How often should we perform risk assessment on a project?

This is the third article of our series on Project Risk Management. Click here for the first or second article. We are publishing these articles based on our observations in the market place in regard to the practices of project risk management and the gaps that exist.

Point of Confusion

In this specific article, we address a gap that is related to a major point of confusion. This point of confusion is not specific to risk management but to general aspects of project management. However, this point of confusion has significant impact on how we manage risks on projects.

The confusion is about the project life cycle vs. the PMBOK Guide process groups.

The question is: how often should we perform risk assessment (meaning identification, analysis, and response/treatment) on a project?

Think about it before reading further. On your projects, how many times do you perform risk assessment? Please do not confuse assessment with Risk Monitoring & Control (to use PMBOK terminology).

Here are possible answers:

  • Throughout the project: if this your answer — read the previous sentence; do you mean risk monitoring and control throughout the project or you do assessment throughout the project and if the latter how do you do it?
  • Some will say: once, during project planning, per PMBOK planning process groups. If this is your answer that you are likely falling in the trap that planning processes (including risk assessment) are done once during the project. In this case, you are likely confusing the PMBOK process group called planning and thinking that planning is an actual phase on the project life cycle (span).
  • Others will say: throughout the project … but will continue to say: we identify, analyze, and respond to risks during planning but we monitor and control throughout the project

Neither of the above answers is correct; except maybe for “tiny” projects.

Why the Confusion

Because those answers reflect someone who thinks that the project life cycle = process groups … and therefore (in their views), since planning occur only once during the project the same is applicable to risk management planning processes. Forgive us for repeating but we cannot say this enough and many professionals still miss this point.

This is why it important to note that we cannot address this question (how often should we perform risk assessment on a project) without reflecting back on a common pitfall in project management, especially among PMP and those who studied the PMBOK Guide.

The Origin of the Confusion

The pitfall is not due to errors or gaps in the PMBOK Guide but in the understanding of the guide.

The guide outlines for us five process groups, namely initiating, planning, executing, monitoring and controlling, and closing. The PMP (professionals) and PMBOK Guide “students” confuse these process groups and think of them as project phases. It is even quite common that some organizations use these names for their project phases as well not recognizing a crucial factor. These are process groups that repeat in every phase. Yes repeat; maybe except in tiny projects. So even though the names could be used as project phases we cannot forget that the processes repeat.

Mapping-the-PMBOK-Process-Groups-Against-a-Sample-Project-Life-Cycle

Mapping the PMBOK Process Groups Against a Sample Project Life Cycle

How does this relate to risk management?

The PMBOK says risk assessment has to be done as part of the planning processes for the project … OR … a phase. Therefore, risk assessment has to be performed – from scratch or update – with every phase.

So how many times do we perform risk assessments on a project? Depend on the number of phases; once per phase.

Your opinion?

Do you agree or disagree?

  • JUSTICE KPEI

    I’m a student in this field and I consider myself a novice when it comes to project management, however, I think I can make some contributions to the subject under discussion. I don’t think it is appropriate for risk assessment to be tied to the process groups only. When this happens, it means that the project manager have to wait until the project transitions into another process group before risk assessment could be made, whereas in reality, the project manager or the project team are confronted with new risks on daily basis and needed to response. Risks occur almost everyday, and in some cases hourly. In fact some risk response strategy may give rise to new risks, this is why I believe risk must be assessed every day of the project and risk review meetings must be held weekly, and in some cases daily when there is a major risk threat needing an emergency response.

    • Thank you for your comments. “Risks occur almost everyday” — those are not risks by definitions – they are issues. Risk is what you anticipate and plan to manage – not respond to after it occurs. There are risks that the team could have accepted. In these cases, you are right – these risks occur – so how do we deal with them?

      The key is to read this article with a project life cycle mindset – not a process group mindset.

      Regards

  • SUKAD Admin

    This
    comment was posted on LinkedIn PMO group by badreddine riabi, https://www.linkedin.com/groups/How-Often-Should-We-Perform-106439.S.5973845639652536321view=&gid=106439&item=5973845639652536321&type=member&commentID=discussion%3A5973845639652536321%3Agroup%3A106439&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5973845639652536321%3Agroup%3A106439

    As a former PMO, we have to perform risk
    assessment in the begining of the main phases of the project (define, …).

    the most important
    is in the define phase : the top management has to make decision to launch or
    not the project with the risks identified.

  • SUKAD Admin

    This
    comment was posted on LinkedIn PMLink – Project
    Management Link – Project, Program & Portfolio Managers, PMP, PMBOK, PMO group by Alejandro
    Varga Meder,
    https://www.linkedin.com/groupItemview=&gid=59531&item=5973796600881885187&type=member&commentID=discussion%3A5973796600881885187%3Agroup%3A59531&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5973796600881885187%3Agroup%3A59531

    At least once. But depends on the size of the
    project, mini or micro projects may not be analyzable

  • JP d’Hotman

    As with Project Planning and Control Risk management is a continious process. One should not ask how often it should be carried out, one should ask what is the danger on not making it a continious process. We all know that schedules are live documents which shace very freequently as does the market in which we operate. At every change imaterial of it being to scope, schedule, cost or market, the risk of that change should be analysed planned for and managed. Risk management should go hand in hand with project planning and must therefore be a continious process.

  • Thank you all for commenting. Risk management, project management, and management in general is not an exact science … so it is not always black and white. What we are trying to highlight in these articles are some issues in relation to risk management, gaps in practice, miss-understandings, etc.

    Karl / Basil – I think we are aligned, although we are explaining things differently.

    Kris – I see things a bit differently. If we are dealing with small projects with limited resource then I would tend to agree with you. However, on larger projects with many resources and extended durations there are risks specific to each phase. In the concept phase the risk might be market related, funding, etc. but as we move into other phases we might be dealing with development risks, implementation risks, delivery risks — some of these risk could not be properly assessed early on.

  • It has gotten that every entity is trying to outdo each other with terminology and processes. The issue today is to sift through all the gargone and come to a KIS (keep it simple) step by step procedure. One that allows quick and efficient analysis of your project at any point within its evolution.

    Determining when another risk assessment is needed it like trying to forecast the weather six months out. You do your best to try and manage the process so that the desired outcome will be achieved, but along the way a new front moves in and you have to reassess you plan (risk).

    Successful PM/ OR/ CM will always be looking to the horizon for indicators of the changing weather (project) indicators. Thus risk assessment is a living document / actively that is not complete until the project is closed out.

  • Kris

    I agree with performing risk assessment at the beginning of each phase. I would also think it might need to occur if there are significant changes to scope, schedule, resources, etc. This might not be a full assessment, but a look at the new risks being introduced, their impact on existing risks, etc.

  • Winds change! And what use does a forecast from last summer make in december?
    Risk Management is Project Management for adults. (Tom De Marco I think..) My experience proofs that RM is not only a monitoring and treatment process. It much more has got something to do with things that happen and things that change. So the minimum is to review the Initial Risk Analysis at any mayor Milestone along the projects life cycle. This is where you review the ongoings, the results achieved as well as the things to do next. (I call it CrpL= Continuous (re)planning Loop). A regular 360° scan over things, events and Individuals in your projects environment that might build up a negative influence on the outcome of your project is a MUST. So schedule such a scan as part of any review. It may be a quite time consuming thing but you better stick to the wind of reality before the storm hits you.