VOICES In the Trenches
Zombie
Risks
How to prevent retired risks from
coming back to life.
By Rex M. Holmlin, PMP
I teach project management to undergraduate and
graduate students, as well as students in continu-
ing corporate education programs. During one
class on project risk management, we discussed
retiring risks once the activities associated with
them were complete. That’s when a student asked,
“What about zombie risks?”
He had worked on a project in which the team
diligently identified risks and included them in the
risk register. As the likelihood of each risk became
low enough, the team retired it, and the contin-
gency funds set aside for that risk were freed up
for other purposes.
Unfortunately, after being retired, one risk
“came back to life”—much like a zombie—and
was realized. At this point, the funds associated
with the risk response plan had been used for
other purposes.
In our discussion about zombie risks, three
important points emerged. First, project risk man-
agement tools should be integrated with other
tools we use in project management
to provide a better understanding of
interdependencies. One option is to
map risks to either the work breakdown
structure (WBS) and/or the project
schedule. (For more information on
this, see the PMI Global Congress paper
Understanding Risk Exposure Using
Multiple Hierarchies by David Hillson,
PhD, PMP, PMI Fellow.)
By mapping risks to the WBS, we
know which deliverables have risks
associated with them. We also get a
much better idea about where clusters
of risk may lie in our project. A project
team could map risks directly to activi-
ties in the schedule, but there is potential value in
taking a “top-down” approach and mapping to the
WBS first. While risks may be primarily associated
with a particular activity, mapping to the WBS and
then decomposing deliverables into activities could
better identify other relationships or dependencies.
A second theme in our discussion on preventing
zombie risks was the need for a structured process
for risk retirement and the release of funds associ-
ated with the risk. When should a risk be retired?
When the activity it is primarily associated with
is complete? Or when a deliverable the activity is
associated with is complete? Making this decision
takes considerable judgment, and organizations
could benefit from a formalized discussion about
risk retirement, as well as a documented risk
retirement process.
Lastly, the discussion stressed the importance of
the role of risk owner, the project team member
who is charged with monitoring and managing a
particular risk. The risk owner should have a very
clearly delineated role to play in recommending
risk retirement and requesting release of contingency funds associated with that risk.
With these processes in place, project teams can
make sure their risks won’t come back to haunt
them after they’ve been retired. PM
Rex M. Holmlin, PMP, is a visiting professor of
project management in the Mason School of
Business at the College of William and Mary, Williamsburg, Virginia, USA.