Epilogue: Next Steps
The ATOM process presents a pragmatic perspective on project risk management that was produced by practitioners for practitioners. The emphasis is on what works, with a simple framework and practical guidelines on how to use proven tools and techniques.
This final chapter covers how to take the basic ATOM process out of the book and into practical application in the workplace. It answers the question “Okay, so I’ve read the book—now what shall I do?” A number of steps are recommended, as summarized in Figure E-1. As with everything else about ATOM, these steps are simple, pragmatic, and based on the wide experience of multiple practitioners over many years.
Step 1: Appoint an Organizational Risk Sponsor
One of the key Critical Success Factors (CSFs) discussed in Chapter 2 is a supportive organization. One expression of this is the appointment of an organizational risk sponsor to lead the introduction of risk management into the business. Ideally, this is a senior manager with broad experience across the organization and who is widely respected at all levels. He or she must have:
• A reasonable working knowledge of the risk process and a clear vision of the place of risk management in the organization
• The time and energy to commit to making risk management effective across the business, working with others in the organization as required
• The authority to define and implement the necessary changes and the ability to engage staff at all levels to cooperate with the initiative.
This person’s appointment should be announced widely throughout the organization so people know what is expected of both the organizational risk sponsor and themselves.
Step 2: Tailor the ATOM Process
A main attraction of ATOM is that it is applicable to any project of any size in any industry or business sector, meeting the CSF requirement for a scalable process (see Chapter 2). The ATOM process can be tailored based on project size and is presented here in three versions:
Figure E-1: Recommended Next Steps
1. A reduced ATOM process suitable for small projects, integrating risk activities into the routine management of the project with minimal additional overhead
2. The standard ATOM process for medium projects, adding specific risk activities to the normal project process
3. An extended ATOM process for large projects, using quantitative risk analysis and a more rigorous review cycle to address the increased risk challenge.
However, projects come in all shapes and sizes, and expecting them all to fit neatly into three categories is somewhat simplistic. As a result, most organizations will find it necessary to customize ATOM to meet their particular needs, though some will be able to apply the small, medium, or large versions directly.
Tailoring the ATOM process requires a review of the types of projects typically undertaken by the organization. A standard project sizing tool should be developed (as described in Chapter 3) and used to assess a wide range of previous projects. This gives an indication of the distribution of projects between the ATOM categories of small, medium, and large. The version of the ATOM process corresponding to the largest concentration of projects should be used as a starting point for a tailored risk process. For example, if 70 percent of the organization’s projects are in the small category, that should form the basis for the tailored process.
Starting from one of the three ATOM variants, the process is reviewed by a representative group of project stakeholders led by the organizational risk sponsor, and process modifications are made as required. These might include changing some of the techniques recommended in the standard ATOM variant, or modifying the reporting requirement, or making specific role allocations for the risk process. This should result in production of an organization-specific risk management process based on one of the three versions of ATOM, but reflecting the needs of most of the projects most of the time. This tailored process can be used as the baseline for managing risk in the majority of projects, though the organization should aim to have all three variants available to deal with their small, medium, and large projects.
Having customized the ATOM process in this way, a set of process documentation is produced following the organization’s documentation standards.
Step 3: Pilot Application
The tailored version of the ATOM risk process should be piloted on a typical project to validate its appropriateness, demonstrate its applicability to the specific business of the organization, and deliver the benefits to the pilot project. The process can then be refined in light of the pilot experience. The pilot project should be carefully chosen to be representative of the majority of projects undertaken by the organization. It is important to ensure the full commitment of all project stakeholders in using their project as a pilot for the risk process, because lack of buy-in can jeopardize a successful implementation. A short briefing for project stakeholders from the organizational risk sponsor is useful for introducing the process, clarifying the tools and techniques to be used, and emphasizing the importance of the pilot.
Facilitating the risk process on the pilot project might require external support, perhaps from other parts of the organization skilled in risk management, or from outside consultants.
The pilot project should implement the tailored risk process in full, following the process documentation closely. All project stakeholders are encouraged to take a full and active role in the process, and to note any areas of difficulty that might require modification after the pilot stage is complete.
Step 4: Modify Process (If Required)
At the end of the pilot project (or at a suitable interim milestone), the organizational risk sponsor conducts a review meeting, which is attended by key project stakeholders. At this meeting, attendees review the tailored ATOM risk process as actually implemented on the pilot project, and the organizational risk sponsor considers all comments from those involved. If possible, decisions are made at the meeting regarding required changes to the risk process. Following the review meeting, the organizational risk sponsor settles any outstanding issues, and then ensures that agreed-upon changes are incorporated into the process documentation.
Step 5: Develop Infrastructure
Once the tailored ATOM risk process has been piloted and reviewed, and any agreed-upon changes have been fully documented, the organization must ensure that the infrastructure necessary to support the risk process is provided. Chapter 2 indicates that appropriate methods, tools, and techniques are another CSF for effective risk management, and these must be present if implementation of the risk process is to work.
A key area of infrastructure is the provision of software tools to support the various steps of the risk process. As discussed in Chapter 2, a prerequisite for this is determining the level of implementation required by the organization, which is decided via the pilot project step. For a simple implementation, the organization might decide to support the risk process using basic spreadsheets and risk databases. More complex implementations might justify purchase of a dedicated risk software package, though this should be done with care, considering selection criteria in advance (including those outlined in Chapter 15 for quantitative risk analysis tools) and scoring each candidate package against the requirement. The organizational risk sponsor decides which tools are appropriate and arranges for their provision.
Another important aspect of infrastructure is developing suitable templates for the risk process. ATOM provides a range of generic templates (see Appendix) that can either be used directly or be modified to meet the specific requirements of the organization’s tailored risk process. The organization should produce a range of templates, including the following:
• Risk Management Plan
• Risk Register
• Risk checklist
• Risk breakdown structure (or prompt list)
• Risk reports.
These templates should be made widely available for use by all projects across the organization, perhaps via an intranet or shared knowledge database.
Having decided on tools and templates, attention must be given to how these will integrate into other systems and processes, particularly those used for routine project management. It is important for risk management to be a fully integrated part of how projects are managed. The interfaces between the risk infrastructure and the rest of the project support system largely determine how successfully this is achieved.
Step 6: Train Staff
The final CSF detailed in Chapter 2 is the need for competent people to perform the risk process, operate the tools and techniques, and make appropriate risk-based decisions. Staff training is thus an important element of implementing a tailored ATOM process. This training should be developed specifically around the organization’s customized ATOM process.
A variety of stakeholders participate in the risk process, and each requires a different type of training. A multilayered training program should be developed, with targeted messages to each stakeholder group at a range of levels depending on their responsibilities within the risk process. This might include different types of training for senior managers (benefits awareness), project/program managers (risk process management), project team members (risk process implementation), and risk specialists such as risk champions and risk analysts (risk skills training). Ongoing mentoring and coaching may also be necessary to resolve issues as they arise and to provide implementation assistance.
If the organization has in-house training capability, it should be engaged to provide the required training; otherwise, suitable external support should be sought.
Step 7: Assess Existing Risk Management Capability
Prior to full implementation and rollout of ATOM, the organization assesses its existing level of risk management capability and maturity. This assessment provides a baseline against which improvement in the organization’s ability to manage risk will be measured.
Several tools are available to assess general project management capability, and some of these include project risk management. It is better to use a specific risk management assessment framework, such as the Risk Maturity Model (RMM). This model assesses the project risk management capability of an organization against four attributes (culture, process, experience, application) and places the organization on a spectrum with four levels of maturity (naïve, novice, normalized, natural). A similar assessment can be conducted for subsets of the organization, such as a department or project team.
This assessment of organizational risk management capability and maturity is used to define the starting point for introducing ATOM into the organization, and the assessment is repeated afterward to demonstrate the results of the implementation.
Step 8: Implementation and Rollout
The agreed-upon customized ATOM risk process as documented within the organization’s quality system is then implemented on all projects and across the business, led and supported by the organizational risk sponsor, who notes early experiences in order to capture lessons to be learned and enable ongoing development of the process.
A structured communication campaign is recommended, led by the organizational risk sponsor, taking the message of project risk management throughout the organization, and encouraging everyone to play their part. The specific details of this campaign depend on the nature of the organization, but it should focus on sharing the principles, processes, and benefits of the adopted approach to managing risk on projects. It might include some or all of the following components:
• Senior management awareness briefings
• Road show presentations
• Articles in company publications and newsletters
• Items on the organization’s external website and intranet
• Workplace posters and leaflets
• Special promotions.
During the rollout, it should be emphasized that the organization wishes to continue to learn as progressively more experience is gained in implementing risk management on various projects. A feedback mechanism is put in place to receive constructive criticism and positive suggestions for improvement from staff who are starting to use risk management on their projects. The organizational risk sponsor ensures that all feedback is considered and acted on appropriately, and that originators of suggestions are kept informed of the progress of their comments.
Step 9: Reassess Capability and Refresh Process
After a period of implementation (perhaps 6 to 12 months), the level of risk management capability and maturity is reassessed, using the same framework described in Step 7, in order to demonstrate improvements and indicate areas requiring continued attention. Immediate adjustments are made as required to ensure maximal risk management effectiveness, with consequential changes to risk procedures, tools, templates, and training.
In addition, it is recommended that every organization refresh its approach to risk management after approximately two to three years to ensure that staff remain motivated and committed to proactive management of the risks facing their projects. The organizational risk sponsor leads a structured review, addressing all aspects of risk management on projects (and possibly more widely), and identifying areas requiring adjustment or improvement. For example, new risk techniques or refresher risk training for key staff might be considered.
Conclusion
While a simple scalable process such as Active Threat and Opportunity Management (ATOM) offers a robust framework for management of risks on projects, any organization serious about risk management needs to do more than just blindly follow a process. The steps outlined in this epilogue assist in applying the generic ATOM approach to the specific risk challenges faced by a particular organization.
Risk management is not difficult, because it is simply structured common sense. By taking the steps described here and implementing ATOM across the full range of projects conducted by the organization, the undoubted benefits of effective risk management can be reaped, leading to increased predictability of project outcomes, more successful projects, enhanced customer satisfaction, improved team motivation, reduced waste, increased profit, and clear competitive advantage. ATOM offers the means to manage project risk and meet the challenge of uncertainty; using it guarantees improved success.