Internal versus external risks
Much is made of the difference between internal and external risks. The major differences, however, relate to the ability to apply the risk process to them.
Internal risks can be just as difficult to identify, assess and evaluate as external risks and thus just as complex to manage. The same broad principles of risk management apply to both.
The cost of setting up a management of risk process for a project depends on the technical, political and organisational complexity involved.
There are some general guidelines that can be applied, however. Planners for projects should expect to spend 1−3 per cent of their budget on an initial risk management effort and an additional 2 per cent on monitoring and updating this throughout the development life cycle.
Checklist on assignment of risk ownership:
- Have owners been allocated to all the various parts of the complete risk process and the full scope of the risks being catered for? For example, suppliers may be tasked with ownership of assessing and evaluating risk as part of their contracts.
- Are the various roles and responsibilities associated with ownership well defined?
- Do the individuals who have been allocated ownership actually have the authority in practice to fulfil their responsibilities?
- Have the various roles and responsibilities been communicated and understood?
- Are the nominated owners appropriate?
- In the event of a change, can ownership be quickly and effectively reallocated?
- Are the differences between benefit and delivery risks clearly understood and, if required, do they have different owners?
The Project Manager’s Daily Log can be very useful in monitoring risks. Entries can be made in it for the Project Manager to check on the status of any risks where he/she is the owner. Other entries can be made to remind the Project Manager to check that other owners are monitoring and controlling their risks and feeding the information
Where the project is part of a programme:
- Programme management is responsible for ensuring the management of those risks with interdependencies between projects and programme.
- Where appropriate, the programme should take part in the risk management activities at the project level. This can normally be done by attendance at end stage assessments by either a member of programme management or a designated risk management function.
- Risks are frequently common across projects and would benefit from being centralised at programme level. The cost of corrective action can be reduced if it is planned, agreed and actioned only once. Also, problems can result from an inconsistent approach being taken by projects.