Module 2. Project risk management: stakeholders’ risks and the project manager’s role
There are a number of key roles and responsibilities within project risk management. In many cases the most important role is that of the project manager. Within project risk management the importance of understanding stakeholders cannot be ignored.
The project manager’s role
A project manager’s scope of work is vast, from day-to-day project work, to end-to-end planning, to monitoring. A good project manager needs strong skills and capabilities to complete project outcomes within budget and schedule (PMI 2021, 2019; Kendrick 2019). This includes capabilities in project scoping, planning, budget control, resourcing and communication. A project manager also needs to identify, document, and treat risks, which means that they must have skills in forecasting the potential consequences and likelihood of identified risks, and how to best respond if they arise to ensure that no negative consequences impact the project objectives.
The primary responsibility of a project manager is to understand organisational knowledge and new trends in technology to better assess and mitigate risks related to the project (PMI 2021, 2019; Kendrick 2019). Projects can be significantly impacted by risks and issues which cause delays, cost overruns and scope creep. The project manager and project team need to be prepared for any potential scenario and put contingencies in place. Contingency and mitigation plans need to be supported with stakeholder buy-in and assistance, and this can be achieved by maintaining ongoing stakeholder communication and engagement.
Through the risk identification process, the project manager gathers and documents issues, negative feedback from clients and stakeholders, potential defects, and the project team members’ perspectives on the current state (PMI 2021, 2019; Kendrick 2019). Therefore, to achieve the goal of risk assessment, the process should include:
- forecasting the project’s next steps, including identifying risks
- assessing risks through assessing the likelihood and impact of identified risks
- planning responses to manage risks before they occur
- implementing responses to minimise adverse effects
- measuring effectiveness of the plan against identified threats
- monitoring activities which may trigger a risk.
The project manager is key to minimising the chance of risks occurring and mitigating them where possible. Their role as a risk manager will differ depending on the project scope, stakeholders, budget, schedule and industry. The project manager needs to understand the intricacies of the project to appropriately assess the risk and mitigate it accordingly.
With the support of the project manager, the project team are responsible for working collaboratively to achieve project goals and outcomes. ‘Project team members collectively have a diverse range of skills, with each having a specific skill set that meets the project’s needs (PMI 2021, 2019; Kendrick 2019). The project team is essential to project outcomes. They are often divided into 4 groups, depending on the project type:
- Functional teams: these are the permanent teams which fit within the broader organisational structure; their skills are used in the project space.
- Project team: a dedicated team who is responsible for developing a specific project. At the end of the period, the team is disbanded.
- Cross-functional team: this includes individuals from various departments, who come together for the duration of the project and return to their business-as-usual role after the project is complete.
- Self-managed and virtual teams: these are often temporary teams who come together for specific tasks or activities within the project.
The project team has a significant role in helping the project manager to identify, assess and respond to project risks. This role is ongoing throughout the life of the project (PMI 2021, 2019; Kendrick 2019). Both informal and formal risk assessments should be completed at each phase of the life cycle, and the frequency will depend on the scope of the project. A formal risk assessment incorporates built-in steps to identify and measure risks and track progress. While informal assessments are process-driven, information is obtained through the infrequent monitoring of circumstances where formal assessments are not deemed necessary. The project team members will often share the responsibility for creating the risk documentation, along with the updates.
Skills for risk management
Project teams, managers and stakeholders require numerous skills to manage risk. These include:
- Communication: ability to communicate the importance of understanding risk across all stakeholders, team members, sponsors and managers.
- Organisational understanding: an understanding of the current organisational strategic direction, goals and risk appetite.
- Creativeness: ability to act under pressure and respond to risks as required.
- Preparedness: ability to establish a risk management process that is easy to follow and action throughout.
- Solutions driven: ability to solve problems and develop solutions to respond to identified project risks.
Stakeholders play a fundamental role in all aspects of project success. Stakeholders are defined as anyone who is (or perceive themselves to be) affected by or can affect a decision, project, strategy or process (Freeman 1984). A stakeholder can be an individual, organisation, or department within an organisation, and the role may change throughout the process.
There are 3 primary questions which lay the groundwork for understanding both stakeholder management and its link to risk management (PMI 2021, 2019; Kendrick 2019):
- Who is affected by or interested in the project?
- What are the stakeholders’ concerns with the project?
- What measures or treatments are being applied?
These questions will help the project manager understand the different stakeholders and assist with taking actions to include and engage stakeholders in the process, particularly because projects are rife with uncertainties that include stakeholder roles, behaviours, and requirements (PMI 2021, 2019; Kendrick 2019). Stakeholders can impact the project through behaviours that are negative, destructive, irritating, damaging to reputation, supportive, positive or encourage project outcomes.
Stakeholders need to be engaged throughout the project and risk management process to ensure that they are aware of the potential risks, their outcomes and (where necessary) provide information about the risk (PMI 2021, 2019; Kendrick 2019). By engaging stakeholders, there are opportunities for the project team and manager to understand the different perspectives, obtain expertise and develop appropriate risk mitigation or treatment responses.
Stakeholder roles and interests change throughout a project, and this is also similar for their role in risk management. There are numerous roles which they can hold (Ndlela 2019), including:
- Understanding: understanding the elements of the risks being discussed.
- Informing: provide specialist support or information to respond to a risk.
- Training: where education is required (for staff or clients), training can support risk mitigation.
- Identification: identifying the specific risks within a project.
- Communication: sharing information with other stakeholders or seeking subject matter expertise to understand the risk generally, mitigation processes and likelihood or consequence.
To engage the different stakeholders, consultation is required early on. By starting early, the process can establish the context of risks within a project, identify the risks and understand how stakeholders can provide support. Throughout the process, the stakeholders may be re-consulted to support evaluation and treatment, and throughout the monitoring and controlling processes.
There are numerous people who are considered risk stakeholders. These include the stakeholders who can support the risk management process on one or more occasions – for example, subject matter experts, stakeholders, clients, legal departments, accounting, etc. By engaging with risk stakeholders throughout, the risk monitoring process can have a positive effect on the risk action or response plan.
Risk stakeholders can help develop strategies and analyse the risk management process. There are certain risk management processes which risk stakeholders can sign off on, and others where they can take on the responsibility through transferring the risk (Ndlela 2019). Stakeholder relationships are complex, including the dynamic relationship between multidimensional groups and individuals. ‘An organisation must develop and maintain strong relationships with their stakeholders, and effectively manage the stakeholders, their interests and perspectives’ (Zsolnai 2006). This is not distinct from the risk management process, as there are numerous benefits of engaging with stakeholders, including increased trust, collaboration, quality information, informed decision-making, broad understanding of external stakeholders, potential risks, and consideration of stakeholders’ interests. By collaborating with stakeholders, improved understanding of risks and opportunities can occur.
By engaging stakeholders, an organisation and a project manager can determine the influence of social and cultural networks that could affect the outcomes. Stakeholders have their own perceptions and opinions about risks which can be subjective. The subjective nature of opinions and perceptions affects objective assessments of risks, which can differ between the subject matter experts, project managers and technical support (Collier et al. 2004). Therefore, by engaging stakeholders, project managers are better able to interpret risks considering more than social norms, emotions and networks. Barnes (2002) stated that experienced risk managers are more scientifically and technologically sophisticated in their approach to managing and measuring risks. Whereas inexperienced risk managers will rely on cultural and social components to identify, assess and respond to risks. Therefore, organisations who employ experienced risk managers will significantly reduce the ‘blind spots’ because they understand the contextual experience of risk and the issues which cause problems (Loosemore et al. 2005).
There are 3 steps for incorporating risk stakeholders (PMI 2021):
- Stakeholder identification: identify the potential stakeholders.
- Stakeholder response plan: outline what stakeholders require and develop a collaboration plan.
- Continuous stakeholder management and engagement: execute the plan, appropriately engaging the stakeholder throughout the project.
This 3-step process is parallel across the risk management plan and the stakeholder management plan. Therefore, by following this 3-step process, stakeholder management can be proactive rather than reactive.
Let’s go into the 3 steps in more detail.
Step 1: Stakeholder identification
Stakeholder identification involves using multiple techniques.
This requires bringing the project team together, including the sponsors, managers and technical team members (PMI 2021). Brainstorming can help team members determine:
- who is invested in the project
- who has influence over the outcomes of the project
- who will be affected by the project.
Each person is given a stack of sticky notes or space on a whiteboard. They are given 10 minutes to list any stakeholders they can think of, using a single sticky note per group or individual stakeholder identified. Then the names identified are brought to the group, creating a list where duplicate names are removed.
Stakeholder role profile
Stakeholder roles are often predictable in projects. Stakeholder role profiles identify stakeholders who are either historical or common to a project type (PMI 2021). By answering the questions below, the project team is better able to consider the different roles, perspectives and stakeholders. This improves the likelihood that all key stakeholders are identified.
Where the project team later identifies key stakeholders that have been missed during the identification process, a team member will be responsible for updating the stakeholder register. The stakeholder register outlines the roles and, like the risk register, will outline the specifics of the stakeholders (e.g., role, responsibility, contact details). To develop the stakeholder role profile, each question below needs to be answered:
- Who approves the project budget?
- Who approves the functional requirements or tasks?
- Who approves the technical components?
- Who approves designs?
- Who approves changes (including changes to schedule and budget)?
- Who approves procurement?
- Who is the sponsor?
- Who approves each iteration?
- Who are the users of the services or project deliverables?
- Who sets the organisational strategic direction?
- Who manages the project?
- Who assigns resources?
- Who performs the work?
- Who changes the systems or processes?
- Who identifies laws and policies that affect the project?
- Whose work will be impacted by the project?
Projects require ongoing decision-making and authorisations. Therefore, the project manager and team need to understand all their decision and authorisation points, considering who each of the decision-makers are, including who has the right to cancel or veto the project.
Identify secondary stakeholders
Secondary stakeholders include individuals or groups who have an indirect relationship with a project, but who do not have direct power over the outcomes. The role of these secondary stakeholders can change to primary stakeholders throughout the project life cycle or in response to a risk arising. The most common secondary stakeholders include the community, associations/social groups, media groups, regulators and the general public.
Organisational process assets
Identifying stakeholders can also be completed through a review of Organisational Process Assets (OPAs). These include the documentation held by the organisation which supports project management and historical project information (PMI 2021). OPAs incorporate project plans, organisational policies, procedures, and governance guidelines. These documents can be used to understand who previous stakeholders were in historical project information and who stakeholders could be, based on other organisational resources.
These stakeholders are documented within the stakeholder register. This outlines all of the information related to the project and risk stakeholders. An example of a stakeholder register is provided in Table 2.
Table 2. Stakeholder register example
|Name||Contact||Project role||Communication medium||Frequency||Power||Influence||Internal
Identifying stakeholders is an important step in understanding the project risks. The stakeholder register supports the documentation of who each of the stakeholders are, how they link back to risks and project deliverables.
Step 2: Stakeholder response and analysis
Every stakeholder has a different level of power and interest, and they leverage this to support the project, mitigate or treat risks and in some cases negatively influence the outcomes (PMI 2021). Through analysing stakeholders, the project team and managers are better able to understand their stakeholders, including their concerns, interests, risks and opportunities. The response plan needs to consider methods and frequencies for communication and engagement to ensure that stakeholders are included in the risk response. The analysis process includes the following.
The stakeholder management process undergoes a similar prioritisation process as that undertaken for risk management (PMI 2021). Stakeholders are ranked by interest and power, as shown in the model in Figure 2. There are 4 primary categories or quadrants within this model: Keep Satisfied, Manage Closely, Monitor, and Keep Informed. These quadrants assist with prioritisation and help with understanding the influence/power of each stakeholder.
Figure 2. Stakeholder power interest matrix, by Carmen Reaiche, Samantha Papavasiliou and Frank Anglani, licensed under CC BY (Attribution) 4.0
Stakeholder priority analysis
Stakeholders who have high power and high interest are defined as high impact stakeholders (Smith 2000). The project manager and team must understand:
- what the stakeholders are interested in
- how the project aligns to their other areas of interest
- the areas of subject matter expertise
- how can they support project risk management.
The aim of understanding the highest impact stakeholders is similar to understanding the highest ranked risks – it helps the project team understand what matters, how stakeholders can provide support and where gaps in the process are.
The RACI matrix stands for Responsible, Accountable, Consulted, and Informed. It is a way of classifying stakeholders by their roles or required level of engagement for individual project tasks, risks or deliverables (Blokdyk 2021). It can be used to support the risk management approach, whereby stakeholders can be given responsibility to respond to a risk if it arises or accountability to implement contingencies. In addition, there is consideration of which stakeholders need to be consulted and which need to be informed of the occurrence of a risk. An example of a RACI matrix is provided in Table 3. There are a few rules associated with applying the RACI:
- There is only one accountable party and this stakeholder is accountable for making the decisions.
- Minimise how many stakeholders are responsible for taking actions to prevent ‘too many cooks in the kitchen’.
- Not all stakeholders need to be consulted – there are circumstances where it is better to inform certain stakeholders.
Table 3. Example of a stakeholder RACI matrix
Stakeholder engagement assessment matrix
In each row, the stakeholder engagement assessment matrix outlines each stakeholder’s current compared to desired level of engagement. The columns outline the level of engagement which, according to the PMBOK includes unaware, resistant, neutral, supportive and leading (PMI 2021). An example is provided in Table 4. The current state can occur in any of the columns; however, the desired state should be Neutral, Supportive and Leading. This is important, as project managers do not want resistant or unaware stakeholders.
Table 4. Example of stakeholder engagement assessment matrix
This matrix can be used for specific risks, deliverables and tasks, which can support project risk management.
Step 3: Ongoing stakeholder engagement and management
The ongoing stakeholder engagement and management process occurs throughout the project. This includes who we engage with, through what medium, the required messages and who in the project team is involved. There are 2 key documents that can help the project team to communicate with stakeholders and how they can interact with stakeholders in response to risk.
Stakeholder communication plan
The communication plan outlines the requirements for communicating with key stakeholders, including what information needs to be shared, when, through what format and how frequent (PMI 2021). Through the identification and planning stages of stakeholder and risk management processes, this evaluation helps determine the requirements for communication with key and secondary stakeholders about different risks and deliverables within the project. An example of the communication plan headings, incorporating risks, is provided in Table 5.
Table 5. Communication plan common headings
A communication plan is about ensuring that communication and engagement is proactive rather than reactive. This is especially important for risk management processes.
The decision-making framework in project management is also referred to as the DACI. This acronym refers to Driver, Accountable, Contributor, and Informed, stipulating specialist roles for each project team member and key stakeholders (Kendrick 2006). Within the DACI model, the Driver is the leader across the project life cycle for certain risks, activities or deliverables within a project. The Approver is the final decision-maker who has the authority to reject or approve decisions impacting the project, including implementing risk contingencies or mitigation processes. Contributors are stakeholders who have high power or interest within a project team’s decisions. They can be used to support the decisions through information sharing and consultation. Finally, the Informed stakeholders are those who do not require consultation but who do need to be made aware of decisions made. There should only be one Driver and one Approver to avoid confusion. Table 6 provides an example of the DACI decision-making framework.
Table 6. Example of the DACI decision-making framework
The value of using the DACI decision-making framework is reducing the confusion over who has what role in the decision-making for each risk, activity or deliverable. Each is assigned clear authority and responsibility for the key deliverables, activities or high exposure risks across the life cycle of the project.
Other roles in project risk management
For larger or more complex projects, the risk roles are often allocated as independent roles and responsibilities of the project manager and project team. Where risk is extensive, there are opportunities to seek support from the organisation’s enterprise risk management teams and expertise (Ndlela 2018). This includes the allocation of the following roles.
Project risk manager. This person is solely responsible for understanding and responding to the risks and opportunities that are identified and analysed at any stage of the project life cycle. Where there is a project risk manager, the project manager collaborates with the risk manager to set expectations and validate the proposals for actions to be made in response to potential risks arising.
Project risk profile owners. These are the owners of each risk. These individuals or groups are identified to help create and implement the plans to treat and mitigate risks. These owners are often subject matter experts or approvers for implementing risk response processes.
Overall, there are numerous roles within project risk management. Along with the project manager and sponsors, there are key project team members who play important roles in risk identification, analysis and response planning. These roles often include an understanding of the support and information that can be provided from different stakeholders. People are key to project outcomes, and as there are many uncertainties which can arise from interactions between these people, there is a need to understand what opportunities or threats these relationships offer. It is important to note that people are the decision-makers, workers, leaders and so forth within projects, and the resulting risk management process needs to take people and stakeholders into consideration.
Now let’s review our knowledge:
- Stakeholder roles and interests change throughout a project. This is also similar for their role in risk management.
- Through analysing stakeholders, the project team and managers are better able to understand their stakeholders, including their concerns, interests, risks and opportunities.
- The primary responsibility of a project manager is to understand organisational knowledge and new trends in technology to better assess and mitigate risks related to the project.
- People are key to project outcomes, and as there are many uncertainties which can arise from interactions between these people, there is a need to understand what opportunities or threats these relationships offer.
Barnes P (2002) ‘Approaches to community safety: risk perception and social meaning’, Australian Journal of Emergency Management, 17:15–23.
Blokdyk G (2021) RACI matrix: a complete guide, The Art of Service, Queensland Australia.
Collier P, Berry AJ and Burke GT (2007) Risk and management accounting: best practice guidelines for enterprise-wide internal control procedures, Elsevier, Oxford.
Freeman RE (1984) Strategic management: a stakeholder approach, Pitman, Boston, USA.
Loosemore M, Raftery J, Reilly C and Higgon D (2005) Risk management in projects, Taylor and Francis, London, UK.
Ndlela MN (2019) ‘A stakeholder approach to risk management’, in Crisis communication, Palgrave Pivot, Cham.
Kendrick T (2006) Results without authority: controlling a project when the team doesn’t report to you, AMACOM Books, USA.
Kendrick T (2019) Identifying and managing project risk: essential tools for failure-proofing your project, Harper Collins Leadership, United States.
Project Management Institute (2021) A guide to the project management body of knowledge (PMBOK® Guide), 7th edn, Project Management Institute, Newtown Square, PA.
Project Management Institute (2019) The standards for risk in portfolios, programs, and projects, Project Management Institute, United States.
Smith LW (2000) ‘Stakeholder analysis: a pivotal practice of successful projects’, paper presented at Project Management Institute Annual Seminars & Symposium, Houston, TX, Project Management Institute, Newtown Square, PA.
Zsolnai L (2006) ‘Extended stakeholder theory’, Society and Business, 1:37–44.