Risk Insights from The Risk Doctor

David Hillson, The Risk Doctor, shares key tips on understanding and managing risk, blending thought-leadership with expert practical application. Managing risk is easy - find out how!


Innovative risk management

Categories: risk management

A project management magazine recently contained an article on innovation which was somewhat provocative when it stated that “Project management is about processes and risk management, and that’s the absolute antithesis of innovation.” This challenge to risk management deserves a response!

The purpose of risk management in projects and business is to seek out significant uncertainties and address them proactively. It is most effective when it considers both threats and opportunities, as recommended by most best-practice guidelines (including the PMI PMBOK Guide). Surely achieving this goal requires a great deal of innovation?

The first area where creativity is essential is in risk identification. This requires thinking the unthinkable, not being constrained by “the Plan”, but considering other options and alternatives. It asks questions such as “What if… Why not… If only… How about…?” Potential problems (threats) and unexpected benefits (opportunities) can be identified using a range of creative techniques, including brainstorming, assumptions-busting, root-cause analysis, visualisation, scenario analysis, or futures thinking. Indeed it is probably not possible to identify risks without being innovative and thinking new thoughts.

But a second part of the risk process also requires fresh thinking, namely development of effective risk responses. Einstein reputedly said “It is not possible to solve a problem using the same thinking that created it.” Just identifying risks is not enough, and if appropriate action is not taken then risk exposure will remain unchanged. However deciding what is “appropriate” for each risk demands a degree of innovation, being prepared to consider and implement actions which were previously not thought necessary. Einstein also defined insanity as “Doing the same thing over and over again and expecting different results”, which might be rephrased as “If you always do what you always did, you’ll always get what you’ve always got!” As the Chinese proverb says, “If we don’t change direction we’re likely to end up where we’re headed.”

It seems likely that the person who wrote that “risk management [is] the absolute antithesis of innovation” was probably reacting to an outdated caricature of risk management. If the aim of risk management is perceived as preventing variation from plan at all costs, desperately clinging to the original approach and refusing all change, then it is true that creativity and innovation will be stifled. But modern risk management is very different. It actively embraces and welcomes change, recognising that some risks present an opportunity to improve on the original plan by working “smarter, faster, cheaper” – there is upside as well as downside.

“Uncreative risk management” is an oxymoron which cannot exist, and risk management without innovation merely rehearses and records the inevitable. To be effective the risk process must embody innovative and creative thinking in both risk identification and response development, proactively seeking potentially significant uncertainties and addressing them appropriately. Anything less does not deserve to be called risk management.

Posted on: March 11, 2017 02:49 AM

Happy New Year 2017: Two-faced Risk Management

Categories: risk management

Welcome to 2017! In many languages the month January is named after Janus the two-faced Roman god of doorways, and the start of a new year is traditionally a time for review, looking back at the past 12 months and looking forward to the next. There is also a widespread custom of making “new year resolutions” to change something in the year ahead. Unfortunately these resolutions usually last only a few weeks before old habits reassert themselves!

Risk management is about looking forwards, scanning the uncertain and unclear future in an attempt to discern what awaits us. It offers businesses, projects and individuals a “forward-looking radar”, identifying threats to be avoided and opportunities which might be captured. Even though the precise details of such uncertainties may remain unclear, the “risk radar” can make us aware of their location and size, helping us to formulate appropriate action plans in advance.

But what about the other direction, the “rear-view mirror”? Does the past have any relevance to risk management?

Strictly speaking there is no risk in the past, since it has already occurred (although we may remain uncertain about what actually happened and what it means!). But George Santayana said “Those who cannot remember the past are condemned to repeat it.” So we must review the past in order to learn for the future. For risk management this means addressing the following questions:

  • What types of risk can be identified on my project or business? Are there any generic risks that might affect similar projects?
  • Which identified risks actually occurred, and why? This includes problems that could have been foreseen as threats, and missed opportunities that could have been captured.
  • What preventative actions could have been taken to minimise or avoid threats? What proactive actions could have been taken to maximise or exploit opportunities?
  • Which identified risks did not occur, and why? Which responses were effective in managing risks, and which were ineffective?
  • How much effort was spent on the risk process, both to execute the process, and to implement responses?
  • Can any specific benefits be attributed to the risk process, e.g. reduced project duration or cost, increased business benefits or client satisfaction, etc.?

The results from this type of lessons-learned exercise can be used to update risk identification tools such as checklists, to incorporate preventative risk response strategies into future projects, and to improve the effectiveness of risk management. It might also be possible to estimate return on investment (ROI) for the risk process, by comparing specifically attributable benefits with process costs.

If we do not learn lessons from our past, we will repeat it. People often say “This risk affects all our projects, and it usually happens!” For a risk to happen once is understandable, since uncertain events can occur even on the best-managed projects. If the same risk occurs twice, that is unfortunate, because the chances should be less than the first time. But for the same risk to happen a third time is unacceptable, as it exposes a lack of learning from the past.

So as we stand on the threshold of the New Year, we should look back as well as forward. Of course we must focus on the challenges ahead and use the risk process to help us move forward safely towards our objectives. But we must also remember our past, learn the lessons from our journey to this point, and not repeat the same mistakes. Happy New Year!

Posted on: December 31, 2016 10:40 AM

Why some risks turn into surprises

Categories: risk identification

It is often said that successful risk management should lead to fewer surprises. Risk management acts as a “forward-looking radar”, scanning the uncertain future to identify things which might pose a significant threat to be avoided or an important opportunity to be explored. Even though it may not be possible to discern every last detail of the uncertain future, the risk process aims to expose areas of particular uncertainty and indicate the best path to follow.

Despite this aim, the future does still contain surprises, both good and bad. Some future uncertainties seem to be unforeseeable. There are four reasons why it is not possible to identify all risks in advance.

  1. Some risks are inherently unknowable. These are the true unknowns, where uncertainty lurks hidden in the future, unperceived by everyone until it strikes and delivers its surprise impact. In fact it might be true to say that these “unknown unknowns” are not actually risks, since they are essentially invisible to the risk process. It is as if they don’t exist until or unless they happen, when they are no longer risks but they are either unexpected problems or unplanned benefits.
  2. Other risks are time-dependent, and only emerge with the passage of time. The “risk radar” can only see a limited way into the future, and some risks exist below the time horizon. It may not be possible to identify such risks until later on, when they are closer in time. Until they rise above the time horizon they will remain hidden and unidentifiable.
  3. Some emergent risks are unforeseeable because they are progress-dependent. They cannot be identified until progress has been made. If a risk exists at the back of a building, I cannot discover it until I walk round the building and gain a new perspective. While I am standing in my current position at the front of the building the risk is invisible. Similarly, some integration risks may not be visible until coding and testing is complete.
  4. The last group of risks which can remain hidden from the “risk radar” are response-dependent, also known as secondary risks, which only appear when action is taken to respond to an existing risk. Until action is taken these risks do not exist, so of course they cannot be seen before the response is identified.

With so many ways in which risks can be hidden from our forward-looking radar, it seems that risk identification is doomed to failure, since we are unable to identify unknowable risks, emergent risks or secondary risks. This is why risk management is not a single-shot process, but must be repeated on a regular basis. Risk identification should aim to identify all knowable risks at this point in time, recognising that some risks are currently hidden from sight. Identifiable risks should be assessed and appropriate actions should be developed. But the risk process must be iterative, coming back to identify risks which have become visible since the last time. This will include risks which have emerged with the passage of time and as a result of progress made, as well as secondary risks arising from implemented responses.

Unfortunately, risks which are inherently unknowable will always be able to surprise even the most expert user of the “risk radar”. But routine updates will minimise additional surprises from risks which are unforeseeable today but which become visible later.

Posted on: December 14, 2016 11:14 AM

Are project opportunities the same as scope creep?

Categories: risk identification

For many people the idea of using the risk process to identify and manage opportunities is new, since their focus has previously been on dealing with threats. As a result, people are sometimes unsure where to find opportunities. A common concern is that proactively seeking opportunities may result in scope creep, as a result of looking for extra unplanned benefits in addition to those already defined in the agreed scope. Pursuing these optional extras might distract attention and effort from the original objectives, and could even be counter-productive.

A colleague illustrated this when he set himself an objective to lose some weight, and decided to take up running. He realised that he might discover that he really enjoyed running, and might even be quite a talented runner, so that perhaps he might be able to join a club or take part in a marathon. But do these count as opportunities, and should he be exploring them proactively? They have nothing directly to do with his original objective to lose weight, so aren’t they just additional scope to the weight-loss project?

The same situation might occur at work. If while we are trying to enhance an existing product we discover a gap in the market for a completely new product, is this a genuine opportunity to be pursued or just potential scope creep?

The answer to this important question is to treat opportunities in the same way as threats. So what happens if during a project risk assessment we identify a threat where the potential negative impact would be outside the scope of the project? Do we take responsibility for addressing this threat within our project, since if we identified it we should manage it? In fact an out-of-scope threat should be escalated to someone outside the project who can decide what to do, perhaps the project sponsor or someone in another part of the organisation.

In the same way, if we identify an opportunity which is outside the boundaries of our responsibility, we cannot just decide to include it in our project. Instead we should escalate the out-of-scope opportunity to someone who is able to decide whether and how to address it.

The key to deciding whether to escalate a risk or deal with it ourselves is to remember that all risks, both threats and opportunities, must be defined in relation to objectives. So the only risks which should be managed through a project risk process are those which could affect a project objective. Any threat or opportunity where the potential impact is outside the agreed project scope should be escalated. This ensures that these types of risk do not automatically result in scope creep, although of course a positive decision could be made to change scope to include a particularly good new opportunity or to avoid a serious wider threat.

Instead of worrying about scope creep, the search for opportunities should consider anything that might help us reach the agreed objectives. We are looking for ways of working “smarter, faster, cheaper” within the existing scope, and not trying to increase the scope. My colleague needs to find creative ways to help him lose weight more quickly with less effort, and not worry about running a marathon – unless he wants to launch a new project with a different objective.

Posted on: October 11, 2016 08:33 AM

How to find opportunities

Categories: risk identification

Describing risk as “uncertainty that matters” allows for different types of consequences, and leading standards and guidelines define the concept of risk to include both upside and downside impacts. This means that the word “risk” can be used to describe uncertainties which if they occurred would have a negative or harmful effect, and the same word can also describe uncertainties which if they occurred would be helpful. In short, there are two types of risk: threats and opportunities.

Accepting this in principle is one thing; using it in practice is another. The traditional risk process (initiate, identify, assess/analyse, plan responses, implement, review) can clearly be used to handle both threats and opportunities. But people who have only used this process to identify and manage threats sometimes have problems extending it to deal effectively with opportunities. And the difficulties start right at the beginning: how can we identify opportunities?

The first step is to be clear about what we are looking for: uncertainties which might or might not occur, but which if they did happen would help us to achieve our objectives, for example allowing us to work smarter, faster or cheaper.

Equally important is to know where to look for opportunities. There are at least four distinct ways of finding them:

  1. Some opportunities arise from the absence of threats. If the bad thing does not happen we might be able to take advantage of something good instead. For example, if poor industrial relations do not lead to a strike, we might be able to introduce an incentive scheme and turn the situation round from negative to positive.
  2. Other opportunities are the inverse of threats. Where a variable exists on a continuous scale and there is uncertainty over the eventual outcome, instead of just defining the risk as the downside it might also be possible to consider upside potential. For example, where the productivity rate on a new task is unknown, it might be lower than expected (a threat), or it might be higher (an opportunity).
  3. We should also remember secondary risks, which are introduced by implementing a response to another risk. Sometimes by addressing one risk we can make things worse (the response creates a new threat), but it is also possible for our action to create a new opportunity. Avoiding potential delays to my car journey by taking the train might also allow me to do some useful work during the journey.
  4. Lastly, we must not neglect “pure opportunities” which are unrelated to threats. These are simply unplanned good things which might happen. For example, a new design method might be released which we can apply to benefit our project. Or a new recruit to the team may unexpectedly possess a skill needed to solve a problem. This type of opportunity needs to be actively sought out, requiring fresh thinking and awareness of how potential additional benefits might be created.

Opportunities cannot be managed unless they are identified. People familiar with identifying threats can start with these, then ask whether their absence or inverse might present an opportunity. Planned actions should also be examined to see whether they open up new possibilities to help us achieve our objectives. But “pure opportunities” must not be forgotten, since these often present the greatest potential upside of all.

Posted on: August 23, 2016 04:07 AM