With COVID-19 pandemic rapidly spreading throughout the globe and almost bringing everyone’s life to a standstill with businesses closing-down and employees forced to stay-at-home because of local or federal guidelines, it is imperative to assess the impact of these unprecedented conditions on the on-going, projects, programs, and portfolios.
According to the World Health Organization (WHO), there are 4,347,935 confirmed COVID-19 cases, including 297,241 deaths reported globally as of May 15, 2020, 05:09 PM CT. So almost all the business sectors have been affected by this pandemic and the companies had to implement urgent policies such as remote work, limiting employee travel, furlough, or termination.
In these situations, the first thing that is recommended for every organization either private or public sector is to focus on a business continuity plan to mitigate the impact of this tragic event and ensuring all the critical business functions can operate without any issues. A critical part of coming up with an effective business continuity plan is the Risk assessment and management of the organizational level risks, followed by the portfolio, program, and projects.
In this blog post, I will solely focus on the project risk management and things project managers can keep in mind to assess the impact and plan the effective mitigation and contingency plans.
The project managers possibly would not have captured the risks related to the pandemic affecting their projects in their risk register as these are so unlikely to occur. So, most likely, none of us could have had a mitigation or contingency plan in place prior to such an unlikely event.
Below are the few aspects project managers can keep in mind while performing the risk assessment;
1. Update Risk Register – First and the foremost task is to identify all risks that could impact the project because of COVID-19. Below are the few examples;
- Impact on project timeline due to unavailability of internal and/or external resources
- The productivity of the team while working remotely
- Data security risk while the resources are working remotely
- Missing deadline for any Regulatory compliance and/or legislative mandates
- Impact to user acceptance testing and training plans where a multitude of stakeholders are involved
- Availability of virtual meeting tools and video conferencing
- Impact on any on-going contracts and the associated deadlines
- Strategic importance and viability of the project to the overall organization
- Availability of project funding
- Impact of local and federal guidelines to the work environment
Risk description should be written in a way that is clear, easy to understand and concise. The recommended way to write the risk description is to start with IF… the risk happens, THEN.. what will be the consequence?
Let’s take one of the examples from the potential COVID-19 pandemic related risks listed above and draft the risk statement;
“If the regulatory compliance or legislative mandate deadline of August 31, 2020 is not met, then the organization could face legal issues or loss of funding“
2. Analyze the risks – After documenting all the possible risks, it is really crucial to analyze each risk and assigning the individual priority, probability and consequence. These can be characterized into Low (1), Medium (2) or High (3). I’ll take one of the example from the risk identified above;
Risk related to regulatory compliance and legislative mandates – Does the project have any upcoming regulatory, legal or legislative compliance deadlines?
Estimate the Priority, i.e., review and determine the timing of actions that may need to occur sooner than other risks. The risks with greater impact and urgency should have a higher priority. In case of the example above, if there is an upcoming regulatory or legislative mandate deadline, that could be in jeopardy, the priority of this risk can be High (3).
Estimate the Probability, i.e., likelihood the risk will occur. In our example, if the likelihood of missing the compliance deadline is certain, the probability can be considered High (3).
Estimate the Consequence, i.e., determine the impact or cost to the project should the risk is realized. In our example of compliance, if the impact of not meeting the compliance is a significant fine or legal issue, the consequence can be High (3) as well.
Calculate the project’s Overall Risk Factor using the formula below. It is based on the Priority, Probability, and Consequence of the risk.
For our example, the overall risk factor will be 5 which would require us to take immediate action. The table below provides the recommended approach for different risk levels.
| Risk Factor (RF) | Overall Risk Level | Recommended Approach |
| RF ≤ 2 | Low risk level | Team should monitor the risk but not invest significant resources into response planning. |
| RF = 3 | Medium risk level | A risk response plan should be prepared, in case the risk increases in probability or consequence. |
| 3< RF ≤ 5 | High risk level | Immediate action should be taken to implement the risk response plan. |
3. Risk response strategy and planning – Based on the overall risk factor, the next step in the process is to finalize the strategy and plan the team’s strategy if the risk were to be realized.
The following four types of strategies can be used for each individual risk;
- Avoidance is a preventative-type strategy whereby the project team can act to eliminate the threat or protect the project from its impact.
- Transference is shifting some or all of the negative impact of a threat, along with ownership of the risk, to a third party. Transferring the risk simply gives another party responsibility for its management.
- Mitigation is also a preventative-type strategy deciding to lessen the probability that the risk will occur or lessening the impact if the risk does occur. Without early identification and planning, this risk response option may not be available.
- Acceptance is agreeing to accept the consequences and impact of a risk occurrence. Active acceptance involves preparing a plan (schedule or budget) or identifying workarounds for the risk event. Conversely, passive acceptance simply involves monitoring until a risk event occurs and then dealing with the result after-the-fact.
In our example regarding the regulatory compliance, Avoidance, or Mitigation might only be the two viable options, if the risk is not already realized. In this case, we will go with the mitigation strategy and document the plan to lessen the probability for the risk to occur.
Once the strategy is finalized and selected, the team should document the plan to support the strategy. In our compliance-related example, we will put forward a mitigation plan to add additional resources to the team to meet the regulatory or legislative deadline. The plan should include triggers (when should this plan be implemented), actions to be taken, timeline, resources needed, cost and any other expected impacts associated with the plan.
An example mitigation plan for the risk related to regulatory and legislative compliance deadline;
“If the system development effort related to the legislative mandate is not completed by June 30, 2020, we will plan to add 2 additional developer resources for next two months to meet the critical legislative implementation deadline of August 31, 2020 with the additional cost of $40,000 to be used from the project’s contingency reserves.”
Below is the direct download link to the risk, issue and decision register template with all the relevant columns, formulas, and dropdowns.
Risk, Issue, and Decision Register – Template
4. Risk Monitoring and Controlling – Each risk should be assigned a risk owner who should be responsible for risk monitoring activities throughout the life-cycle of the risk and can look out for the following;
- Has the risk owner identified any triggers regarding the risk?
- Is the risk still a possibility and valid for the project?
- Evaluate if a risk should be closed, or determine if any risk component needs to be updated.
With these uncertain times during the COVID-19 pandemic, it is recommended to monitor the triggers for these risks daily or weekly.
5. Contingency Plan – Some risks with high-risk factor should also have a contingency plan documented in case the risk is realized even after implementation of the risk response strategy.
In our example, the contingency plan can be described as the following;
“If the implementation of the legislative mandate is not achieved by the deadline of August 31, 2020, the project team will seek a temporary exemption/extension for two months from the required authorities.”
Depending on the type of risk response strategy or contingency plan, a project change request (PCR) might be needed. In the next post, I will provide recommendations on drafting PCR and certain Do’s and Dont’s. Stay tuned!