Projects hit the same risks over and over again:
- The requirements may not be adequately defined, causing re-work;
- The team members may not collaborate adequately, causing delays and cost overruns; and/or
- The client may prove mercurial, causing delays, cost overruns and re-work.
As you look at those three risks, you probably have a reasonably high confidence level that they’ve happened on your own projects. They’re common. They’re pedestrian. They happen on virtually every project. People are human and change their minds. Requirements are generally difficult to define. And yet, we still act surprised when these three things evolve on our own projects.
Assuming you are immune to common risks is like assuming you are immune to the common cold. It’s a lovely thought, but…
It is clearly important for us to understand the nature of a risk properly if we are to manage it effectively. Many people only consider a limited number of risk characteristics, leading to a limited ability to manage risk. Effective risk management requires a deeper understanding.
One way to improve understanding is to explore the “anatomy of risk”. Anatomy can be defined as “separating or dividing into parts for detailed examination.” If we separate and divide risk into its constituent parts, we find seven elements. Four of these relate to the nature of the risk itself, and three are connected to people.
Have you ever been asked “How risky is your project?” Most project managers find it hard to answer this question. Your Risk Register lists all the risks you’ve identified, and these are prioritised for attention and action, with responses and owners allocated to each risk. But how can a list of risks answer the “How risky” question? We need a different concept to describe the overall risk exposure of a project, which is different from the individual risks that need to be managed.
The Project Management Institute (PMI®) has addressed this in the Practice Standard for Project Risk Management, which has two distinct definitions of risk. The first is individual risk which is defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” It also defines overall project risk as “the effect of uncertainty on the project as a whole.” The UK Association for Project Management (APM) also has two similar definitions of risk in its Body of Knowledge.
The term Enterprise Risk Management (ERM) describes a comprehensive and integrated framework for managing risk at all levels within an organisation. Four organisational characteristics are required if ERM is to work properly:
Defined objectives at all levels. Risk is defined in terms of objectives and without clearly defined objectives it is not possible to identify or manage risk. Objectives exist at various levels in an organisation, forming a hierarchical structure. ERM requires these objectives to be clear (everyone knows and agrees what they are), aligned (all objectives contribute to the overall goal) and coherent (fitting together as a set, both top-down and bottom-up).
There is currently a hot debate about what the term “risk” really means, and whether it is always and only about negative things. The traditional position is to define risk as “an uncertainty that could have an adverse effect leading to loss, harm or damage”. This has influenced the scope of the risk management process, which aims to avoid or minimise potential problems by acting proactively. Indeed traditional risk management has been very successful in this aim, and it is now seen as a major contributor towards achieving project and business objectives.
However, using the risk process to deal only with the downside of uncertainty is an inevitable one-way street. If the process identifies only threats that could have an adverse effect, then responses designed to address these threats can only at best bring the project or business back on target. It is much more likely that recovery of any deviation will be partial at best, leaving a shortfall in performance.
Where is the physical universe heading? While there is no doubt that the universe is currently expanding, scientists disagree about what might happen next. Will our universe continue to expand indefinitely, or will it reach a maximum and then collapse, or will it cycle between expansion and collapse?
The universe of risk management has the same three possibilities:
Sustainability has become increasingly important to organisations across the world in recent years, as both a business objective and a necessary constraint. But what does it mean? And how should it be included in the risk process?
The word sustainability has changed its meaning significantly over time in the business world. At first it only referred to impact on the environment. Then in 1995 John Elkington from British consultancy SustainAbility introduced the idea of the “triple bottom line” of “Profit/People/Planet”, suggesting that an organisation needs to be sustainable financially, socially and environmentally. More recently, work on sustainability in 2007 by the Forum for the Future expanded this further, identifying five areas that contribute to the production of value by an organisation, and which need to be managed sustainably. They call these The Five Capitals of Sustainability.* They are:
Edward de Bono is famous for promoting creative thinking, and he has written many books to explain his radical ideas. Perhaps his best-known technique is the Six Thinking Hats®, encouraging people to adopt a range of different perspectives when thinking about an issue. Indeed the Six Thinking Hats can be very helpful in risk identification.
One of de Bono’s other thinking tools is the Six Value MedalsTM. These describe different types of value which are important to people and organisations, and against which we can perform a “value scan” when making decisions or determining courses of action. The Six Value Medals have many potential uses, as we seek to create and protect value. But they may also help us to think about risk in a new way.
It is quite common for risk professionals not to talk to senior executives or Board members. After all, they probably think we are technical staff, or analytical specialists, involved in the detail of the business, and not relevant to the strategic direction of the organisation. And perhaps we think that executives are too important or too busy to waste their valuable time listening to us. These two attitudes are both completely wrong!
The truth is that risk professionals hold crucial information on key threats and opportunities that could have a major effect on the overall business. Senior decision-makers who set the strategy for the organisation need to be aware of these risks in order to avoid potential pitfalls and create maximum value. So it is important for those of us who understand risk to have a voice at the highest level.
For most projects, it is important to finish on schedule. For example, it might be necessary to supply gas on a certain date that drives gas exploration and production, processing or pipeline projects. Or there may be liquidated damages for late completion. The economic viability of a project may be determined by the finish date of a project, combined with the capital expenditure (CAPEX). For these and other reasons a schedule risk analysis is often conducted on larger projects.