Like quality management a decade ago, project risk management has become such a “check-the-box” exercise in some organizations that vocal critics are clamoring for its elimination as pointless overhead. In this article, Payson Hall suggests that you consider a grown-up conversation with the leaders in your organization about the capabilities and limitations of your risk management efforts.
When we explain things to children, we are often mindful of complexity and subtlety and try to simplify so that they can understand without being overwhelmed. Wars have “good guys” and “bad guys,” and the good guys win. Moral complexity and ambiguity is usually deferred until we believe the children are mature enough to deal with them.
I would like to have an adult conversation about risk management. I assume, fair reader, that you are mature enough for a sophisticated discussion. What follows may not be news to you, but I want to get directly to the point without sugar coating. I encourage you to react and give me feedback in the comments section.
The goal of risk management is to anticipate problems (or opportunities) that may arise in the future. The future is an uncertain place; people engaging in effective risk management need to be aware of that.
There are six truths about risk management:
1. All projects have elements of risk. There is no project guaranteed to succeed. Any project has possible events that could cause it to go out of bounds in terms of schedule, resources, or scope and quality. Some risks are so extreme that they could cause what most would consider outright failure.
2. Some risks should be anticipated. There are patterns of risk in organizations. There are patterns of risk in different disciplines. This is why all cars are sold with a spare tire; the flat tire is a common failure mode. If you are doing a project in a domain with history, you are foolish if you don’t consider historical risks with similar projects.
3. Some risks are difficult to anticipate. There are “black swans” that you can’t imagine because you haven’t experienced them. That doesn’t make you foolish.
4. Some risks cannot be prevented or avoided; all you can do is reduce their probability or impact. If you are worried about your car breaking down on a long road trip, you can take it for a tune up/check up before you leave, but this only reduces the likelihood of failure, it doesn’t make your car indestructible.
5. If you ignore some risks, they might not get you. If you play one round of Russian roulette with a six-cylinder revolver and a single shell, you are 82 percent likely to survive. Survival doesn’t suggest that you were clever or skillful or that playing again is safe.
6. Despite your best efforts at avoiding some risks, they will bite you anyway. You can check vendor references and financials and write an iron clad contract, but that doesn’t stop a vendor from going out of business and letting you down for reasons having nothing to do with your project.
In fairy tales, we teach children that risk management efforts, like the little pig building its house from bricks, will result in successful, high-visibility risk avoidance. The big bad wolf comes and is thwarted by the pig’s efforts. The third little pig saved the day and got promoted—end of story.
In the real world, risk management is messier. Some of the risks that you spend time mitigating won’t happen, and some of the risks you attempt to avoid will happen anyway, despite your best efforts. Additionally, some risks will occur that you didn’t anticipate. Reasonable people can disagree about the likelihood or impact of a specific risk on the project, making risk planning sometimes contentious. This is where the adult part comes in. It is easy to second-guess even the best-risk management efforts, particularly after the fact.
Consider the following questions and statements surrounding some problems:
“Why did you waste time and money doing weekly backups? The hard drive never failed.” Or, “The time invested doing backups was wasted because we still lost some data when the power failed.”
“Why did we buy all those reserve parachutes? None of the mains failed.” Or, “Jeff died parachuting when his main and reserve parachutes both failed to deploy, so those expensive reserve parachutes must not improve safety.”
The only remedy for these problems is to set realistic expectations with your project team and sponsors. Have an adult conversation with them and recognize that there absolutely are trade-offs that must occur when a project seeks to mitigate risk. You need to have an honest discussion about the amount of time and energy the organization is willing to invest in risk identification and risk mitigation, in light of the knowledge that you can never completely eliminate risk. You should also acknowledge that some of the investment in risk mitigation may not seem valuable in hindsight. There should also be a candid discussion about the organization’s tolerance for ways that the project might fail.
Projects can fail in “project ways,” such as significantly exceeding budget, significantly exceeding schedule goals, and failing to deliver some or all functionality at desired quality levels. Projects can also fail in bigger ways, including embarrassing the organization, damaging relationships with staff or customers or business partners, running afoul of regulations, or causing damage to property or harm to people.
A discussion of what an organization has to lose and what it is willing to invest in in order to protect varied interests is both vital and challenging because there are no guarantees. These difficult discussions set the context and bounds of risk management. That’s the ambiguity that adults must face in the workplace; don’t trouble children with it, they aren’t ready for the discussion.
Nice read Payson. Couple of other points I'd like to add under 6 truths to know about risks are:
1. Not all project members, including the project sponsors will have the same level of risk tolerance, making risk management a very important discussion to have in determining the levels of risk the group wants to take - this will also help arrive at a mitigation plan that has group consensus.
2. Sometimes taking risks would result in better returns. So weighing risks against returns is important in determining the right balance between the two.