PMO Risk Management

The PMO is expected to do a lot in an organization, but one of the areas that I don’t see enough PMOs assisting with is the issue of risk management. Although I would never suggest that risk management shouldn’t be happening at the project level, I feel that there are a lot of aspects of risk management where the PMO can provide tangible support to project managers in their risk management endeavors. In this article, I would like to explore some of that support in terms of identification, analysis and response.

Risk identification support
The PMO has a broader perspective than an individual project manager, and can therefore have visibility into areas that a PM doesn’t have access to. When it comes to risk identification, that can have a number of advantages:

• Risks identified on one project can be communicated to project managers on similar or related initiatives. They won’t automatically apply to all those other initiatives, but they provide a valuable additional resource that can be used during the process of risk identification. This resource can also avoid later projects from “reinventing the wheel” by looking for risks that have already been identified. Similar ongoing initiatives are more current than using historic projects as a potential source to identify risks.
• The PMO will identify program- and portfolio-level risks that may have a knock on impact on individual projects. While the project manager may be aware that the risks exist, the assistance of the PMO can provide a greater level of transparency into the detail, impact and probability of the risk as they have a more complete picture.
• The PMO is closer to the strategic level of the organization and will be aware of items outside of the direct scope of the project’s portfolio that present risks to the projects (and remember that risks can be negative (threats) or positive (opportunities).

The PMO and the project manager should partner on risk identification--the project manager can’t abdicate their responsibilities to the PMO, and they shouldn’t see the PMO as an auditor to correct problems with risk identification. Rather, by working together the project manager can leverage the PMO’s knowledge and expertise to ensure that as many of the risks as possible are identified. Remember, a risk doesn’t cease to exist because you fail to identify it, it just means that its impact will be more severe if it becomes real--you can’t manage what you haven’t identified.

It’s also worth mentioning that this isn’t just an exercise for early in the project. In the same way that you should consider whether any new risks are occurring throughout the project, the PMO should be looking to help identify other risks that may be occurring elsewhere with the potential to impact you. For example, if one project is experiencing delays with a supplier, then there may well be an increased likelihood that other projects with future dependencies on the same supplier will also suffer delays. That’s a level of insight that the PMO should be able to provide earlier than it would become apparent to the project manager.

Risk analysis support
Risk analysis is all about understanding the impact that a risk can do to your project if it becomes real. This can be an inherently difficult process; by their very definition, a risk is an unknown--so project managers are trying to quantify financial and schedule impact and probability of occurrence against an unknown. This is an inexact science, but we have to make it as exact as possible as risk impact is the fundamental driver for the establishment of our reserves--the amount of time and money that is set aside in order to protect the project from risks.

Project managers should be looking to the PMO to provide expertise here in a number of ways:

• The PMO is the central repository for historic project information and should be able to assist with validation of the analysis—historically, how good has a certain vendor been at delivering on time? What has been the average delay? How many errors are typically seen, and what is the cost of correcting them?
• The PMO can also provide “standards”--for example, what is the expectation for the percentage of project employees who will resign in any given year (which allows you to calculate the number of people that you should expect to lose during the duration of your project), and what is the expected time to replace them?
• The PMO can also facilitate the provision of SMEs to the analysis process--if one project team has recently been through a risk analysis with a number of similar risks to the project that is currently completing risk analysis, then the PMO can connect those two teams together to assist in the exercise.

Again, this is not a “one and done” exercise. The PMO should also be acting as an early warning system to help identify when things change. They can see what is happening from a portfolio-wide perspective and should be able to interpret those events in terms of the impact on individual projects. Similarly, they are in a position to identify the impact of a change in corporate policy, the acts of a competitor, a new regulatory requirement, etc.

Risk response support
The best risk planning in the world is meaningless if you can’t determine what needs to be done in response to the risk, or if you can’t build a contingency plan to put into effect if the risk becomes reality. The PMO can provide valuable assistance in supporting responses:

• Having the higher and broader view, they can identify opportunities to leverage resources to manage risks (if there is a skills gap on one project and a skills surplus on another project, to use a very simple example).
• As a central resource, the PMO can also use economies of scale to assist in reducing risks. For example, if a number of projects feel that they need to engage outside resources to address skills risks (effectively transferring the risk to a third party), then the PMO may be able to consolidate those elements into a single consulting engagement.
• The PMO’s experience can assist in determining when a risk is actually becoming reality. This isn’t always obvious--if you buy hardware from a supplier, then they technically aren’t late until the delivery date arrives and the equipment doesn’t show up. However, if the vendor has been used before, then the PMO will have access to information about how long it takes between the various steps in the build and delivery process. If previous projects suggest that it takes six weeks from confirmation that the build has been scheduled to deliver, then you know that there is a good chance that your risk is occurring if you haven’t received confirmation five weeks before the due date.

In addition, the PMO can provide guidance as to historically what kind of risk-reduction strategies have worked and which haven’t. If a particular course of action has historically had no impact on the probability or impact of a risk occurring, then there is little point in implementing it. Instead, simply accept the risk and use your efforts elsewhere.

Conclusion
Risks are unique to individual projects, and the way that they are managed has to be similarly unique. However, the categories of risk are common across many projects, and there are many similarities from one initiative to the next. The PMO can act as a tremendous resource to allow you to review risks from other areas and consider how that information can assist in managing the risks on your current project.

Failing to leverage this resource is likely to significantly increase the risk of your risk management being unsatisfactory.

Author: 

Andy Jordan is President of Roffensian Consulting S.A., a Roatan, Honduras