• +44 20 8798 0569 / +1 (646) 461-7475 / +61 (02) 8091 4747
  • info@irisintelligence.com

Top 10 Myths of Risk Management

Top 10 Myths of Risk Management

© March 2015, Dr David Hillson PMP FAPM FIRM FRSA

Remember not to blur fact with fiction when you manage the threats and uncertainties associated with your project, advises.Since the dawn of time, mankind has used myths to make sense of the uncertainty that surrounds us. More recently, in the world of business and projects, risk management has performed the same role. Unfortunately, myths have also grown up around risk management. Like many myths, risk myths have some basis in truth, but they are far from an accurate representation of reality.

Here are the top 10 risk myths, and how you can counter them.

1. All risk is bad “Risk? No thanks!” Risks are potential problems, and if they happen, then we’re in trouble. For projects, risks mean threats to the budget and schedule, and the result of a risk that has an impact means overspend or delay. Even when we consider other objectives, such as performance, safety or regulatory compliance, risk is bad news for the project. Starting from the idea that risk is ‘uncertainty that matters’, we reach a different conclusion. Some uncertainties might have helpful outcomes if they happen, saving time or money, enhancing performance or safety, or helping us to achieve project objectives. Best-practice risk management recognises that risk includes both threats and opportunities, and both need to be managed proactively through the risk process.

2. Risk management is a waste of time “Qué será, será.” Most risks are outside our control, and we shouldn’t waste time trying to address them in advance. Instead, we should rely on fire-fighting, dealing with issues as they arise. The good project manager is a hero or heroine who can handle any crisis as and when it happens. In reality, risk management provides a forward-looking radar. We can use it to scan the uncertain future to reveal things that could affect us, giving us sufficient time to prepare in advance. We can develop contingency plans even for so-called uncontrollable risks, and be ready to deal with likely threats or significant opportunities.

3. What you don’t know won’t hurt you “Ignorance is bliss.” We’re so busy dealing with what we do know that we don’t have time to think about anything else. Hope is not a strategy! Uncertainties exist out there that can hurt us and our projects very badly. Unforeseen events can cause major delays, result in significant additional cost or even cause accidents. Failing to spot risks will result in avoidable problems happening or benefits that could have been captured being missed. Not knowing about the risks that we face can prove to be very costly indeed.

4. The risk manager manages risk “The clue is in the job title!” Just as the project manager manages the project or the quality manager manages quality, so the risk manager manages risk. That means the rest of the project team don’t have to worry about risk if they have a risk manager (or risk champion or risk coordinator). Right? Wrong! The title of risk manager is hugely misleading and should be banned. There is no way that one person can understand or manage all the risks on a project, even if they are super-competent. Instead, risks need to be managed by the people who understand them and can deal with them effectively. Every member of the project team should be a ‘risk manager’, tackling the risks that affect their area of responsibility, leaving the risk manager to facilitate the risk process and ensure that it is working properly.

5. All risk can and should be avoided “The only good risk is a dead risk.” Whenever a risk is encountered on our project, only one response is possible: avoidance. We need to do whatever it takes to ensure that the risk cannot happen, no matter what cost or effort is involved. Of course, not all risks can be avoided. Sometimes it would be too expensive, or take too long, to avoid a risk completely, so another strategy is required. Options for downside risks (threats) include risk transfer, risk reduction or risk acceptance. And clearly we don’t want to avoid upside risks (opportunities) – these should be exploited, shared or enhanced. The title of risk manager is hugely misleading and should be banned. There is no way that one person can understand or manage all the risks on a project, even if they are super-competent. Project processes are indeed developed to handle routine risks. And maybe such ‘business-as-usual risks’ don’t belong in the risk register because they will be handled by existing processes. But what about risks that we’ve never seen before? Risks that are specific to this project, this environment, this client? We need a focused risk process that identifies these novel risks, assesses their importance and develops targeted responses.

6. Our projects aren’t risky “No risk, please – we’re project managers!” The absence of risk is a sign of a successful project manager and a well-run project. Where risk rears its ugly head, it needs to be killed off as quickly as possible, so that we can return to our zero-risk nirvana. Risk is built into all projects, as we seek to create a unique service, product or outcome with limited resources, conflicting constraints and competing stakeholders. Risk is also linked to reward, since we take risk to create value. So the zero-risk project is neither possible nor desirable.

7. Risk management requires statistics “You can’t manage risk without understanding statistics, probability theory and Monte Carlo simulation.” It’s pointless to record risks in a risk register, assess their probability and impact, and develop appropriate responses. Only quantitative risk analysis (QRA) can reveal the true level of risk exposure in our project. QRA is a powerful method for analysing the overall effect of risk on project outcomes, but it requires time, effort, specialist tools and expertise. Many risks cannot be easily quantified either, so a qualitative approach is needed. Even on very risky projects, the data used in QRA are based on the risk register, so qualitative assessment is always required, while QRA is optional.

8. Risks are covered by routine processes “We manage risk all the time – it’s part of the day job.” We know all the risks faced by our project and we have processes in place to deal with them, so we don’t need to do separate risk management. Project processes are indeed developed to handle routine risks. And maybe such ‘business-as-usual risks’ don’t belong in the risk register because they will be handled by existing processes. But what about risks that we’ve never seen before? Risks that are specific to this project, this environment, this client? We need a focused risk process that identifies these novel risks, assesses their importance and develops targeted responses.

9. Contingency is for wimps “We’ve agreed the project plan and we’re sticking to it.” A strong project manager stays within the budget and timeline, and meets all targets. Setting aside time or money for things that might never happen is pointless. Not even the best project manager can perfectly foresee the future. Unexpected things happen. And all projects are risky, being complex undertakings based on assumptions and dependencies, delivering change through people. So including a specific risk budget for known risks, as well as a contingency amount for unforeseen risks, is a sign of wisdom, not weakness.

10. Risk management doesn’t work “We tried risk management once…” The risks we identified never happened, and the things that did happen weren’t in the risk register. Our responses made no discernible difference to project outcomes, so we gave up. The risk process can fail to identify the real risks, focusing instead on the ‘usual suspects’. So we need to explore what people are worrying about (threats), or excited about (opportunities). We also need to create and implement targeted actions that change our risk exposures. When we identify the real risks and implement effective responses to them, then risk management maximises our chances of project success. Done properly, risk management always works.

For more information visit www.risk-doctor.com