• Book Reviews
• Cultural Diversity
• Project Management
• Risk
• Technology

You are here:

1. Home »
2. PM Topics »
3. Risk Management and a Return to the Roots

Risk Management and a Return to the Roots

Faithful followers of this series of articles know that in the first two articles I focused primarily on the necessity of changing behaviors and the attendant challenges.  The following three articles mainly delineated aspects of risk assessment.  In this article, in order to address aspects of risk management, I will have to "return to my roots" - that is, I will revert a bit to the discussion of human behaviors and the complexities of organizations.

As you probably have noticed, I am a "splitter" rather than a "lumper" when it comes to considering risk.  I make a distinction between risk assessment and risk management.  I closed the previous article with a diatribe about needing to get across a yard in which there is a vicious dog.  I'm sure your sides are still aching from laughing at that humorous rendering, so I won't repeat it here.  The story attempts to make the point that before we can manage something - including a risk - we must first have assessed the beast.  The steps we might take in management depend almost entirely on a concise and accurate assessment.  

The subject of risk management has been elucidated well in many prominent books.  I direct readers to A Guide to the Project Management Body of Knowledge, Third Edition (PMBOK) which, with regard to risk management, contains the sections:

• Risk Management Planning
• Risk Identification
• Qualitative Risk Analysis
• Quantitative Risk Analysis
• Risk Response Planning
• Risk Monitoring and Control

Another excellent guide to risk management is the book Project Risk Analysis and Management Guide. Many other books address the subject.

In these guides, the fundamentals of project risk management are described.  In Project Risk Analysis and Management Guide, the risk management steps are presented as: Initiate, Identify, Assess, Plan Responses, and Implement Responses.  Presentations of risk management in other texts are, essentially, variations on this theme.  Given that risk management processes are so eloquently described in many texts, it would be folly for me to attempt to recount even the essence of risk management in these short newsletter articles.  So, then, why is this not the last sentence?


It's not what to do - it's how to get it done!

The texts listed above and other books on the subject do an excellent job of relating to the reader the steps associated with risk assessment and, mainly, risk management.  When, lo those many years ago, I began to practice the assessment and management of risk, it became blatantly obvious right off that the main challenges were not procedural or technical, but were behavioral, cultural, and organizational.  I noted that there existed plenty of books that addressed the processes/techniques of assessment and management of risk, but none that focused mainly on challenges and advice relating to getting people to want to implement the recommended risk processes.  My latest book:  Modern Corporate Risk Management: A Blueprint for Positive Change and Effectiveness tries to address the issues related to implementation of the risk methods.  So, in these remaining articles, I will focus on how to get people and organizations to take up risk management.

Figure 1 is a simple but powerful rendering of the typical contemporary risk management situation and the risk management world that we strive to create.  To understand this plot, we first must re-plow some old ground.  Those of you who have read the early articles in this series will remember that in my world, risks are both threats and opportunities.  The plots in Figure 1 deal with only threats, but remember, similar treatment of opportunities is valid.  Also, the term "mitigation" relates to actions we can take to prevent a risk (in this case a threat) from ever materializing and does NOT mean what we can do about a risk after it has bitten us.

 

The bottom plot in Figure 1 shows the typical contemporary situation. We go along our merry way until a threat actually occurs.  Then, with big bags of cash, we beat it into submission.  Firefighting of this sort is the stuff of which some careers are made.

Conversely, the plot at the top of Figure 1 shows to where we would like to drive an organization.  In this plot, we have held an early-in-the-project risk identification event and have spent resources - in this case money - to take actions to prevent those threats from materializing at some time in the future.  As this plot shows, sometimes we don't foresee a risk (T5) and often we take mitigation actions early in the project thinking that we have "fixed" that risk only to find that our mitigation actions were ineffective (T2).  It's an imperfect world!

Well, if the top plot in Figure 1 is where we would like to be, why is it so difficult to get there?  As I pointed out in the first of this series of articles, we typically get rewarded for successfully launching projects, but not necessarily for launching successful projects.  That is, people responsible for the early stages of a project are not necessarily motivated by benefits that might be realized well beyond their tenure.  Also, if we live in the realm of the bottom plot, it is clear that when something bad happens, you either have to give up or fix it.  In the world of the top plot, risk-process proponents have to try to convince project managers, who are under time and cost pressure, they should spend significant sums of money on mitigation actions related to risks that might or might not materialize at some point in the future.  This is a tough sell!


A few more hurdles and proposed solutions

In past articles I have reflected on risk-management-implementation hurdles such as the reward system and inconsistent language.  In this article I will add to the list of implementation impediments one more salient stumbling block - that of the inability to implement.  In future articles, I will address and propose solutions for other major problems.

Although people in most corporations are aware of the things they should do, know how to do those things, and actually wish to do those things, they sometimes fail to execute. 
Cultural, organizational, procedural, and other trammeling impediments provoke implementation paralysis.  This inability to implement stems from many sources, just a few of which are time pressure, cost pressure, internal misunderstandings, and proven value and lack of support.  I will here briefly address the latter two issues, but a much more complete description of these maladies is available in the book Modern Corporate Risk Management: A Blueprint for Positive Change and Effectiveness.
   
I have in previous articles described the internal misunderstandings that can emanate from failure to establish a consistent and universal glossary of terms (i.e., language) related to risk assessment and management.  I have proposed the "High German" solution for this potential source of misunderstanding.

Yet another barrier to implementation can come from misaligned or misunderstandings-about expectations.  A proponent of a risk methodology might poorly communicate, consciously or unconsciously, the time, cost, and organizational upheaval inherent in risk-process implementation.  Project managers can be surprised by the real-world price tag associated with the effort, and resistance typically is the result.  To alleviate this situation, clear, concise, "un-embellished," and episodic (but often!) communication with stakeholders is the successful path.  Doing one's homework with respect to the needs and expectations of the organization can help prevent disappointments and misunderstandings.

The inability of an organization to implement risk practices can also result from lack of support from upper management.  A dearth of backing can, in turn, be the result of management's reticence to support a process that does not have a proven track record of success.  That is, the proposed risk process does not have proven value.

Nothing sells like success, and to that end, the proponent of a risk assessment/management process should take the time, as practicality allows, to gather relevant testimonials-about and examples-of successful implementation.  Prior to any effort to assail the lower echelons of the organization with the benefits of adopting a risk approach, such testimonials and examples should be used to obtain real backing for the project from those who will have to fund and staff the effort. 

So, I'll close this article by reiterating that success in the risk management business is not so much about knowing what to do - lots of books can tell you that.  The wellspring of success is the ability to get people, and the organizations that those people compose, to actually view the uptake of the risk process as beneficial to them and to the organization as a whole.  Next time, more solutions to implementation problems.

By:  Glenn R. Koller

References:

A Guide to the Project Management Body of Knowledge, Third Edition, Project Management Institute, Inc, Newtown Square, Pennsylvania.

Bartlett, John, et al, Project Risk Analysis and Management Guide, APM Publishing, Buckinghamshire, U.K.

Koller, G. R., Modern Corporate Risk Management - A Blueprint for Positive Change and Effectiveness, J. Ross Publishing, Ft. Lauderdale, FL, 2007.

Koller, G. R., Risk Assessment and Decision Making in Business and Industry, A Practical Guide:  2nd Edition, Chapman & Hall/CRC Press, Boca Raton, FL, 2005.

Koller, G. R., Risk Modeling for Determining Value and Decision Making, Chapman & Hall/CRC Press, Boca Raton, FL, 2000.