If your goal is to avoid being late and spending more money on a project than you have initially planned, keep reading. Project risk management is often a neglected area in project management when in reality, it is among the most important ones.
The following video is a part of our online course on project management for medical devices. The video has a part 2 as well, so make sure you watch it.
It should be said that this is an article on project risk management, not product safety risk management (done according to ISO 14971). Make sure not to confuse the two.
To get back to our topic: if you are wondering when it is too early to start thinking about project risk management, you are already late. In other words, it is never too early. Why? Because thinking of it should be present every step of the way.
Risk is defined in ISO 31000 as
“The effect of uncertainty and objectives.”
In this context, it is appropriate to understand “objectives” as the project objectives – the deliverables, schedule, and budget constraints.
There is a similar definition of risk in the Project Management Body of Knowledge:
“An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.”
Therefore, we can define project risk management as:
“The process of identifying, analyzing, and responding to risks and opportunities that arise over the life cycle of a project to increase the chance of the successful completion.”
The good news is that there are usually numerous ways to deal with a potential situation where the project is not coming along the way it was supposed to, if you just do it before it is too late. It is also worth mentioning that this whole process is not a one-time thing; instead, the steps should be iterated over and over again.
So, what are the steps of project risk management?
- Identifying the risk – asking what could go wrong
- Analysis and the evaluation of the risk – figuring out the possible impact of the risk, and which risks to prioritize
- Coming up with the response – what is it that you can do to reduce the risks
- Implementing the response – a practical way to document and keep track of what you come up with (use a spreadsheet)
Having the proper documentation is useful for both identifying and dealing with the risks. A risk register (or risk list) is the output, and it should be updated every step of the way.
Project document updates contain the risk responses you have already implemented, as tasks with someone’s name on them, and that is how you stay up to date. The risk description contains the analysis and the evaluation of risks: the impact, the probability, severity, urgency, and priority.
Mistakes – better safe than sorry
The risk description is fairly simple: it is answering the “what could go wrong?” question. In case you did not list a risk, and it still occurs, the solution is to update the register and continue.
But what happens if you identify the risk that, for example, sales will not be what you expected them to be? Is that a project risk? Unless you have sales as one of the project deliverables, it is not, and most projects would not have that part in the deliverables. It is important to distinguish between corporate and project risk. Formally speaking, corporate risks are someone else’s job (assuming you are working on a project) and should not be included in your project risk management.
When you have followed and implemented all the previously stated stages, it is high time to shift your focus to the impact.
Figuring out what the impact will be is the key thing to do. Please note, this is where mistakes are often made. The most common one is that people just say “the project will be late” or “the project will spend more than planned”. That is not sufficient information to evaluate the risk. Be a lot more specific than that by specifying and quantifying the expected impact. With careful planning and attention to detail, you will be able to prioritize correctly or determine how expensive risk controls you can afford.
What is the next step?
Now that you have defined the impact, there are steps you should follow to have your project run smoothly:
- Estimate the probability and severity of the impact occurring – it is a good idea to do this using a grading scale with low, medium, and high marks.
- Organize by the urgency – risks that are similar, but happen at different points in time will have different levels of urgency.
- Use the urgency to bump up or down the priority that you have calculated based on the probability and the severity.
Similar to the previously mentioned mistake of having a vague or unspecific description of the impact, a common mistake is to be vague in the risk responses. Unspecific risk responses are not measurable, and it is not possible to follow up on how, and if at all, they are being done.
So, what do you need to do? Select risk responses for which you can verify that they have been implemented and that they will have the desired effect. This is not that different from the requirements on verifying the effectiveness of risk controls and verification of implementation as defined in the ISO 14971.
Risk responses will cost money, but the whole idea is that by spending a little more, you save time and money (or both) in the long run.
Make a note and highlight it: the risk response needs to be tangible, specific, and measurable.
A risk response done for the sake of it, and not with a specific problem and an even more specific suggestion for its solution is a waste of space and time, and it is doomed to fail. There is a (true) anecdote on this topic – one time, an actual risk response found in a project document was ‘’Communicate more’’. Only those two words. Do you think anyone communicated more?
Risk response types
The responsible person, the risk owner, should be the one to implement risk responses or ensure they are implemented. Bear in mind that most of the risk responses will impact other project planning, such as scheduling, human resource planning, and budgeting.
When selecting risk responses, there are several strategies to pick and choose from.There are several responses:
- Nothing. It may seem funny, but in reality, most risks will be left without action and risk response. When you think about it, there are virtually thousands of possible risks; you would not be able to, and should not, come up with risk responses to all of them.
- Mitigation. Take actions to reduce the probability and/or the severity of the impact.
- Transfer. You put the risk on someone else. This does not mean that you should escape your responsibilities by shoving them onto a colleague, but it could be to purchase insurance or outsource to someone who can offer a fixed price contract, for instance.
- Avoidance strategy. This is often changing the project management plan to eliminate the threat, for example, to extend the schedule or budget of the project.
As you can see, risk management is simple. Project risk management is part of our Project Management for Product Development of Medical Devices course. If you would like to read more of our articles, see them here.
Would you like to know more about Project Management?
A pre-requisite for this course is that you have taken the Introduction to Design Control for Medical Devices online course.
Peter Sebelius (PMP) is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.
He has vast ‘hands on’ experience too, having developed, amongst other things, a mechanical chest compression and an ex vivo perfusion machine for lungs. He has received numerous awards including the Great Design Award and the title “This year’s specialist” by Veckans affärer.