Risk Insights from The Risk Doctor

David Hillson, The Risk Doctor, shares key tips on understanding and managing risk, blending thought-leadership with expert practical application. Managing risk is easy - find out how!


Understanding and managing risk attitude

Categories: risk psychology

Risk management is essential for business and project success, because it focuses on addressing uncertainties proactively in order to minimise threats, maximise opportunities, and optimise achievement of objectives. However, in practice risk management often fails to meet expectations, as demonstrated by repeated business and project failures. Foreseeable threats materialise into problems and crises, and achievable opportunities are missed leading to lost benefits. Clearly some essential ingredient is missing.

There is wide agreement that people are the most significant Critical Success Factor for effective management of risk. Risk management is undertaken by people, acting individually and in various groups, with a multitude of influences both explicit and covert. People adopt risk attitudes which affect every aspect of the risk process, even if they are unaware of it. Understanding and managing these attitudes would significantly increase risk management effectiveness – so what are they?

“Risk” can be defined as “uncertainty that could have a positive or negative effect on one or more objectives”, and “attitude” is “chosen state of mind, mental view or disposition with regard to a fact or state”. Combining the two gives a working definition of “risk attitude” as “chosen state of mind with regard to those uncertainties that could have a positive or negative effect on objectives”, or more simply “chosen response to perception of significant uncertainty”.

Risk attitudes exist on a spectrum from risk-aversion (uncomfortable with uncertainty), through risk-tolerant (no strong response), to risk-seeking (welcoming uncertainty). They are active at individual, group, corporate and national levels, and where they are recognised their influence on the risk process can be diagnosed and understood.

But diagnosis is different from treatment. Sometimes the risk attitude initially adopted by an individual or group may not support effective management of risk, for example if a product innovation team is risk-averse, or if a nuclear safety inspector is risk-seeking. In these cases action may be required to modify risk attitude. Recent advances in the field of Emotional Intelligence and emotional literacy provide a means by which attitudinal change can be promoted and managed, for both individuals and organisations. The key is to recognise that all attitudes are a choice, and can therefore be modified.

This subject is so big that it could fill a book*, but the first step in applying emotional literacy to the management of risk attitude is self-awareness. This applies to both individuals and groups. To start the process of understanding and managing risk attitude, four simple questions can be asked (replace “I/my” with “we/our” for a group):

  1. How do I feel in this uncertain situation?
  2. Why do I feel that?
  3. Is my response appropriate to help me achieve my objectives?
  4. If not, what am I going to do about it?

Risk psychology has been studied by academic researchers for many years, but there has not been much practical guidance on workplace application. Because risk attitude has such a major effect on all elements of the risk process, it is time to pay attention to this vital topic. Emotionally literate individuals and groups understand why they respond to risk in a particular way, and can adopt attitudes which are appropriate to the situation, helping them to maximise their risk management effectiveness.


* See Hillson D. A. & Murray-Webster R. 2007. “Understanding and managing risk attitude” (second edition). Aldershot, UK: Gower.

Posted on: August 05, 2016 03:23 AM

Brexit: Threat or opportunity?

Today marks the start of a new era of uncertainty, following the referendum vote yesterday by the UK population to leave the European Union (EU). The forthcoming British exit from the EU (so-called “Brexit”) will raise the degree of uncertainty to new high levels in many areas, including politics, trade, international relations, travel, employment, and so on. The result has already produced major volatility on global stock markets and financial exchanges, and the British Prime Minister has already announced his intention to step down within the next three months.

You may view this new reality as a good thing or you may not, or perhaps you have no strong opinion either way. In any case, the fallout is likely to affect many of us in ways that we cannot currently predict. One thing is clear: the UK’s exit from the EU is not a Black Swan because it will certainly happen. But the rustling of wings is becoming louder, and we’re bound to see one or two newly-hatched cygnets emerging in the near future.

How can risk-based thinking help us in this situation?

  • Firstly, we need to recognise that uncertainty is natural, inevitable and to be expected.
  • Secondly, we should have confidence in our ability to respond to uncertainty appropriately, either in proactive and protective ways for foreseeable risks, or in developing resilient contingency plans for the unforeseen.
  • And thirdly, perhaps most importantly, we must remember that risk includes both upside and downside. There is no doubt that some of the risks we face threaten us with unpleasant consequences, and we need to minimise these threats wherever we can. But the new political realities will also present us with new opportunities, which we should identify, exploit and maximise as far as possible.

Those of us who understand risk and who practise effective risk management are well placed to handle the inevitable uncertainties that face us today and that will emerge in the coming weeks, months and years. We are also in an ideal position to advise and assist others who are less well equipped in their ability to respond to uncertainty. Now is the time for risk practitioners to step up and make our contribution.

Posted on: June 24, 2016 11:59 AM

Making risk management work - the final step

Categories: risk responses

The risk management process is not difficult, because it is just a structured way of dealing with significant uncertainty. All you need to do is determine which objectives are at risk, then identify uncertainties that might affect their achievement. The next step is to prioritise identified risks and decide how to respond, and then take action. But although this process is simple to describe, it seems hard to make it work in practice. And the hardest part of all is the last step – implementation.

For some reason, we seem well able to identify and assess risks, and to devise appropriate responses. The problem arises with putting our plans into action, and actually doing the agreed responses. Why does this happen?

A common problem is lack of time or effort for response implementation. Many of us are so busy doing our normal tasks that we have no time to do the extra work involved with risk responses. But if we are “too busy to manage risks”, then we are “too busy”. Since risks by definition are uncertainties which if they occurred would affect accomplishment of our objectives, then addressing them is essential. Risk responses are not “optional extras”, but are vital to the successful achievement of our goals. Removing threats and capturing opportunities should be part of our normal job as we seek to maximise our chances of success. Instead we seem to believe that risk responses are additional tasks, to be performed if and when we get time, and only after we have done all our “proper work” first. Many project teams identify and assess risks, develop response plans and write a risk report, then “file and forget”. Actions are not implemented and the risk exposure remains the same. How can we overcome this barrier?

One answer is to treat agreed risk responses as normal work, with the same priority as pre-planned tasks. The following steps might help:

  • Ensure that every risk response is fully defined, with a duration, cost, resource requirement, owner, completion criteria etc.
  • Add an extra task to the project plan for every agreed response (accepting that this might also require changes to the project budget or timeline).
  • Monitor progress on these risk response tasks in exactly the same way as for all other tasks, including requiring progress reports from owners, and reviewing at project meetings.

Giving risk responses equal importance with other project tasks will encourage people to implement them. When response owners realise that these actions are important to project success, and that risk responses will be treated as legitimate project tasks, then they will give them the same degree of attention and effort as their other tasks. Viewing risk responses as “extra work, optional, different” gives them second-class status behind “real work”. Accepting that they are valid and essential tasks which make a significant contribution to achieving objectives makes sure that they will be treated seriously and actually implemented. After all, identifying risk responses but not doing them is a complete waste of time. Only when we put agreed responses into action can we change the risk exposure and improve our chances of meeting our goals.

Posted on: March 28, 2016 02:44 PM

The cost of managing risk

Categories: risk management

As we seek to manage risk effectively, questions of cost are inevitable since risk management is not free. But is it worth it? There is no “zero-cost option” for risk management, and the costs to be paid fall into three categories: one-off, ongoing, and occasional.

First are the costs of entry, paid once to establish a risk management capability. The primary cost here is for the “Three T’s”: techniques, tools and training. Any organisation wishing to manage risk has to invest in the necessary infrastructure to support the risk process. Techniques and procedures must be developed and rolled out. Tools to support the process must be bought or developed. And staff must be trained to use the techniques and tools effectively. If the entry cost is not paid, risk management remains merely a good intention, with no capability to deliver.

The second type of cost is for ongoing maintenance, to preserve an effective organisational risk management capability. It is important to keep the risk process fresh and up to date. Without ongoing development of the risk process, there is a danger of losing effectiveness. Risk management is a developing discipline, and new techniques and tools emerge regularly. Even the conceptual basis continues to grow as new ideas become accepted into the mainstream. Effective risk management requires refresher training to maintain and develop staff skills, as well as revitalising the process to incorporate recent developments and new approaches. On average an organisation should aim to refresh its risk process every 2-3 years to stay up to date.

Lastly there are the costs associated with managing risk on projects. Each project faces a unique risk challenge, and managing this incurs costs for assessing risk and for addressing risk.

  • Assessing risk: These are the costs of implementing the risk process on the project, including spending time and resources in risk identification workshops or interviews, performing risk assessments and analyses, attending risk reviews, writing risk reports etc.
  • Addressing risk: This covers the cost of executing risk response plans, those actions which were not originally in the project plan, but which are deemed necessary in order to deal appropriately with identified risks. Proactive actions are needed to avoid or reduce threats, and to exploit or enhance opportunities. Contingency and fallback plans must be put in place in case risks occur. These costs would not have been incurred if risks had not been identified, but they are necessary to optimise the chances of achieving project objectives.

If an organisation is serious about managing its risk, it must be prepared to pay these costs. This is particularly true of projects, which tend to have fixed budgets. Risk management will never be effective if it is seen as an optional zero-cost extra. The cost of assessing risk must be included in the overall project management budget, and there must be adequate contingency in the project budget to cover the costs of addressing risks.

Of course there is a cost-benefit relationship from investing in risk management. Risk management delivers a wide range of benefits to the organisation and to its projects, clients and staff. Although it is hard to measure the return on investment for risk management, it is certain that no benefits will be realised unless the organisation is prepared to pay these costs. Indeed, not paying the cost to implement risk management exposes an organisation to another unnecessary cost – unmanaged risk. This includes threats which turn into problems which could have been avoided, as well as missed opportunities which could have delivered extra benefits.

In my view, the answer to the question “Is it worth it?” is a definite yes. If we pay the cost of managing risk, we will surely reap the benefits.

Posted on: February 23, 2016 03:31 PM

Decisions, decisions

Categories: risk analysis

“The future is another country; they do things differently there”, to adapt the opening words of L P Hartley’s novel “The Go-Between”. A large part of the risk management process involves looking into the future and trying to understand what might happen and whether it matters. One important quantitative technique which might help is decision tree analysis. This has been neglected in recent years but is enjoying something of a revival. Some people feel it should be reserved for strategic decisions, and others regard the technique as complex and difficult. But at heart it is really quite simple, and can be applied to many different uncertain situations.

The decision tree approach recognises that there are two major factors which affect the future – choice and chance. And in evaluating these we need to consider two parameters – costs and consequences. These four elements form the basis of decision tree analysis.

  • The first step in building a decision tree is to identify the choices we must make in trying to achieve our objectives. These choices form the branches of the tree. For example “make or buy”, “in-house or out-sourced”, “fast-track or traditional”, “innovative or proven approach”, “supplier A or B”, “low or high priority”. Each of these decisions leads to different outcomes, which are reflected in the decision tree using the other three elements.
  • The simplest factor associated with alternative choices is cost, including both implementation cost and opportunity cost. In some cases this may be negative, reflecting a saving. But it is important to accept that making a choice is rarely a zero-cost action, and an estimate of this must be included against each branch of the decision tree.
  • Chance is also an important variable associated with different decision options. Each alternative could have a range of possible outcomes, though some choices could lead only to one certain result. For example different technology options may have different chances of success, or alternative contractors may be more or less reliable. Where there is uncertainty over the result of a decision, this must be identified and assessed, including the estimated probability of each outcome. And some chance events might also open up the possibility of new choices, producing a series of nested branches within the tree.
  • Finally the decision tree must address consequences. If a particular decision option were to be taken, incurring both cost and risk, the final result must be estimated, which is usually the payoff for implementing that decision. This is typically expressed in financial terms, though other measures can be used. The decision tree structure describes the predicted outcome of each choice/chance combination, representing the leaves at the end of each branch.

Having built the decision tree from these four components, it can then be analysed to determine the most favourable choice, taking into account the related costs, chances and consequences. First each possible forward path through the tree is followed and its value is calculated by accumulating the costs and payoffs from beginning to end. Then using these path values and working backwards from the end of each branch, the “expected value” of each choice is calculated, taking probability-weighted consequences when chances occur. The branch with the highest expected value becomes the recommended decision option.
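The rollback described above can be worked through in a few lines of Python. This is an added example, not code from the original post: the node classes, function names and the "make or buy" figures are all constructed for illustration, and costs are netted at each choice during rollback, which gives the same result as accumulating them along each path.

```python
from dataclasses import dataclass

@dataclass
class Leaf:            # consequence: payoff at the end of a branch
    payoff: float

@dataclass
class Chance:          # chance: list of (probability, next node)
    outcomes: list

@dataclass
class Choice:          # choice: {label: (cost of choosing it, next node)}
    options: dict

def expected_value(node):
    """Roll back from the leaves: weight chances, take the best choice."""
    if isinstance(node, Leaf):
        return node.payoff
    if isinstance(node, Chance):
        if abs(sum(p for p, _ in node.outcomes) - 1.0) > 1e-9:
            raise ValueError("chance probabilities must sum to 1")
        return sum(p * expected_value(child) for p, child in node.outcomes)
    return max(option_values(node).values())

def option_values(choice):
    """Expected value of each option, net of the cost of choosing it."""
    return {label: expected_value(child) - cost
            for label, (cost, child) in choice.options.items()}

def recommend(choice):
    """Risk-neutral recommendation: the option with the highest expected value."""
    values = option_values(choice)
    best = max(values, key=values.get)
    return best, values[best]

# Constructed sample figures (in thousands), not taken from the post.
# A failed in-house build opens a nested choice: rework or abandon.
recovery = Choice({
    "rework":  (30, Chance([(0.8, Leaf(150)), (0.2, Leaf(0))])),
    "abandon": (0, Leaf(10)),
})
MAKE_OR_BUY = Choice({
    "make": (50, Chance([(0.6, Leaf(200)), (0.4, recovery)])),
    "buy":  (80, Chance([(0.9, Leaf(180)), (0.1, Leaf(60))])),
})

if __name__ == "__main__":
    for label, value in option_values(MAKE_OR_BUY).items():
        print(f"{label}: expected value {value:.1f}")
    print("recommended:", recommend(MAKE_OR_BUY))
```

With these constructed figures "make" is recommended even though it carries the larger chance of failure, because the nested rework option recovers much of the value on the failure branch.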

There are several challenges in using decision trees effectively, including the practical limitation of the technique to analysing a small number of decision options with a limited range of possible risks. The typical project involves many decisions at different levels, each with a wide range of associated risks, and trying to reflect this in a single decision tree could result in a massive and unusable model. The technique also requires all factors to be represented quantitatively – cost and consequences are usually expressed in financial terms, and probability must be estimated for all chances. And decision tree analysis also assumes a “risk-neutral decision maker” whose choices are based on highest expected value – which is rarely the case.

Despite these limitations, decision tree analysis presents a powerful quantitative technique for assessing possible futures, taking into account the effects of both choice and chance and estimating both costs and consequences.

Posted on: January 04, 2016 10:27 AM