Risk Insights from The Risk Doctor

The risk management process is not difficult, because it is just a structured way of dealing with significant uncertainty. All you need to do is determine which objectives are at risk, then identify uncertainties that might affect their achievement. The next step is to prioritise identified risks and decide how to respond, and then take action. But although this process is simple to describe, it seems hard to make it work in practice. And the hardest part of all is the last step – implementation.

For some reason, we seem well able to identify and assess risks, and to devise appropriate responses. The problem arises with putting our plans into action, and actually doing the agreed responses. Why does this happen?

A common problem is lack of time or effort for response implementation. Many of us are so busy doing our normal tasks that we have no time to do the extra work involved with risk responses. But if we are “too busy to manage risks”, then we are “too busy”. Since risks by definition are uncertainties which if they occurred would affect accomplishment of our objectives, then addressing them is essential. Risk responses are not “optional extras”, but are vital to the successful achievement of our goals. Removing threats and capturing opportunities should be part of our normal job as we seek to maximise our chances of success. Instead we seem to believe that risk responses are additional tasks, to be performed if and when we get time, and only after we have done all our “proper work” first. Many project teams identify and assess risks, develop response plans and write a risk report, then “file and forget”. Actions are not implemented and the risk exposure remains the same. How can we overcome this barrier?

One answer is to treat agreed risk responses as normal work, with the same priority as pre-planned tasks. The following steps might help:

• Ensure that every risk response is fully defined, with a duration, cost, resource requirement, owner, completion criteria etc.
• Add an extra task to the project plan for every agreed response (accepting that this might also require changes to the project budget or timeline).
• Monitor progress on these risk response tasks in exactly the same way as for all other tasks, including requiring progress reports from owners, and reviewing at project meetings.

Giving risk responses equal importance with other project tasks will encourage people to implement them. When response owners realise that these actions are important to project success, and that risk responses will be treated as legitimate project tasks, then they will give them the same degree of attention and effort as their other tasks. Viewing risk responses as “extra work, optional, different” gives them second-class status behind “real work”. Accepting that they are valid and essential tasks which make a significant contribution to achieving objectives makes sure that they will be treated seriously and actually implemented. After all, identifying risk responses but not doing them is a complete waste of time. Only when we put agreed responses into action can we change the risk exposure and improve our chances of meeting our goals.

Five frogs are sitting on a log; Four decide to jump off :
How many frogs are on the log?

Which is the most difficult step in the risk management process? Where do most businesses and projects fail to gain the benefits of their attempts to manage risk proactively? If your organisation is typical, there’s one particular step where it all seems to go wrong, and the risk management process becomes just another frustrating hoop to jump through, with no tangible benefits.

So, is it the initial risk management planning step, defining project objectives and setting the context and scope for the risk process? Although many try to start identifying risks without first defining their objectives, this is not inherently difficult to do.

There are many well-tried techniques for risk identification, and most projects seem well able to list a number of uncertainties that could affect them. Of course it’s vital to ensure that risk identification identifies risks, and not related non-risks (e.g. causes, effects, problems or issues), but this step is usually OK.

Prioritising risks using qualitative assessment techniques to estimate probability and impact is easy, as long as terms are defined and agreed in advance, and thresholds are set to determine which risks are significant. Quantitative analysis using simulation techniques such as Monte Carlo simulation may seem technically difficult to the non-expert, but these methods are not always required, and good user-friendly risk analysis tools exist to help in the analysis.

How about risk response planning, where strategies are selected to address each identified risk in a way that will be appropriate, affordable and achievable, and actions are developed and agreed to implement those strategies? Again, given a structured approach to response development, this shouldn’t pose too many problems, if the risks are well understood.

What comes next, after response planning? Is the risk process complete when responses have been agreed? This is the point where analysis needs to be turned into action if the risk process is to influence the risk exposure of the project. The process so far has just provided information about the risks facing the project, but identification, assessment, analysis and planning do not actually affect the risks. Only action can make a difference.

And it is precisely at this point where most organisations allow their risk process to falter, without making the vital transition from plans to actions. If risk responses are not implemented proactively and effectively, the risk process will be a waste of time, since nothing will change.

What has this to do with frogs? Well the answer to the riddle is … five. There are still five frogs on the log, because there’s a big difference between deciding and doing!

And if the risk process ends with merely deciding what could be done about each risk, but doesn’t go on to implement those plans, the frogs are still sat on the log. So how can we get the frogs off the log?

A few simple steps will ensure that risk responses become more than just wishful thinking or good intentions, but that instead they are translated into effective action:

1. Make sure that each risk response has an agreed owner to be responsible & accountable for its execution
2. Allocate realistic durations, budgets and resources to each agreed risk response
3. Add agreed risk responses to the project plan as new activities
4. Monitor each risk response like any other project activity, reviewing & reporting progress etc.

Of course it is vital to go through the earlier stages of the risk process, to identify risks, assess their significance, plan responses and decide actions. But risk cannot be managed unless “deciding” is turned into “doing”. So next time you finish planning how to respond to your risks, remember to go the next step, leap into action, and get the frogs off the log!

It is easy to understand why some people think that the risk response development phase is the most important part of the risk process. This is where we get the chance to make a difference to the risk exposure of our project. If we design and implement good risk responses to address the risks we have identified and assessed, we will be able to minimise threats and maximise opportunities, and so optimise the likelihood of achieving our objectives. But if our risk responses are ineffective (or not implemented), the level of risk exposure remains unchanged – or may even get worse!

But how can we tell if our risk responses are good enough? Can we assess their potential effectiveness before we decide to implement them? Here are seven “Grade A” criteria by which you can test whether your planned risk responses are likely to work. To be effective, all proposed risk responses should be:

1.    Appropriate – The correct level of response must be determined, based on the significance of the risk. This ranges from a crisis response where the project cannot proceed without the risk being addressed, through to a “do nothing” response for minor risks. We should not spend large amounts of time or effort developing aggressive responses for minor risks, but we must also not spend too little time considering how to deal with key risks.

2.    Affordable – The cost-effectiveness of risk responses must be determined, so that the amount of time, effort and money spent on addressing the risk does not exceed the available budget or the degree of risk exposure. Each risk response should also have an agreed budget, added to the approved project cost plan.

3.    Actionable – An action window should be determined, defining the time within which risk responses need to be completed in order to address the risk. Some risks require immediate action, while others can safely be left until later. We must be careful not to leave it too late before we act.

4.    Achievable – There is no point in describing risk responses which are not realistically achievable or feasible, either technically or within the scope of our capability and responsibility. If your planned response is “Hope for a miracle” or “Invent a radical new solution”, you may be disappointed! 

5.    Assessed – All proposed risk responses must work! The “risk-effectiveness” of a response is best determined by making a “post-response risk assessment”. This assesses the level of residual risk assuming effective implementation of the response, including secondary risks of course. The situation after implementing the risk response must be better than before!

6.    Agreed – The consensus and commitment of relevant stakeholders should be obtained before agreeing responses, especially if the proposed response might affect a part of the project in which they have an interest.

7.    Allocated & Accepted – Each risk response should be owned by a single person (and accepted by them) to ensure a single point of responsibility and accountability for implementing the response. Allocating risk responses requires careful delegation, including provision of the necessary resources and support to allow effective action to be taken.

Each proposed risk response should be assessed against these seven criteria before it is accepted. A “Grade A” response will pass all these tests, and is more likely to achieve the desired effect than a response which has not been properly considered or evaluated.