Risky business: There is a time for playing it safe and a time for risky business


Embedding risk management as an integral part of the project framework is an essential and fundamental part of any project, programme or portfolio as a way of keeping costs down, benefits high, and increasing the probability of successful delivery.

Businesses and project managers face increasing demand for project success

Businesses are under greater pressure than ever before to complete projects successfully, and consequently good project management becomes a strategic tool for survival for most companies. Project managers are therefore under ever greater demands to deliver successful projects. Also under pressure are the companies’ IT directors, finance directors and CEOs, as projects that deliver late and over budget can affect the whole company, not just individual departments.

It is well documented that very few companies have 100 per cent of their projects delivered on time, within budget, to scope and delivering the right business benefits. On the contrary, failure to deliver is wide scale.



The ability to manage project risks is in direct correlation with business benefits

However, successful projects do happen, and 3gamma firmly believes that one of the key enablers is the right approach to risk. In this paper we define four key reasons why your chances of project success are linked to your ability to effectively manage risk, using a comprehensive risk management approach.

1. Fewer unforeseen delays

Whilst a project plan should contain all of the tasks and activities needed to achieve your goal, the reality is that all too often additional project tasks are only discovered once the project is well under way. This is a common cause of later problems, when “scope creep” is cited as causing delay or rework.

However, it is possible to better understand the real scope of a project before the project is under way. For many of the projects that go terribly wrong, the potential problems were always lurking there, waiting to be discovered. In a speaking event on risk management a number of years ago, a member of the audience cited an example of a key supplier going bust in the middle of one of their projects. He asked how they were supposed to have foreseen that. The speaker asked the audience of 100 or so, how many had had a similar experience. A number of hands went up. ‘There is your answer’, replied the speaker.

Yet, in project after project the amount of time and effort devoted to risk analysis is very small. Usually, risk management is little more than a hastily drawn up list of generic risks as a tick box exercise. Companies, and project managers in particular, can create a more robust project plan if they complete a thorough risk analysis at the outset of the project. It will require some effort and involvement from all stakeholders, and this may encounter some resistance. Risk analysis is frequently considered negative, and people who bring up risks are labelled as nay-sayers. When it is not safe to discuss risk, the project is jeopardized from the start, whilst an open and honest risk identification/analysis workshop will highlight most potential problems which can then be monitored.


Involving the whole project team in a frank and open discussion to identify hidden problems puts the project on the right path to success instead of failure, as a collaborative approach to risk management is far more successful than a “sweep it under the carpet” mind-set. An added benefit is the heightened awareness of the project’s potential risks among all stakeholders. Monitoring against risks is so much easier when all stakeholders and project members know what they should be looking out for!

2. Fewer cost overruns

Once the plan has been updated to include your risk mitigation activities, it is important to develop contingency plans. The new plan is no guarantee that things won’t go wrong. If there are no alternative approaches ready to go when problems occur, the project has to invent one. Unfortunately, this will be right at the moment when there is least time to do so. Progress stalls while re-planning, the project goes into delay and costs begin to rise.

Worse still, if the project needs additional resources, progress could be halted for a long time while the stakeholders are trying to secure these resources. Worst of all, it will put tremendous pressure on the rest of the organisation that may be forced to make difficult choices about whether to make cuts elsewhere so that the project can continue.

A safer approach is to develop a series of contingency plans based on the key risks that have been identified at the start of the project. Three important advantages can be created by developing contingency plans in advance:

  1. By costing contingencies, the contingency budget size can be based on facts and analysis, and the process of securing these funds in advance becomes easier.
  2. The project and its stakeholders will get a better idea of the early warning signs to look for that might signal that the original plan isn’t working – giving the project time to put the contingency plans into action.
  3. If you need to change tactics, the project will already know what to do and the risk of delays and cost overruns is reduced.

By following this approach you avoid going into delay while you come up with a Plan B and you’ll have the funds pre-approved and available. If it turns out that you don’t need to use your contingency plans, you can return your unused contingency funds so they can be used elsewhere. It is far better to have a contingency plan that you don’t need than to need a contingency plan that you don’t have.


This also has a beneficial effect on the morale and confidence of the stakeholders. When a risk becomes an issue and is instantly followed by a planned and funded mitigation, it demonstrates control and good project management rather than a kneejerk, unplanned and unbudgeted crisis response.

3. Improved return on investment

When projects come in late, over budget or fail entirely, it affects much more than the project manager’s ego – it has a ripple effect throughout the entire organisation. The effects may include lost future sales, missed market opportunities, losing a competitive advantage or losing a leading position in a current market. Meanwhile, effective risk management provides the means by which companies can increase the probability of a return on investment. Fewer delays means that projects start repaying their investment earlier. Fewer cost overruns means that profit margins are preserved. Avoiding de-scoping means the full business benefits are achieved as expected and the company remains competitive.

During the construction of the spectacular Oresund Bridge and tunnel, which connects Sweden to Denmark, the risk analysis showed that the project was unlikely to meet its planned opening date upon which its financial viability was calculated. Mitigating actions and alternative scenarios were considered – leading to significant changes in approach. After these mitigating actions were applied, the risk analysis instead indicated that the bridge could be opened three months early – which it was. This early opening clearly paid for the specialist risk management work.

4. Calculated risks are good

A calculated risk is one where the rewards for success far outweigh the consequences of failure. By raising the ability to manage risks, the project manager is in a good position to take advantage of these opportunities should they appear. A calculated risk in a project context is an identified opportunity that has the potential to fail. It may involve trying a new technology or mentoring a less experienced team member, knowing that it could slow things down or require additional costs, but also knowing that the end result, if successful, would benefit both the current project and future projects.

The graph below represents the spread of risk and associated cost over a project lifecycle. The dark green line shows the number of risks identified and mitigated which (if done properly) will be high during the first defining phase, start to decline during planning, and tail off to nothing during build and delivery. Conversely, the cost to put in place and implement contingency plans starts off low, and increases dramatically if needed during the build and delivery phases of the project. So it is clearly cost beneficial to deal with risk early on in a project.


It is important to actively manage and monitor project risks as a continuous process within the project. Risks need to be classified, analysed and monitored regularly. The project team should also actively communicate with key stakeholders on the project’s risk exposure.

Risk management strategies must be adapted to business needs and risk characteristics

There are four principal strategies to manage risks: acceptance, avoidance, transference and mitigation. The application of these strategies needs to be matched with the characteristics of the risk, the impact and probability of the risk, and the cost associated with the risk management strategy. As shown in the picture, the four strategies change the risk characteristics in different ways. Risk avoidance is about reducing the probability of the risk to zero, whereas risk transference is typically about transferring the impact of the risk to a third party.



Risk avoidance

The ideal approach is to avoid the risk. Unfortunately, this is seldom a cost-effective or attractive action. On the contrary, it is often the most costly form of risk management in terms of benefit realisation.


  • Limit work on a system until out of hours to avoid risk of operational impact
  • Reduce scope to exclude high risk deliverables
  • Utilise a more familiar technology or product

Risk mitigation

Most risks can’t be avoided but must be mitigated within the project. Risk mitigation is about identifying activities and actions that reduce the likelihood or probability of the risk materialising, or about reducing the impact should the risk materialize.


  • Use staging area/more testing/build prototype
  • Use more qualified resources
  • Redundancy planning


Transferring risk is about transferring the impact of the risk to an external party. However, transferring risk is a complex action that needs careful consideration. For a start you cannot properly transfer risk to timescales. You may mitigate the risk if the supplier is in a better position to manage it. However, signing a supplier or contractor up to a fixed timescale does not transfer the timescale risk. If there are clear cost implications associated with any delay, you can transfer these by including damages clauses in the contract, but the actual timescale delay risk still remains.

Transferring cost risk is relatively easily done and is a common practice in the use of fixed price contracts. But even this practice is not fool-proof. An excellent example of this is BP’s experience in the Mexican Gulf. Following the failures that led to the oil leaks, BP initially thought it had transferred the risk to its supplier. However, they were unable to make this stick contractually and ended up with a massive cost impact as a result. This example further highlights that it is extremely difficult to transfer risk to brand and reputation. Attempting to do so can actually increase the risk; by not managing it directly you lose visibility of what management activity is being done and whether it is being done effectively.


  • Lease/subcontract – move liabilities
  • Procurement contracts – fixed price
  • Insurance, warranties, bonds


Acceptance of a risk means that the severity of the risk is low enough that you will do nothing about the risk unless it occurs. Using the acceptance strategy means that the severity of the risk is lower than the risk tolerance level. If this was not the case, it would not make sense to accept the risk. Once the risk occurs, the project will work to fix the problem and move on.

Accepting a risk does not mean that nothing will be done if the risk materializes; it means that something will be done only if it occurs. Many project risks will fall into this category. The cost associated with the risk is less than it would cost to investigate and plan for them.

Proper risk management reduces the number of threats and minimises the effect of those that materialise

All projects are exposed to varying degrees of risk. To secure successful delivery, this risk must be appropriately managed. Proper risk management reduces the number of threats that could materialise into problems and minimises the effect of those that do occur. It also results in more opportunities being captured proactively and turned into positive benefits for the project.

About the author

Guy Cullom is a project consultant at 3gamma with 20 years’ project management experience in the airline and IT industries. His passion and commitment to project excellence combined with a flair for communication have established him as a key mentor of project best practice, helping to deliver 3gamma’s ‘Great Business Deserves Great IT’.
