Managing Risks in the Past

Risk management is about looking forwards, scanning the uncertain and unclear future in an attempt
to discern what awaits us. It offers businesses, projects and individuals a “forward-looking radar”,
identifying threats to be avoided and opportunities which might be captured. Even though the precise
details of such uncertainties may remain unclear, the “risk radar” can make us aware of their location
and size, helping us to formulate appropriate action plans in advance.

But what about the other direction, the “rear-view mirror”? Does the past have any relevance to risk

Strictly speaking there is no risk in the past, since it has already occurred (although we may remain
uncertain about what actually happened and what it means!). But George Santayana said “Those who
cannot remember the past are condemned to repeat it.” So we must review the past in order to learn
for the future. For risk management this means addressing the following questions:

  • What types of risk can be identified on my project or business? Are there any generic risks
    that might affect similar projects?
  • Which identified risks actually occurred, and why? This includes problems that could have
    been foreseen as threats, and missed opportunities that could have been captured.
  • What preventative actions could have been taken to minimise or avoid threats? What
    proactive actions could have been taken to maximise or exploit opportunities?
  • Which identified risks did not occur, and why? Which responses were effective in managing
    risks, and which were ineffective?
  • How much effort was spent on the risk process, both to execute the process, and to
    implement responses?
  • Can any specific benefits be attributed to the risk process, e.g. reduced project duration or
    cost, increased business benefits or client satisfaction etc?

The results from this type of lessons-learned exercise can be used to update risk identification tools
such as checklists, to incorporate preventative risk response strategies into future projects, and to
improve the effectiveness of risk management. It might also be possible to estimate return on
investment (ROI) for the risk process, by comparing specifically attributable benefits with process

If we do not learn lessons from our past, we will repeat it. People often say “This risk affects all our
projects, and it usually happens!” For a risk to happen once is understandable, since uncertain events
can occur even on the best-managed projects. If the same risk occurs twice, that is unfortunate,
because the chances should be less than the first time. But for the same risk to happen a third time is
unacceptable, as it exposes a lack of learning from the past.

So as we stand on the threshold of the New Year, we should look back as well as forward. Of course
we must focus on the challenges ahead and use the risk process to help us move forward safely
towards our objectives. But we must also remember our past, learn the lessons from our journey to
this point, and not repeat the same mistakes.

© 2004, Dr David Hillson