Your projects have risk management plans and you may even be running simulations on particular risks identified by the project team.
But do project managers in the organization routinely include implicit risk in their plans?
Explicit risks are the obvious ones: the risk events that might happen and have the potential to cause problems for the project. These are the risks identified, analyzed and controlled through a risk register and active management plans.
Implicit risks are slightly harder to spot. They are the kinds of things that could cause uncertainty – and potentially trouble – for the project, but they stem from the way the project is set up and the environment it operates in. For example, the project context, decision-making structure, and the framework chosen to run the project could all cause implicit risks.
When do you identify implicit risk?
As implicit risk relates so strongly to the context of the project and the decisions around how it will be run, it’s most useful to spend time thinking about potential problems before the project starts.
Make an effort to identify risks that may happen as a result of decisions being made in the kick off and initiation stages of the project.
If the project’s context changes, for example, the team switches management approach, there’s a significant change in the people who make up the team, the organization’s strategic direction changes or something similar, then revisit the risks to see what affect that might have.
What are some examples?
Before you can actively manage implicit risk, you first have to identify it.
Here are some examples of implicit risk:
- The project management method, framework or approach chosen, especially if it is new to the team or the organization
- The use of new methods, templates or tools to manage the project
- The make up of the project team and whether they are co-located or virtual
- The choice of project sponsor, especially if the person in post has not sponsored projects before
- The governance framework for the project
- The political or economic climate in the country where the project is happening
- The complexity of scope and the method used to elaborate scope.
Help the team look at the bigger picture and try to spot assumptions or choices that might introduce risk. The common thread is that all implicit risks have the potential to affect the whole project.
How do you identify implicit risk?
Identifying implicit risk is really no different to identifying project-specific explicit risk. Common risk management techniques include holding workshops and interviewing key stakeholders and subject matter experts.
There are frameworks that act as a conversation starter in those meetings. You may have come across PESTLE (political, economic, social, technological, legal and environmental – often used with the addition of an extra ‘E’ for ethical) or similar ways of categorizing risk.
Other categories that could be useful for your organization’s approach to grouping risk include:
- Socio-cultural/Cultural
- Competitive
- Regulatory
- Commercial
- Operational
It’s often helpful to have a risk category per business division or department as well.
Write the categories on flip chart paper and ask small groups to brainstorm risks for each category, moving around the room (virtual or in-person) until they have had a chance to comment on each of the categories.
Managing implicit risk
The approaches used to manage risk don’t change, regardless of whether the risk is identified as implicit or explicit. You’ll still want to do a full analysis, understand the implications and build an appropriate management plan. Then someone will have to take ownership for completing the management plan and continually monitor the risk.
However, implicit risks can have wider-ranging and more substantive impacts on a project. It is often worth prioritizing these risks in reporting and management efforts because they have the potential to create significant disruption.
For example, let’s say you are starting a new project for a client and they insist on using an agile framework, despite neither of you having any experience in agile delivery. There are risks to the project as a result, including the potential for miscommunication and poor governance, and tasks taking longer as the team adjusts to new ways of working.
Your risk management plan would need to address that: in this example, perhaps by recruiting someone who could lead the agile effort and coach the team. You could remove the risk entirely by choosing not to take on the project, but that has commercial implications. As you can see, each risk has multiple management options, and it’s through discussion and analysis that you’ll agree the best approach for your particular situation.
The standard approaches to managing risk also work for implicit risk, so once the potential problems have been identified, your team can manage the risk in the same way they would any other.
Risk management is an integral part of how project governance operates within the organization. As well as managing risks related to individual tasks or events on the project, the team also needs to take a good look at the context for the project to spot anything else that might cause a problem later on.