During my RMP classes, I am often asked the difference between Risk Reviews and Risk Audits. Let's understand …
Risk Reviews look forward in time to what should happen for risk, while Risk Audits look backward to what has occurred.
The objective of a Risk Review is to reevaluate the risk environment, the risk events, and their relative probability and impact.
Risk Reviews are conducted at regular intervals, when change is planned, and when change occurs. The changes need not be dramatic but rather only sufficient to change the climate in which the risks occur.
Risk Reviews take place during regularly scheduled meetings (mostly status meetings) with the risk owners and project team and may also include the other stakeholders.
A project of several years in duration may be host to quarterly risk reviews, whereas a project of two months may have a single midterm review or weekly reviews, depending upon the organization’s investment in the project and the complexity of the project.
The key for any quality risk review is to acknowledge that it is a comprehensive review rather than a review of a single risk event in isolation.
A Risk Audit is a more exhaustive review that involves a task-by-task, risk-by-risk analysis.
Risk Audits are a method for examining the effectiveness of the Risk Management Plan and Risk Response Plans. They are also part of the overall process improvement of the project. A Risk Audit frequently focuses on the success or failure of the risk response strategies.
Performing a risk audit is a lot like documenting lessons learned. You’ll document information as the project progresses, but the Risk Audit analysis is performed at the end of the project.
When we perform Risk Audits, we examine the risk responses (that were implemented) to determine if they were effective in handling the risks and their root causes. The output of this audit is always documented.
Medium and large projects may have Risk Audits performed at major milestones throughout the project. Audits for small projects are easily performed at the end of the project. No matter the size of the project, remember to document the risks and their outcomes.
The idea behind these kinds of activities is to be proactive rather than reactive. We are constantly trying to refine and improve our processes and efficiency, and this can greatly help the risk management practices of not only the project but the whole organization as well (if we properly capture the results of our audits and create lessons learned documents).
It is the responsibility of the Project Manager to conduct periodic Risk Reviews and Audits. How frequently they happen, who does them, how the output is captured, etc. are specified in the risk management plan.
Finally, communicate the updates. No risk review or audit is complete until the findings have been communicated across the organization to those who need the information and can apply it in the project context.