Risk Insights from The Risk Doctor

Welcome to 2018! In many languages the month January is named after Janus the two-faced Roman god of doorways, and the start of a new year is traditionally a time for review, looking back at the past 12 months and looking forward to the next. There is also a widespread custom of making “new year resolutions” to change something in the year ahead. Unfortunately, these resolutions usually last only a few weeks before old habits reassert themselves!

Calling someone “two-faced” isn’t usually a compliment, but when it comes to managing risk, it might actually be something to aim for. How can we be like Janus in our management of risk, looking backwards as well as forwards, at the same time?

Risk management is obviously about looking forwards, scanning the uncertain and unclear future in an attempt to discern what awaits us. It offers businesses, projects and individuals a “forward-looking radar”, identifying threats to be avoided and opportunities which might be captured. Even though the precise details of such uncertainties may remain unclear, the “risk radar” can make us aware of their location and size, helping us to formulate appropriate action plans in advance.

But what about the other direction, the “rear-view mirror”? Does the past have any relevance to risk management? How can risk management look backwards?

Strictly speaking there is no risk in the past, since it has already occurred (although we may remain uncertain about what actually happened and what it means!). But George Santayana said “Those who cannot remember the past are condemned to repeat it.” So we must review the past in order to learn for the future. For risk management this means addressing the following questions:

• What types of risk can be identified on my project or business? Are there any generic risks that might affect similar projects?
• Which identified risks actually occurred, and why? This includes problems that could have been foreseen as threats, and missed opportunities that could have been captured.
• What preventative actions could have been taken to minimise or avoid threats? What proactive actions could have been taken to maximise or exploit opportunities?
• Which identified risks did not occur, and why? Which responses were effective in managing risks, and which were ineffective?
• How much effort was spent on the risk process, both to execute the process, and to implement responses?
• Can any specific benefits be attributed to the risk process, e.g. reduced project duration or cost, increased business benefits or client satisfaction etc?

The results from this type of lessons-learned exercise can be used to update risk identification tools such as checklists, to incorporate preventative risk response strategies into future projects, and to improve the effectiveness of risk management. It might also be possible to estimate return on investment (ROI) for the risk process, by comparing specifically attributable benefits with process costs.

If we do not learn lessons from our past, we will repeat it. I often hear people say “This risk affects all our projects, and it usually happens!” This is shocking, from a risk perspective!! For a risk to happen once is understandable, since uncertain events can occur even on the best-managed projects. If the same risk occurs twice, that is unfortunate, because the chances should be less than the first time. But for the same risk to happen a third time is unacceptable, as it exposes a lack of learning from the past.

So as we stand on the threshold of another new year, we should look behind us as well as in front, using the rear-view mirror as well as the forward-looking radar. Of course, we must focus on the challenges ahead and use the risk process to help us move forward safely towards our objectives. But we must also remember our past, learn the lessons from our journey to this point, and not repeat the same mistakes. Happy New Year!

The word “risk” is a common and widely-used part of today’s vocabulary, relating to personal circumstances (health, pensions, insurance, investments etc.), society (terrorism, economic performance, food safety etc.), and business (corporate governance, strategy, business continuity etc.). One area where risk management has found particular prominence is in the management of projects, perhaps because of the risky nature of projects themselves.

So why are projects risky? There are some factors which are found in all projects, and which make them inherently risky, including:

• Uniqueness, involving at least some elements that have not been done before
• Complexity of various kinds, including technical, commercial, interfaces or relational
• Assumptions and constraints about the future, both explicit (open) and implicit (hidden), which may prove to be wrong
• Objectives, defining the measures by which project success will be determined, which are usually fixed and sometimes conflicting
• People, including project team members and management, clients and customers, suppliers and subcontractors, all of whom are unpredictable to some extent
• Stakeholder requirements, expectations and objectives that can be varying, overlapping and sometimes conflicting
• Change, since every project is a change agent, moving from the known present into an unknown future
• Environment within which the project exists, including both the internal organisational environment, and the external environment where changes outside the project’s control can occur

These risky characteristics are built into the nature of all projects and cannot be removed without changing the project. For example, a “project” which was not unique, had no constraints, involved no people and did not introduce change would in fact not be a project at all. Trying to remove the risky elements from a project would turn it into something else, but it would not be a project. Indeed projects are undertaken in order to gain benefits while taking the associated risks in a controlled manner. It is impossible to imagine a project without risk.

Of course some projects will be high-risk, while others have less risk, but all projects are by definition risky to some extent. The “zero-risk project” is an oxymoron – it does not and cannot exist. This of course is why risk management is such an important part of effective project management: since all projects are exposed to risk, successful projects are the ones where that risk is properly managed.

A project management magazine recently contained an article on innovation which was somewhat provocative when it stated that “Project management is about processes and risk management, and that’s the absolute antithesis of innovation.” This challenge to risk management deserves a response!

The purpose of risk management in projects and business is to seek out significant uncertainties and address them proactively. It is most effective when it considers both threats and opportunities, as recommended by most best-practice guidelines (including the PMI PMBOK Guide). Surely achieving this goal requires a great deal of innovation?

The first area where creativity is essential is in risk identification. This requires thinking the unthinkable, not being constrained by “the Plan”, but considering other options and alternatives. It asks questions such as “What if… Why not… If only… How about…?” Potential problems (threats) and unexpected benefits (opportunities) can be identified using a range of creative techniques, including brainstorming, assumptions-busting, root-cause analysis, visualisation, scenario analysis, or futures thinking. Indeed it is probably not possible to identify risks without being innovative and thinking new thoughts.

But a second part of the risk process also requires fresh thinking, namely development of effective risk responses. Einstein reputedly said “It is not possible to solve a problem using the same thinking that created it.” Just identifying risks is not enough, and if appropriate action is not taken then risk exposure will remain unchanged. However deciding what is “appropriate” for each risk demands a degree of innovation, being prepared to consider and implement actions which were previously not thought necessary. Einstein also defined insanity as “Doing the same thing over and over again and expecting different results”, which might be rephrased as “If you always do what you always did, you’ll always get what you’ve always got!” As the Chinese proverb says, “If we don’t change direction we’re likely to end up where we’re headed.”

It seems likely that the person who wrote that “risk management [is] the absolute antithesis of innovation” was probably reacting to an outdated caricature of risk management. If the aim of risk management is perceived as preventing variation from plan at all costs, desperately clinging to the original approach and refusing all change, then it is true that creativity and innovation will be stifled. But modern risk management is very different. It actively embraces and welcomes change, recognising that some risks present an opportunity to improve on the original plan by working “smarter, faster, cheaper” – there is upside as well as downside.

“Uncreative risk management” is an oxymoron which cannot exist, and risk management without innovation merely rehearses and records the inevitable. To be effective the risk process must embody innovative and creative thinking in both risk identification and response development, proactively seeking potentially significant uncertainties and addressing them appropriately. Anything less does not deserve to be called risk management.

As we seek to manage risk effectively, questions of cost are inevitable since risk management is not free. But is it worth it? There is no “zero-cost option” for risk management, and the costs to be paid fall into three categories : one-off, ongoing, and occasional.

First are the costs of entry, paid once to establish a risk management capability. The primary cost here is for the “Three T’s”: techniques, tools and training. Any organisation wishing to manage risk has to invest in the necessary infrastructure to support the risk process. Techniques and procedures must be developed and rolled out. Tools to support the process must be bought or developed. And staff must be trained to use the techniques and tools effectively. If the entry cost is not paid, risk management remains merely a good intention, with no capability to deliver.

The second type of costs are for ongoing maintenance, to preserve an effective organisational risk management capability. It is important to keep the risk process fresh and up to date. Without ongoing development of the risk process, there is a danger of losing effectiveness. Risk management is a developing discipline, and new techniques and tools emerge regularly. Even the conceptual basis continues to grow as new ideas become accepted into the mainstream. Effective risk management requires refresher training to maintain and develop staff skills, as well as revitalising the process to incorporate recent developments and new approaches. On average an organisation should aim to refresh its risk process every 2-3 years to stay up to date.

Lastly there are the costs associated with managing risk on projects. Each project faces a unique risk challenge, and managing this incurs costs for assessing risk and for addressing risk.

• Assessing risk : These are the costs of implementing the risk process on the project, including spending time and resources in risk identification workshops or interviews, performing risk assessments and analyses, attending risk reviews, writing risk reports etc.
• Addressing risk : This covers the cost of executing risk response plans, those actions which were not originally in the project plan, but which are deemed necessary in order to deal appropriately with identified risks. Proactive actions are needed to avoid or reduce threats, and to exploit or enhance opportunities. Contingency and fallback plans must be put in place in case risks occur. These costs would not have been incurred if risks had not been identified, but they are necessary to optimise the chances of achieving project objectives.

If an organisation is serious about managing its risk, it must be prepared to pay these costs. This is particularly true of projects, which tend to have fixed budgets. Risk management will never be effective if it is seen as an optional zero-cost extra. The cost of assessing risk must be included in the overall project management budget, and there must be adequate contingency in the project budget to cover the costs of addressing risks.

Of course there is a cost-benefit relationship from investing in risk management. Risk management delivers a wide range of benefits to the organisation and to its projects, clients  and staff. Although it is hard to measure the return on investment for risk management, it is certain that no benefits will be realised unless the organisation is prepared to pay these costs. Indeed, not paying the cost to implement risk management exposes an organisation to another unnecessary cost – unmanaged risk. This includes threats which turn into problems which could have been avoided, as well as missed opportunities which could have delivered extra benefits.

In my view, the answer to the question “Is it worth it?” is a definite yes. If we pay the cost of managing risk, we will surely reap the benefits.

Following on from my last blog posting (“Risk Management: Important or Effective (or both)?”), you might be interested in the stats from our research. We had 561 responses, and the number of respondents choosing each option were as follows:

   1. Risk management is important and effective

           228 responses (41%)

   2. Risk management is important but not effective

           236 responses (42%)

   3. Risk management is not important and not effective

           93 responses (17%)

   4. Risk management is not important but it is (somehow) effective

           4 responses (<1%)

It’s encouraging to see that the vast majority (83%) believe that risk management is important, but it’s also worrying that only half of these people, teams and organisations feel that their risk management is effective. Clearly there is work to be done in applying risk management in practice. This is likely to involve the Three T’s (Tools, Techniques, Training), and a lot of support and advice is available in the marketplace for these areas.

Even more worrying are the 17% who say that risk management is not important! This means that one in six individuals, teams and organisations believe that they do not need a structured approach to enable them to look ahead and prepare for what’s coming. Instead they are happy to be reactive, deal with things as they arrive, and hope for the best. Those of us in the majority who recognise the importance of risk management have some persuading to do! We need to be selling the benefits of risk management to our colleagues, explaining how and why it helps us to be more successful, and demonstrating the value of risk management in action.

Maybe we should conduct this research again in a few years and see if the position has improved. It would be great if everyone knew that risk management was important, even if we aren't all fully effective (yet) in managing risk in practice.