illustration of two people sharing a project risk trello board with checkmarks

there’s an old sailor’s proverb you could just as easily apply to project risk management: “when the boat reaches mid-stream, it is too late to stop the leak.” in other words, hindsight is 20/20. while no project manager, no matter how skilled, is a fortune teller, smooth sailing for any project requires foresight, experience, and a healthy fear of risk. in one evaluation, only about 30% of projects come in under budget. and only 15% come in on time. so, what’s going on here? why can’t people estimate what a project will look like from beginning to end?

because no one can. as master yoda might say, “always in motion is the future.”

after all, no one has a crystal ball. project risk management is inherently a process of planning for the future. no matter how good you are at it, there’s no getting around the fact that your best guesses might end up wrong. fortunately, there are strategies you can put in place that mitigate risk.

the temptation to ignore project risk

in 2006, everyone was making a killing in the mortgage industry. one company—lehman brothers—was making risky investments in real estate and leveraged loans. they thought they had “a very respectable risk management system, and its regulator, the securities and exchange commission (sec), viewed its risk framework as being fully compliant with regulatory requirements,” writes the journal of financial crises. and the potential returns were too good to ignore.

but the growth opportunities proved too much to pass up. they “began dismantling its carefully crafted risk management framework.” they tossed out old risk standards. they replaced their risk evaluator with a wheeler-and-dealer without experience in risk management.

by 2009, the company was gone.

while most interpret lehman brothers’ demise as a cautionary tale about the risks of subprime mortgage investing, it’s more than that. it’s a parable about the perils of ignoring risk management. 

the problem? risk is more complicated than most people imagine for several reasons:

  • risk is exciting. maybe even too exciting. nothing ventured, nothing gained, right? people want to work on thrilling, innovating projects—the once-in-a-lifetime resume builders you can milk for an entire career. few were complaining about risk when lehman brothers was restructuring itself to focus on high-growth assets. to some, it might have even seemed like a logical step toward growth. 
  • risk management is uncertain. it sounds as though you can twist a few dials, tap a few buttons, and never worry about risk again. but it’s more accurate to think of it as risk influence. good management reduces risk, but it can’t be avoided. effective managers minimize risk, but never promise risk is eliminated.
  • poor management. consider that when tony hayward entered the executive position at bp, it was with an eye on safety. he created new safety rules, like lids on coffee cups to prevent spills into critical equipment. but within a few years, the deepwater horizon oil spill spewed four million barrels of crude oil and became one of the most significant environmental disasters in history.

at the heart of it, risk management is project management. the ability to evaluate risk, communicate risk to others, and integrate a systematic approach to deal with it is what helps prevent disasters.

why some companies fail at risk management

even companies with massive risk management budgets sometimes find themselves facing unnecessary risk. 

how is that possible? it’s not a simple matter of throwing out more money. quality project risk management requires good risk management habits:

  • use historical data for forecasts. history may repeat, but that doesn’t mean it’s always about to repeat. as the harvard business review points out, risk assessors in 2006 may have been overconfident because there was so little history of an unprecedented drop in real estate. historical data can be vital, but it’s by no means a guarantor of future results.
  • failure in communication. evaluating risk requires free-flowing communication. without it, project leads may not even be aware that risks exist. one study in sweden found several ways to mitigate this problem, such as assigning clear responsibilities to team members.
  • failure to plan. the old saying “failing to plan is planning to fail” rings true. solid research and roadmaps are key to a project’s success.

three techniques that mitigate project risk

technique #1: perform a swot analysis

a swot analysis is an acronym of four key variables:

  • strengths: the advantages that separate your brand and your projects from others.
  • weaknesses: challenges (employee turnover, debt, etc.) that you have to overcome for a smooth delivery on your project.
  • opportunities: competitive advantages that give your company an edge. these typically refer to external opportunities such as a country loosening its regulations, or a product feature gap in a competitive analysis.
  • threats: a threat is not something that’s already happened. it’s merely the potential of it. for example, let’s say you have no control over the deadline. what happens if you get one week behind schedule? if there’s zero deadline flexibility, you’d have to assess the risk of hiring external help to meet your deadline. to deal with threats, estimate two variables. first, identify the threats themselves. second, address the likelihood that the threat will surface.

oftentimes, businesses conduct a swot analysis company-wide. but it’s just as applicable for new projects and ventures. it’s so popular, in fact, that there are read-only swot analysis templates on trello you can download for your own use.

technique #2: diversify risk

it’s one of the oldest-known investing strategies around: spread your risk around. “diversify your assets,” a financial advisor might say. “don’t put all your eggs in one basket.”

according to a paper from the project management institute, in project management, spreading out risk makes your results more predictable. for example, enron stock reached a peak of $90 in the year 2000. someone who had all their eggs in the enron basket was doing well. but by the end of 2001, that same share of stock dropped to $1.

risk diversification doesn’t only work in the stock market. at nasa, for example, dual redundancy is common practice. one system failure could lead to loss of life, or damage to billion-dollar equipment. nasa adds redundant systems to spread out the risk of every mechanical failure.

“it may also increase costs,” nasa admits. “however, the costs may be recovered by the increased reliability.” in other words, short-term risk mitigation costs tend to outweigh the damage from taking on unnecessary risk in the long run.

technique #3: create a risk and damages report

add tangible terms to your project’s various risks. for example, consider this trello risk report template. this categorizes risks into three categories:

  • high risk level, such as losing a team member in the middle of a project
  • medium risk level, such as running over budget
  • low risk level, such as a data breach to a competitor

note that risk is not the same as the potential damage from each risk. evaluate potential risks on a grid. rank your risks by likelihood and also by the potential damage they could pose to your project.

  • damage from losing a team member might be minimal
  • damage from running over budget could be moderate
  • damage from a data breach to a competitor could be incredible

kickoff your projects with a risk report. this will help you plot the risk and damage potential that pose threats to your efforts.

make project risk less scary

managing risk can sometimes feel like guesswork, but with a plan in place, it’s educated guesswork. 

conduct a thorough swot analysis. communicate with team leaders and stakeholders. sharpen your skills to address risk before it happens.

don’t ignore project risk: 3 tools for project management success