
The Ten Commandments of Project Risk Management

There are ten commandments in the Old Testament and ten amendments in the U.S. Bill of Rights. Eight of the ten are negative, in the sense that they tell people what not to do. Similarly, in project risk management there are more things you should avoid doing than things you should do. I have come up with a list of ten commandments for project risk management:

  1. Thou shalt conduct quantitative risk analysis for cost and schedule. Risk must not be ignored, and a qualitative treatment is not sufficient.
  2. Thou shalt not use risk matrices for cost and schedule risk analysis. The use of risk matrices tends to result in a significant underestimation of risk.
  3. Thou shalt not rely solely on S-curves/confidence levels/percentile funding for risk measurement. Doing so ignores the significant risks lurking in the tails of the distribution.
  4. Thou shalt not rely on a non-existent portfolio effect. There ain’t no such thing as a free lunch, and there ain’t no such thing as a portfolio effect either. True portfolio risk analysis must be conducted, there is no shortcut.
  5. Thou shalt avoid the use of Gaussian and triangular distributions (except in those instances where it is applicable). The Gaussian, or normal distribution, is anything but normal when it comes to project risk management.
  6. Thou shalt not confuse mild risks with wild ones. Events with wild risks, such as pandemics, require different risk management than mild risks, such as the risk of drowning.
  7. Thou shalt not put all risk reserves on contract. Risk reserves need to be carefully guarded to keep a project manager or contractor out of the proverbial cookie jar. Applying extra money or time without careful consideration wastes resources.
  8. Thou shalt jointly consider cost and schedule risk. The joint analysis of cost and schedule has been successfully used by NASA for over a decade. In my own experience, my joint analysis of cost and schedule risk enabled me to accurately estimate a $500 million program.
  9. Thou shalt provide quantitative risk management, not just risk measurement. Confidence-level funding only provides a gauge of when things have gone wrong; it gives no guidance on how large the reserves must be when cost increases dramatically or the schedule slips significantly. Measures that answer that question exist and should be used; examples include semi-deviation and expected shortfall.
  10. Thou shalt work with engineers to incorporate technical risks. Not including these risks is akin to developing a cost or schedule estimate without using any program information.
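As an added illustration of commandments 3 and 9 (this is not code from the post or the book): two constructed cost-outcome samples give exactly the same 70 percent confidence-level funding, yet the heavy-tailed one carries far more risk, which expected shortfall and semi-deviation expose and the percentile alone does not. The sample values and the semi-deviation convention are assumptions made for this example.

```python
import math

# Constructed cost outcomes ($M), not data from the post: same median and
# same 70% confidence level, but the "wild" sample carries a heavy upper tail.
MILD_COSTS = [80, 85, 88, 90, 92, 94, 95, 97, 98, 100,
              102, 104, 106, 109, 111, 113, 115, 118, 121, 125]
WILD_COSTS = [80, 85, 88, 90, 92, 94, 95, 97, 98, 100,
              102, 104, 106, 109, 113, 118, 125, 140, 170, 226]


def confidence_level_funding(costs, pct):
    """The S-curve reading: cost at the pct-th percentile (nearest rank)."""
    if not 0 < pct <= 100:
        raise ValueError("pct must be in (0, 100]")
    ordered = sorted(costs)
    rank = -(-pct * len(ordered) // 100)  # integer ceiling of pct*n/100
    return ordered[rank - 1]


def expected_shortfall(costs, pct):
    """Average cost over outcomes at or above the pct-th percentile:
    'if we do exceed the funded level, how bad is it on average?'"""
    level = confidence_level_funding(costs, pct)
    tail = [c for c in costs if c >= level]
    return sum(tail) / len(tail)


def semi_deviation(costs, target=None):
    """Overrun-side semi-deviation about target (default: the mean).
    Assumed convention: squared overruns averaged over all n outcomes."""
    if target is None:
        target = sum(costs) / len(costs)
    overruns = [(c - target) ** 2 for c in costs if c > target]
    return math.sqrt(sum(overruns) / len(costs))


def reserve_gap(costs, pct):
    """Average shortfall of the funded level when it is exceeded."""
    return expected_shortfall(costs, pct) - confidence_level_funding(costs, pct)


if __name__ == "__main__":
    for name, costs in (("mild", MILD_COSTS), ("wild", WILD_COSTS)):
        print(f"{name}: P70 funding={confidence_level_funding(costs, 70)} "
              f"ES70={expected_shortfall(costs, 70):.1f} "
              f"semi-dev={semi_deviation(costs):.1f} "
              f"gap={reserve_gap(costs, 70):.1f}")
```

Both samples fund at 109 at the 70 percent level, but the expected cost once that level is exceeded is 116 for the mild sample and 143 for the wild one, so a reserve sized from the S-curve alone is short by roughly five times as much in the wild case.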

If you find these ideas interesting, check out my book, Solving for Project Risk Management: Understanding the Critical Role of Uncertainty in Project Management, which is now available for pre-order from Amazon and Barnes & Noble in both hardcover and e-book versions. You can see the table of contents and read the first chapter for free here: https://bit.ly/3ggPZK2