Risk management: Seven habits for highly effective projects

Sword GRC Blog


“Successful projects are primarily focussed on success, rather than avoiding things that can go wrong,” says Solutions Consultant Karl Magnuson, co-presenter of Sword GRC’s webinar ‘7 Habits for Highly Effective Projects’, which explores the risk management practices that, when integrated into day-to-day project management, can help ensure a culture of success.

“We refer to these behaviours as habits because they have a consistency and cultural nature to them. When embedded as part of the project management process – for projects of any size – these habits can make a tremendous difference,” Magnuson suggests. 

In this blog post, we reveal the seven behaviours that, if not already in use, may be worth driving into your risk management processes for better project outcomes.


According to Sword GRC’s Enterprise Software Director, Mike Balut, the first habit is recognizing risk for what it is – an uncertain outcome. “A framework may be in place for managing risk but sometimes that guidance refers to risk only from the perspective of a loss or other negative outcome. Just like you don’t get success simply by avoiding failure, the same is true when we’re trying to increase the likelihood of successfully completing a project,” he says. 

Drawing on the ISO 31000 definition of risk, ‘the effect of uncertainty on business objectives, both positive and negative’, he suggests that when we apply this definition to a project, the objectives are the desired ‘end state’, such as milestones in delivery dates and completing the project within the forecasted budget. Between embarking upon a project and the end state, there are numerous uncertainties, including delays, cost overruns and quality issues. Yet at the same time, there are opportunities that can lead to favourable outcomes, such as cost savings, quality improvements and the introduction of new approaches.

“Ultimately it’s the achievement of those opportunities that leads to successful missions, bonus payments, and a track record of happy customers,” Balut says. 

Actions taken throughout the lifecycle of a project should steer towards the attainment of opportunities, and this is, in effect, effective risk management. “Unfortunately, in many projects, risk management is almost exclusively focussed on threats. If we want to get better project results, then it’s time to start recognizing all project uncertainties. Why only think about what could prevent the desired project outcome?

“Most successful projects that we see are related to companies that track metrics related to the identification of opportunities, the ratio of threats to opportunities, and their conversion rate for turning opportunities into achieved benefits. For greater project success, it’s imperative that we consider each of our desired outcomes and actively act on our ideas to achieve our desired end-state,” he advises. 


All recognized risks should be recorded in a single system. “With one version of the truth, we can spend time actively managing risks, as opposed to the all-too-common slog of process administration,” says Balut. “We need the flexibility for anyone to identify threats and opportunities quickly, easily, and as soon as possible. With the appropriate process and tools, we can easily capture the relevant risk data, with the confidence that we’re supporting our needs for project risk analysis and risk-based decision making to keep our project on track.” 


“We need to expand our view into what causes risks and what the consequences of realized risk might be so that we can plan for them. Basically, we want to plan for the best and prepare for the worst; in the risk management world, that means that we need to proactively take actions to prevent causes of negative events and foster causes of positive events. 

“On the consequences side, we need to be prepared to respond in a quick and pre-planned way for both negative and positive consequences. Conceptually, this process is referred to as Bow-tie Analysis – a process simplified by Active Risk Manager, Sword GRC’s enterprise risk management solution,” he says. 


“Communication, transparency, and openness allow us to honestly deal with threats and set up a firm footing for subsequent mitigation. Quality communication assists us in developing opportunities too,” Balut explains.

Suggested Communication Principles: 

  1. Identify stakeholders
  2. Know core information and requirements
  3. Leverage risk management tools
  4. Emphasize transparency and timeliness

“We want to have a culture where people are able to communicate the risks they identify, as soon as they identify them,” Balut advises. 


Outputs should provide meaningful insights to help project stakeholders perform more effectively within their project role. “The key is to provide the information in a manner that’s complete, that drives action and supports decision-making – and you want to be able to do that without people having to sift through mountains of reports and different data outputs, perhaps designed for other stakeholder levels,” he says. 

For example, project risk analysts need a very detailed view of risk data, which they are easily able to achieve in ARM, Sword GRC’s best-in-class risk management software, using Monte Carlo analysis. Reports for project stakeholders can be formatted to provide quantitative and qualitative analysis, plus metrics about risk process activity. 


“Even though past mistakes frequently are some of our most memorable experiences, we want to consider all of our experiences to avoid negative impacts for the future and to pursue positive outcomes that we may have experienced before,” advises Balut. 

Some useful tips include: 

  1. Document results and actual outcomes
  2. Analyze those results and outcomes
  3. Create and utilize a knowledge base/risk library
  4. Develop a regular project review cadence

Balut recommends that project reviews are not left until the last stage, particularly in lengthy projects whose lifecycle can run into years or even decades. “If you leave the review until the end, you are leaving valuable information untapped,” he cautions.


Balut suggests that the first six habits detailed should be part of everyday risk management processes. He acknowledges that the seventh habit, the creation of a strong risk management culture within the organization, does not happen overnight and the leadership team’s approach is fundamental to getting risk culture right. “It tends to be fostered through the questions that they ask, as well as through the way that they respond when presented with new threats and opportunities because it’s really more about how people behave than what’s written on a policy or promoted through a newsletter,” he says. 

An effective risk management culture needs to flow through all levels of the organization. Balut points out, “Risk management works best when there is a culture of openness and sharing,” and concludes, “We all have a responsibility for sharing lessons learned and ideas that can help to drive better project performance. With that in mind, we urge that all of you become advocates for change, and help create a more effective risk management culture within your organization.” 

Summarizing, Magnuson explains that these habits are best embedded so deeply within risk management practice within the business that they become foundational. The outcome? “As we implement and develop these habits, we will see incremental improvement in the quality of our projects,” he says. 

The full ‘7 Habits for Highly Effective Projects’ webinar, including examples of how Sword GRC’s enterprise risk management software can help simplify processes, together with customer examples of risk management best practice, is available to view free of charge.
