8

Spread the Word (Reporting)

Risk management is about taking appropriate action in response to identified risks. Unfortunately, the earlier steps of the risk process do not guarantee that those who must take such action possess the necessary information to do so. It is therefore important to include a step for communicating the results of the risk process to the people who need to know. In ATOM this step is called Reporting.

Following the First Risk Assessment on a medium-sized project, Reporting simply combines the outputs from the previous steps into a single risk report. Extracts from this report can be distributed to different stakeholders—for example, the executive summary to senior management, or subsets of risks to individual risk owners. Additional reports may also be necessary, depending on the project reporting cycle or other organizational requirements.

The purpose of the Reporting step in ATOM is to:

•  Document and communicate key results and conclusions from the risk process

•  Inform project stakeholders of the current risk status of the project

•  Ensure that each project stakeholder has the information required to fulfill his or her role in managing risk on the project.

Reporting requires the following inputs:

•  Risk Management Plan, defining the reporting requirements for this project

•  Project communication plan, if available

•  Risk Register containing full details of all identified risks, their assessment, responses, and current status

•  Analysis results following the Assessment and Response Planning steps.

Reporting requires the following activities:

•  Produce the full risk report, first as a draft to be reviewed, then issued in final form

•  Generate extracts and other reports as required

•  Distribute reports to project stakeholders. The Reporting step produces the following output:

•  Full risk report and extracts.

These inputs, activities, and outputs are illustrated in Figure 8-1 and described in detail in the following sections.

Figure 8-1: Flowchart for the Reporting Step

Inputs

The Risk Management Plan defines the project’s reporting requirements. Where necessary, the risk champion refers to the Risk Management Plan to clarify these requirements. The project communication plan, if one exists, should also be consulted, because it may give more details on the precise information needs of project stakeholders.

The risk champion uses the results of the preceding steps in the risk process to generate the risk report and other reporting outputs. Most of these results are captured in the Risk Register, or they may be produced directly from it (either manually or as outputs from the risk management tool), though some additional analysis results may be documented elsewhere. Analysis outputs that are used in addition to the Risk Register to compile the risk report include Probability-Impact Matrices showing both pre-response and post-response assessments, prioritized lists of risks, and various groupings of risks (for example, sorting risks by priority in red, amber, green [RAG] groups, or mapped to RBS or WBS, etc.).

Activities

Based on the defined reporting requirements, the risk champion considers the inputs and compiles them into a full risk report. These inputs commonly include:

•  The full Risk Register, which contains consolidated data on each identified risk, with a clear description of the risk, assessments of current probability and impacts, mapping against the RBS and WBS, an assigned risk owner, an agreed-upon response strategy with actions and Action Owners, assessment of post-response probability and impacts, and the status of the progress of agreed-upon actions

•  A double Probability-Impact Matrix, which shows the current distribution of risks across the grid, allowing them to be prioritized for further attention, based on assessments of current probability and impacts

•  Another double Probability-Impact Matrix, which shows predicted risk distribution based on post-response probability and impacts

•  Two prioritized risk lists, one for threats and another for opportunities

•  Analysis of risk causes, based on mapping identified risks to the various elements of the risk breakdown structure

•  Analysis of risk effects from mapping risks to the work breakdown structure.

If additional analysis is required to generate useful information from the risk data, the risk champion performs such analysis, seeking advice where necessary from other project stakeholders, technical specialists, or domain experts. In addition, the risk champion draws conclusions from the risk data concerning the overall risk exposure of the project, and particular areas where risk is concentrated (either common causes or “hot spots” of effects). Recommendations are also drafted that provide advice and guidance to project stakeholders on the course of action required to maintain effective management of risk, especially if the position has changed significantly since the last report.

Having drafted the risk report, the risk champion submits it to the project manager for review and comment, as well as to provide a “sanity check” that the conclusions are realistic and accurate, and that the recommendations are feasible and appropriate. The project manager should not change any of the report data, but might be aware of additional factors in the project environment that influence the analysis, conclusions, or recommendations.

The risk champion and project manager together agree on any changes to the draft risk report; these changes are implemented by the risk champion, who then issues the report. It is recommended that the full risk report be distributed to the project manager, project sponsor, key project team members, all risk owners, and other key stakeholders.

Depending on the reporting requirements for the project, as defined in the Risk Management Plan, the risk champion may also prepare extracts or subsets of the full risk report and distribute them to other project stakeholders, and may also produce specific report formats as required by the project or organizational reporting process. For example, the executive summary of the report may be extracted for senior management or clients, giving the highlights from the current risk assessment but excluding unnecessary detail. Risk owners may be offered a subset of the Risk Register that contains just those risks for which they are responsible. Risks falling within certain categories may be extracted for distribution to people with an interest in those areas; for example, sending legal risks to the contract manager, or passing the subset of procurement risks to the commercial department.

Outputs

The main output from the Reporting step is a full risk report containing complete information on the results of the current major cycle in the risk process. Figure 8-2 gives a sample contents list for a full risk report, and its various items are outlined in the following list. A range of other report formats and types is possible; the reporting requirement will have been defined in the Risk Management Plan.

•  Executive summary. This section summarizes the key findings, conclusions, and recommendations of the main body of the report. It should be no longer than a single page and should omit unnecessary detail. It should stand alone, meaning that it should not be dependent on references to additional data in the body of the report. The executive summary should be written at a level suitable for senior management and key project stakeholders, since it may be extracted and distributed to this group.

•  Scope and objectives of report. The main purpose of the report is described, highlighting its place in the risk process.

•  Project status summary. This section briefly summarizes the current status of the project, including progress against the project schedule and budget, delivery of products, and major issues that have arisen. This summary sets the context within which the risk assessment was undertaken. Ideally, the summary of project status should be extracted directly from routine project progress reports.

•  Overall risk status. A short summary is presented of the current level of risk exposure for the project. This summary highlights the main areas of risk, plus any significant individual risks, together with planned responses. This section also highlights any concentrations of risk exposed during the categorization analysis, indicating any causes that could give rise to a large number of threats or opportunities, as well as any areas of the project that could be affected by significant levels of threat or opportunity.

Figure 8-2: Sample Contents List for a Full Risk Report

•  Top risks, actions, and owners. In this section, lists of the top threats and opportunities are presented in priority order. Some projects prefer to use a combined list of “top risks,” containing both threats and opportunities, and others like to see a “worst threats” list and a “best opportunities” list. These lists commonly present the “top 10,” but a suitable number should be chosen to ensure that all the worst threats and best opportunities are included. These are discussed in turn in this section, and their causes and effects, planned actions with their owners, and expected changes are detailed. Significant groupings within the top-risk lists are noted, for example, if five of the top threats relate to requirements uncertainty, or if the best three opportunities all concern the same supplier.

•  Detailed risk assessment. This is the main analysis section of the report, where the risk exposure is considered in detail. Discussion includes the numbers of risks in the red/amber/green categories, as well as distribution of risks within the RBS and WBS; examples are given in Chapter 6 (see Figures 6-6, 6-7, 6-8, and 6-9).

Expected response effectiveness is discussed, based on the pre-response and post-response P-I Matrices (see Figure 7-5). The aim is to present all significant findings from the analysis, but not to swamp readers with unnecessary detail. This requires the risk champion to use judgment to determine what is important to include and what can be omitted; the risk champion should draw on the experience of the project manager and other experienced project staff, if required.

There are a number of ways of presenting detailed information. This should be tailored to the specific needs of stakeholders.

•  Conclusions and recommendations. Perhaps the most important part of any report is indicating what its contents actually mean and what action readers are expected to take as a result. This section draws conclusions based on the data within the main body of the report, without introducing any new facts, and presents findings at a summary level rather than simply repeating what is contained elsewhere in the report. Based on these conclusions, the report moves on to develop a series of focused and specific recommendations that respond to the level of risk currently faced by the project. Each recommendation should be written with a sufficient level of detail to be clearly understood and effectively implemented, following the SMART model (Specific, Measurable, Achievable, Realistic, Time-bound). Typically, the number of recommendations should be limited to about 10, to avoid diluting the impact of the report.

•  Appendices. Supporting information is presented in appendices. One of these contains the complete Risk Register, giving full details of every identified risk. It is also common to include a complete list of all risks in priority order. The content of other appendices is optional, depending on the information needs of the recipients.

Summary

The purpose of the Reporting step is to document the results of the First Risk Assessment and communicate these appropriately to project stakeholders in or der to make them aware of the project’s current risk status and give them the information they need to take effective action. Completing this step requires the following activities:

•  Assemble all sources of information on current risk exposure, including the Risk Register and analysis outputs

•  Perform any additional analysis required to understand the information

•  Draft a full risk report presenting this information in a structured way

•  Review the draft report for completeness and correctness, and modify as required

•  Issue risk report to project sponsor, project manager, project team members, risk owners, and other key stakeholders

•  Prepare and distribute extracts, subsets, and additional reports as required.

The First Risk Assessment in the ATOM risk process is followed by the Reporting step, and also leads immediately to the start of Implementation, which is described in the next chapter.