Risk Insights from The Risk Doctor

“The future is another country; they do things differently there”, to adapt the opening words of L P Hartley’s novel “The Go Between”. A large part of the risk management process involves looking into the future and trying to understand what might happen and whether it matters. One important quantitative technique which might help is decision tree analysis. This has been neglected in recent years but is enjoying something of a revival. Some people feel it should be reserved for strategic decisions, and others regard the technique as complex and difficult. But at heart it is really quite simple, and can be applied to many different uncertain situations.

The decision tree approach recognises that there are two major factors which affect the future – choice and chance. And in evaluating these we need to consider two parameters – costs and consequences. These four elements form the basis of decision tree analysis.

• The first step in building a decision tree is to identify the choices we must make in trying to achieve our objectives. These choices form the branches of the tree. For example “make or buy”, “in-house or out-sourced”, “fast-track or traditional”, “innovative or proven approach”, “supplier A or B”, “low or high priority”. Each of these decisions leads to different outcomes, which are reflected in the decision tree using the other three elements.
• The simplest factor associated with alternative choices is cost, including both implementation cost and opportunity cost. In some cases this may be negative, reflecting a saving. But it is important to accept that making a choice is rarely a zero-cost action, and an estimate of this must be included against each branch of the decision tree.
• Chance is also an important variable associated with different decision options. Each alternative could have a range of possible outcomes, though some choices could lead only to one certain result. For example different technology options may have different chances of success, or alternative contractors may be more or less reliable. Where there is uncertainty over the result of a decision, this must be identified and assessed, including the estimated probability of each outcome. And some chance events might also open up the possibility of new choices, producing a series of nested branches within the tree.
• Finally the decision tree must address consequences. If a particular decision option were to be taken, incurring both cost and risk, the final result must be estimated, which is usually the payoff for implementing that decision. This is typically expressed in financial terms, though other measures can be used. The decision tree structure describes the predicted outcome of each choice/chance combination, representing the leaves at the end of each branch.

Having built the decision tree from these four components, it can then be analysed to determine the most favourable choice, taking into account the related costs, chances and consequences. First each possible forward path through the tree is followed and its value is calculated by accumulating the costs and payoffs from beginning to end. Then using these path values and working backwards from the end of each branch, the “expected value” of each choice is calculated, taking probability-weighted consequences when chances occur. The branch with the highest expected value becomes the recommended decision option.

There are several challenges in using decision trees effectively, including the practical limitation of the technique to analysing a small number of decision options with a limited range of possible risks. The typical project involves many decisions at different levels, each with a wide range of associated risks, and trying to reflect this in a single decision tree could result in a massive and unusable model. The technique also require all factors to be represented quantitatively – cost and consequences are usually expressed in financial terms, and probability must be estimated for all chances. And decision tree analysis also assumes a “risk-neutral decision maker” whose choices are based on highest expected value – which is rarely the case.

Despite these limitations, decision tree analysis presents a powerful quantitative technique for assessing possible futures, taking into account the effects of both choice and chance and estimating both costs and consequences.

Following on from my last blog posting (“Risk Management: Important or Effective (or both)?”), you might be interested in the stats from our research. We had 561 responses, and the number of respondents choosing each option were as follows:

   1. Risk management is important and effective

           228 responses (41%)

   2. Risk management is important but not effective

           236 responses (42%)

   3. Risk management is not important and not effective

           93 responses (17%)

   4. Risk management is not important but it is (somehow) effective

           4 responses (<1%)

It’s encouraging to see that the vast majority (83%) believe that risk management is important, but it’s also worrying that only half of these people, teams and organisations feel that their risk management is effective. Clearly there is work to be done in applying risk management in practice. This is likely to involve the Three T’s (Tools, Techniques, Training), and a lot of support and advice is available in the marketplace for these areas.

Even more worrying are the 17% who say that risk management is not important! This means that one in six individuals, teams and organisations believe that they do not need a structured approach to enable them to look ahead and prepare for what’s coming. Instead they are happy to be reactive, deal with things as they arrive, and hope for the best. Those of us in the majority who recognise the importance of risk management have some persuading to do! We need to be selling the benefits of risk management to our colleagues, explaining how and why it helps us to be more successful, and demonstrating the value of risk management in action.

Maybe we should conduct this research again in a few years and see if the position has improved. It would be great if everyone knew that risk management was important, even if we aren't all fully effective (yet) in managing risk in practice.

We recently conducted some research in partnership with Peter Kulik to investigate how organisations perceive the value of risk management. The survey addressed a number of different aspects, but two questions were particularly interesting. The first question asked “How important is risk management to project success?”, with possible answers chosen from extremely important, very important, important, somewhat important, not important. The second question asked “How effective is risk management on your projects?”, with answers ranging from extremely effective, very effective, effective, somewhat effective, or ineffective. Of course the raw data was interesting in itself, but the correlation between answers to these two questions was fascinating. If the answers to each question are simplified into two options (positive or negative), then there are four possible combinations :

1. Risk management is important and effective
2. Risk management is important but not effective
3. Risk management is not important and not effective
4. Risk management is not important but it is (somehow) effective

Perhaps the fourth combination is not really feasible, since it would be unusual for risk management to be effective if the organisation does not consider it to be important. Indeed if it is viewed as unimportant it might not be done at all. But the other three combinations represent different levels of risk management maturity, and organisations in each of these three groups might be expected to act in very different ways.

Where risk management is seen as important and it is also effectively delivering the promised benefits (Combination 1), those organisations could become champions for risk management, demonstrating how it can work, and persuading others to follow their lead. These risk-mature organisations might be prepared to supply case studies and descriptions of best-practice, allowing others to learn from their good experience.

If an organisation believes that risk management is important but is not finding it to be effective in practice (Combination 2), then they should consider launching an improvement initiative to benchmark and develop their risk management capability. Tackling the Critical Success Factors (CSFs) for effective risk management will lead to enhanced capability and maturity, allowing the organisation to reap the expected benefits. Key CSFs include a risk-aware culture, efficient processes, experienced and skilled staff, and consistent application, among others.

It is not surprising that risk management is ineffective in organisations which believe that it is unimportant (Combination 3), as it is not possible to manage risk effectively without some degree of commitment and buy-in. These risk-immature organisations should be persuaded and educated about the benefits of risk management to the business – a task best performed by convinced insiders who can show how proactive management of risk could be applied to meet the specific challenges of the organisation.

It is a good idea for every organisation to review its position on risk management against the two dimensions of importance and effectiveness, and to take appropriate action to move up the scale of risk management maturity. Risk management offers genuine and significant benefits to organisations, their projects and their stakeholders, but these will never be achieved without recognition of the importance of managing risk at all levels in the business, matched with operational effectiveness in executing risk management in practice.

Five frogs are sitting on a log; Four decide to jump off :
How many frogs are on the log?

Which is the most difficult step in the risk management process? Where do most businesses and projects fail to gain the benefits of their attempts to manage risk proactively? If your organisation is typical, there’s one particular step where it all seems to go wrong, and the risk management process becomes just another frustrating hoop to jump through, with no tangible benefits.

So, is it the initial risk management planning step, defining project objectives and setting the context and scope for the risk process? Although many try to start identifying risks without first defining their objectives, this is not inherently difficult to do.

There are many well-tried techniques for risk identification, and most projects seem well able to list a number of uncertainties that could affect them. Of course it’s vital to ensure that risk identification identifies risks, and not related non-risks (e.g. causes, effects, problems or issues), but this step is usually OK.

Prioritising risks using qualitative assessment techniques to estimate probability and impact is easy, as long as terms are defined and agreed in advance, and thresholds are set to determine which risks are significant. Quantitative analysis using simulation techniques such as Monte Carlo simulation may seem technically difficult to the non-expert, but these methods are not always required, and good user-friendly risk analysis tools exist to help in the analysis.

How about risk response planning, where strategies are selected to address each identified risk in a way that will be appropriate, affordable and achievable, and actions are developed and agreed to implement those strategies? Again, given a structured approach to response development, this shouldn’t pose too many problems, if the risks are well understood.

What comes next, after response planning? Is the risk process complete when responses have been agreed? This is the point where analysis needs to be turned into action if the risk process is to influence the risk exposure of the project. The process so far has just provided information about the risks facing the project, but identification, assessment, analysis and planning do not actually affect the risks. Only action can make a difference.

And it is precisely at this point where most organisations allow their risk process to falter, without making the vital transition from plans to actions. If risk responses are not implemented proactively and effectively, the risk process will be a waste of time, since nothing will change.

What has this to do with frogs? Well the answer to the riddle is … five. There are still five frogs on the log, because there’s a big difference between deciding and doing!

And if the risk process ends with merely deciding what could be done about each risk, but doesn’t go on to implement those plans, the frogs are still sat on the log. So how can we get the frogs off the log?

A few simple steps will ensure that risk responses become more than just wishful thinking or good intentions, but that instead they are translated into effective action:

1. Make sure that each risk response has an agreed owner to be responsible & accountable for its execution
2. Allocate realistic durations, budgets and resources to each agreed risk response
3. Add agreed risk responses to the project plan as new activities
4. Monitor each risk response like any other project activity, reviewing & reporting progress etc.

Of course it is vital to go through the earlier stages of the risk process, to identify risks, assess their significance, plan responses and decide actions. But risk cannot be managed unless “deciding” is turned into “doing”. So next time you finish planning how to respond to your risks, remember to go the next step, leap into action, and get the frogs off the log!

Some say that risk identification is the most important phase of the risk management process, since it is impossible to manage a risk unless it has first been identified. As a result, many risk identification techniques have been developed, including brainstorms, interviews, questionnaires, checklists and prompt lists, assumptions/constraints analysis, SWOT analysis, Delphi groups, nominal group technique, root cause analysis, failure modes analysis and others. Some of these methods are creative and others draw on past experience; some can be undertaken by individuals while others require group input; some approaches are simple and rapid where others are labour-intensive and take time.

Whichever risk identification technique is used however, they all require one factor to make them effective. This powerful characteristic is possessed by all but forgotten by most. Every person is born with it, and some people work to develop theirs into a mature capability while it remains dormant in others. This risk identification tool exists in the human head, and is called the imagination.

All risk identification techniques require people to imagine potential future conditions which do not currently exist. The success of risk identification depends on people’s ability to envisage imaginary circumstances and possible futures. Without imagination, risk identification is limited to what has happened before, and specific new risks which challenge the current situation cannot be foreseen.

A range of techniques are available to stimulate the imagination, including visualisation, scenario painting, rich pictures, appreciative enquiry, story-telling and other creativity approaches. Risk practitioners should consider using these to develop their own ability to imagine possible risks, as well as to help their colleagues during the risk identification process.

One simple and fun way to encourage the imagination is the use of “fantasy questions” to expose risks in a non-threatening way. These can be employed during risk identification interviews, though they might also be used with other techniques. You can ask yourself, or you can question others. Example fantasy questions might include:

• “If you were dreaming about your project and it turned into a nightmare, what would be happening?” (this question encourages people to talk about perceived threats)
• “I am your fairy godmother and you have three wishes to use on your project – what will you do first?” (this might result in identification of new opportunities)
• “If an alien joined your project team, what would they find most unusual?” (this aims to expose blind spots)

These examples are light-hearted and may not be appropriate for all situations or organisations, but the principle can be applied in a more serious way. Questions can be asked during risk identification interviews which stretch the imagination and encourage the interviewee to consider options beyond their normal experience. For example:

• “If you were a new employee and this was your first project, what questions would you ask?”
• “How might this project be different if it took place in a foreign country?”
• “When your client lies awake at night, what is he worrying about?”
• “What are your supplier’s best hopes for this project?”

Questions like these (and other creativity approaches) use the imagination to take us beyond the present and the familiar, opening doors to new possibilities. In a sense all risks are imaginary since they do not yet exist, and imagination-based techniques can be powerful aids to risk identification. If you can imagine something, it could happen.

Set your imagination free and see what risks emerge!