Fire Your Risk Manager Now (Part 1)

 

The incomparable Walter E. Williams has written several prescient columns on the topic of the idiocy of raising the minimum wage, and he has furthered several interesting arguments in his criticisms. I think one of his most effective points is that if the minimum wage is $7.25 (USD) per hour (which it is), but any given (usually unskilled) employee is incapable of generating that amount in wealth, then no organization that seeks to turn a profit would ever hire or retain such a one.

According to Salary.com’s Salary Wizard page, risk managers typically earn between $72,033 and $132,106 (USD) per year. Forgive me for being imprudent, but I have to ask:

What does that buy you?

Obviously risk managers do not create that amount in wealth. So what, exactly, do they produce? They produce information. What kind of information? Ahh, there’s the rub. In order for risk managers to lay claim to justifying their salaries (not to mention their offices, computers, overhead accounts, and colleagues having to put up with their statistical jargon-based haranguing), they would have to show that the information stream they generate leads to, if not the realization of that amount of economic wealth, then at least the avoidance of being hit with fines or overruns equal to or exceeding that amount.

Okay, so what kind of information, specifically, do risk management-types provide? (I promise to stop writing as if some unseen person is asking me questions.) Typically, Decision-Tree or Monte Carlo analyses are based on a review of the existing scope, cost, and schedule baselines for a given project. The point of the review is to try to articulate and estimate alternate scenarios to the project execution plan documented in the baselines, and then to estimate the impacts of those scenarios should they come to pass. This fails on several levels:

·         Unless the projected alternate scenarios alter the project team’s response to events unfolding in that manner, they remain nothing but rank speculation. So what if the alternate scenario came about? Other than “I told you so” bragging rights, nothing has improved from the project managers’ point of view.

·         The possibility that something – anything – could go wrong on a project is the typical PM’s ubiquitous consideration. The quantification of this consideration is highly subjective, and adds nothing to the decision-makers’ information base.

·         Consider the risk managers’ own terminology. Events are either “known-unknown,” or “unknown-unknown.” What’s the difference? The former were documented in the risk managers’ analysis, the latter were not. It’s an inherent get-out-of-stupid-analysis-jail-free card. Did we predict it, and it came about? We’re geniuses! Did we predict it, but it didn’t come about? Well, it’s a good thing we at least thought about it! Did we fail to predict it? It was inherently unpredictable!

Now, I understand this sort of pseudo-management science has a vast following, its own ISO standard, a revered place in the PMBOK Guide®, and is entrenched in many guides on how to conduct project management. But a lot of law enforcement bodies employ psychics on major cases, especially when they’re desperate, but that doesn’t make psychics a valid avenue of forensic crime investigation. “Pet Rocks” created quite a sensation in their day, but that doesn’t make common rocks an appropriate object of our attentions or affections.

Risk managers are particularly useless in information technology projects. Will technology change in the middle of your IT project? Probably. Will the scope change, in ways both subtle and profound? Undoubtedly. That’s why Agile and Scrum were developed in the first place. Has your risk manager ever fed you information that tangibly helps mitigate, or even ameliorate, these happenstances? The successful project manager is prepared to respond in a robust manner to the unexpected events that unfold in the course of pursuing her project’s scope requirements. Attempting to quantify the odds and cost/schedule impacts of those things that may or may not go wrong is nothing more than institutional worrying, described in Gaussian terms.

I’m not even close to exhausting my criticisms of the risk management field, as currently practiced. A more complete discussion is contained in my recently-released, must-have book Game Theory in Management (Gower Publishing, 2012). For now, the simple fact remains that the future cannot be quantified. Anyone who claims to the contrary is either engaged in deceit, or in quackery. For that reason alone, you should fire your risk manager.