Although there are a number of benefits of risk monitoring, acceptance in the industry is not as widespread as should be. PMI’s (2009, p. 51) risk monitor and control process has several main objectives. One objective is to monitor identified risks for any changes, another is to identify new risks, a third is to ensure any risk response plans have been appropriately implemented, and a fourth is to monitor for residual or secondary risks, both of which may occur after implementing a risk response plan. It is important to do these activities regularly because the environment changes, new risks begin to develop, and project changes can result in additional risk (PMI, 2009).
Even though it is important to continually monitor the risk landscape, does not mean that projects are diligent in doing this. Hillson and Murray-Webster (2005, p. 27) warned that the risk implementation phase, which they defined as putting the risk plans into action and monitoring their effectiveness, is the point where many organizations fail to reap the benefits of the preceding stages. PMI (2009, p51) agrees with this idea, asserting that if the risk monitoring and controlling process activities are executed that not only will the current project’s rewards be worth the invested effort, but future projects will also stand to benefit.
However, Hillson and Murray-Webster (2005) report that although many project teams take the effort to identify, assess, and even develop risk response plans, few go the step further and put those plans into action. Additionally, risks should be regularly reviewed and communicated, not just done one time and then put on the shelf.
This lack of emphasis is corroborated by Pinchangthong and Boonjing (2017) who surveyed 200 IT professionals for their perception of the impact on project success of four risk processes; risk identification, risk analysis, risk response planning, and risk monitoring and controlling. Risk monitoring and controlling was considered fourth of the four in terms of impact on project success. Risk identification was ranked first, though the efficacy of identifying the risks is reduced by not tracking them.
Hillson (2009) asserts that the key to ensuring that risk monitoring and response implementation takes place is to ensure that these activities are included within the project’s schedule and budget and assigned owners. This is also what I advise my students when I teach exam preparation. I advise that project managers should not baseline the schedule until after risk planning is complete because there are often many activities that result in carrying out contingency plans, creating and communicating risk reports, and carrying out risk responses.
Crispim, Silva, and Rego (2019) in an international study of 865 project managers, found that risk reviews, a type of meeting called for the purpose of monitoring and controlling risk status, were performed somewhat regularly. However, this tended to be true primarily for those organizations that already had mature risk processes in place.
One of the activities to plan for in the schedule is the time required for regular risk reviews. When I was managing projects, I ensured that at least 15 minutes of every weekly project status meeting was spent reviewing and updating our risk register for any new information learned since the previous week. Hillson (2009, p. 47) advises that incorporating the risk review with the overall project team meeting is an acceptable practice for smaller projects, although he does recommend a separate meeting for larger projects. I now tell my students when I teach, of the importance of these regular reviews.
Risk reviews are an interactive means of communicating risk status. Written reports are another mechanism. The sixth edition of the Guide to the Project Management Body of Knowledge (PMBOK Guide) lists a risk report as both an input and an output to the Monitor Risks process (PMI, 2009, p. 453). This report at first appeared superfluous as an output, since the risk register was also listed. However, Hillson (2009, p. 47) explains why it is important to have such a report.
He advises that the risk report should be action-oriented with specific instruction on who needs to accomplish what and with the specific conclusions found that warrant this action. Merely distributing an updated risk register would not accomplish the communication objectives that this risk report would. Further, the report should be targeted and tailored to the recipient. There could be multiple reports, therefore, depending on the stakeholder.
Perrenoud, Lines, and Sullivan (2014) described a similar meeting which they termed the weekly risk review (WRR). This was a highly effective meeting because in addition to describing the status of current risk, the meeting would gather metric data such as time and dollars lost that were directly attributed to specific risks (that had become issues). The source of these risks was also tracked. Knowing the source and scale of the risks and issues, allowed the organization to better prepare in the future.
A best practice for lessons learned found in the literature was one at NASA that involved storing the risk register in a centrally accessible location and including the specific learnings regarding that risk right within the risk entry (Lengyel, Newman, & Mazzuchi, 2019). NASA termed this “knowledge-based risks”. Within each risk record is a story-based narrative that explains how the risk was identified, what mitigation techniques were employed, and how effective or ineffective they were. A NASA manager reported that these risks were continually accessed, reviewed, and updated. This approach may be more time-intensive than other lessons learned techniques but the ability to reuse the information across multiple projects is an excellent return on investment.
Since the project environment is dynamic, risk probabilities and impacts can and likely will change through the course of a project. Additionally, new risks may crop up and identified risks may no longer be a factor. It is therefore important to continually monitor and communicate risks. Regular risk review meetings should be scheduled and executed to accomplish this objective and actions and important risk-related information should be communicated via risk reports to all relevant stakeholders.
Note: This article was adapted from work submitted as part of Capella University coursework.
Crispim, J., Silva, L. H., & Rego, N. (2019). Project risk management practices: The organizational maturity influence. International Journal of Managing Projects in Business, 12(1), 187-210.
Hillson, D. & Murray-Webster, R. (2005). Understanding and managing risk attitude. Burlington, VT: Gower Publishing Co.
Hillson, D. (2009). Managing risk in projects. Burlington, VT: Gower Publishing Co
Kiridena, S., & Sense, A. (2016). Profiling project complexity: Insights from complexity science and project management literature. Project Management Journal, 47(6), 56-74. doi:10.1177/875697281604700605
Lengyel, D., Newman, J., & Mazzuchi, T. (2019). Integrating risk and knowledge management in human spaceflight programs. Online Journal of Applied Knowledge Management, 7(2), 1-15. doi:10.36965/OJAKM.2019.7(2)1-15
Perrenoud, J., Lines, B., & Sullivan, K. (2014). Measuring risk management performance within a capital program. Journal of Facilities Management, 12(2), 158–171
Project Management Institute (PMI). (2009). Practice standard for project risk management. ProQuest Ebook Central https://ebookcentral-proquest-com.library.capella.eduProject Management Institute (PMI) (2017). Guide to the Project Management Body of Knowledge (PMBOK