It is often said that successful risk management should lead to fewer surprises. Risk management acts as a “forward-looking radar”, scanning the uncertain future to identify things which might pose a significant threat to be avoided or an important opportunity to be explored. Even though it may not be possible to discern every last detail of the uncertain future, the risk process aims to expose areas of particular uncertainty and indicate the best path to follow.
Despite this aim, the future does still contain surprises, both good and bad. Some future uncertainties seem to be unforeseeable. There are four reasons why it is not possible to identify all risks in advance.
With so many ways in which risks can be hidden from our forward-looking radar, it seems that risk identification is doomed to failure, since we are unable to identify unknowable risks, emergent risks or secondary risks. This is why risk management is not a single-shot process, but must be repeated on a regular basis. Risk identification should aim to identify all knowable risks at this point in time, recognising that some risks are currently hidden from sight. Identifiable risks should be assessed and appropriate actions should be developed. But the risk process must be iterative, coming back to identify risks which have become visible since the last time. This will include risks which have emerged with the passage of time and as a result of progress made, as well as secondary risks arising from implemented responses.
Unfortunately, risks which are inherently unknowable will always be able to surprise even the most expert user of the “risk radar”. But routine updates will minimise additional surprises from risks which are unforeseeable today but which become visible later.
For many people the idea of using the risk process to identify and manage opportunities is new, since their focus has previously been on dealing with threats. As a result, people are sometimes unsure where to find opportunities. A common concern is that proactively seeking opportunities may result in scope creep, as a result of looking for extra unplanned benefits in addition to those already defined in the agreed scope. Pursuing these optional extras might distract attention and effort from the original objectives, and could even be counter-productive.
A colleague illustrated this when he set himself an objective to lose some weight, and decided to take up running. He realised that he might discover that he really enjoyed running, and might even be quite a talented runner, so that perhaps he might be able to join a club or take part in a marathon. But do these count as opportunities, and should he be exploring them proactively? They have nothing directly to do with his original objective to lose weight, so aren’t they just additional scope to the weight-loss project?
The same situation might occur at work. If while we are trying to enhance an existing product we discover a gap in the market for a completely new product, is this a genuine opportunity to be pursued or just potential scope creep?
The answer to this important question is to treat opportunities in the same way as threats. So what happens if during a project risk assessment we identify a threat where the potential negative impact would be outside the scope of the project? Do we take responsibility for addressing this threat within our project, since if we identified it we should manage it? In fact an out-of-scope threat should be escalated to someone outside the project who can decide what to do, perhaps the project sponsor or someone in another part of the organisation.
In the same way, if we identify an opportunity which is outside the boundaries of our responsibility, we cannot just decide to include it in our project. Instead we should escalate the out-of-scope opportunity to someone who is able to decide whether and how to address it.
The key to deciding whether to escalate a risk or deal with it ourselves is to remember that all risks, both threats and opportunities, must be defined in relation to objectives. So the only risks which should be managed through a project risk process are those which could affect a project objective. Any threat or opportunity where the potential impact is outside the agreed project scope should be escalated. This ensures that these types of risk do not automatically result in scope creep, although of course a positive decision could be made to change scope to include a particularly good new opportunity or to avoid a serious wider threat.
Instead of worrying about scope creep, the search for opportunities should consider anything that might help us reach the agreed objectives. We are looking for ways of working “smarter, faster, cheaper” within the existing scope, and not trying to increase the scope. My colleague needs to find creative ways to help him lose weight more quickly with less effort, and not worry about running a marathon – unless he wants to launch a new project with a different objective.
Describing risk as “uncertainty that matters” allows for different types of consequences, and leading standards and guidelines define the concept of risk to include both upside as well as downside impacts. This means that the word “risk” can be used to describe uncertainties which if they occurred would have a negative or harmful effect, and the same word can also describe uncertainties which if they occurred would be helpful. In short, there are two types of risk: threats and opportunities.
Accepting this in principle is one thing; using it in practice is another. The traditional risk process (initiate, identify, assess/analyse, plan responses, implement, review) can clearly be used to handle both threats and opportunities. But people who have only used this process to identify and manage threats sometimes have problems extending it to deal effectively with opportunities. And the difficulties start right at the beginning: how can we identify opportunities?
The first step is to be clear about what we are looking for: uncertainties which might or might not occur, but which if they did happen would help us to achieve our objectives, for example allowing us to work smarter, faster or cheaper.
Equally important is to know where to look for opportunities. There are at least four distinct ways of finding them:
Opportunities cannot be managed unless they are identified. People familiar with identifying threats can start with these, then ask whether their absence or inverse might present an opportunity. Planned actions should also be examined to see whether they open up new possibilities to help us achieve our objectives. But “pure opportunities” must not be forgotten, since these often present the greatest potential upside of all.
Some say that risk identification is the most important phase of the risk management process, since it is impossible to manage a risk unless it has first been identified. As a result, many risk identification techniques have been developed, including brainstorms, interviews, questionnaires, checklists and prompt lists, assumptions/constraints analysis, SWOT analysis, Delphi groups, nominal group technique, root cause analysis, failure modes analysis and others. Some of these methods are creative and others draw on past experience; some can be undertaken by individuals while others require group input; some approaches are simple and rapid where others are labour-intensive and take time.
Whichever risk identification technique is used however, they all require one factor to make them effective. This powerful characteristic is possessed by all but forgotten by most. Every person is born with it, and some people work to develop theirs into a mature capability while it remains dormant in others. This risk identification tool exists in the human head, and is called the imagination.
All risk identification techniques require people to imagine potential future conditions which do not currently exist. The success of risk identification depends on people’s ability to envisage imaginary circumstances and possible futures. Without imagination, risk identification is limited to what has happened before, and specific new risks which challenge the current situation cannot be foreseen.
A range of techniques are available to stimulate the imagination, including visualisation, scenario painting, rich pictures, appreciative enquiry, story-telling and other creativity approaches. Risk practitioners should consider using these to develop their own ability to imagine possible risks, as well as to help their colleagues during the risk identification process.
One simple and fun way to encourage the imagination is the use of “fantasy questions” to expose risks in a non-threatening way. These can be employed during risk identification interviews, though they might also be used with other techniques. You can ask yourself, or you can question others. Example fantasy questions might include:
These examples are light-hearted and may not be appropriate for all situations or organisations, but the principle can be applied in a more serious way. Questions can be asked during risk identification interviews which stretch the imagination and encourage the interviewee to consider options beyond their normal experience. For example:
Questions like these (and other creativity approaches) use the imagination to take us beyond the present and the familiar, opening doors to new possibilities. In a sense all risks are imaginary since they do not yet exist, and imagination-based techniques can be powerful aids to risk identification. If you can imagine something, it could happen.
Set your imagination free and see what risks emerge!
No-one knows the future with perfect certainty, which of course is why we need risk management. But sometimes we try to guess what might happen, and use that information as a basis for planning or decision-making. The proper name for such a guess is an “assumption”, and these are an important source of risk, for projects, businesses and life in general.
An assumption is a way of dealing with an uncertain future when there are a number of possible options. In its simplest form an assumption is a decision to proceed on the basis that one option will turn out to be correct and the others will not happen. For example, we might assume that our suppliers will deliver on time, or that our client will sign-off all approvals within two weeks, or that all key members of our project team will remain for the duration of the project. But what happens if we assumed the wrong thing? In most cases a false assumption would lead to a problem for the project, since we usually tend to assume that things will go the way we want.
Of course not all assumptions matter equally. There are some assumptions which might prove false without having a significant effect on the overall project, but there are others where a different outcome could be serious. Fortunately there is a simple process for testing how risky assumptions might be, and for including them in the risk process if necessary. A simple IF-THEN statement can be written for each assumption, in the form :
The IF side tests how likely the assumption is to be unsafe, and the THEN side tests whether it matters. Another way of describing this is to see the IF statement as reflecting probability, whereas the THEN phrase is about impact. And probability and impact are the two dimensions of risk. This simple approach can be used to turn project assumptions into risks. Where an assumption is assessed as likely to be false and/or it could have a significant effect on one or more project objectives, that assumption should be considered as a candidate risk.
This type of Assumptions Analysis is a powerful way of exposing project-specific risks, since it addresses the particular assumptions made about a given project.
There are however two dangers with this technique :
The first shortcoming can be overcome by a facilitated approach to identifying and recording assumptions, using someone independent and external to the project to challenge established thinking. To be fully effective, Assumptions Analysis needs full disclosure.
For opportunity identification, the technique can be extended to address and challenge constraints. These are restrictions on what the project can or cannot do, how it must or must not proceed. But some of these constraints may not be as fixed as they first appear – indeed some of them might be assumed constraints. In fact it might be possible for a constraint to be relaxed or perhaps even removed completely. In the same way that assumptions can be tested to expose threats, a similar IF-THEN test can be applied to constraints to identify possible opportunities:
Instead of making assumptions about the future, or accepting that stated constraints are unchangeable, being prepared to challenge assumptions and constraints can expose significant threats and opportunities which can then be addressed through the risk process.