Any formal 'project' conducts a risk analysis. It is standard practice. But, in most cases, it is not practiced well.

Firstly, while 'decision trees' and other methods may be used, often quite fundamental relevant risks are missed.

Secondly, there seems to be a view that all risks can be treated the same, whereas there are risks that are a potential threat that may or may not occur, risks that exist and need to managed down and risks that exist and cannot be changed but their implications need to be carefully managed. How each of these types of risks is managed should be different.

Thirdly, risk registers abound but contain so much data that, even on an A3 sheet of paper, the room for risk mitigation action recording is minimal. At best, a sentence or two exists. The rest if left to chance. Most importantly, little discussion is held as to what the desired end state is of the risk management approach for any one risk. So, how do you know if you're successful?

There are eight project risk dimensions

1. Critical success factors — factors that need to exist or go right for this project to be successful

2. Project-specific risks — threats to this particular project

3. Project delivery risks — systemic risks to the successful delivery of the project itself, applicable to all projects

4. Benefits delivery risks — systemic risks to the successful delivery of the benefits, applicable to all projects

5. Business risks — risks to the business, its customers and suppliers from this project, applicable to all projects

6. Design risks — risks that the solution/output delivered is not what was asked for or expected

7. Corporate risks — risks to the success and survival of the organization that any one project may impact (increasing or decreasing)

8. Leading indicators of failure — project trends that cumulatively can spell disaster for the project.

Over the coming weeks we'll discuss each of these risk dimensions and how they need to be managed.

However, there is another dimension to project risk that formal risk approaches often ignore — the 'Swiss-cheese' effect.

It is rare that a single risk will bring down a project. What causes most problems is when a series of mishaps, mistakes, events and other minor happenings occur simultaneously or in quick succession causing a disaster.

You know the sort of thing, the automatic backup machine is late being delivered, the person who has managed the backups leaves, the new person starts the process but gets lost and fails to finish and then the system goes down losing all current data. . . So, while we can formally and effectively manage project risks, we must always be wary of these 'Swiss-cheese' events — when all of the 'holes' in the cheese line up and something falls through it — that can easily bring our project down.

To read Jed's last column, 12 Ways to Ensure Your Projects Never Fail, click here

Jed Simms is CIO magazine's weekly project management columnist. Simms, founder of projects and benefits delivery research firm Capability Management, is also the developer of specialized project management and project governance Web site www.project-sponsor.com