Proposing more effective risk management is essentially suggesting a change to the way people do things. People resist change for a variety of reasons. One constructive form of resistance is the use of honest inquiry, in which one seeks to understand why a change should be made. This is a good thing because if you can show why a change might be an improvement over the status quo, the people you are asking to change might be more likely to consider what is proposed. Some forms of resistance are less constructive, and they can lead colleagues to dismiss your proposal without consideration.
What follows are seven dismissive remarks you might encounter if you propose increased risk-management rigor, as well as some thoughtful responses to consider.
1. Stop sniveling: High risk equals high reward.
This is really a fallacy. While it is true that team members taking on valuable projects often must deal with higher levels of risk, that doesn’t mean risk implies value. For example, while you could juggle chainsaws in your front yard—certainly a risky activity—doing so is of questionable value. A way to turn the discussion in a more productive direction is to observe that there are certain choices that could be made to reduce risk without reducing value. The question for the team is, “Is the analysis to identify and address those risks cost effective?” Only time will tell, but you must begin more effective risk management to gather data on the merits of that approach.
2. You can’t be sure X is going to happen.
The best definition of risk I’ve encountered was from risk management expert David Hillson, who described risk as “uncertainty that matters.” If we are sure that a risk is going to occur, it wouldn’t be a risk; it would be a fact of life that must be addressed. The purpose of risk management is to identify uncertain events that matter and look for cost-effective ways to reduce the likelihood of their occurrences or decrease their impact on the project. Risk management is like a life-insurance policy; we buy it not betting we are going to die, but rather because the cost of the premium is seen as a reasonable expense to offset harm.
3. We can’t eliminate all risks, so why bother?
While it’s true that the only way to eliminate all project risk is to cancel a project, we can make informed decisions about the identified risks that we believe can be addressed in a cost-effective manner. By identifying and discussing the risks we can reduce the threats to the project; these include our conscious choices about risks that have been identified as well as the effects of risks that have not been identified. A reduced threat means a higher chance of success.
4. I’m tired of that theoretical Project Management Body of Knowledge (PMBOK) garbage!
It’s common that people who have never been exposed to risk management or have only been exposed to theoretical (or overdone) risk processes might be skeptical of the value of formal risk management. Despite the snotty presentation of this fourth remark, this comment can represent a valid concern. Rather than fight, I might be inclined to agree that risk management, time management, and software quality can all be taken to extremes of questionable value; that doesn’t mean they must. When it comes to dealing with skeptical people, you should ease them into risk management gently and monitor whether they see the value in a discussion of risk. On Agile Connection, you can read an example of a risk management process that might not be overwhelming or too theoretical. A description of risk management that might help sway executives who aren’t sure risk management is a good investment can be found on StickyMinds.
5. Let’s not write that down because it will worry the client/sponsor.
I see this as a statement of questionable ethics, but that doesn’t mean the people proposing it are proposing something they see as ethically challenged—they may not know any better. This gets to the heart of project management in my mind: project management is about supporting informed decisions. If your clients won’t support a project because of risks that really exist, then perhaps they should have the opportunity to weigh in on those risks. If you were sponsoring a project and I knew of risks that might break the business case or cause outright failure, wouldn’t you want me to share them with you? I suggest you pursue this line of inquiry but be on the lookout for someone who is ethically challenged.
6. We succeeded before without risk management.
While we all know of projects that have succeeded without risk management, the question is, “Are they more likely to succeed with risk management?” In my career as a paratrooper, I had over 100 parachute jumps. I carried a reserve parachute with me on every jump, though I never had to use it. By the logic of this argument, I could dispense with the reserve parachute, saving money and weight. If I’m allowed an informed choice, however, I think I’ll keep the reserve, thank you. Risk management improves your chances of success by addressing common or severe threats.
7. ...and we might all be killed by a meteorite, too
Some people find talking about risks exhausting (or perhaps pointless) because there is an infinite number of risks and not all can be addressed. People who have worked on projects that can drift toward risk overkill (for example, a project centering on what to do if a building burns down) might be particularly skeptical. Remind your team members that the point of risk identification is to build a robust list of risks, but the next step—prioritization—helps to identify those risks that the sponsor and team think are worth mitigating based on an assessment of their likelihood and impact. While getting struck by a meteor is a high-impact event, it is unlikely and not something easily mitigated; in fact, it’s probably not worth considering (unless you are working on a space station—in which case it is VERY relevant).
There are a thousand bad reasons for not considering risks, but no good ones. Even a small and simple project might benefit from briefly considering the team’s experiences on similar projects and whether any of those projects’ risks and outcomes might be worth addressing during the current project’s planning stage. If nothing else, doing so empowers a team to find new and creative ways to fail, which usually provides a better learning experience.
If your team members have no experience (or no positive experiences) managing risk, you will need to gently ease them into risk management. Build support for risk management in a series of small steps, trying to demonstrate the benefits of the effort as you go. Try to engage with your team rather than steamroller them. I hope the counterpoints presented above can help you overcome some of the more common ways people present resistance.