Intro to Risk Audits in Project Management
Risk is part of any project, of any size, in any industry. The size of risk, and whether it will have a positive or negative impact on the project’s outcome will vary. But there is always risk in any project. Risk Management plans, which include Risk Assessment and Risk Audit activities, are critical tools for project managers. It is important to understand what a Risk Audit is, not only in preparation for Project Management Institute (PMI)’s Project Management Professional (PMP)® exam but as part of executing effective project management.
On this page:
Risk audit in Project Management
PMI defines risk for project managers such that both sides of possible outcomes – good vs bad – are acknowledged. Risk is such an integral part of project management, that it is not only included in the PMP exam content outline but there is a PMI-Risk Management Professional (PMI-RMP)® certification. One must know the definition of risk to build on and understand what a risk audit is.
|Risk||An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.|
|Risk Audit||Examination and documentation of the effectiveness of risk responses in dealing with identified risk and their root causes, as well as the effectiveness of the risk management process. (Source: https://www.projectmanagement.com/contentPages/wiki.cfm?ID=346698&thisPageURL=/wikis/346698/Risk-audit#_=_ )|
Just as an audit for any financial system, software system, or other processes, a risk audit is a systematic review of each step and the outcome of it. Within risk management work, project managers should have defined risks, risk analysis results, risk responses, and risk mitigation results. That data is used to conduct a risk audit. Project Managers should include Risk Audits in the overall Risk Management plan so time to conduct the audit is included. The size of the project will determine the frequency of risk audits (small projects may only need one audit conducted vs a large and/or extended project needing a series of risk audits conducted). Documentation of the results of the risk audit should be kept with other project documentation as it should be part of the project’s final lessons learned and/or postmortem activities.
Why risk audits are important
From the audit, the project manager and team gain insights into the effectiveness of risk management efforts already conducted to apply to the project work ahead. Having an objective risk audit performed at regular intervals throughout a project can help “ensure that your project stays on track and on budget.” A thorough risk audit gives a line of sight into how each project process is performing, especially risk management work. As shared on PMI’s website, “The main idea behind doing a risk audit is for the organization to become more proactive in dealing with risks.”
How risk audits are conducted
Risk audits have a standard approach even if the project merits only one or is large enough to have multiple audits within the risk management plan.
- Identify the risk auditor. The risk audit should be led by a clearly identified person, commonly the project manager of the project, so that all team members know who is leading it. While objectivity is critical to the success of the audit, it is also important for the risk auditor to have a strong background in the project work itself to assess the data (and to know what data is available and where it is located). Depending on project size or budget, and in some cases to bring in a completely neutral observer, companies may choose to hire an external auditor.
2. Interview team members. When auditing a process, there should be input from the team members. Potential questions include:
- Is the team using the Risk Management plan? (If not, why not?)
- Have risk responses been effective? (Why or why not for each)
- Are there new risks not currently on the risk register?
- For each currently identified documented risk, are the probability of occurrence estimates still valid?
- For each currently identified documented risk, are the estimated impact values still valid?
3. Assess the success of risk processes. Establish a rubric and/or scoring guide for the information gathered via interviews. For example, if the goal is for 95% of the team to be following the risk management processes, how many of the project team members answered they knew of the risk management plan? How close to the target of 95%? Be consistent in the scoring guide so it can be used for all risk audits within a project’s lifetime. In that way, trends can emerge, and the impact of changes made following an audit can more likely be determined.
4. Gather documentation. Include any relevant documentation, including but not limited to the Risk Management plan itself, and also Q&A logs, risk register, process documentation, and where relevant, injury or complaint logs. The documentation should be included with the interview data as part of all of the information gathered for the audit.
5. Analyze data. Like the team interviews, objectivity is key in the analysis of the gathered data. The auditor must examine all of the interview inputs and the available documentation to determine for example:
- How many of the success criteria are being met and/or missing?
- How close is the project staying to plan?
- Is the risk management plan serving its purpose in keeping the project on schedule and budget?
- What should continue to keep the project on schedule, and/or what should change to get the project on schedule?
6. Generate the report with a conclusion. Of course, the audit is not complete without capturing the information in a format that can be shared back with the team. Ideally, it can also predict lessons learned for similar future projects.
7. Conduct scheduled audits. Depending on the scope of the project, additional audits should be scheduled. With each, the same process should be used for continuity and consistency within the project’s risk work.
Risk audit, risk assessment, and the PMP exam
There are multiple related tools within the risk management area, and some can seem similar but they serve different purposes. For example, a search of the term “risk assessment vs risk audit PMP” will reveal that the assessment is when looking ahead to determine the probability and impact of a specific risk, but the risk audit is looking back to determine how risk management work is performing within a project underway.
If comparing a risk assessment vs risk audit PMP, know they work together. When reassessing risks, new risks are identified, and current risks are either updated with new information or removed as no longer applicable. Then in the next audit, the results of the reassessment can be evaluated to (hopefully!) capture process improvements.
Outside of the formal project management space, some use the term “risk audit PMP” to capture the significance of the tool. And while there is not a “Risk Audit PMP” in PMI’s lexicon, the risk audit is part of the project manager’s tool kit. Knowing what risk is but failing to conduct strong audits is increasing the risk of your project experiencing missed opportunities or even failure.
Upcoming PMP Certification Training – Live & Online Classes