Risk Insights from The Risk Doctor

Welcome to 2018! In many languages the month January is named after Janus the two-faced Roman god of doorways, and the start of a new year is traditionally a time for review, looking back at the past 12 months and looking forward to the next. There is also a widespread custom of making “new year resolutions” to change something in the year ahead. Unfortunately, these resolutions usually last only a few weeks before old habits reassert themselves!

Calling someone “two-faced” isn’t usually a compliment, but when it comes to managing risk, it might actually be something to aim for. How can we be like Janus in our management of risk, looking backwards as well as forwards, at the same time?

Risk management is obviously about looking forwards, scanning the uncertain and unclear future in an attempt to discern what awaits us. It offers businesses, projects and individuals a “forward-looking radar”, identifying threats to be avoided and opportunities which might be captured. Even though the precise details of such uncertainties may remain unclear, the “risk radar” can make us aware of their location and size, helping us to formulate appropriate action plans in advance.

But what about the other direction, the “rear-view mirror”? Does the past have any relevance to risk management? How can risk management look backwards?

Strictly speaking there is no risk in the past, since it has already occurred (although we may remain uncertain about what actually happened and what it means!). But George Santayana said “Those who cannot remember the past are condemned to repeat it.” So we must review the past in order to learn for the future. For risk management this means addressing the following questions:

• What types of risk can be identified on my project or business? Are there any generic risks that might affect similar projects?
• Which identified risks actually occurred, and why? This includes problems that could have been foreseen as threats, and missed opportunities that could have been captured.
• What preventative actions could have been taken to minimise or avoid threats? What proactive actions could have been taken to maximise or exploit opportunities?
• Which identified risks did not occur, and why? Which responses were effective in managing risks, and which were ineffective?
• How much effort was spent on the risk process, both to execute the process, and to implement responses?
• Can any specific benefits be attributed to the risk process, e.g. reduced project duration or cost, increased business benefits or client satisfaction etc?

The results from this type of lessons-learned exercise can be used to update risk identification tools such as checklists, to incorporate preventative risk response strategies into future projects, and to improve the effectiveness of risk management. It might also be possible to estimate return on investment (ROI) for the risk process, by comparing specifically attributable benefits with process costs.

If we do not learn lessons from our past, we will repeat it. I often hear people say “This risk affects all our projects, and it usually happens!” This is shocking, from a risk perspective!! For a risk to happen once is understandable, since uncertain events can occur even on the best-managed projects. If the same risk occurs twice, that is unfortunate, because the chances should be less than the first time. But for the same risk to happen a third time is unacceptable, as it exposes a lack of learning from the past.

So as we stand on the threshold of another new year, we should look behind us as well as in front, using the rear-view mirror as well as the forward-looking radar. Of course, we must focus on the challenges ahead and use the risk process to help us move forward safely towards our objectives. But we must also remember our past, learn the lessons from our journey to this point, and not repeat the same mistakes. Happy New Year!

The word “risk” is a common and widely-used part of today’s vocabulary, relating to personal circumstances (health, pensions, insurance, investments etc.), society (terrorism, economic performance, food safety etc.), and business (corporate governance, strategy, business continuity etc.). One area where risk management has found particular prominence is in the management of projects, perhaps because of the risky nature of projects themselves.

So why are projects risky? There are some factors which are found in all projects, and which make them inherently risky, including:

• Uniqueness, involving at least some elements that have not been done before
• Complexity of various kinds, including technical, commercial, interfaces or relational
• Assumptions and constraints about the future, both explicit (open) and implicit (hidden), which may prove to be wrong
• Objectives, defining the measures by which project success will be determined, which are usually fixed and sometimes conflicting
• People, including project team members and management, clients and customers, suppliers and subcontractors, all of whom are unpredictable to some extent
• Stakeholder requirements, expectations and objectives that can be varying, overlapping and sometimes conflicting
• Change, since every project is a change agent, moving from the known present into an unknown future
• Environment within which the project exists, including both the internal organisational environment, and the external environment where changes outside the project’s control can occur

These risky characteristics are built into the nature of all projects and cannot be removed without changing the project. For example, a “project” which was not unique, had no constraints, involved no people and did not introduce change would in fact not be a project at all. Trying to remove the risky elements from a project would turn it into something else, but it would not be a project. Indeed projects are undertaken in order to gain benefits while taking the associated risks in a controlled manner. It is impossible to imagine a project without risk.

Of course some projects will be high-risk, while others have less risk, but all projects are by definition risky to some extent. The “zero-risk project” is an oxymoron – it does not and cannot exist. This of course is why risk management is such an important part of effective project management: since all projects are exposed to risk, successful projects are the ones where that risk is properly managed.

A project management magazine recently contained an article on innovation which was somewhat provocative when it stated that “Project management is about processes and risk management, and that’s the absolute antithesis of innovation.” This challenge to risk management deserves a response!

The purpose of risk management in projects and business is to seek out significant uncertainties and address them proactively. It is most effective when it considers both threats and opportunities, as recommended by most best-practice guidelines (including the PMI PMBOK Guide). Surely achieving this goal requires a great deal of innovation?

The first area where creativity is essential is in risk identification. This requires thinking the unthinkable, not being constrained by “the Plan”, but considering other options and alternatives. It asks questions such as “What if… Why not… If only… How about…?” Potential problems (threats) and unexpected benefits (opportunities) can be identified using a range of creative techniques, including brainstorming, assumptions-busting, root-cause analysis, visualisation, scenario analysis, or futures thinking. Indeed it is probably not possible to identify risks without being innovative and thinking new thoughts.

But a second part of the risk process also requires fresh thinking, namely development of effective risk responses. Einstein reputedly said “It is not possible to solve a problem using the same thinking that created it.” Just identifying risks is not enough, and if appropriate action is not taken then risk exposure will remain unchanged. However deciding what is “appropriate” for each risk demands a degree of innovation, being prepared to consider and implement actions which were previously not thought necessary. Einstein also defined insanity as “Doing the same thing over and over again and expecting different results”, which might be rephrased as “If you always do what you always did, you’ll always get what you’ve always got!” As the Chinese proverb says, “If we don’t change direction we’re likely to end up where we’re headed.”

It seems likely that the person who wrote that “risk management [is] the absolute antithesis of innovation” was probably reacting to an outdated caricature of risk management. If the aim of risk management is perceived as preventing variation from plan at all costs, desperately clinging to the original approach and refusing all change, then it is true that creativity and innovation will be stifled. But modern risk management is very different. It actively embraces and welcomes change, recognising that some risks present an opportunity to improve on the original plan by working “smarter, faster, cheaper” – there is upside as well as downside.

“Uncreative risk management” is an oxymoron which cannot exist, and risk management without innovation merely rehearses and records the inevitable. To be effective the risk process must embody innovative and creative thinking in both risk identification and response development, proactively seeking potentially significant uncertainties and addressing them appropriately. Anything less does not deserve to be called risk management.

It is often said that successful risk management should lead to fewer surprises. Risk management acts as a “forward-looking radar”, scanning the uncertain future to identify things which might pose a significant threat to be avoided or an important opportunity to be explored. Even though it may not be possible to discern every last detail of the uncertain future, the risk process aims to expose areas of particular uncertainty and indicate the best path to follow.

Despite this aim, the future does still contain surprises, both good and bad. Some future uncertainties seem to be unforeseeable. There are four reasons why it is not possible to identify all risks in advance.

1. Some risks are inherently unknowable. These are the true unknowns, where uncertainty lurks hidden in the future, unperceived by everyone until it strikes and delivers its surprise impact. In fact it might be true to say that these “unknown unknowns” are not actually risks, since they are essentially invisible to the risk process. It is as if they don’t exist until or unless they happen, when they are no longer risks but they are either unexpected problems or unplanned benefits.
2. Other risks are time-dependent, and only emerge with the passage of time. The “risk radar” can only see a limited way into the future, and some risks exist below the time horizon. It may not be possible to identify such risks until later on, when they are closer in time. Until they rise above the time horizon they will remain hidden and unidentifiable.
3. Some emergent risks are unforeseeable because they are progress-dependent. They cannot be identified until progress has been made. If a risk exists at the back of a building, I cannot discover it until I walk round the building and gain a new perspective. While I am standing in my current position at the front of the building the risk is invisible. Similarly, some integration risks may not be visible until coding and testing is complete.
4. The last group of risks which can remain hidden from the “risk radar” are response-dependent, also known as secondary risks, which only appear when action is taken to respond to an existing risk. Until action is taken these risks do not exist, so of course they cannot be seen before the response is identified.

With so many ways in which risks can be hidden from our forward-looking radar, it seems that risk identification is doomed to failure, since we are unable to identify unknowable risks, emergent risks or secondary risks. This is why risk management is not a single-shot process, but must be repeated on a regular basis. Risk identification should aim to identify all knowable risks at this point in time, recognising that some risks are currently hidden from sight. Identifiable risks should be assessed and appropriate actions should be developed. But the risk process must be iterative, coming back to identify risks which have become visible since the last time. This will include risks which have emerged with the passage of time and as a result of progress made, as well as secondary risks arising from implemented responses.

Unfortunately, risks which are inherently unknowable will always be able to surprise even the most expert user of the “risk radar”. But routine updates will minimise additional surprises from risks which are unforeseeable today but which become visible later.

For many people the idea of using the risk process to identify and manage opportunities is new, since their focus has previously been on dealing with threats. As a result, people are sometimes unsure where to find opportunities. A common concern is that proactively seeking opportunities may result in scope creep, as a result of looking for extra unplanned benefits in addition to those already defined in the agreed scope. Pursuing these optional extras might distract attention and effort from the original objectives, and could even be counter-productive.

A colleague illustrated this when he set himself an objective to lose some weight, and decided to take up running. He realised that he might discover that he really enjoyed running, and might even be quite a talented runner, so that perhaps he might be able to join a club or take part in a marathon. But do these count as opportunities, and should he be exploring them proactively? They have nothing directly to do with his original objective to lose weight, so aren’t they just additional scope to the weight-loss project?

The same situation might occur at work. If while we are trying to enhance an existing product we discover a gap in the market for a completely new product, is this a genuine opportunity to be pursued or just potential scope creep?

The answer to this important question is to treat opportunities in the same way as threats. So what happens if during a project risk assessment we identify a threat where the potential negative impact would be outside the scope of the project? Do we take responsibility for addressing this threat within our project, since if we identified it we should manage it? In fact an out-of-scope threat should be escalated to someone outside the project who can decide what to do, perhaps the project sponsor or someone in another part of the organisation.

In the same way, if we identify an opportunity which is outside the boundaries of our responsibility, we cannot just decide to include it in our project. Instead we should escalate the out-of-scope opportunity to someone who is able to decide whether and how to address it.

The key to deciding whether to escalate a risk or deal with it ourselves is to remember that all risks, both threats and opportunities, must be defined in relation to objectives. So the only risks which should be managed through a project risk process are those which could affect a project objective. Any threat or opportunity where the potential impact is outside the agreed project scope should be escalated. This ensures that these types of risk do not automatically result in scope creep, although of course a positive decision could be made to change scope to include a particularly good new opportunity or to avoid a serious wider threat.

Instead of worrying about scope creep, the search for opportunities should consider anything that might help us reach the agreed objectives. We are looking for ways of working “smarter, faster, cheaper” within the existing scope, and not trying to increase the scope. My colleague needs to find creative ways to help him lose weight more quickly with less effort, and not worry about running a marathon – unless he wants to launch a new project with a different objective.