How to Audit Project Risk Management

How to Audit Project Risk Management
By Harry Hall

Are your project managers consistently meeting the objectives set by your management team? How do you know if your project managers are following the appropriate project processes?

A few months ago, I conducted a Project Risk Management Workshop for a PMI Chapter. I recently received an email from a class participant inquiring about how to audit the project risk management processes.

I scheduled a conference call with three of the organization’s team members. These team members worked within a Project Management Office that was less than three years old. The PMO had implemented project risk management approximately one year ago.

Assumptions

An audit provides management assurance that their objectives are being met using efficient and effective processes. Therefore, there is an assumption that processes have been established. That is to say, the project managers have been taught the project risk management processes such as:

1. Planning for Risk Management

2. Identifying Risks

3. Evaluating Risks

4. Responding to Risks

5. Controlling Risks.

While there are different ways to approach this audit, here were my suggestions.

Steps to Audit Project Risk Management

• Define your audit goals. Why is the audit being undertaken?

• Define the scope of the audit. Is this a company, department, or team audit? Which risk management processes will be reviewed? What will not be audited?

• Define the audit assessment plan. Determine how you will collect information such as interviews or surveys. Define a template for performing an audit of each project. For example, you might assess each risk management process on a scale of 1 to 5, 5 being the highest score. Another part of the plan might include an assessment of the mitigation, contingency, and fallback plans.

• Determine who will conduct the audit. Who will conduct the review? A project manager. A team of project managers. An external consultant.

• Select projects from the project portfolio. Review the enterprise’s project portfolio. Select a sample of projects such as a small, medium, and large project.

• Request Project Documents. For each of the selected projects, ask the project manager for a copy of their Risk Management Plan, Risk Register, and Project Charter.

• Perform the audit. Assess the projects. Score each of the risk management processes. Note comments from the interviews.

• Complete the audit report. Document the findings of the review. For example, the auditor may find that the project managers are doing a great job identifying risks, but the risk owners are not responding to the risks appropriately. The author should summarize key findings and recommendations.

• Communicate audit results. Share your findings with appropriate stakeholders. You may choose to share specific results of each project with the project manager. Share the general findings with a larger audience.

After the Audit

Once the analysis is completed, determine how you will address the issues. This plan may include the sharing of lessons learned and additional training or mentoring of project managers and risk owners, to name a few.
Final Thoughts

I commended the PMO for auditing their risk management processes. Few organizations invest in project process improvement. If done properly over time, organizations can greatly improve their results.

Question: What else would you include in this informal audit?

Harry Hall, PMP, PMI-RMP, is the Director of Enterprise Risk Management at the Georgia Farm Bureau Mutual Insurance Company, one of the largest domestic insurance companies in the state of Georgia. You can read more from Harry on his blog.