Where do you go once your organization has good risk managers, good risk governance, and a strong risk management program? That’s not an easy question to answer, particularly because so few organizations have the magic combination of good risk managers, governance, and programs. Most fall short. But what’s compelling is that organizations are looking for the “next level” without completing the ground floor.
Despite the years and years of effective risk practice available and waiting, organizations (including the Project Management Institute [PMI]) are looking for new, different, and inventive ways to effectively implement risk practice. That raises the question of whether the basics have been addressed first.
In the Guide to the PMBOK, 3rd Edition, PMI has dropped some of the fundamental practices (such as the Program Evaluation and Review Technique [PERT]) in favor of newer techniques and practices in an effort to energize the practice.
The new edition emphasizes tools that have been characterized in other ways in an attempt to rediscover best practice. For example, for years, the Software Engineering Institute has explored risk through a taxonomic process, which now has a close cousin in the latest PMBOK Guide: the risk breakdown structure.
There is a significant allure for things that are new and unfamiliar. Project organizations continue the quest for better practice through a proliferation of different tools. Risk models (PMI’s OPM3, George Washington University’s PMPM Model), software tools (Risk Radar, PERTMaster), risk guidelines, risk templates — all hold the promise of improving our risk practice. But the question remains as to whether or not these newer or less heavily applied tools will serve as the panacea for our risk concerns.
Risk taxonomies, breakdown structures, models, software tools, templates, and guidance all share a common foundation. They all require a basic understanding of what risks exist, what the organization can tolerate, and how the organization prefers to deal with risk. Before we can stride to the “next level” of risk practice, the basics need to be in place and implemented effectively. In order to test whether your organization is truly primed to try more advanced practices, consider the fundamentals: