Risk Management: Important or Effective (or both)?
From the Risk Insights from The Risk Doctor Blog
by David Hillson
We recently conducted some research in partnership with Peter Kulik to investigate how organisations perceive the value of risk management. The survey addressed a number of different aspects, but two questions were particularly interesting. The first question asked “How important is risk management to project success?”, with possible answers chosen from extremely important, very important, important, somewhat important, not important. The second question asked “How effective is risk management on your projects?”, with answers ranging from extremely effective, very effective, effective, somewhat effective, or ineffective. Of course the raw data was interesting in itself, but the correlation between answers to these two questions was fascinating. If the answers to each question are simplified into two options (positive or negative), then there are four possible combinations:
- Risk management is important and effective
- Risk management is important but not effective
- Risk management is not important and not effective
- Risk management is not important but it is (somehow) effective
Perhaps the fourth combination is not really feasible, since it would be unusual for risk management to be effective if the organisation does not consider it to be important. Indeed if it is viewed as unimportant it might not be done at all. But the other three combinations represent different levels of risk management maturity, and organisations in each of these three groups might be expected to act in very different ways.
Where risk management is seen as important and it is also effectively delivering the promised benefits (Combination 1), those organisations could become champions for risk management, demonstrating how it can work, and persuading others to follow their lead. These risk-mature organisations might be prepared to supply case studies and descriptions of best-practice, allowing others to learn from their good experience.
If an organisation believes that risk management is important but is not finding it to be effective in practice (Combination 2), then they should consider launching an improvement initiative to benchmark and develop their risk management capability. Tackling the Critical Success Factors (CSFs) for effective risk management will lead to enhanced capability and maturity, allowing the organisation to reap the expected benefits. Key CSFs include a risk-aware culture, efficient processes, experienced and skilled staff, and consistent application, among others.
It is not surprising that risk management is ineffective in organisations which believe that it is unimportant (Combination 3), as it is not possible to manage risk effectively without some degree of commitment and buy-in. These risk-immature organisations should be persuaded and educated about the benefits of risk management to the business – a task best performed by convinced insiders who can show how proactive management of risk could be applied to meet the specific challenges of the organisation.
It is a good idea for every organisation to review its position on risk management against the two dimensions of importance and effectiveness, and to take appropriate action to move up the scale of risk management maturity. Risk management offers genuine and significant benefits to organisations, their projects and their stakeholders, but these will never be achieved without recognition of the importance of managing risk at all levels in the business, matched with operational effectiveness in executing risk management in practice.
Posted on: November 16, 2015 06:14 AM
Comments (10)
Sergio Luis Conte
Helping to create solutions for everyone| Worldwide based Organizations
Buenos Aires, Argentina
Thanks for sharing. Totally agree. Trying to add something, I found that it is better to implement actions to manage risks in a way where the organization is not aware that you are working on risk management. What I mean is try to use project life cycles, stakeholder management, procurement management, project scope management, project quality management process and strategies focused on avoiding/mitigating/transferring risk but not following the PMI's process for risk management defined in the PMBOK. I found that it is more suitable for a great number of organizations that do not have a traditional risk management culture because of the business where they are competing.
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thanks for your perceptive comment Sergio. I agree that a softly-softly approach can be useful in getting people actually to manage risk, without using a formal risk management process. Indeed, in my view, every project management discipline is actually focused on managing some form of risk. For example, developing a WBS is about reducing scope risk – we know what is in the project and what is not. Estimating is about addressing cost risk, and scheduling tackles time risk. Team leadership aims to manage people risk. Procurement is about contractual risk. And so on…
If this is true, then why do we need risk management? In my view, these basic pm disciplines are about managing the typical risks that arise on most (all?) projects. But how do we deal with unique risks that we’ve not seen before? That should be where risk management fits in – identifying risks that are not covered by the routine pm processes and techniques, prioritising them so we know which are the main ones, and giving us time to develop proactive responses.
So yes, I support your approach to get people managing risk through the other pm processes you mention (project life cycles, stakeholder management, procurement management, project scope management, project quality management process), but I still think you need a separate risk process.
Sergio Luis Conte
Helping to create solutions for everyone| Worldwide based Organizations
Buenos Aires, Argentina
I agree with you about the need for a separate risk process. In fact, if we agree that we start a project in order to create a product/service/result to take advantage of a market opportunity (or something outside there in the external or internal environment that helps the organization to get what is needed to survive, grow and develop) the risk is inherent to the need and it is "present" in all you will use to plan, execute, control and close the project.
Andreia Reis
PMO Coordenator| Adimax Indústria e Comércio de Alimentos
Mairinque, São Paulo, Brazil
Thank you for sharing and I totally agree, when you mentioned that "every organisation to review its position on risk management against the two dimensions of importance and effectiveness". For me the risk management is important and effective, because in my point of view it is necessary to reach success that company is compromised with proactive approach and aware of the risk management all over the project, because always there will be risk from the moment in that the project is designed. Now effectiveness will depend on how it will be conducted.
Very useful article
Best Regards,
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thanks for adding your support to this post Andreia - glad you liked it! I hope your organisation is successful in ensuring that risk management is as effective as possible.
Thank you for sharing, completely agree with your point of view.
I think we all at some point have dealt with “combination 3” where at the onset no one sees value or has time for “Risk Management” and related activities but as soon as things go awry everyone blames everyone else but won’t admit they should have invested more time and resources in risk management planning, identification, analysis, response planning and controlling.
It takes great organizational maturity to allocate sufficient resources for proper risk management to realize the value in “combination 1”.
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thanks for your support Amer. I agree entirely. But organisations in Combination 3 present a great opportunity for us to show them the way and make a real difference to their rates of successful delivery of value.
Vincent Guerard
Coach - Trainer - Speaker - Advisor| Freelance
Mont-Royal, Quebec, Canada
I don't know the response choice to “How effective is risk management on your projects?”. If the choice was a possible rating, it would be interesting to view the distribution for those saying risk is not important (combination 3).
Then compare it with distribution from combination 1.
Thanks for sharing
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thanks for your comment Vincent. The response choices are detailed at the beginning of this blog post. For effectiveness, it says:
"The second question asked “How effective is risk management on your projects?”, with answers ranging from extremely effective, very effective, effective, somewhat effective, or ineffective."
As you can imagine, there is a lot of detailed analysis that can be done on these data, but that would be too detailed for a blog posting!!