Firstly, let's be clear that the responsibility
for risk management is ultimately that of the project sponsor / owner. As with most management issues, this is delegated to the project
manager. The project manager may choose to undertake risk management activities
personally, but like most other project activities, it may be
delegated to a specialist.
The person undertaking a risk assessment,
including workshops and reviews should posses the following attributes:
Experienced in the risk management process and
IT projects. Probably an experienced project manager, or risk management
specialist. Is comfortable with risk management tools.
Someone not immediately involved in the
project in other capacities. (People who are too close to the project may
not be able to be as objective).
Superior facilitation skills
Excellent verbal and written communication
Ability to negotiate with senior management.
A risk management 'champion'. That is,
someone who will not be distracted from the process as a result of other
The person does not have to be available full
time - just for the initial assessment and periodic reviews.
The same person who undertakes the initial
assessments should manage the follow up reviews.
If using a contractor / consultant, avoid
those in competition to other contractors on the project.
Otherwise there is the the potential for commercial competitiveness to
influence the results.
Likewise, avoid contractors being supplied by
a company supplying key project resources, as there is the potential
for a conflict of interests.
This role lends itself to being undertaken
by an external contractor, who has the ability to remain objective, and does not
get caught up in other project tasks. this is particularly important as the
project progresses, and the key focus is on faster delivery. It also means you
can bring the person in only as needed.