Risk Insights from The Risk Doctor

Describing risk as “uncertainty that matters” allows for different types of consequences, and leading standards and guidelines define the concept of risk to include both upside as well as downside impacts. This means that the word “risk” can be used to describe uncertainties which if they occurred would have a negative or harmful effect, and the same word can also describe uncertainties which if they occurred would be helpful. In short, there are two types of risk: threats and opportunities.

Accepting this in principle is one thing; using it in practice is another. The traditional risk process (initiate, identify, assess/analyse, plan responses, implement, review) can clearly be used to handle both threats and opportunities. But people who have only used this process to identify and manage threats sometimes have problems extending it to deal effectively with opportunities. And the difficulties start right at the beginning: how can we identify opportunities?

The first step is to be clear about what we are looking for: uncertainties which might or might not occur, but which if they did happen would help us to achieve our objectives, for example allowing us to work smarter, faster or cheaper.

Equally important is to know where to look for opportunities. There are at least four distinct ways of finding them:

1. Some opportunities arise from the absence of threats. If the bad thing does not happen we might be able to take advantage of something good instead. For example, if poor industrial relations do not lead to a strike, we might be able to introduce an incentive scheme and turn the situation round from negative to positive.
2. Other opportunities are the inverse of threats. Where a variable exists on a continuous scale and there is uncertainty over the eventual outcome, instead of just defining the risk as the downside it might also be possible to consider upside potential. For example, where the productivity rate on a new task is unknown, it might be lower than expected (a threat), or it might be higher (an opportunity).
3. We should also remember secondary risks, which are introduced by implementing a response to another risk. Sometimes by addressing one risk we can make things worse (the response creates a new threat), but it is also possible for our action to create a new opportunity. Avoiding potential delays to my car journey by taking the train might also allow me to do some useful work during the journey.
4. Lastly, we must not neglect “pure opportunities” which are unrelated to threats. These are simply unplanned good things which might happen. For example, a new design method might be released which we can apply to benefit our project. Or a new recruit to the team may unexpectedly possess a skill needed to solve a problem. This type of opportunity needs to be actively sought out, requiring fresh thinking and awareness of how potential additional benefits might be created.

Opportunities cannot be managed unless they are identified. People familiar with identifying threats can start with these, then ask whether their absence or inverse might present an opportunity. Planned actions should also be examined to see whether they open up new possibilities to help us achieve our objectives. But “pure opportunities” must not be forgotten, since these often present the greatest potential upside of all.

Risk management is essential for business and project success, because it focuses on addressing uncertainties proactively in order to minimise threats, maximise opportunities, and optimise achievement of objectives. However, in practice risk management often fails to meet expectations, as demonstrated by repeated business and project failures. Foreseeable threats materialise into problems and crises, and achievable opportunities are missed leading to lost benefits. Clearly some essential ingredient is missing.

There is wide agreement that people are the most significant Critical Success Factor for effective management of risk. Risk management is undertaken by people, acting individually and in various groups, with a multitude of influences both explicit and covert. People adopt risk attitudes which affect every aspect of the risk process, even if they are unaware of it. Understanding and managing these attitudes would significantly increase risk management effectiveness – so what are they?

“Risk” can be defined as “uncertainty that could have a positive or negative effect on one or more objectives”, and “attitude” is “chosen state of mind, mental view or disposition with regard to a fact or state”. Combining the two gives a working definition of “risk attitude” as “chosen state of mind with regard to those uncertainties that could have a positive or negative effect on objectives”, or more simply “chosen response to perception of significant uncertainty”.

Risk attitudes exist on a spectrum from risk-aversion (uncomfortable with uncertainty), through risk-tolerant (no strong response), to risk-seeking (welcoming uncertainty). They are active at individual, group, corporate and national levels, and where they are recognised their influence on the risk process can be diagnosed and understood.

But diagnosis is different from treatment. Sometimes the risk attitude initially adopted by an individual or group may not support effective management of risk, for example if a product innovation team is risk-averse, or if a nuclear safety inspector is risk-seeking. In these cases action may be required to modify risk attitude. Recent advances in the field of Emotional Intelligence and emotional literacy provide a means by which attitudinal change can be promoted and managed, for both individuals and organisations. The key is to recognise that all attitudes are a choice, and can therefore be modified.

This subject is so big that it could fill a book*, but the first step in applying emotional literacy to the management of risk attitude is self-awareness. This applies to both individual and groups. To start the process of understanding and managing risk attitude, four simple questions can be asked (replace “I/my” with “we/our” for a group) :

1. How do I feel in this uncertain situation?
2. Why do I feel that?
3. Is my response appropriate to help me achieve my objectives?
4. If not, what am I going to do about it?

Risk psychology has been studied by academic researchers for many years, but there has not been much practical guidance on workplace application. Because risk attitude has such a major effect on all elements of the risk process, it is time to pay attention to this vital topic. Emotionally literate individuals and groups understand why they respond to risk in a particular way, and can adopt attitudes which are appropriate to the situation, helping them to maximise their risk management effectiveness.

* See Hillson D. A. & Murray-Webster R. 2007. “Understanding and managing risk attitude” (second edition). Aldershot, UK: Gower.

Today marks the start of a new era of uncertainty, following the referendum vote yesterday by the UK population to leave the European Union (EU). The forthcoming British exit from the EU (so-called “Brexit”) will raise the degree of uncertainty to new high levels in many areas, including politics, trade, international relations, travel, employment, and so on. The result has already produced major volatility on global stock markets and financial exchanges, and the British Prime Minister has already announced his intention to step down within the next three months.

You may view this new reality as a good thing or you may not, or perhaps you have no strong opinion either way. In any case, the fallout is likely to affect many of us in ways that we cannot currently predict. One thing is clear: the UK’s exit from the EU is not a Black Swan because it will certainly happen. But the rustling of wings is becoming louder, and we’re bound to see one or two newly-hatched cygnets emerging in the near future.

How can risk-based thinking help us in this situation?

• Firstly, we need to recognise that uncertainty is natural, inevitable and to be expected.
• Secondly, we should have confidence in our ability to respond to uncertainty appropriately, either in proactive and protective ways for foreseeable risks, or in developing resilient contingency plans for the unforeseen.
• And thirdly, perhaps most importantly, we must remember that risk includes both upside and downside. There is no doubt that some of the risks we face threaten us with unpleasant consequences, and we need to minimise these threats wherever we can. But the new political realities will also present us with new opportunities, which we should identify, exploit and maximise as far as possible.

Those of us who understand risk and who practise effective risk management are well placed to handle the inevitable uncertainties that face us today and that will emerge in the coming weeks, months and years. We are also in an ideal position to advise and assist others who are less well equipped in their ability to respond to uncertainty. Now is the time for risk practitioners to step up and make our contribution.

The risk management process is not difficult, because it is just a structured way of dealing with significant uncertainty. All you need to do is determine which objectives are at risk, then identify uncertainties that might affect their achievement. The next step is to prioritise identified risks and decide how to respond, and then take action. But although this process is simple to describe, it seems hard to make it work in practice. And the hardest part of all is the last step – implementation.

For some reason, we seem well able to identify and assess risks, and to devise appropriate responses. The problem arises with putting our plans into action, and actually doing the agreed responses. Why does this happen?

A common problem is lack of time or effort for response implementation. Many of us are so busy doing our normal tasks that we have no time to do the extra work involved with risk responses. But if we are “too busy to manage risks”, then we are “too busy”. Since risks by definition are uncertainties which if they occurred would affect accomplishment of our objectives, then addressing them is essential. Risk responses are not “optional extras”, but are vital to the successful achievement of our goals. Removing threats and capturing opportunities should be part of our normal job as we seek to maximise our chances of success. Instead we seem to believe that risk responses are additional tasks, to be performed if and when we get time, and only after we have done all our “proper work” first. Many project teams identify and assess risks, develop response plans and write a risk report, then “file and forget”. Actions are not implemented and the risk exposure remains the same. How can we overcome this barrier?

One answer is to treat agreed risk responses as normal work, with the same priority as pre-planned tasks. The following steps might help:

• Ensure that every risk response is fully defined, with a duration, cost, resource requirement, owner, completion criteria etc.
• Add an extra task to the project plan for every agreed response (accepting that this might also require changes to the project budget or timeline).
• Monitor progress on these risk response tasks in exactly the same way as for all other tasks, including requiring progress reports from owners, and reviewing at project meetings.

Giving risk responses equal importance with other project tasks will encourage people to implement them. When response owners realise that these actions are important to project success, and that risk responses will be treated as legitimate project tasks, then they will give them the same degree of attention and effort as their other tasks. Viewing risk responses as “extra work, optional, different” gives them second-class status behind “real work”. Accepting that they are valid and essential tasks which make a significant contribution to achieving objectives makes sure that they will be treated seriously and actually implemented. After all, identifying risk responses but not doing them is a complete waste of time. Only when we put agreed responses into action can we change the risk exposure and improve our chances of meeting our goals.

As we seek to manage risk effectively, questions of cost are inevitable since risk management is not free. But is it worth it? There is no “zero-cost option” for risk management, and the costs to be paid fall into three categories : one-off, ongoing, and occasional.

First are the costs of entry, paid once to establish a risk management capability. The primary cost here is for the “Three T’s”: techniques, tools and training. Any organisation wishing to manage risk has to invest in the necessary infrastructure to support the risk process. Techniques and procedures must be developed and rolled out. Tools to support the process must be bought or developed. And staff must be trained to use the techniques and tools effectively. If the entry cost is not paid, risk management remains merely a good intention, with no capability to deliver.

The second type of costs are for ongoing maintenance, to preserve an effective organisational risk management capability. It is important to keep the risk process fresh and up to date. Without ongoing development of the risk process, there is a danger of losing effectiveness. Risk management is a developing discipline, and new techniques and tools emerge regularly. Even the conceptual basis continues to grow as new ideas become accepted into the mainstream. Effective risk management requires refresher training to maintain and develop staff skills, as well as revitalising the process to incorporate recent developments and new approaches. On average an organisation should aim to refresh its risk process every 2-3 years to stay up to date.

Lastly there are the costs associated with managing risk on projects. Each project faces a unique risk challenge, and managing this incurs costs for assessing risk and for addressing risk.

• Assessing risk : These are the costs of implementing the risk process on the project, including spending time and resources in risk identification workshops or interviews, performing risk assessments and analyses, attending risk reviews, writing risk reports etc.
• Addressing risk : This covers the cost of executing risk response plans, those actions which were not originally in the project plan, but which are deemed necessary in order to deal appropriately with identified risks. Proactive actions are needed to avoid or reduce threats, and to exploit or enhance opportunities. Contingency and fallback plans must be put in place in case risks occur. These costs would not have been incurred if risks had not been identified, but they are necessary to optimise the chances of achieving project objectives.

If an organisation is serious about managing its risk, it must be prepared to pay these costs. This is particularly true of projects, which tend to have fixed budgets. Risk management will never be effective if it is seen as an optional zero-cost extra. The cost of assessing risk must be included in the overall project management budget, and there must be adequate contingency in the project budget to cover the costs of addressing risks.

Of course there is a cost-benefit relationship from investing in risk management. Risk management delivers a wide range of benefits to the organisation and to its projects, clients  and staff. Although it is hard to measure the return on investment for risk management, it is certain that no benefits will be realised unless the organisation is prepared to pay these costs. Indeed, not paying the cost to implement risk management exposes an organisation to another unnecessary cost – unmanaged risk. This includes threats which turn into problems which could have been avoided, as well as missed opportunities which could have delivered extra benefits.

In my view, the answer to the question “Is it worth it?” is a definite yes. If we pay the cost of managing risk, we will surely reap the benefits.