March 2010 ■ Project Management Journal ■ DOI: 10.1002/pmj 87

Cover to CoverKenneth H. Rose, PMP, Book Review Editor

Those curious about the state of project

risk management will find Hillson’s

compact treatment of the topic

informative. He reaffirms the disci-

pline’s foundation, reviews current “best prac-

tice,” and identifies new developments. Yet, he

pulls no punches that organizations struggle

with risk management. He describes the fac-

tors he believes are necessary to be successful.

Hillson notes that risk is rooted in the con-

cept of uncertainty. His explanation gives the

reader a way of understanding the sources and

context of risk from an individual viewpoint,

broadened to the global view. He expresses the

relationship of uncertainty to risk as “uncer-

tainty that matters.” Yet, he is quick to note

that uncertainties are not equal. The challenge

is to identify what is important to the project

and design appropriate responses. This is

becoming harder to do, as project managers are falling behind in

their ability to grasp and apply knowledge timely in the “new world

order” of information and change.

Risk management has a special, if underappreciated, impor-

tance to project management because projects are particularly

risky. Common characteristics, such as complexity, assumptions,

and constraints, introduce uncertainty into projects. But with no

lack of theory for doing project management, projects continue

to fail at significant rates. Hillson maintains that a major reason

is unforeseen events—risks.

Risks, both threat and opportunity, apply whenever there are

objectives. In general, there are project-level risks and overall

project risks. The latter is greater than the sum of individual risks

on projects. Project managers represent the project view while

sponsors must interface with the overall project risk arising from

outside the project.

Hillson provides a pragmatic approach to risk management

within formal processes identified typically in standards and

methodologies. There are good descriptions of how to go about

preparing a risk management plan. For example, he addresses

how to separate risks from issues and problems using a three-

part structured risk statement to drive clarity.

On the people side, he emphasizes being aware of the atti-

tudes toward risk management. Not only do individuals carry their

own biases, but collectively groups exert influ-

ence, too. Hillson helps the reader understand

the influence of attitudes in the risk manage-

ment process. He notes that practice in overall

project risk management is weak, particularly

in risk response execution. Analysis to action is

often the missing link; people do not follow

through, which tends to reflect attitudes

toward the value of risk management.

Hillson laments the tendency to separate

risk management and project management. He

contends risk management needs to be “built-

in not bolt-on,” and woven into the complete

project life cycle to realize full benefits. Because

energy for risk management tends to wane after

identification, project managers need to sus-

tain appropriate levels of energy end-to-end in

order to do risk management well, especially to

activate risk responses effectively.

He goes on to address integration beyond the project,

between the project and the organization’s vision. This relation-

ship creates a hierarchy of risks that require attention, or enter-

prise risk management. It needs to be coordinated actively, not

just done in isolated areas. From the project perspective, the

natural interface upward is in the program structure that has its

own Program Risk Management.

To make risk management work, Hillson offers critical suc-

cess factors that have two characteristics: their presence pro-

motes effectiveness and their absence hinders it. He identifies

factors internal and external to the project. For example, a user-

friendly risk management process tends to support success for

which he offers pragmatic suggestions for implementing.

Similar treatments are there for factors external to the project,

such as management support.

Hillson gets at four primary motives for doing risk manage-

ment and notes that only one really counts. Organizations do risk

management reluctantly because of a contract or regulation. It’s

done out of a fear of failure or blame. It is done to copy someone

else. The one motive that counts, however, is demonstrating ben-

efits, and he describes a good approach to marshalling them.

Whether you are developing your own competency or trying

to jump-start better risk management in your organization, this

book is a solid resource.

Reviewed by Paul E. Shaltry, PMP, a partner in Catalyst Management

Consulting LLC, Worthington, OH, USA, and member of the PMI Standards

Program Member Advisory Group.

Managing Risk in Projectsby David Hillson

Gower Publishing Limited, 2009, ISBN:9780566088674, paperback, 126 pp.,$47.45 Member, $49.95 Nonmember.

Project Management Journal, Vol. 41, No. 1, 87© 2010 by the Project Management InstitutePublished online in Wiley InterScience (www.interscience.wiley.com)DOI: 10.1002/pmj.20156