The High Cost of Poor Risk Management

At MXA, we are often called in to conduct project rescues. One of the first places we look to find out what went wrong is the risk register. More often than not, we can identify the root of the problem by what's missing from the register or by how risk management has been handled.

Poor risk management results in projects running over budget, missing deadlines, or delivering subpar outcomes. These failures usually stem from risks that could have been anticipated and mitigated but weren't. When risks are identified too late, teams are forced into costly, reactive measures that erode the value of the project.

Projects lacking early, rigorous risk assessment typically suffer from delays and scope creep, increasing costs and damaging stakeholder confidence. Mitigations divert resources away from core objectives and create inefficiencies that weaken project delivery. In the long term, poor risk management undermines trust in future projects and can tarnish an organisation’s reputation.

The Power of Early and Rigorous Risk Management

Effective risk management hinges on early identification and proactive planning, ensuring projects remain on budget, on time, and aligned with strategic objectives. Yet too often, risk management is treated as a "box-ticking" exercise, resulting in projects that falter when unforeseen challenges emerge. Risks are frequently identified too late or documented too broadly, leaving teams scrambling for solutions mid-project.

The real power of risk management lies in anticipating potential obstacles well before they materialise and embedding this thinking into the project lifecycle. When risks are defined early and with precision, teams are not just reacting—they're building practical, actionable strategies that ensure success.

The Role of Rigorous and Proactive Planning

Rigorous planning must begin at the business case stage, ensuring that key risks are anticipated and mitigations are built into the project from day one. This includes:

Identifying Specific Staffing Needs and Timing Early: Ensuring the right personnel are available when needed.

Budgeting for Risk Mitigations from the Outset: Allocating funds to address potential risks before they escalate.

Recognising Dependencies and External Factors: Identifying elements that could delay progress and planning accordingly.

Generally, risks that can be mitigated through the implementation plan are called "issues," and the project budget must be updated to factor in the cost. Other risks are difficult to directly build into the plan (e.g., a project dependency being delayed), but if specified with enough granularity, their impact can be minimised.

To assist this planning, risks must be documented with precision. Broad, vague risks like "delivery delays" are not helpful. Instead, teams should identify the exact causes of potential delays—such as supplier issues or regulatory approvals—and map out targeted mitigations. This granularity facilitates appropriate planning and costing.

As a rule of thumb, for a moderate-sized IT project with a $1 million budget, we would expect the risk register to list several dozen risks (including both business and technology risks). In our experience, failed projects of this size almost always have risk registers with fewer than 20 risks, whereas projects with comprehensive, proactively managed risk registers rarely encounter insurmountable issues.

Maintaining a detailed risk register that’s continuously updated ensures that risks are monitored and managed throughout the project, not just at the outset. By keeping a history of risks and realised mitigation costs, the accuracy of both the likelihood assessments and the budget impacts of mitigating actions will improve over time.

Building a Culture of Risk Management

Risk management goes beyond planning and documentation; it requires embedding a proactive culture where risks are continuously anticipated, owned, and mitigated throughout the project lifecycle. Building a risk-aware culture positively impacts overall organisational success by fostering resilience and adaptability.

Singular ownership of risks paired with accountability is key. The Banking Executive Accountability Regime (BEAR) in Australia’s banking sector illustrates how clear accountability can transform risk culture. Post-2018, banking executives became responsible for specific risks with severe penalties, driving a stark change in behaviour. This same principle applies more broadly—assigning clear risk ownership with enforced consequences for poor risk management will drive behaviour in both public and private sectors.

Another key driver of risk culture is empowering teams to raise risks early without fear of repercussions. Without fail, every organisation we have served where staff are afraid to raise risks has encountered problems with risks being realised before they can be mitigated.

Strengthen Your Risk Management Today

Effective risk management is the difference between successful projects and costly failures. By embedding early identification, rigorous planning, and a proactive culture of ownership, your organisation can mitigate risks before they escalate. The key is not just planning but instilling a culture where teams are empowered to raise and manage risks throughout the project lifecycle.

If you’d like to review and improve your risk management processes or build a stronger risk culture, reach out to MXA. Our expertise can help your team deliver projects with confidence and resilience, ensuring you meet your strategic objectives while minimising unforeseen challenges.
