Project risk management`s role in ensuring project success

Experience has shown that almost all risks that negatively impact project success are present at the initiation of projects.

A mature project risk management process will ensure that project risks are identified proactively and the impact of the risk managed to an acceptable level or avoided entirely, thereby significantly improving the project`s ability to succeed.

Unfortunately, the project risk management process is generally the least mature project process, which has largely contributed to the history of IT project failures and the inability to effectively manage project risks. This, however, is set to change with the implementation of dedicated independent project risk managers.

IT project management has an unenviable track record with a high percentage of project failures and almost without exception a significant unrecoverable cost accompanying the failure.

The frequency of failed IT projects and the costs involved increased exponentially during the 1990s with the advent of large-scale acceptance of IT as a business enabler and the emergence of ERP systems such as SAP and Oracle. The inability to effectively manage project risk is reflected in research results, such as:

* "Project success rates increased to just over a third or 34% compared to 16% in 1994." - 2003 CHAOS report The Standish Group.

* "60% of the South African participants experienced at least one failed project in the 12 months preceding the survey with an accompanying average failed project cost of R22 million." - 2002 KPMG Programme Management Survey

* "75% of the 1 450 firms surveyed exceeded their IT deadlines and more than 50% of them substantially exceeded their budgets. Key reasons were poor planning, inadequate studies on how IT projects relate to the firm`s needs, and lack of management support." Source - KPMG Survey 1999

In response to the occurrence of failed projects, several project management methodologies were developed containing project principals incorporating lessons learned from project failures. At the end of the 1990s, the IT project management community understood why projects fail and had designed methodologies to ensure projects realise their intended business benefit on time and within budget.

The disappointing aspect, however, is the inability of organisations and project managers to utilise these methodologies to ensure project success and improve the grim IT project management track record.

Organisations invest heavily in the appointment of project managers and the implementation of recognised project management methodologies to control project risk and ensure project success. It is clear that this approach is not achieving the intended benefits if one takes the statistics of continued project failure rates into account.

The global KPMG programme management survey reported the major reasons for project failure as being:

* Lack of sponsor involvement;
* Poor scope management;
* Poor planning;
* Over-ambitious commitment to deliver in restricted timescale;
* Resource contention;
* Poor communication between IT and business;
* Misalignment with strategy;
* Quality of code delivered by the software vendor;
* Poor change management; compliance with the process and lack of understanding; and
* A "we know it all" attitude.

To proactively identify and manage project risks, it is critical that the project incorporates a risk plan or a risk management process to identify risks, and manage the continually changing IT project environment and the effect it has on the achievement of the project objectives.

The abovementioned reasons for project failure could be addressed through a mature project risk management process. One could go so far as to conclude that most project failures are due to ineffective project risk management and that the above reasons are merely the symptoms thereof.

An effective project risk management process includes:

* An initial assessment of the potential risks relating to the project including a process whereby the likelihood of the risk occurring as well as the potential impact thereof on the project and the business is determined;

* Appropriate action plans or controls designed and implemented to mitigate high-risk areas;

* Responsibility for the implementation of the action plan allocated to the appropriate persons (risk owners) in the business; and

* A process of continuous monitoring of the risks and the effectiveness of the associated action plans as well as the ongoing identification and assessment of new risks.

In addition, the project risk management process should consider, among others, the project`s ability to:

* Manage the impact of changes in the company`s strategic environment on the project;

* Ensure the project is aligned with the overall business objectives and receives the appropriate senior management support;

* Manage the project to ensure delivery of the intended benefits within the timeframe and cost planned; and

* Ensure that the people aspect is addressed through communication and change management initiatives.

Traditionally, the project manager is responsible for the risk management process. The limitation of this approach is the disparity in the typical project manager`s focus compared to the required focus of an effective project risk manager. Project managers focus on managing project outcomes while an effective project risk manager focuses on preparing for negative outcomes.

The inappropriate focus of project managers results in their implemented risk management process consisting of a process of reacting to the effects of risks and managing the outcome, rather than identifying the risks proactively and ensuring suitable action plans are developed and implemented to mitigate those risks.

The reactionary approach to risk management is ineffective and will most likely result in cost overruns and time delays. For instance, a potential risk identified could be that specialist equipment may be delivered late which could result in a project delay. If the risk management process is effective, the responsible person will perform an assessment of the impact of the risk and develop an appropriate contingency plan. Compare the effectiveness of this proactive approach to the reactionary approach where the project manager will attempt to design and implement a contingency plan once the supplier fails to deliver the equipment on the expected date.

In light of the project management function`s inability to implement adequate risk management processes, the trend in the current project management environment is increasingly to transfer the risk management responsibility to a third-party who reports directly to the project sponsor.

The benefits of appointing a third-party to take ownership of the project risk management process include:

* An objective and independent assessment of the risks affecting a project and the effectiveness of controls implemented to mitigate those risks;

* Appropriate focus is placed on the risk management process ensuring risks are proactively identified;

* All risks are reported to senior management with no motivation to "hide" bad news; and

* Appropriate risk mitigating plans develop and implement to address project risks in a proactive manner.

An effective risk management process incorporated in the overall project management process with adequate reporting channels to the project sponsor significantly enhances the project`s likelihood of success. This is true for all types of projects and the approach should not be limited to IT projects.