What Does risk management Inform, Exactly?

 

The risk management (no initial caps) practitioners are very fond of setting up elaborate risk management (no initial caps) baselines and risk registers, collecting data, processing it using various Gaussian Curve-based techniques, and delivering … well, what, precisely? Now, before said risk management (no initial caps) practitioners flood the comments section citing their preferred artifacts, let me add in just one criterion: the output has to actually inform a project-changing decision or strategy.

Some years back I came across a story about one of the earliest college-level statistics courses ever offered, where the instructor started off the first class by producing a coin from his pocket, and announcing that, when he flips the coin, there can only be one of two outcomes: it lands with the “heads” side up (showing, in relief, the image of a person), or the not-heads side (in American parlance, this would be “tails”). He then proceeded to flip the coin. According to the story, the coin landed and stayed on its edge. I don’t know if it managed to find a crack in the floor, or if it simply spun on edge until it came to rest in the vertical position. I don’t even know if the story is true, but it does illustrate something about risk management (rather than keep typing “no initial caps,” I’m just going to use the acronym “NIC”), that, no matter how hard we try, we can never capture every possible outcome to a given situation, even one as controlled as a simple coin flip.

The same phenomenon often comes into effect when discussing Game Theory. One classic example involves the Ultimatum Game, where a researcher approaches two people (Person 1 and Person 2), and offers Person 1 this deal: the researcher will give the Persons $100 (USD) if Person 1 can provide an arrangement for how the money will be split between the two Persons, and that proposal is accepted by Person 2 on the first try. The Game Theorists calculated speculated that Person 1 would maximize their payoff by proposing $99 for Person 1, and just $1 for Person 2, under the theory that Person 2, looking at receiving either $1 or nothing at all, would (naturally!) approve of this distribution scheme. In reality, such offers were almost always rejected by Persons 2. Perhaps the Persons 2 felt that the Persons 1 were being unfair, or didn’t deserve such a lopsided distribution of unearned largess, or was somehow being disrespectful. Interestingly, when the actual evidence of the Game Theorists’ wildly inaccurate calculation speculation of the optimal distribution scheme was shown to them, a common reaction was to blame “cultural factors” rather than admit that their core assumptions were flawed.

Something very similar occurs when risk managers (NIC) become aware of unforeseen negative events happening to the projects to which they are assigned that receive absolutely no mention in the risk register, or any other document, for that matter. Instead of “cultural factors,” though, the risk managers (NIC) will invoke the “unknown unknowns” category of risk events to escape such obvious evidence of the absence of validity undergirding their analyses.

But I want to take a look at what happens even on those occasions where something happens to the project they’re working, and that something is referenced in the risk register. In the simplest analogy, a project to flip a fair coin would feature a risk analyst informing the PM-coin flipper that the odds of either pre-flip choice coming about is 50/50 (assuming that no coin-holding cracks are present in the floor). How does this inform the decision to pick one side or the other? Keep in mind that this example is one of the most limited-outcome scenarios that could possibly exist. Also, such outcomes are almost always driven by randomness, unless the coin flipper has acquired the skills needed to flip the coin so precisely as to arrive at a pre-determined outcome. While randomness does afflict Project Management, if that was the sole determining factor of project outcome there would be absolutely no reason to have an educated or talented Project Team. 

So, in the PM environment, we’re looking at two aspects that absolutely blow to smithereens any credibility the risk managers (NIC) would otherwise have left:

• The PM’s actions are not random, and therefore do not match any pattern that would otherwise inform an analysis based on Gaussian curves, and
• The environment is far from controlled with respect to its potential outcomes.

With these two factors irrevocably in play, there is simply no output, no report derived from risk management (NIC) or risk analysis (ditto) that can be specific enough to inform a particular decision or tactic. But a lot of time, effort, and expertise goes into such analyses, doesn’t it?