Many projects, in fact most, fail to manage risks effectively. The default position is to record risks but not to actively manage them. Even projects that have well-established governance practices and are actively managing risks can fall into a state of confusion over correctly documenting and managing both risks and issues. For example, there are circumstances where an issue may itself carry further risk and a more significant impact at some future point.
To manage projects to a successful conclusion, it is vital that risks and issues are identified early and are effectively analysed and managed. In the case of risks, the following governance should be in place:
- Concise definition of all of the risks to the successful delivery of the project that can reasonably be managed by the project team or stakeholders. Good practice is to hold these in a risk log which is accessible by all members of the project team.
- Analysis of the impact of each risk if it were to mature, and of its probability of maturing into an issue
- Clear definition of the mitigation to be put in place to minimise or completely negate the risk
- Documentation of an action log with risk mitigation actions to be taken, action owner and dates for actions to be completed
- Appropriate and agreed risk ownership (mitigation actions may or may not be appropriate for the overall risk owner to undertake)
- Ongoing and regular reviews of the risks, analysing progress and any new scoring of risk level
- Escalation of high-level risks, or movement into the issues log if the risk has actually matured.