Under managing delivery risks
I recently reviewed a $15m project that was struggling. It was already 6 months late and likely to slip another 6 months, yet its risk log contained only three risks, one of which related to delivery. Overall, from a risk perspective, the project was rated ‘Green’.
When we performed our standard delivery risk analysis against the project it came out Amber with spots of Red.
Although the project was 9 months old, its requirements were still not finalized, the design was a moving feast and the cost of failure was escalating due to some of the decisions made to date. Yet it only identified one delivery risk — that the software component, that was on the critical path and had been outsourced to a vendor, may be late.
This missing of the obvious delivery risks is not an isolated case. Frequently our health checks find the root causes of major problems are delivery risks that were never identified and therefore not managed by the project.
‘Laundry lists’ of potential risks don’t help. Relevant risks still get ignored and extraneous, highly unlikely risks can be picked up ‘just in case’.
I’ve also seen several risk scoring approaches that may encourage people to score a risk as high but, as there is no action attached to rating the risk, the risk disappears into the scoring system never to appear again. Worse, the project team now believe that they have ‘dealt with that risk’ by scoring it!
In addition, because the realization of benefits is still seen as outside the focus of most projects, risks to the delivery of the benefits and value — the reason why the project was commissioned in the first place — are usually not considered at all.
Why this neglect of delivery risks?
One reason for this seems to be that scoring delivery risks can be seen as rating the project team. If you rate, say. requirements risk as “high” (ie unstable) are you saying the project team hasn’t done its job in this area? I remember, when running a team through our standard delivery risk profiling process, the project manager objecting violently when the team wanted to rate requirements as ‘red’. As far as he was concerned they were clear and complete (but he was alone in this view).
Also, when brainstorming or other methods are used to identify potential risks the focus seems to be more on outside factors that can threaten the project (Eg The resources are not made available in time) rather than the internal-to-the-project delivery status and capability risks.
A simple solution
This is why we devised a simple, quick but highly effective Delivery Risk Assessment and Management process. To get a clear picture of your project’s delivery risks you only need to assess 10 project and 10 benefits delivery risk categories.
Both the project and delivery risks have three “environmental risks”. These environmental risks are inherent in the way the project has been set up and cannot be mitigated except by changing the project. They provide a context and multiplier on the remaining seven delivery risk categories.
For example, if the risk of failure (an environmental risk) is low, then the potential business impact of unstable requirements is lower than if the risk of failure was high.
Each delivery risk has four risk level options to be selected from so as to ensure comparability of responses. Teams can score both their current and the targeted risk levels and then plan to manage each risk down to its targeted risk level.
This simple process rates the risks, sets target risk outcomes and enables planning to manage the risk down the desired level. In addition, a standard, comparable delivery risk profile can be generated.
Each project’s delivery risk profile can then be compared across the portfolio and analysed at the next layer down to see which risk categories are reoccurring and why. This profile can also be used to progressively track the actual risk reduction achieved against the planned reductions. If a project is not reducing its risk profile to plan, this is an immediate (and early) danger signal.
Effective delivery risk management does not need to be complex or time consuming.
Delivery risk assessment is part of the TOP Prioritization program