The cost of managing risk
From the Risk Insights from The Risk Doctor Blog
by David Hillson
As we seek to manage risk effectively, questions of cost are inevitable since risk management is not free. But is it worth it? There is no “zero-cost option” for risk management, and the costs to be paid fall into three categories: one-off, ongoing, and occasional.
First are the costs of entry, paid once to establish a risk management capability. The primary cost here is for the “Three T’s”: techniques, tools and training. Any organisation wishing to manage risk has to invest in the necessary infrastructure to support the risk process. Techniques and procedures must be developed and rolled out. Tools to support the process must be bought or developed. And staff must be trained to use the techniques and tools effectively. If the entry cost is not paid, risk management remains merely a good intention, with no capability to deliver.
The second type of cost is for ongoing maintenance, to preserve an effective organisational risk management capability. It is important to keep the risk process fresh and up to date. Without ongoing development of the risk process, there is a danger of losing effectiveness. Risk management is a developing discipline, and new techniques and tools emerge regularly. Even the conceptual basis continues to grow as new ideas become accepted into the mainstream. Effective risk management requires refresher training to maintain and develop staff skills, as well as revitalising the process to incorporate recent developments and new approaches. On average an organisation should aim to refresh its risk process every 2-3 years to stay up to date.
Lastly there are the costs associated with managing risk on projects. Each project faces a unique risk challenge, and managing this incurs costs for assessing risk and for addressing risk.
- Assessing risk: These are the costs of implementing the risk process on the project, including spending time and resources in risk identification workshops or interviews, performing risk assessments and analyses, attending risk reviews, writing risk reports etc.
- Addressing risk: This covers the cost of executing risk response plans, those actions which were not originally in the project plan, but which are deemed necessary in order to deal appropriately with identified risks. Proactive actions are needed to avoid or reduce threats, and to exploit or enhance opportunities. Contingency and fallback plans must be put in place in case risks occur. These costs would not have been incurred if risks had not been identified, but they are necessary to optimise the chances of achieving project objectives.
If an organisation is serious about managing its risk, it must be prepared to pay these costs. This is particularly true of projects, which tend to have fixed budgets. Risk management will never be effective if it is seen as an optional zero-cost extra. The cost of assessing risk must be included in the overall project management budget, and there must be adequate contingency in the project budget to cover the costs of addressing risks.
Of course there is a cost-benefit relationship from investing in risk management. Risk management delivers a wide range of benefits to the organisation and to its projects, clients and staff. Although it is hard to measure the return on investment for risk management, it is certain that no benefits will be realised unless the organisation is prepared to pay these costs. Indeed, not paying the cost to implement risk management exposes an organisation to another unnecessary cost – unmanaged risk. This includes threats which turn into problems which could have been avoided, as well as missed opportunities which could have delivered extra benefits.
In my view, the answer to the question “Is it worth it?” is a definite yes. If we pay the cost of managing risk, we will surely reap the benefits.
Posted on: February 23, 2016 03:31 PM
Comments (13)
George Lewis
Program/Project Manager| DXC Technology Company
Heredia, Costa Rica
Thanks for sharing. Sometimes there is the assumption that there is no cost in managing risks, but I agree: “Is it worth it?” is a definite yes. If we pay the cost of managing risk, we will surely reap the benefits.
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Good overview David,
it reminded me of the concept of CoQ = Cost of Quality (cost of conformance + cost of non-conformance) which is minimized when both sides of the sum are balanced.
Is there a similar representation for risk? A CoR?
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Hi Thomas. That's a great comparison. As far as I know there is no formal CoR metric, but that's exactly what I was aiming at.
If we compare with CoQ, then the "cost of conformance" is the cost of establishing a risk management capability and implementing it, including the cost of agreed risk responses. And the "cost of non-conformance" is the impact of avoidable threats that turn into problems, and missed opportunities that should have been captured.
But with CoR we're not aiming to balance the two of these factors. We're calculating a ROI for risk management, based on the benefits from implementing risk management divided by the Total CoR.
Thanks for suggesting this interesting link.
Rami Kaibni
Community Champion
Senior Projects Manager | Field & Marten Associates
New Westminster, British Columbia, Canada
I like the fact that it resembles somehow the CoQ in terms of how it is structured. This is very useful and maybe adding a CoR would be a future metric, why not. Great Post David!
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thanks Rami. I think with Thomas's help we may have discovered something new and useful!
Ayman Omar Atallah
Deputy Project Control Manager| Consolidated Contractors Company
Doha, Qatar
Very nice simple words to summarize the very important processes of Risk Management that are often overlooked and handled lightly by practitioners.
Hi David, Identifying costs as those relating to ongoing entry, maintenance, assessment and addressing is excellent! At the same time, estimating the cost of unmanaged risk may not always be straightforward or easy.
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
@Ayman. Thanks, I'm glad you found this helpful. Risk management should not be too difficult!!
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
@Prabhaker. Thanks for your contribution to this topic. In my view, the cost of unmanaged risk has two components: (1) The additional cost arising from the effect of a threat that turns into a problem; and (2) The opportunity cost of missed savings that we could have made if we had captured an opportunity.
I think it should be quite straightforward to calculate this, don't you?
Rogerio Santos
Director| .: RIZ | iko Software :.
Rio De Janeiro, Rj, Brazil
Great! I can't agree more!
The question is who will pay for unmanaged risk? Sponsors with their money and managers with their jobs!
David Hillson
The Risk Doctor| The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thanks Rogerio. I'm not sure that sponsors should pay for all unmanaged risk? This depends on the form of contract. Sometimes the client or a supplier might be the cause of unmanaged risk, and the contract may allow the cost to be claimed from them. But generally the cost of unmanaged risk becomes part of the project budget, and if the project over-runs then someone has to pay!
And I hope you are not right about the project manager's job?!! ;-)
@David: I agree. Cost of a risk turning into problem and opportunity cost are good candidates.