Don’t limit risk management to projects

Plea for embedded risk management in organisations.

Do you know projects that are not subject to change? No?, then we should talk about risk management. Governance and project management introduce risk management in various configurations within various branches as an important tool to have ‘control’. It works, but is no magic wand.

Time and budget will still be exceeded sometimes. Look at large infra projects. Also smaller projects that are executed daily in organisations, know this problem. The question arises what is needed to control projects. Risk management can support in this matter.

Control is a subjective notion, not an objective one. Total control is Utopia! Still risk management is the instrument to contribute largely to controlling a project. To be effective however change is necessary. Risk management should not be focused on negative events (threats) only but also on positive events (chances). It should connect to corporate initiatives and more focus should be given to a sound risk management culture, trust! Trust both between principal and contractor as within the project team.

Standard approach

The urge to control projects is increasing and the perception of control is decreasing. Steering is done on the execution of all activities in accordance with the assignment and the agreed project plan. More and more standard project methodologies are being used, like PRINCE2. These methodologies are characterized by a process approach of project management. The processes define the management activities that are executed during the project and they identify certain components that are executed within those activities. Examples are ‘controls’ en ‘management of risk’. The controls should guarantee the possibility for the next higher management level to:

– monitor project progress;
– compare results to the project plan;
– review plans against future events;
– detect problems;
– initiate corrective action and
– authorize consecutive actions.

Risk management is in place to ensure that threats have none or limited effect on the assignment and the agreed project plan. Risk analysis and risk control are being used as instruments.


This shows that within PRINCE2 risk management goes in one direction. An initial analysis is in place, but after implementation of the counter measures no fresh analysis is performed. Unless this is hidden in the ‘control’. Not repeating the risk analysis is a phenomena that is often encountered in projects. It shows the immaturity of this process in a methodology that is increasingly being used and is considered to be the ‘standard’ in many organizations.

This limited approach of control (all activities are executed in accordance with the assignment and the agreed project plan) also has another disadvantage. The possibility to benefit in a creative way from opportunities that occur in the course of the project and could be advantageous to realize the project goals, is limited. Implementation of risk management in this way does not facilitate identification and employing opportunities.