The Real Life of Risk Management in Projects.

Bob looks nervous; he checks his wristwatch every minute, thinking about what to say when he meets his boss, Rick. He has been called in to discuss the delay of one of the company's major projects this year.

He is not just a member of the project team; he is the Project Manager. However, with the new global illness named “COVID-19”, everything has changed in the project's development. He walks into the sponsor's office:

  • Rick: Hi Bob, thanks for coming to the meeting, how are you doing?
  • Bob: Hello Rick, I'm doing fine, thanks, just a little bit worried about this illness and its impacts on the project.
  • Rick: Actually, that’s why I invited you to this meeting. The company's shareholders are worried about the recent project reports, which show some delay. We are forecasting that we will finish 6 months later than expected and, of course, this means a bunch of money for the company.
  • Bob: As a matter of fact, I believe it is worse than that, Rick. We are not prepared to face all the consequences of this illness and keep the business continuity of the project. Every day is a big challenge. The project teams are a concern, the providers are late, and so on.
  • Rick: Well, Bob, that is exactly what I do not want to hear. Later this afternoon I have a meeting with the shareholders and I will tell them that we will be executing the risk response plan of our project. Just tell me, do we have one for this project?
  • Bob: No, Rick. As you know, we are just starting to implement PM methodologies at the company, and as for risk management, we are not there yet…
  • Rick: Bob, we have a major issue here, I need you to do….

Have you ever been in a situation like Bob's or Rick's? It is a frequent one at companies. Risk Management (RM) is still maturing in most of them; in fact, several organizations, despite suffering major negative impacts due to risk, still resist changing their minds about how seriously they need to take RM in their projects.

When did this RM thing begin?

Let’s put some history here: “The study of risk management began after World War II. Risk management has long been associated with the use of market insurance to protect individuals and companies from various losses associated with accidents. Other forms of risk management, alternatives to market insurance, surfaced during the 1950s when market insurance was perceived as very costly and incomplete for protection against pure risk. The use of derivatives as risk management instruments arose during the 1970s, and expanded rapidly during the 1980s, as companies intensified their financial risk management. International risk regulation began in the 1980s, and financial firms developed internal risk management models and capital calculation formulas to hedge against unanticipated risks and reduce regulatory capital. Concomitantly, governance of risk management became essential, integrated risk management was introduced and the chief risk officer positions were created. Nonetheless, these regulations, governance rules and risk management methods failed to prevent the financial crisis that began in 2007.” (Dionne, 2013).

It has been a while since 1945, and RM has evolved in different areas, PM among them. The Project Management Institute (PMI) is one of the few institutions that constantly improve their vision of PM. Risk has been included since the first edition of the PMBOK (Project Management Body of Knowledge) in September 1987 (camilamotato, n.d.), and its treatment has kept changing too. The latest edition (6th) adds a new process in the execution phase: implement the risk response plan. Why is that? It is simple: RM must be proactive during the entire project, especially while the deliverables are being created, and that was not obvious in previous editions.

This also matches the framework in the latest version of the ISO 31000:2018 Risk Management Standard, which gives an integral view of RM built on five bases centred on leadership and commitment (ISO, 2018).

Illustration 1 ISO 31000 Framework (clause 5).

At this point everything looks great; on paper it looks amazing, but in real life it does not always work like that. It certainly looks more like what Bob explains to his boss in our opening story. How do I know that? First, from my experience with RM in projects, and second, because I carried out research with 50 project managers, which I will now show you.

RM in real life, as told by professionals.

I ran this survey with professionals from several countries, asking them how they experience PM and how they include RM in their work. The truth is that we all manage risk, consciously or unconsciously, but rarely systematically.

For this survey the participation was:

Table 1 Gender-age participation

I asked these professionals the following questions:

1. Do you apply project management plans in your organization?

We might think “of course all of them practice PM at their companies”, but the reality is that 16% do not apply PM at their companies. Of this 16%, 83.33% are men between 36 and 45 years old.

What does this mean? People at their professional maturity are still not practising PM formally, and women are more focused on working in an organized way. So we would probably ask:

  • How do they manage risk?
  • How does their company manage projects?
  • Are they following a different kind of business strategy?
  • How do they measure the success of their projects?

We are just getting started, and we already know that not everyone involved in projects uses PM plans. Let’s see about RM.

2. Do you include a risk management plan in your project plan?

40% of professionals do not include RM in their plans. It is notable that 28% of them just manage risk as it appears, because the other 12%, who answered that they do not include it at all, probably manage risk as it appears too.

This leads us to improvise. What is the issue with improvising? We are tossing a coin and hoping for luck: we have a 50% chance of solving the problem and a 50% chance of making it worse.

Furthermore, we think of risk as a bad thing, but it can also mean good things. Yes! It relates to both threats and opportunities. Consequently, when we create an RM plan we are not only managing threats (mitigate, avoid, transfer or accept the risk); we are also managing opportunities (escalate, exploit, share, enhance or accept them).

What about the 60% of professionals who use RM plans? This 60% is split into 66.67% men, 30% women and 3.33% others. This is very interesting because more than 70% of this group use hybrid methodologies (qualitative + quantitative) for RM. Why is this so remarkable? Using hybrid methodologies is neither easy nor cheap; it is difficult and expensive and requires top training, good tools and real expertise, but it provides the best outcomes. So, as a matter of fact, we are on a good track.

Do you remember Bob and the consequences that he was talking about with his boss? We are now going to talk about the real consequences of a lack of RM in projects.

3. What has been the main consequence you have suffered for not managing risks in any of your projects?

36% of the professionals surveyed had suffered scope, schedule, budget or business case consequences due to the lack of RM in their projects, and 32% corresponds to major impacts on schedule and budget.

Do you know the definition of project failure? It is when at least one of the following conditions occurs:

  • You finish later than scheduled.
  • You spend more budget than you planned.
  • Your scope is changed (this condition affects predictive methodologies more than agile ones, where the scope is probably changing due to prioritization by the product owner or even the final customer).
  • Your final customer is not satisfied with the results.

The last condition is perhaps the most important and will be related to failure in the first three. Applying RM helps us improve our odds of achieving better results in projects.

What do we need to improve this?

4. What do you think is the main cause that does not allow risk management to be carried out in a project?

In particular, 58% point to the lack of an RM culture in the organization. That is not only the main cause keeping companies from adopting suitable PM practices; it is also the root cause of why they cannot change their minds about improvements.

A good culture comes from the top; without that way of envisioning the company's growth, it will be harder. Months ago, I ran a survey asking what kind of management rules in companies in 2020. The outcome was that 40% of employees work under Management 1.0 in their organizations. Is that bad news? Well, it means that they are working at companies whose management is still in the culture of the 1900s.

In real life, those trends must change if we want to see improvements in RM. Any change we experience in our environment needs to be evaluated; the world moves much more quickly, and we constantly need to adapt to it.

Do you think it is hard to start implementing PM and RM now? It will be harder later. Technologies, diseases and nature do not stop; we need to move faster than they do.

If you find yourself in Bob’s situation, you now have some facts to discuss with your boss and to explain why companies need major changes to achieve better results, not in the future but right away.

I hope you like this research; it is always nice to share experience and knowledge with you.



  • camilamotato. (n.d.). Timetoast timelines. Retrieved from
  • Dionne, G. (2013). Risk Management: History, Definition and Critique. Cahiers de recherche 1302, CIRPEE.
  • ISO. (2018). ISO. Retrieved from
  • PMI. (2017). PMBOK GUIDE 6th Edition. Newton Square, Pennsylvania, USA: Project Management Institute, Publisher.

Coronavirus Risk: 11 preventive measures to maintain business continuity.

All scenarios are still on the table! That is how the World Health Organization (WHO) describes the situation regarding the coronavirus, or COVID-19, at the start of 2020. Although it is not yet expected to become a pandemic, this virus is still causing a worldwide stir because of its high level of contagion (despite a low mortality rate, close to 2.8%), with approximately 74,576 cases recorded.

According to (Consalud, 2020), “To date, all deaths have occurred in China except six, which were reported in Taiwan, Japan, the Philippines, Hong Kong and France.”

Since China is a country with a very high level of trade and manufacturing [it is the number 1 country worldwide in export capacity (, 2019)], the possibility of contagion spreading to the rest of the world remains real.

Whether it is COVID-19 today or a new virus unknown to humanity tomorrow, the questions I invite you to ask yourself are:

  1. Is my country prepared to handle a risk situation of this kind?
  2. Is my organization prepared to keep operating under a risk like this?

If uncertainty is what comes to mind, they probably are not. And this is where Business Continuity Management comes in. When we hear the term business continuity (if we already know it), the immediate reaction is to think of contingencies, technology risks and even natural disasters; however, the strategy for keeping organizations operating in disruptive scenarios must address the widest spectrum of risks or scenarios that can affect the organization.

In other posts I have stressed that the heart of a business continuity system is a proper business impact analysis and a proper risk assessment, which form the basis for building a strategy that includes a plan.

Most risk strategies fail because they lack planning: organizations underestimate the conditions that can disrupt their operations and then find themselves in scenarios where they have to “improvise”. This reminds me of a phrase I read somewhere: “There is never time to plan, but there is always time to do things twice”, a clear reflection of the ongoing practice of rework.

Therefore, we will review a set of measures proposed by the WHO that will help you create a strategy to prepare for scenarios like COVID-19, but we will integrate them into 11 measures with a business continuity perspective for disease-related risks, covering guidelines for communication, people and technology recovery.

Illustration 1 Basic guidelines for maintaining Business Continuity.

1. People.

Protecting the well-being of employees and supporting them is a fundamental part of the business continuity strategy. The measures here are:

  1. Appoint a person with a leadership role in the organization to track the evolution of the disease and its possible impacts on the continuity of operations.
  2. Provide staff with suitable protective equipment (hand sanitizer, masks, etc.) and make sure a supply stock is kept.
  3. Establish a simple procedure for handling any suspected infection: which steps must be followed and which communication channels are appropriate. Likewise, keep a list of the entities authorized to handle detected cases (hospitals, health centres, clinics, etc.).
  4. Carry out continuous assessments of hygiene and sanitary conditions at different points in the organization and make the corresponding adaptations to the different scenarios the disease presents.

2. Communication.

This part plays a leading role in the organization's ability to convey knowledge, the appropriate measures and continuous feedback to its staff. The measures here are:

  1. Communicate the critical risks and other events associated with the disease to all staff; this improves employees' knowledge and gradually eliminates misinformation.
  2. Develop an education plan to train employees on infection control, personal hygiene, use of protective equipment, food measures, hand washing and behaviour in crowded environments.
  3. Implement a simple risk communication strategy that conveys to employees the protection and prevention measures to take if a contagion scenario is identified.

3. Technology focus.

Being in scenarios of this kind does not mean that the technology side cannot be affected, disrupting the continuity of work. Here the solution is to maintain proper risk-based vulnerability management, as highlighted by the consultancy Gartner (Prateek Bhajanka, 2019): “By 2022, organizations that use the risk-based vulnerability management method will suffer 80% less”.

The 4 basic measures to take into account are:

  1. Identify the organization's critical processes and functions: those that may be affected and those that can work at minimum capacity.
  2. Review the alternative locations that critical staff can use to carry out operational work (this includes remote work from home, ensuring suitable equipment).
  3. Validate or establish relationships with strategic partners that provide critical services to the company and can guarantee their continuity in disruptive situations (telecommunications, electricity, technical support, etc.).
  4. Establish a procedure and provide training for the critical staff needed to carry out work remotely or under disruptive conditions.

These are the essential measures that I believe organizations should take in disruptive situations arising from events such as the coronavirus to improve their chances of staying operational (note that establishing a business continuity system under a standard such as ISO 23301 requires going deeper into these and other related measures).

Without a doubt, vulnerability management is becoming an ever more prominent and important point for organizations, and measures must be taken in such a fast-moving world.

It is always a pleasure for me to share a little knowledge and experience. I hope you enjoyed this article.

Best regards!

Credits to the publications of

· (March 14, 2019). Datasur. Retrieved from

· Consalud. (February 20, 2020). Consalud. Retrieved from

· Prateek Bhajanka, M. S. (2019). A Guide to Choosing a Vulnerability Assessment Solution. Gartner.