Risk management is essential for business and project success, because it focuses on addressing uncertainties proactively in order to minimise threats, maximise opportunities, and optimise achievement of objectives. However, in practice risk management often fails to meet expectations, as demonstrated by repeated business and project failures. Foreseeable threats materialise into problems and crises, and achievable opportunities are missed leading to lost benefits. Clearly some essential ingredient is missing.
There is wide agreement that people are the most significant Critical Success Factor for effective management of risk. Risk management is undertaken by people, acting individually and in various groups, with a multitude of influences both explicit and covert. People adopt risk attitudes which affect every aspect of the risk process, even if they are unaware of it. Understanding and managing these attitudes would significantly increase risk management effectiveness – so what are they?
“Risk” can be defined as “uncertainty that could have a positive or negative effect on one or more objectives”, and “attitude” is “chosen state of mind, mental view or disposition with regard to a fact or state”. Combining the two gives a working definition of “risk attitude” as “chosen state of mind with regard to those uncertainties that could have a positive or negative effect on objectives”, or more simply “chosen response to perception of significant uncertainty”.
Risk attitudes exist on a spectrum from risk-aversion (uncomfortable with uncertainty), through risk-tolerant (no strong response), to risk-seeking (welcoming uncertainty). They are active at individual, group, corporate and national levels, and where they are recognised their influence on the risk process can be diagnosed and understood.
But diagnosis is different from treatment. Sometimes the risk attitude initially adopted by an individual or group may not support effective management of risk, for example if a product innovation team is risk-averse, or if a nuclear safety inspector is risk-seeking. In these cases action may be required to modify risk attitude. Recent advances in the field of Emotional Intelligence and emotional literacy provide a means by which attitudinal change can be promoted and managed, for both individuals and organisations. The key is to recognise that all attitudes are a choice, and can therefore be modified.
This subject is so big that it could fill a book*, but the first step in applying emotional literacy to the management of risk attitude is self-awareness. This applies to both individual and groups. To start the process of understanding and managing risk attitude, four simple questions can be asked (replace “I/my” with “we/our” for a group) :
Risk psychology has been studied by academic researchers for many years, but there has not been much practical guidance on workplace application. Because risk attitude has such a major effect on all elements of the risk process, it is time to pay attention to this vital topic. Emotionally literate individuals and groups understand why they respond to risk in a particular way, and can adopt attitudes which are appropriate to the situation, helping them to maximise their risk management effectiveness.
* See Hillson D. A. & Murray-Webster R. 2007. “Understanding and managing risk attitude” (second edition). Aldershot, UK: Gower.
Today marks the start of a new era of uncertainty, following the referendum vote yesterday by the UK population to leave the European Union (EU). The forthcoming British exit from the EU (so-called “Brexit”) will raise the degree of uncertainty to new high levels in many areas, including politics, trade, international relations, travel, employment, and so on. The result has already produced major volatility on global stock markets and financial exchanges, and the British Prime Minister has already announced his intention to step down within the next three months.
You may view this new reality as a good thing or you may not, or perhaps you have no strong opinion either way. In any case, the fallout is likely to affect many of us in ways that we cannot currently predict. One thing is clear: the UK’s exit from the EU is not a Black Swan because it will certainly happen. But the rustling of wings is becoming louder, and we’re bound to see one or two newly-hatched cygnets emerging in the near future.
How can risk-based thinking help us in this situation?
Those of us who understand risk and who practise effective risk management are well placed to handle the inevitable uncertainties that face us today and that will emerge in the coming weeks, months and years. We are also in an ideal position to advise and assist others who are less well equipped in their ability to respond to uncertainty. Now is the time for risk practitioners to step up and make our contribution.
The risk management process is not difficult, because it is just a structured way of dealing with significant uncertainty. All you need to do is determine which objectives are at risk, then identify uncertainties that might affect their achievement. The next step is to prioritise identified risks and decide how to respond, and then take action. But although this process is simple to describe, it seems hard to make it work in practice. And the hardest part of all is the last step – implementation.
For some reason, we seem well able to identify and assess risks, and to devise appropriate responses. The problem arises with putting our plans into action, and actually doing the agreed responses. Why does this happen?
A common problem is lack of time or effort for response implementation. Many of us are so busy doing our normal tasks that we have no time to do the extra work involved with risk responses. But if we are “too busy to manage risks”, then we are “too busy”. Since risks by definition are uncertainties which if they occurred would affect accomplishment of our objectives, then addressing them is essential. Risk responses are not “optional extras”, but are vital to the successful achievement of our goals. Removing threats and capturing opportunities should be part of our normal job as we seek to maximise our chances of success. Instead we seem to believe that risk responses are additional tasks, to be performed if and when we get time, and only after we have done all our “proper work” first. Many project teams identify and assess risks, develop response plans and write a risk report, then “file and forget”. Actions are not implemented and the risk exposure remains the same. How can we overcome this barrier?
One answer is to treat agreed risk responses as normal work, with the same priority as pre-planned tasks. The following steps might help:
Giving risk responses equal importance with other project tasks will encourage people to implement them. When response owners realise that these actions are important to project success, and that risk responses will be treated as legitimate project tasks, then they will give them the same degree of attention and effort as their other tasks. Viewing risk responses as “extra work, optional, different” gives them second-class status behind “real work”. Accepting that they are valid and essential tasks which make a significant contribution to achieving objectives makes sure that they will be treated seriously and actually implemented. After all, identifying risk responses but not doing them is a complete waste of time. Only when we put agreed responses into action can we change the risk exposure and improve our chances of meeting our goals.
The cost of managing risk
Categories: risk management
As we seek to manage risk effectively, questions of cost are inevitable since risk management is not free. But is it worth it? There is no “zero-cost option” for risk management, and the costs to be paid fall into three categories : one-off, ongoing, and occasional.
First are the costs of entry, paid once to establish a risk management capability. The primary cost here is for the “Three T’s”: techniques, tools and training. Any organisation wishing to manage risk has to invest in the necessary infrastructure to support the risk process. Techniques and procedures must be developed and rolled out. Tools to support the process must be bought or developed. And staff must be trained to use the techniques and tools effectively. If the entry cost is not paid, risk management remains merely a good intention, with no capability to deliver.
The second type of costs are for ongoing maintenance, to preserve an effective organisational risk management capability. It is important to keep the risk process fresh and up to date. Without ongoing development of the risk process, there is a danger of losing effectiveness. Risk management is a developing discipline, and new techniques and tools emerge regularly. Even the conceptual basis continues to grow as new ideas become accepted into the mainstream. Effective risk management requires refresher training to maintain and develop staff skills, as well as revitalising the process to incorporate recent developments and new approaches. On average an organisation should aim to refresh its risk process every 2-3 years to stay up to date.
Lastly there are the costs associated with managing risk on projects. Each project faces a unique risk challenge, and managing this incurs costs for assessing risk and for addressing risk.
If an organisation is serious about managing its risk, it must be prepared to pay these costs. This is particularly true of projects, which tend to have fixed budgets. Risk management will never be effective if it is seen as an optional zero-cost extra. The cost of assessing risk must be included in the overall project management budget, and there must be adequate contingency in the project budget to cover the costs of addressing risks.
Of course there is a cost-benefit relationship from investing in risk management. Risk management delivers a wide range of benefits to the organisation and to its projects, clients and staff. Although it is hard to measure the return on investment for risk management, it is certain that no benefits will be realised unless the organisation is prepared to pay these costs. Indeed, not paying the cost to implement risk management exposes an organisation to another unnecessary cost – unmanaged risk. This includes threats which turn into problems which could have been avoided, as well as missed opportunities which could have delivered extra benefits.
In my view, the answer to the question “Is it worth it?” is a definite yes. If we pay the cost of managing risk, we will surely reap the benefits.
Categories: risk analysis
“The future is another country; they do things differently there”, to adapt the opening words of L P Hartley’s novel “The Go Between”. A large part of the risk management process involves looking into the future and trying to understand what might happen and whether it matters. One important quantitative technique which might help is decision tree analysis. This has been neglected in recent years but is enjoying something of a revival. Some people feel it should be reserved for strategic decisions, and others regard the technique as complex and difficult. But at heart it is really quite simple, and can be applied to many different uncertain situations.
Having built the decision tree from these four components, it can then be analysed to determine the most favourable choice, taking into account the related costs, chances and consequences. First each possible forward path through the tree is followed and its value is calculated by accumulating the costs and payoffs from beginning to end. Then using these path values and working backwards from the end of each branch, the “expected value” of each choice is calculated, taking probability-weighted consequences when chances occur. The branch with the highest expected value becomes the recommended decision option.
There are several challenges in using decision trees effectively, including the practical limitation of the technique to analysing a small number of decision options with a limited range of possible risks. The typical project involves many decisions at different levels, each with a wide range of associated risks, and trying to reflect this in a single decision tree could result in a massive and unusable model. The technique also require all factors to be represented quantitatively – cost and consequences are usually expressed in financial terms, and probability must be estimated for all chances. And decision tree analysis also assumes a “risk-neutral decision maker” whose choices are based on highest expected value – which is rarely the case.