Well worth the investment

While corporate governance and risk management are seen as vital to an organisation, even in today's fast-paced, results-oriented environment, formal project risk management is rarely implemented correctly at IT project level.

This has a number of consequences, including late delivery, reduced functionality, excessive spending, inadequate security or capacity and a constant high-stress environment.

Any change involves both risks and opportunities to the organisation, its infrastructure, people, processes and business success. Since a technical or IT project is developed to exploit an opportunity to do things better or in a safer or more consistent fashion, it is inevitable that the project is both subject to, and is a source of, risks and opportunities itself.

Good project and programme management will find a way to introduce dynamic controls in opportunity and risk management into the development and maintenance culture without harming the project or the opportunities for creativity from the individuals involved.

In a world of potential risks, the IT project risk manager should focus on problems or issues that could threaten or cause loss to a project. Although uncertainty cannot be completely eliminated, structure and experience help identify, minimise and manage risks to an acceptable level.

Research has demonstrated that where costs, problems and risks are not minimised or removed at early stages, the cost of the entire project increases exponentially throughout the development life cycle.

Every project has at least one deliverable, a deadline, a set of acceptance criteria and an end client. When each of the project characteristics and key performance indicators is clearly and unambiguously stated and agreed by all stakeholders, it is easier to put into place a set of criteria for monitoring progress and the possible causes of risks.

Smaller projects have massive time and resource constraints and it is easy to delay regular risk management activities until it is too late.

While it is often easier to identify threats to larger projects and programmes, it is also more difficult to identify and monitor their progress. Late or incomplete delivery cannot be anticipated until far later in the development life cycle, because the project administration and performance measurement against key performance indicators are often responsibilities of different people.

Once the project has started, risks should be managed from two distinct levels – the "shop floor" or developer's level and the "strategic" or programme level. Uncertainties should be identified, risks analysed and grouped, and the prioritisation and management process undertaken regularly.

Today's skilful project manager uses risk management not just to mitigate potential problems, but also as a communications and change control mechanism.

If, for example, a website development has unclear customer or product propositions, the astute project risk manager will assess the resulting risk, impact and probability of failure and bring this information to the attention of senior management. By reviewing the risks on a regular basis, as their potential impact, probability and severity grow, the project manager can inform the risk owner, who will be in a position to either initiate corrective actions or make a considered decision to continue.

In the past, project risk management was not implemented to a sufficient extent, because of the perceived cost of training. When compared to the high potential cost of what is often disguised as post-implementation maintenance, however, these costs pale into insignificance.