Five frogs are sitting on a log; Four decide to jump off : How many frogs are on the log?
Which is the most difficult step in the risk management process? Where do most businesses and projects fail to gain the benefits of their attempts to manage risk proactively? If your organisation is typical, there’s one particular step where it all seems to go wrong, and the risk management process becomes just another frustrating hoop to jump through, with no tangible benefits.
So, is it the initial risk management planning step, defining project objectives and setting the context and scope for the risk process? Although many try to start identifying risks without first defining their objectives, this is not inherently difficult to do.
There are many well-tried techniques for risk identification, and most projects seem well able to list a number of uncertainties that could affect them. Of course it’s vital to ensure that risk identification identifies risks, and not related non-risks (e.g. causes, effects, problems or issues), but this step is usually OK.
Prioritising risks using qualitative assessment techniques to estimate probability and impact is easy, as long as terms are defined and agreed in advance, and thresholds are set to determine which risks are significant. Quantitative analysis using simulation techniques such as Monte Carlo simulation may seem technically difficult to the non-expert, but these methods are not always required, and good user-friendly risk analysis tools exist to help in the analysis.
How about risk response planning, where strategies are selected to address each identified risk in a way that will be appropriate, affordable and achievable, and actions are developed and agreed to implement those strategies? Again, given a structured approach to response development, this shouldn’t pose too many problems, if the risks are well understood.
What comes next, after response planning? Is the risk process complete when responses have been agreed? This is the point where analysis needs to be turned into action if the risk process is to influence the risk exposure of the project. The process so far has just provided information about the risks facing the project, but identification, assessment, analysis and planning do not actually affect the risks. Only action can make a difference.
And it is precisely at this point where most organisations allow their risk process to falter, without making the vital transition from plans to actions. If risk responses are not implemented proactively and effectively, the risk process will be a waste of time, since nothing will change.
What has this to do with frogs? Well the answer to the riddle is … five. There are still five frogs on the log, because there’s a big difference between deciding and doing! And if the risk process ends with merely deciding what could be done about each risk, but doesn’t go on to implement those plans, the frogs are still sat on the log. So how can we get the frogs off the log ?
A few simple steps will ensure that risk responses become more than just wishful thinking or good intentions, but that instead they are translated into effective action :
1. Make sure that each risk response has an agreed owner to be responsible & accountable for its execution
2. Allocate realistic durations, budgets and resources to each agreed risk response
3. Add agreed risk responses to the project plan as new activities
4. Monitor each risk response like any other project activity, reviewing & reporting progress etc.
Of course it is vital to go through the earlier stages of the risk process, to identify risks, assess their significance, plan responses and decide actions. But risk cannot be managed unless “deciding” is turned into “doing”. So next time you finish planning how to respond to your risks, remember to go the next step, leap into action, and get the frogs off the log!
[© Copyright 2003, David Hillson/Risk Doctor & Partners]