Who is Responsible to Monitor Risk?

Monitoring risk requires delegating the monitoring, passing responsibility like one passes a baton in a raceOver the course of my career, I’ve noticed that monitoring project risk is hit-or-miss.

Some Project Managers focus on it diligently, almost territorially.

Others have the attitude that “stuff happens.” They will deal with risk events if they happen. They feel they have enough to worry about with just getting the job done. Who has time for one more responsibility?

Which of these two approaches is correct? Who is responsible for monitoring risk? (You may wish to read the article “These are the Basics of Monitoring Risk” in concert with this one.)

Would it surprise you if I said that both are correct in some way, and both are incorrect in some way? In my experience, and what I found worked optimally, was that responsibility for monitoring risk belongs to the Project Manager. As one senior executive was fond of telling me, “Who’s got the most to lose?”

The Project Manager bears the ultimate responsibility for project success and by that measure has the most to lose. He must take responsibility for monitoring project risk. That is not to say, however, that he must take responsibility for monitoring each risk event.

Those Project Managers who hold on tightly, territorially, must learn to let go – and delegate. Maintain overall responsibility? Yes. To the exclusion of delegating individual risk items to appropriate risk owners? No.

At the same time, those Project Managers who do not monitor risk, and who would rather handle risk when it happens, must learn to take on the responsibility – and delegate. Take on overall responsibility? Yes. Delegate individual risk items to appropriate risk owners? Yes.

The fact is that while the Project Manager retains ultimate responsibility for the overall project risk, he must delegate ownership of and responsibility for individual risks to others. This can take many different forms depending on the nature and size of the project, organizational policies, past experiences with similar projects, risk tolerance, and other factors.

For example, on a large project with hundreds of moving parts and thousands of tasks, there will be many risks to monitor. Risks identified for staffing the project and retaining staff may be the co-responsibility of the Project Manager and the project recruiter. A risk identified about an upcoming regulation change may be assigned to a stakeholder from the client organization, who in turn may delegate it to a member of his policy team. The risk of having equipment installed and configured on time can be delegated to the project technology lead. Any risk associated with the timely review and approval of project deliverables becomes the ownership of the client manager. The risk of securing training classrooms for implementation and rollout becomes the responsibility of the training manager. And so on.

Each risk is monitored and reported on by its owner, with the understanding that each risk’s monitoring has a direct impact on the success of the project. The Project Manager maintains overall responsibility, stays aware of the potential impact and status of each individual risk, and oversees the risk resolution should it materialize. But the Project Manager need not dog each individual risk by himself.

At the same time, it is important to maintain flexibility regarding risk monitoring

As risks become more likely to occur, or if they lose priority, risk ownership may change. Frequency of reporting on them may change. Individual risk responses may change, and mitigation may become the responsibility of someone else on the project.

A good example of this would be if the risk of new or changed regulations materializes. The person responsible for monitoring that risk alerts the Project Manager and provides a summary of the change. The Project Manager then assigns the risk mitigation to his application lead to determine the extent to which it will impact the project.

With delegation of monitoring comes the responsibility of reporting. The Project Manager and other decision-makers need the information from monitoring the risks to determine what actions may be necessary:

  • To increase the frequency of risk review.
  • To initiate the planned risk responses.
  • To adjust any strategies developed around the risk.
  • Or, alternatively, to downgrade a risk or close it as no longer consequential.

If there is no change in the status of the risk, then there is no need to report other than a quick “no change” indication. Reporting on risk monitoring should be crisp and focused, alerting decision-makers to those risk events that may soon require their attention. Individual risk management strategies and potential risk responses should also be summarized to assist the decision-makers in how they may wish to proceed.

Project Managers should never feel that they need to go it alone with respect to monitoring risk. Neither should they shirk the responsibility in favor of urgent project tasks. Delegating and managing risk is no different than delegating and managing other aspects of project delivery. It is the Project Manager’s ultimate responsibility. And he achieves it through people.


Get Your Free Guidebook

Subscribe and receive your free guidebook,
5 Ways to Master the Art of Managing People, Projects and Profits.