Re: Linking Risk Management with Lessons Learnt
Interesting question.
One lesson I learned from a few poor projects was to do risk management early in a (software) project - we called it "addressing technical uncertainty first." Our lesson learned, if you will, was that when a project went badly wrong it was more often than not that we had taken a bad bet on a new idea - a new algorithm, some new technology, even a client who didn't quite know what they wanted. So at the start of the project we'd ask, of what are we uncertain?
We learned to address risks early so that we had as much time as possible to get them mitigated and, with luck, some contingency time in case the preferred mitigation failed. (One lesson learned as a result was to plan projects assuming a normal working day, reserving overtime as something to be used if early risk mitigations failed. While senior managers often balked, we never allowed them to reduce time and budget for a job by including overtime in the project budget: it was our contingency time.)
In some cases we had, not so much a lesson learned, but more a mistake made and not to be repeated - somehow. In risk management we listed it as something that would likely go wrong again, and put mitigations and fall-back plans in place. We didn't know if they'd work or not so in a sense, yes, we had open actions. At that time we weren't doing ISO 9001 (we were a small company and it was the mid-seventies) so the formalities didn't concern us.
For ISO 9001, yes, under ISO 9001:2008 one could identify the mitigations as preventive actions and close them when and if they worked, perhaps folding the good ones into defined processes. This is one area where the 2015 version of the standard will certainly sit better, I think.
I don't think risks identified are lessons learned. The two concepts are in my experience different. If the risk is identified, and the mitigation plan works, that might be a lesson learned for the next time around. For me, risk management looks forward into uncertainty, while lessons learned look back to evaluate what worked, and what didn't. I think both are essential to sound project management.
One other thing: I'd be careful to separate lessons learned from risk management somehow, to avoid risk management being completely conditioned by what went before. I think there should be an element of free thinking about this project and its risks so that risk management can help avoid lessons we don't want to learn.
Hope this helps,
Pat