Project risk should be managed at the individual project level, at the project portfolio level and from the company strategic perspective where the changes are being brought about. Risks within each individual project can affect the wider programme of projects and can adversely impact business operations and overall corporate strategy.

The standard time, cost and quality project risks are well understood and can usually be successfully mitigated by using well documented techniques and methods, but often the wider risks to benefits and the impact on corporate goals and strategy is harder to assess. This means that project risk needs to be brought into the enterprise risk management framework.

Luxon Risk Systems has extensive experience in managing project risk of all types and at all levels within organisations.

Project risk is the risk that the time, cost, quality and benefits of a project are not achieved which may lead to key corporate goals being compromised. Key risk categories include:

Project governance and sponsorship. Poorly defined roles and responsibilities, lack of motivation and clarity of thought of project committees, project justification unclear or ill-conceived.

Project scope. Failure to clarify scope clearly, scope creep, critical success factors poorly defined.

Project objectives risk. Project deliverables and benefits are not aligned to objectives. Objectives may not be rigorously defined or understood.

Budget risk. Overoptimistic financial estimates, final budget established too early in the project lifecycle, budgeting process inadequately carried out.

Timescale risk. Project plan elapsed times set in stone before sufficient information becomes available, project milestones made immovable through political considerations, project estimates ‘padded’ for defensive reasons, insufficient rigour or expertise used in project estimating.

Quality of deliverables. Quality criteria not clearly defined or understood, key reviewers of deliverables not included in the process or included too late, deliverables not sufficiently specified. The project quality management process has to be rigorous and structured.

Ineffective project risk management. A risk management plan needs to be prepared and risk ownership assigned during project start-up.

Stakeholders and communications management. Key stakeholders not identified or identified too late, key stakeholders not aligned with project goals. Key stakeholders not kept properly informed or expectations not managed effectively.

People management. People in the project team may not be properly experienced or trained, they may not be sufficiently motivated or may be disgruntled, they may not be available at the appropriate time.

Internal dependency management. Internal dependencies not clearly defined or understood, significance of dependencies not properly assessed, dependencies not rigorously monitored.

External dependency management. External dependencies may not have been rigorously analysed or identified, project planning may not be sufficiently flexible to allow for these uncertainties.

Benefits delivery risk. Project benefits may be hard to identify and measure, ownership of benefits not be properly defined or agreed, benefit owners not brought into stakeholder group early enough.

Project portfolio risk. The priority of the project within the portfolio is unclear or inconsistent. Vested interest taking precedence over commercial priorities, project portfolio not aligned to corporate strategy.

Supplier management. Third party service and product providers pose another layer of complexity to projects. Sufficient controls have to be established as part of the project plan and risks need to be formally monitored throughout. This must be included in the project risk management plan.

Legacy risk. Flaws may be built into critical business processes and software as a result of projects being implemented before sufficient rigorous testing (including regression testing) has been carried out and before business processes have been properly embedded.