Ihor Pavlenko: PMO Risk Management (UA) Lemberg PMO School 2023 Website – https://lembs.com/pmoschool Youtube – https://www.youtube.com/startuplviv FB – https://www.facebook.com/pmdayconference

1. PMO RISK
MANAGEMENT

2. https://www.linkedin.com/in/ihor--pavlenko/
https://t.me/korwwyn
THAT’S ME
HEAD OF OPERATIONAL EXCELLENCE /
HEAD OF PMO
AT ALTEXSOFT

3. CONTENTS
A LITTLE BIT
OF THEORY
ROLES AND
RESPONSIBILITIES
RISKS
IDENTIFICATION
CLASSIFYING
RISKS
RISKS
ASSESSING
RISKS
PREVENTING
TO WRAP
UP
What is a risk, what are
the main strategies.
RACI, escalation paths,
and more.
How to identify risks at
the earliest stages?
Right strategy for each
type of risk.
Mitigation of risks?
Ownership and more.
Should we care about
certain risks?
What should be done to
prevent risks beforehand?
What did we get as a
result?
PMO GOALS

4. WHAT IS A RISK?
Risk is any unexpected event that can affect your project — for
better or for worse. Risk can affect anything: people, processes,
technology, and resources.
POSITIVE
RISKS
NEGATIVE
RISKS

5. FACTORS
IMPACT
RISK
TIMEFRAME
PROBABILITY
RISK EVENT
What events might
forewarn or trigger the
risk event?
What’s the expected
outcome?
When is it likely to
happen?
What’s are the chances of
it happening?
What might happen to
affect your project?
5 ELEMENTS OF A RISK

6. Risk avoidance: taking actions to eliminate or avoid the risk by
altering project plans or approaches.
Risk transfer: shifting the risk to a third party through contracts,
insurance, or outsourcing.
Risk mitigation: implementing measures to reduce the likelihood
or impact of the risk.
Risk acceptance (actively): proactively acknowledging the risk
and developing contingency plans to address it if it materializes.
Risk acceptance (passively): acknowledging the risk but not
taking proactive measures to address or mitigate it.
Risk escalation: reporting risk to higher levels of authority or
management for further assessment and decision-making.
RISK RESPONSE
STRATEGIES

8. RISK MATRIX & RISK ASSESSMENT
GRID
MITIGATE AVOID
TRANSFER
ACCEPT
Severity of Consequences
Likehood

9. Internal / External risks: these can include Cost Risks, Schedule
Changes, Performance or Quality Risks, as well as Governance
Risks, Strategic Risks, Operational Risks, Legal, Market, etc.
Controllable / Uncontrollable risks: Controllable risk factors are
those which you can take steps to change or influence.
Uncontrollable risk factors are those which you cannot influence.
CLASSIFYING RISKS

10. PMO GOALS
PREDICTABLE
DELIVERY
SCALING
APPROACHES
RISKS
IDENTIFICATION
LESS
ESCALATIONS
RISKS
PREVENTING
Delivery of projects just in
time, scope, and budget.
Scaling experience and
good approaches is
essential
Assist PMs to identify and
work with the risks.
Less escalations == better
work with the risks.
Projects expansion, using
the opportunities.
... via processes,
procedures, reviews, etc.
USING RISKS AS
OPPORTUNITIES
ESTABLISHING
A FRAMEWORK
The Risk Management
framework should be
established to secure the
projects and scale
practices.

11. From the PMO side, it is impossible to track all risks on all projects.
We also can’t identify all possible risks.
The only way to do it - is to create a risk prevention mechanism.
RISKS PREVENTING
ATTENTION!
A severe risk prevention mechanism can make the lives of your
managers quite hard.
When building a robust Risk Management strategy it is essential to
find a compromise between standards, policies, and agile
approaches.

12. Keeping the risk registry in an up-to-date state by the PM or other responsible
persons.
Regular review of the risk registry together with the key stakeholders and project
team.
Regular project reviews: it is important to have a side view of the project.
Establishing a solid risk reporting (and escalation) process is essential for
preventing risks.
Having understandable risk triggers and thresholds can give your PMs and
stakeholders to address risks promptly.
Postmortems and premortems are powerful instruments for preventing further
risks (or even issues).
RISKS PREVENTING

13. Identifying risks promptly, and having a relevant response strategy
are the most important parts of the risk identification phase.
Risks identification process is a continuous process, that should be
done regularly, and improved (as well as any other process).
RISKS IDENTIFICATION

14. Lessons learned analysis: review lessons learned from past projects to identify risks
encountered in similar endeavors and apply those insights to the current project.
Requirements review: assess project requirements and specifications to identify
potential risks associated with meeting those requirements.
Brainstorming sessions: conduct collaborative sessions to generate ideas and
identify potential risks, leveraging project stakeholders’ expertise and diverse
perspectives.
Checklists and templates: utilize pre-defined checklists or risk register templates
to consider common risk areas and ensure comprehensive coverage promptly.
SWOT analysis: assess strengths, weaknesses, opportunities, and threats to identify
potential risks and their impact on project objectives.
Root Cause Analysis: investigate past incidents or failures to uncover underlying
risks and identify similar potential risks in the current project.
Affinity diagram: organize and categorize potential risks based on their
relationships and common themes, facilitating a better understanding of risk
interdependencies.
RISKS IDENTIFICATION

15. REGULAR
UPDATE
PRIORITIZE
SHIFT LEFT
Risks do not stand in one place.
They are constantly appearing
and so should be reviewed and
resolved.
Don’t try to cover everything. Be
focused on the most important
aspects. What aspects are
important? Well, know your
customer.
The sooner we’ve identified a
risk - the more time we have to
create an appropriate strategy,
build correct expectations, and
prepare the team for it.
RISKS IDENTIFICATION

16. A project risk assessment is a formal effort to identify and analyze
risks that a project faces. First, teams identify all possible project
risks. Next, they determine the likelihood and potential impact of
each risk.
The goal of a risk assessment procedure is to check, whether all
actions and strategies were done properly, and enhance them, if
needed.
RISKS ASSESSING

17. The Project Risk Assessment should be done by PMO in terms of controlling (or
reviewing) procedures.
Potential risk identification using all possible options provided before;
1.
Determine the Probability of Each Risk;
2.
Determine the Impact of Each Risk;
3.
Determine the Risk Score of Each Event;
4.
Understand Your Risk Tolerance;
5.
Review the Risks prioritization and update it;
6.
Develop Risk Response Strategies;
7.
Monitor Risk Plans;
8.
Perform Risk Assessments Continually;
9.
Identify Lessons Learned;
10.
RISKS ASSESSING

18. Project managers: oversee risk administration activities, including
identification, assessment, and response planning; ensure
effective communication of risks and integration into project
plans.
Project team members: participate in risk identification and
mitigation, leveraging their expertise; support risk monitoring and
report emerging risks or changes.
PMO executives/sponsors: govern risk administration, establish
policies, set tolerance thresholds, act as a point of escalation.
Stakeholders: collaborate on risks and response strategies,
ensuring clear understanding and alignment.
ROLES AND
RESPONSIBILITIES

19. A contingency plan in project management is a defined, actionable
plan that is to be enacted if an identified risk becomes a reality.
CONTINGENCY PLANNING

20. 1. Identify triggers
Identify what specific event or events need to happen to trigger the implementation of
the plan.
2. Determine the who, what, when, where, and how
Cover the five bases in each step of your plan: who will be involved, what they need to
do, when it needs to happen, where will the plan take place, and how will it be
executed.
3. Make sure that everyone involved knows about the contingency plan
Share the plan with all relevant stakeholders, and make sure that they know about
who, what, when, where, and how.
3. Establish communication norms
Have clear guidelines for reporting and communication during the implementation of
the plan. How will internal and external stakeholders be notified? Who will draft and
send the notice, and how soon after the incident will it be released? How often will
updates be provided?
4. Monitor and adapt
Monitor the plan regularly to ensure it is up to date.
CONTINGENCY PLANNING

21. GENERAL ADVICES
SHIFT LEFT
LEARN FROM
MISTAKES
EDUCATE
PEOPLE
CRITICAL
POINT OF VIEW
IDENTIFY NEW
RISKS PROMPTLY
Try to address risks as
early as possible.
It is better to learn from
others’ mistakes, btw.
PMs or team members
are much deeper in the
context, so they can see A
LOT.
Review the risk registry
and risk mitigation
strategies regularly.
Confirm scope changes in
a written way, and run
official communication in
emails.
Not everything can be
covered by a framework.
PMs and project teams
should be able to identify
risks as early as possible.
BASIC RULES
CAN HELP
ESTABLISH A
FRAMEWORK
The Risk Management
framework should be
established to secure the
projects and scale
practices.

22. SO, HOW TO
ESTABLISH A PMO
RISK MANAGEMENT
FRAMEWORK?

23. Create a shared understanding of Risk Management across all
PMs.
1.
Share this understanding with other units, or PMs’ peers.
2.
Make sure that PMs have all needed instruments and templates:
3.
RACI matrices;
a.
Risk Registry;
b.
Project Risks Assessment procedure;
c.
Develop the risk process. That includes reporting, escalations,
and any other actions, that are required to manage risks.
4.
Set up controlling points - how will you or other stakeholders
know about risks?
5.
Conduct regular training;
6.
Save postmortems, premortems, and lessons learned to the
shared base.
7.
Remember about the continuous improvement.
8.
HOW TO