Risk Insights from The Risk Doctor

It is often said that successful risk management should lead to fewer surprises. Risk management acts as a “forward-looking radar”, scanning the uncertain future to identify things which might pose a significant threat to be avoided or an important opportunity to be explored. Even though it may not be possible to discern every last detail of the uncertain future, the risk process aims to expose areas of particular uncertainty and indicate the best path to follow.

Despite this aim, the future does still contain surprises, both good and bad. Some future uncertainties seem to be unforeseeable. There are four reasons why it is not possible to identify all risks in advance.

1. Some risks are inherently unknowable. These are the true unknowns, where uncertainty lurks hidden in the future, unperceived by everyone until it strikes and delivers its surprise impact. In fact it might be true to say that these “unknown unknowns” are not actually risks, since they are essentially invisible to the risk process. It is as if they don’t exist until or unless they happen, when they are no longer risks but they are either unexpected problems or unplanned benefits.
2. Other risks are time-dependent, and only emerge with the passage of time. The “risk radar” can only see a limited way into the future, and some risks exist below the time horizon. It may not be possible to identify such risks until later on, when they are closer in time. Until they rise above the time horizon they will remain hidden and unidentifiable.
3. Some emergent risks are unforeseeable because they are progress-dependent. They cannot be identified until progress has been made. If a risk exists at the back of a building, I cannot discover it until I walk round the building and gain a new perspective. While I am standing in my current position at the front of the building the risk is invisible. Similarly, some integration risks may not be visible until coding and testing is complete.
4. The last group of risks which can remain hidden from the “risk radar” are response-dependent, also known as secondary risks, which only appear when action is taken to respond to an existing risk. Until action is taken these risks do not exist, so of course they cannot be seen before the response is identified.

With so many ways in which risks can be hidden from our forward-looking radar, it seems that risk identification is doomed to failure, since we are unable to identify unknowable risks, emergent risks or secondary risks. This is why risk management is not a single-shot process, but must be repeated on a regular basis. Risk identification should aim to identify all knowable risks at this point in time, recognising that some risks are currently hidden from sight. Identifiable risks should be assessed and appropriate actions should be developed. But the risk process must be iterative, coming back to identify risks which have become visible since the last time. This will include risks which have emerged with the passage of time and as a result of progress made, as well as secondary risks arising from implemented responses.

Unfortunately, risks which are inherently unknowable will always be able to surprise even the most expert user of the “risk radar”. But routine updates will minimise additional surprises from risks which are unforeseeable today but which become visible later.

For many people the idea of using the risk process to identify and manage opportunities is new, since their focus has previously been on dealing with threats. As a result, people are sometimes unsure where to find opportunities. A common concern is that proactively seeking opportunities may result in scope creep, as a result of looking for extra unplanned benefits in addition to those already defined in the agreed scope. Pursuing these optional extras might distract attention and effort from the original objectives, and could even be counter-productive.

A colleague illustrated this when he set himself an objective to lose some weight, and decided to take up running. He realised that he might discover that he really enjoyed running, and might even be quite a talented runner, so that perhaps he might be able to join a club or take part in a marathon. But do these count as opportunities, and should he be exploring them proactively? They have nothing directly to do with his original objective to lose weight, so aren’t they just additional scope to the weight-loss project?

The same situation might occur at work. If while we are trying to enhance an existing product we discover a gap in the market for a completely new product, is this a genuine opportunity to be pursued or just potential scope creep?

The answer to this important question is to treat opportunities in the same way as threats. So what happens if during a project risk assessment we identify a threat where the potential negative impact would be outside the scope of the project? Do we take responsibility for addressing this threat within our project, since if we identified it we should manage it? In fact an out-of-scope threat should be escalated to someone outside the project who can decide what to do, perhaps the project sponsor or someone in another part of the organisation.

In the same way, if we identify an opportunity which is outside the boundaries of our responsibility, we cannot just decide to include it in our project. Instead we should escalate the out-of-scope opportunity to someone who is able to decide whether and how to address it.

The key to deciding whether to escalate a risk or deal with it ourselves is to remember that all risks, both threats and opportunities, must be defined in relation to objectives. So the only risks which should be managed through a project risk process are those which could affect a project objective. Any threat or opportunity where the potential impact is outside the agreed project scope should be escalated. This ensures that these types of risk do not automatically result in scope creep, although of course a positive decision could be made to change scope to include a particularly good new opportunity or to avoid a serious wider threat.

Instead of worrying about scope creep, the search for opportunities should consider anything that might help us reach the agreed objectives. We are looking for ways of working “smarter, faster, cheaper” within the existing scope, and not trying to increase the scope. My colleague needs to find creative ways to help him lose weight more quickly with less effort, and not worry about running a marathon – unless he wants to launch a new project with a different objective.

Describing risk as “uncertainty that matters” allows for different types of consequences, and leading standards and guidelines define the concept of risk to include both upside as well as downside impacts. This means that the word “risk” can be used to describe uncertainties which if they occurred would have a negative or harmful effect, and the same word can also describe uncertainties which if they occurred would be helpful. In short, there are two types of risk: threats and opportunities.

Accepting this in principle is one thing; using it in practice is another. The traditional risk process (initiate, identify, assess/analyse, plan responses, implement, review) can clearly be used to handle both threats and opportunities. But people who have only used this process to identify and manage threats sometimes have problems extending it to deal effectively with opportunities. And the difficulties start right at the beginning: how can we identify opportunities?

The first step is to be clear about what we are looking for: uncertainties which might or might not occur, but which if they did happen would help us to achieve our objectives, for example allowing us to work smarter, faster or cheaper.

Equally important is to know where to look for opportunities. There are at least four distinct ways of finding them:

1. Some opportunities arise from the absence of threats. If the bad thing does not happen we might be able to take advantage of something good instead. For example, if poor industrial relations do not lead to a strike, we might be able to introduce an incentive scheme and turn the situation round from negative to positive.
2. Other opportunities are the inverse of threats. Where a variable exists on a continuous scale and there is uncertainty over the eventual outcome, instead of just defining the risk as the downside it might also be possible to consider upside potential. For example, where the productivity rate on a new task is unknown, it might be lower than expected (a threat), or it might be higher (an opportunity).
3. We should also remember secondary risks, which are introduced by implementing a response to another risk. Sometimes by addressing one risk we can make things worse (the response creates a new threat), but it is also possible for our action to create a new opportunity. Avoiding potential delays to my car journey by taking the train might also allow me to do some useful work during the journey.
4. Lastly, we must not neglect “pure opportunities” which are unrelated to threats. These are simply unplanned good things which might happen. For example, a new design method might be released which we can apply to benefit our project. Or a new recruit to the team may unexpectedly possess a skill needed to solve a problem. This type of opportunity needs to be actively sought out, requiring fresh thinking and awareness of how potential additional benefits might be created.

Opportunities cannot be managed unless they are identified. People familiar with identifying threats can start with these, then ask whether their absence or inverse might present an opportunity. Planned actions should also be examined to see whether they open up new possibilities to help us achieve our objectives. But “pure opportunities” must not be forgotten, since these often present the greatest potential upside of all.

Some say that risk identification is the most important phase of the risk management process, since it is impossible to manage a risk unless it has first been identified. As a result, many risk identification techniques have been developed, including brainstorms, interviews, questionnaires, checklists and prompt lists, assumptions/constraints analysis, SWOT analysis, Delphi groups, nominal group technique, root cause analysis, failure modes analysis and others. Some of these methods are creative and others draw on past experience; some can be undertaken by individuals while others require group input; some approaches are simple and rapid where others are labour-intensive and take time.

Whichever risk identification technique is used however, they all require one factor to make them effective. This powerful characteristic is possessed by all but forgotten by most. Every person is born with it, and some people work to develop theirs into a mature capability while it remains dormant in others. This risk identification tool exists in the human head, and is called the imagination.

All risk identification techniques require people to imagine potential future conditions which do not currently exist. The success of risk identification depends on people’s ability to envisage imaginary circumstances and possible futures. Without imagination, risk identification is limited to what has happened before, and specific new risks which challenge the current situation cannot be foreseen.

A range of techniques are available to stimulate the imagination, including visualisation, scenario painting, rich pictures, appreciative enquiry, story-telling and other creativity approaches. Risk practitioners should consider using these to develop their own ability to imagine possible risks, as well as to help their colleagues during the risk identification process.

One simple and fun way to encourage the imagination is the use of “fantasy questions” to expose risks in a non-threatening way. These can be employed during risk identification interviews, though they might also be used with other techniques. You can ask yourself, or you can question others. Example fantasy questions might include:

• “If you were dreaming about your project and it turned into a nightmare, what would be happening?” (this question encourages people to talk about perceived threats)
• “I am your fairy godmother and you have three wishes to use on your project – what will you do first?” (this might result in identification of new opportunities)
• “If an alien joined your project team, what would they find most unusual?” (this aims to expose blind spots)

These examples are light-hearted and may not be appropriate for all situations or organisations, but the principle can be applied in a more serious way. Questions can be asked during risk identification interviews which stretch the imagination and encourage the interviewee to consider options beyond their normal experience. For example:

• “If you were a new employee and this was your first project, what questions would you ask?”
• “How might this project be different if it took place in a foreign country?”
• “When your client lies awake at night, what is he worrying about?”
• “What are your supplier’s best hopes for this project?”

Questions like these (and other creativity approaches) use the imagination to take us beyond the present and the familiar, opening doors to new possibilities. In a sense all risks are imaginary since they do not yet exist, and imagination-based techniques can be powerful aids to risk identification. If you can imagine something, it could happen.

Set your imagination free and see what risks emerge!

No-one knows the future with perfect certainty, which of course is why we need risk management. But sometimes we try to guess what might happen, and use that information as a basis for planning or decision-making. The proper name for such a guess is an “assumption”, and these are an important source of risk, for projects, businesses and life in general.

An assumption is a way of dealing with an uncertain future when there are a number of possible options. In its simplest form an assumption is a decision to proceed on the basis that one option will turn out to be correct and the others will not happen. For example, we might assume that our suppliers will deliver on time, or that our client will sign-off all approvals within two weeks, or that all key members of our project team will remain for the duration of the project. But what happens if we assumed the wrong thing? In most cases a false assumption would lead to a problem for the project, since we usually tend to assume that things will go the way we want.

Of course not all assumptions matter equally. There are some assumptions which might prove false without having a significant effect on the overall project, but there are others where a different outcome could be serious. Fortunately there is a simple process for testing how risky assumptions might be, and for including them in the risk process if necessary. A simple IF-THEN statement can be written for each assumption, in the form : 
“IF this assumption proved to be false, THEN the effect on the project would be …”

The IF side tests how likely the assumption is to be unsafe, and the THEN side tests whether it matters. Another way of describing this is to see the IF statement as reflecting probability, whereas the THEN phrase is about impact. And probability and impact are the two dimensions of risk. This simple approach can be used to turn project assumptions into risks. Where an assumption is assessed as likely to be false and/or it could have a significant effect on one or more project objectives, that assumption should be considered as a candidate risk.

This type of Assumptions Analysis is a powerful way of exposing project-specific risks, since it addresses the particular assumptions made about a given project.

There are however two dangers with this technique :
1.    The first weakness is that this technique can only consider explicit assumptions, which have been consciously made and openly communicated. There are however many implicit or hidden assumptions which we all make every day, some of which are very risky. 
2.    Secondly this approach tends only to identify downside risks, threats that a particular assumption may prove false and result in a problem for the project. Assumptions Analysis is not good at identifying opportunities because most of our assumptions are optimistic.

The first shortcoming can be overcome by a facilitated approach to identifying and recording assumptions, using someone independent and external to the project to challenge established thinking. To be fully effective, Assumptions Analysis needs full disclosure.

For opportunity identification, the technique can be extended to address and challenge constraints. These are restrictions on what the project can or cannot do, how it must or must not proceed. But some of these constraints may not be as fixed as they first appear – indeed some of them might be assumed constraints. In fact it might be possible for a constraint to be relaxed or perhaps even removed completely. In the same way that assumptions can be tested to expose threats, a similar IF-THEN test can be applied to constraints to identify possible opportunities: 
“IF this constraint could be relaxed or removed, THEN the effect on the project would be …”

Instead of making assumptions about the future, or accepting that stated constraints are unchangeable, being prepared to challenge assumptions and constraints can expose significant threats and opportunities which can then be addressed through the risk process.