This content was published prior to the merger of equals between BKD and DHG on June 1, 2022. See all FORsights for the most up-to-date articles, webinars, and videos.
Risk Assessment in Project Management
EPISODE 80: The risk assessment process should be at the forefront of any project. Art Marshall and Sarah Carcello share their insight on the process and why it's critical in today's environment.
[00:00:09] JL: Welcome to today's edition of DHG's GrowthCast. I'm your host, John Locke, and at DHG, our strength lies in our technical knowledge, our industry intelligence and our future focus. We understand business needs and are laser-focused on company goals. In this ever-changing world, DHG's GrowthCast provides insights and thought-provoking conversations on topics and trends that address growth opportunities and challenges in the current and future marketplace. Thanks for joining us as we discuss tomorrow's needs today.
[00:00:42] ANNOUNCER: Views and concepts expressed by today's panelists are their own and not those of Dickson Hughes Goodman LLP. Always consult the advice of your legal and financial professional before taking any action.
[00:00:58] JL: Welcome to GrowthCast. Our topic today is risk assessment in project management. And our guests are Art Marshall, manager; and Sarah Carcello, consultant, representing DHG's Risk Advisory Practice. Welcome to you both.
[00:01:13] SC: Thanks. Happy to be here.
[00:01:15] AM: Thanks, John.
[00:01:16] JL: Well, Art and Sarah, it'd be great for our listeners to know a little bit about your background and project management risk assessment experiences that you've had. So could you share that with us?
[00:01:28] SC: Yeah, I think I can get started. I've worked at DHG for a little over a year. I've worked on three different clients, and they've all been a bit different in their approach to risk assessments in project management. The first client had a repetitive project, but it was highly subjective. So we had to have regular meetings with our leaders to mitigate the risk of any incorrect assumptions that we would make that could impact our final deliverable. The second client had much tighter deadlines and was a much shorter project. So we had an iterative approach to our risks and dependencies. And we met every day and so that we could um evaluate any new dependencies that came up. Since we were highly dependent on documentation from the client, we had to make sure that if there were any items that we needed or any items that needed to be escalated, we took those into account.
And my third client, which is my current client, I've gone back and forth between two different projects, and they are quite different in terms of structure and consistency. One project is a bit more cyclical in nature, and it's a more fine-tuned process with formalized structures in place so that we can identify document and escalate risks. As well as a formalized review process that helps us make sure that we're not missing anything. But the other project is a bit newer and a more haphazard by nature. So we have to be more reactive and synchronous in our risk assessment process. But in a lot of ways, I've just scratched the surface on how useful risk assessments are in project management. And I know Art has a lot of experience in this area.
[00:02:59] AM: Thanks, Sarah. Yeah, so I've been with DHG for a little over two years now. And prior to that, I had actually been working in the industry for a risk and regulatory compliance group. So I was able to see firsthand how these groups deal with risks in a day-to-day operation process. I then moved over into a project management role and was able to bring forth my knowledge of how risks are actually dealt with and how they can actually be improved. So looking at that in a project management environment, you want to make sure that it's properly brought in, they're tracked accordingly, and you move forward with them.
Here at DHG, we've been able to help the clients with anything from software implementations, to internal audit engagements, to now legal entity restructuring. And with all those, you do have to manage your risks accordingly. And so it's been a great knowledge building to all that at this point.
[00:03:52] JL: Well, thanks for you sharing both of those experiences and perspectives. And Art, why is risk assessment important to a project management process?
[00:04:05] AM: Yeah. So, John, you really want to talk through the risk assessment process, especially the planning, in any initial phase of the project. Risk needs to be at the forefront of any project. And they need to be thought of as an important factor of your requirements. So think about those requirements gatherings or even your scope definition that you start off with at the beginning of the project. You want to have a risk assessment at the beginning to make sure that you're pulling those through throughout the entire project. You might not think of them as being important at the beginning, but you never know where they're going to make an impact on your project.
Project managers should be the central point for aggregation and reporting for these items from the start, because inefficiencies can emerge that can result in lost time and also increase costs along the way. You have to remember that it's important to perform your due diligence on your sponsoring organization's risk management framework to better understand the risk appetite and the reporting rigor along with the monitoring process that's going to govern your project. Because as we mentioned before, you want to make sure that these are tracked throughout the entire lifecycle of the project.
[00:05:11] JL: So Sarah, tell us about risk assessment principles. And if you're a project manager, what should you be thinking about including in that approach?
[00:05:21] SC: Yeah, great question. So there are really some principles of risk assessments that if you consider them when you're in your project management they really propel your risk assessment process forward from being just checking the box to value added to your project. So first you want to specifically identify the risks. And you want to be sure that you're looking at the organization and business as a whole beyond just the scope of whatever your initiative is. There might be some risks that aren't necessarily within your drug scope, or the realm of your project, that could still impact the overall delivery of your milestones and goals. So that's why it's so important to include all relevant stakeholders in your discussion about risks so they can weigh in on the potential risks that could impact your project life cycle.
And along with that, as it might seem, it really just needs to be a process that is integral to your organizational process and part of your decision making. If risk assessments aren't part of your decision making and how project managers determine their priorities and lead their team, it's really a futile documentation exercise. But on the other hand, if you make it dynamic enough to withstand the test of time and based on the best available information and responsive to change if needed, that's when you really propel yourself into that value-added section of your project. And it's really more about your approach and mindset than the document itself. You can't treat it like one and done. It should be part of your project and evolving alongside it. And depending on your project needs, it's important to consider what this best approach might look like or what the methodology you need to adopt to ensure that the risk assessment process is not forgotten about.
[00:07:01] JL: So art, let's talk about a risk framework here. And how does a project management team adapt a risk framework for the different methodologies?
[00:07:11] SC: Yeah. So here at DHG, we use three main methodologies, and that's going to be waterfall, agile and hybrid. And it's extremely important for the project manager to make sure that if they're initiating a project, they'd pick the right methodology that they're using. And if they're coming into a project, they need to know how those work so that they can apply the appropriate risk frameworks to it.
I think one thing to take away from what Sarah had mentioned earlier is that this is all evolutionary. So you need to remember that your risks can continue to evolve over your project and it's not going to be a one and done type of activity. So once you choose that methodology, it's important that you move forward with it correctly.
So when talking about our waterfall or traditional methodology, it's sequential in ordered steps occurring in a linear fashion, which is going to be document heavy so when we talk about the risk assessments and moving it forward, you will be tracking that from the initial planning phase and move it through all the way into implementation, tracking it through either until it's closed, you accept the risk, or just continue to track it moving forward.
Agile is going to focus on an integrable approach that emphasizes the short development cycles, or sprints as they're called, in continuous improvement throughout. It's not going to be as document-focused. But you need to make sure that you're looping into the sprint planning sessions how you need to look at that product backlog. So when you are prioritizing what needs to be worked on next, those risks that are associated with it should be brought in. Because as we all know from being project managers, there can be something that comes up that you are not expecting. And luckily, with an agile approach, that can be put into a sprint almost immediately depending on the severity of it and continue to be moved forward.
And finally, the hybrid is a combination of both approaches as it sounds. So it takes the lean aspects of agile, but also incorporates the structure of that traditional waterfall approach. So the continuous risk assessment strategy that is built into agile or the hybrid approach may produce a better outcome for identifying and resolving your risks especially for those higher risk projects that have less predictability in a more dynamic environment.
[00:09:26] JL: So Sarah, how do you start the risk assessment process?
[00:09:30] SC: Yeah. So you want to really start with the engagement from the stakeholders from the beginning. So we talked about this a little bit earlier. But when you're thinking about starting this risk assessment process, before you even identify your risks, you want to make sure you have the right people in the conversation. And then you want to get their buy-in. So that's critical to overall project success, because you want the team to be on the same page, understand what in their minds the risks are. What you're dependent on? What might come up later down the line? And if there's not that buy-in, you might just have misalignment between the final deliverable and what the expectations are, and miscommunication can occur. And that really derails the project and causes timing issues and so forth. So it's really important, start with that buy-in. And that'll give you a good jumping off point to identify what the whole team thinks the risks are, dependencies. And then the team isn't surprised if something comes up either.
And then once you've gotten the buy-in, you've identified your risks, you have to decide a risk response based on the risk specific issue and the severity of that risk. So there are four types of risk responses. There's avoid, mitigate, transfer and accept. So you're going to choose a risk response based on the individual risk that is present in your project and depending on what the team thinks the best response should be. This would depend on what the impact potential would be. If your team wants to accept the risk maybe, if it's a very low severity or likelihood of it occurring, or if it's a very severe impact, you might just avoid the risk altogether by choosing a different plan of action. And after you decided a risk response, it's important that that risk assessment process is maintained. And as we've mentioned before, evolving throughout the whole project life cycle.
[00:11:24] JL: So what's the life cycle of a risk assessment process? Art, do you want to take that one?
[00:11:28] AM: Definitely. You can actually think of a risk assessment process almost like a project in and of itself. So you're going to have that initial kind of idea, that gathering session of what is actually happening here that you then move forward into the requirements that you'll need. Test it. See what happens? If you want to move forward with it. And then finally put it in if it needs to go into place.
So where that comes in is performing these assessments in your project will qualify and quantify the identified impediments that you and your team could potentially have an impact on your project with. Once the team has created a working list of the identified risks, applying a common measurement to each risk. So think about one to five, maybe high, medium, low, whatever your methodology is going to entail will help determine the prioritization of addressing those risks throughout the project.
A risk matrix compares the probability of the risk occurring on one access to the actual impact of the risk occurring on another access. So this is going to be another way how you can look at it holistically and take all those risks that you have together. Put it in a matrix and see what needs to be worked on. You can actually find the intersection of the probability and impact by the risk ratings that you're given on this matrix.
You also have something called a RAID log, which is going to have your risks, assumptions, issues and dependencies all captured so that the team has defined for the project these items. But it also serves as a tool to track the issues, the assumptions and those dependencies that you want to make sure are captured throughout it.
Something like this is going to require monitoring throughout the duration of the project, but it's going to give you that visibility into the roadblocks that could potentially come up in your project. You should consider how you're going to track these items. And we have some best practices that Sarah and I have utilized from our successes in the past that we both feel are great accelerators to use in project management.
[00:13:29] JL: So Art, could you share a few of those best practices once risks have been assessed?
[00:13:35] AM: So these assessments should also be designed to align with the overall risk management process and the goals set forth by either your organization as a whole or your sponsorship on the project. Because the purpose of the risk assessments in project management is to address the risk in a productive manner by empowering the project manager, whether that'd be you yourself or maybe the PM that you're reporting to, to act as a central reporting point to communicate the status of the risks that may impact the project delivery timelines and/or the quality that is going to be involved.
Another main point is going to be your stakeholder involvement as well. Because as the project manager, you should leverage the stakeholder matrix that you have to ensure the appropriate representation and the risk assessment discussions are captured so that the value is being added to the project and decisions are not made in a vacuum. It goes back to communication being key, and that everyone's on the same page here so that they know what could potentially be an impediment to your project. Otherwise, the risk assessment outcome can result in misalignment to both the goals and the risk management approach of the sponsoring organization with a lack of integration and critical information from those key stakeholders for the risk portfolio, because risks not only affect your project, but it might affect other areas that you're not aware of.
And so that's why it's important to continually discuss and review these risks, too. Again, as we talked about, it's an evolutionary process that you want to make sure continues to be brought up until you either accept that risk or you find a way to move forward with it.
Documenting these items in the program management reporting so that there's no confusion about how each risk is addressed and ensure that the stakeholders are aware of how each are being tracked as well are some great ways for you as a project manager to make sure that these risk assessments are captured accordingly.
[00:15:28] JL: Well, a lot of great content today, and some best practices. And as we wrap up here, Sarah, would you help us understand why are continuous risk assessments and project management so important for organizations today?
[00:15:45] SC: Yeah. Now more than ever, strong risk assessments incorporated into your project management are crucial to the successful progression of the project. Like Art mentioned, there's unique communication challenges that we're still working through. And creating proactive planning and structure helps plan for the unexpected during a time when that is already pretty hard to do. So having a strong risk assessment process can be that one thing that just propels your project forward and makes you stand out to your stakeholders, client, sponsoring organization, whoever it is that's invested in the success of the final deliverable and shows how you're able to add value to an organization.
Here at DHG, we not only have the tools and accelerators, like Art mentioned, to help your organization manage the risks associated with your initiative. But we also have the experience with methodologies that help support these efforts. Agile and traditional methodologies are combined with DHG's hybrid risk-based approach, which assists you in not only completing your project, but keeping up with the ever-changing market conditions. Any program will encounter unexpected challenges during its execution. And DHG has the capabilities to provide your organization with opportunities to mitigate any risk while accelerating the goals of your initiative.
[00:17:01] JL: And Sarah, if our listeners want to find more information on this topic, where would they go to find it?
[00:17:07] SC: Yeah, if anyone wants to find more information, please visit dhg.com for information regarding the CFO and business advisory service line. And you can also see the show details for our related knowledge share on this topic and additional contact information.
[00:17:22] JL: Well, thanks to you both for sharing your insights with us today. And thank you for joining us on today's episode of GrowthCast, with Art Marshall and Sarah Carcello, from DHG's Risk Advisory Practice. We hope that this discussion will help you better understand principles, practices and processes associated with risk assessment in project management.
I'm your host, John Locke, and I look forward to reconnecting with you soon on another episode of DHG GrowthCast. Until then, be sure to rate, review and subscribe to DHG GrowthCast on Apple Podcast, Spotify or Podbean.