11
Ongoing Updates (Minor Reviews)
The ATOM process uses a series of reviews to ensure that the project team and key stakeholders have the latest current risk information to support effective management of the project. These reviews are conducted periodically throughout the lifetime of the project, with Major Reviews taking place at key points and significant milestones (as described in Chapter 10). It is usually insufficient, however, to rely just on the First Risk Assessment followed by periodic Major Reviews, so the ATOM Minor Review provides an opportunity to update the assessment of risk between Major Reviews. Minor Reviews are carried out at regular intervals throughout the project and in line with the project’s normal progress review and reporting cycle, which occurs monthly on the typical medium-sized project.
Since there is often a considerable period of time between the First Risk Assessment and the first Major Review, the First Risk Assessment is usually followed about a month later by a Minor Review.
A Minor Review is conducted in the context of a formal meeting that usually lasts about half a day. The meeting takes place either as part of a routine project progress meeting or as a stand-alone meeting. During a Minor Review, most of the same tasks are performed as during a Major Review, though at a lower level of detail.
The aim of the ATOM Minor Review is to:
• Review the most significant current risks (all red risks, plus amber risks if time allows), and all draft risks raised since the last formal review
• Identify new risks
• Update the Risk Register
• Produce a summary risk report and periodic reporting information for project progress reports and progress meetings.
To do this, the following inputs are required:
• The reporting cycle for the project, as set out in the project management plan
• The Risk Register containing details of all risks (current and draft), including:
• Risk owners and agreed-upon response strategies
• Action owners and agreed-upon actions
• Current status of each risk
• An overview of the current status of the project
• Risk management tool (spreadsheet, database, or proprietary software).
A Minor Review involves the following activities:
• Pre-meeting preparation
• Risk review meeting, the goal of which is to:
• Review the most significant current risks
• Review all draft risks
• Identify and assess new risks
• Update the Risk Register
• Post-meeting actions, during which:
• Risk owners liaise with action owners to refine new responses and develop new actions
• Risk owners liaise with risk champion to provide details of refined responses and new actions
• Risk champion updates the Risk Register and produces a summary risk report
• Risk champion liaises with the project manager to add any new activities to the project plan
• Project manager considers the need for change control as required
• Project manager communicates escalated risks to the appropriate part of the organization or person, if known.
A Minor Review produces the following outputs:
• Updated Risk Register containing the latest information and status of all risks
• Modified and new actions to be implemented
• Summary risk report
• Inputs to project review meetings and periodic project reports
• Further activities in the project schedule that relate to risk actions.
These inputs, activities, and outputs are illustrated in Figure 11-1 and detailed below.
Inputs
The project progress review and reporting cycle is usually described in the project management plan. Routine risk activities such as Minor Reviews are incor porated into this cycle to ensure that risk management is seen as an integral part of the overall project management process.
Figure 11-1: Flowchart for Minor Review Step
The Risk Register contains a complete set of data for each identified risk, including risk owners, action owners, and the current status of each risk. In addition, any risks identified since the last risk review will be included in the Risk Register with draft status.
A key input to the Minor Review is an overview of the current status of the project, which is provided by the project manager, indicating changes to the project that could directly affect existing risks.
As in previous steps, it is assumed that a risk management tool is used to support the ATOM risk management process and that this tool will be available when required.
Activities
The Minor Review is conducted through a risk review meeting, which requires a number of pre-meeting activities and post-meeting tasks. The risk champion is responsible for either performing these activities or ensuring that they are carried out by others (e.g., risk owners), and he or she usually facilitates the risk review meeting.
PRE-MEETING PREPARATION
The project manager, risk champion, other members of the project core team (usually those who report directly to the project manager), and all risk owners attend the risk review meeting. The project sponsor is also invited, though his or her presence is not mandatory.
In preparation for the meeting, a formal agenda is prepared and circulated to all attendees; Figure 11-2 illustrates a typical agenda for a half-day risk review meeting. In addition to the meeting agenda, risk owners receive a prioritized list of all the active risks for which they are responsible, which should be automatically available from the risk management tool. Risk owners should review their risks in advance of the meeting and be prepared to comment on the current status of each one.
The risk champion also prepares a prioritized list of all active and draft risks for review at the meeting.
Figure 11-2: Sample Agenda for a Half-Day Risk Review Meeting
THE RISK REVIEW MEETING
The risk champion facilitates the review meeting and addresses the following topics.
Introductions If the risk review meeting takes place as part of a routine project progress meeting, the risk champion will not need to set the scene because this will have been done by the project manager earlier in the meeting. If the risk review meeting is stand-alone, the project manager gives a short commentary on the current status of the project, highlighting progress to date and any current issues or problems.
Review Red Risks The ideal Minor Review aims to review all active red and amber risks, but in many circumstances time constraints make this impossible. As a result, the risk champion uses the prioritized list to structure the review, starting with red threats and moving on to red opportunities. All red risks must be addressed during the meeting; amber risks may also be considered if time allows.
For each risk, the following must be reviewed:
• Current status. If a risk is no longer active, the risk owner explains its current status and why or how this has occurred.
• Current probability and impact. The probability and impacts of active risks are reassessed, taking into account the effects of any completed or in-progress actions, any changes to the project, and the overall project status.
• Action status. The risk owner reports on the effectiveness of planned actions in addressing each of their risks. If these actions are not affecting risk exposure in the expected way, the risk owner addresses them with action owners immediately after the risk review meeting.
Review Draft Risks The meeting participants next consider all draft risks raised since the last formal review, as well as any secondary risks. These are confirmed as either active, rejected (if they are duplicates of existing risks), or non-risks. Rejected risks are recorded in the Risk Register but not considered further. Risks with impacts outside the project scope are marked as escalated and are passed by the project manager to the appropriate part of the organization or person, if known.
For draft risks raised to active status, the risk description and assessments of probability and impacts are confirmed, a risk owner appointed, and a response strategy and initial actions with owners agreed upon. Each element of this data is reviewed during the meeting and amended if necessary.
Identify New Risks Identifying new risks is an important part of the risk review meeting, although it is anticipated that relatively few new risks will actually be identified. The risk champion, as facilitator of the meeting, leads a discussion to identify new risks. For each new risk, the meeting will:
• Allocate a unique risk identifier based on the project risk breakdown structure
• Clearly and unambiguously describe the risk using the risk metalanguage
• Assess probability and impact using the scales defined in the Risk Management Plan
• Appoint a risk owner and agree on an initial risk response strategy with initial actions
• Determine the post-response assessment of probability and impacts.
Review Amber Risks If time permits, amber risks are reviewed, concentrating on:
• Current status
• Current probability and impact
• Action status.
Update the Risk Register The risk champion ensures that the Risk Register is updated with the current status of each risk. This can be done during the risk review meeting or immediately afterward.
Close Meeting The risk champion closes the meeting by summarizing the outputs and notifying attendees when the next risk review meeting will take place.
POST–RISK REVIEW MEETING
Immediately following the risk meeting, risk owners liaise with action owners to refine any new responses, revise existing actions, and define new actions. The risk owner communicates these changes to the risk champion. The risk champion, in discussion with the project manager, ensures that new actions are added to the project schedule as planned activities and are resourced and budgeted for accordingly. The project manager considers the need for change control as a result of these additional project activities. The project manager also communicates escalated risks to the appropriate part of the organization or person, if known.
If the Risk Register was not updated during the risk review meeting, then the risk champion makes sure this is completed prior to producing the summary risk report.
Outputs
The main output from the Minor Review is an updated Risk Register containing full details of all risks, including current status and action progress. Actions arising from the Minor Review feed into the Implementation step (see Chapter 9).
A further output is a summary risk report, which is prepared by the risk champion and presents the results of the risk review meeting. Figure 11-3 gives a sample contents list for a summary risk report, and the various items are outlined below.
• Executive summary. A summary of the results of the Minor Review is given, in no more than one page.
• Scope and objectives of report. The purpose of the Minor Review is described, highlighting its place in both the risk process and the overall project reporting cycle.
• Overall risk status. A short summary is presented of the current level of risk exposure for this project.
• Top risks, actions, and owners. This section lists the top threats and top opportunities in priority order, often as a “top 10,” although all the worst threats and best opportunities are listed. These are discussed, including analysis of causes and effects, planned actions with owners, and expected changes.
• Changes since last review. It is important to communicate whether the risk exposure has improved or worsened since the last review. This section of the report highlights changes, presenting metrics such as the numbers of risks closed or deleted, how many threats have impacted the project, how many opportunities have been realized, the number of new risks raised, etc. See Figure 10-5 for example outputs.
• Conclusions and recommendations. This section presents conclusions at a summary level, together with key recommendations.
• Appendix. The complete Risk Register is included, listing full details of every active risk in priority order.
Figure 11-3: Sample Contents List for a Summary Risk Report
Having drafted the summary risk report, the risk champion submits it to the project manager for review and comment to ensure that it is a true summary of the risk review meeting. The risk champion and project manager together agree on any changes required to the draft summary risk report; the risk champion implements these changes and then issues the report. The summary risk report is distributed to the project manager, project sponsor, key project team members, all risk owners, and other key stakeholders.
Additional outputs from the Minor Review include inputs to project review meetings and periodic project reports, most likely in the form of customized outputs from the Risk Register. The project manager, in consultation with the risk champion, determines exactly which reports are prepared. The use of an appropriate risk management tool enables the production of information as and when required, and in the format required.
Summary
A Minor Review ensures that the risk process is maintained throughout the project, updating the Risk Register between Major Reviews to reflect the current risk exposure of the project. The Minor Review includes the following activities:
• Prepare for and facilitate a risk review meeting.
• Review all current red risks and newly raised risks to determine their status. Amber risks will be reviewed if there is sufficient time.
• Identify, describe, and assess new risks, appoint risk owners, and develop responses.
• Update the Risk Register.
• Revise and define risk actions and appoint action owners.
• Update the project plan to take into account risk actions.
• Draft and distribute a summary risk report and other information needed for project reporting.
Minor Reviews are undertaken regularly between Major Reviews at the frequency set out in the Risk Management Plan. They are repeated until project closedown, at which time a Post-Project Review is undertaken, as described in the next chapter.