.
And it is at this point that I hand over to you, because now you have a
choice to make. Will tomorrow be another day of firefighting, of worry,
of frustration, of snatched meals, late nights and worrying about your
job? Or instead will tomorrow be the day that you take your first steps
towards a winning project, a better work/life balance, reduced stress
levels, a happier family life and a better, brighter future?
Bryan’s book, Managing Project Risks: How You Can Deliver Your
Next Project On Time & Under Budget, Guaranteed, provides the
tips, tools and strategies for developing effective risk management
plans so that they go on to profit from reduced staff turnover and
reduced stress levels, better teamwork, improved project success
rates and earlier project payback.
Bryan has consulted and worked for dozens of large blue chip
companies in the telecommunications, banking, gaming and
computing sectors.
www.bryanbarrow.com
The UK now spends more than £22Bn each year on IT projects. Most of these projects will be late or
over budget and many will be cancelled before completion. For each project that fails there are people
working as hard as they can and as well as they can. The thing that keeps them awake at night is the
knowledge that, at the end of the whole sad, sorry saga, the culmination of all this effort will be yet
another failure.
If, like me you’ve ever lost out on promotion, or received a smaller bonus than you deserved, or even
missed an important family event because of a failing or failed project then what I have to say will be