Understanding the business of risk

Over the years Ive seen the management of risk go through many changes. From my early days in project management when risk could only be negative, through the positive thinking of managing opportunities, expanding its application from project to programme and portfolio (P3 ) management, as described in the BoK 6th edition, and moving to where I think we are today which is taking the management of risk as a given for successful project delivery. 

As a risk management consultant it may be that Im too close to the profession to hold a rational opinion.

This is my paradox: I know what the benefits are from adopting risk management at all phases of P3 but find that there is a significant number who do not share my view.   

At the start of my risk management presentations I usually open with the statement: Managing risk is the most positive thing you can ever do but Im often surprised by the reaction this draws. 

Typical responses are Isnt managing risk just about finding things to go wrong?, Dont risk managers just look for the negatives?, Risk management is just tools, techniques and process, whats positive about that? and my bugbear We dont have any risks in our work. 

Really? What can be done to convince these sceptics?  Why cant they see, as I do, that not taking risk management seriously is just like saying we dont need a contract for this project, we all know what is needed.  

Over the years Ive had many discussions on the merits of managing risk, or not, and, to be fair, although some may not perhaps adhere to a formal process, saying that they dont have the time in their already busy day for filling in risk registers or sitting in workshops, they still intuitively manage risk. 

Is this such a problem?  I would argue that managing risk in whatever form is better than doing nothing; however, the important point here is that, in the real world, things do go wrong and rather than simply applying experience in an attempt to manage risk would it not be better to apply a well tried and proven process to control it?

There are many tools and techniques used in risk management to identify, analyse and control risk; however, we should never forget that some, outside of the risk management profession, may not understand just how valuable they are and this could be one of the reasons sceptics exist. 

I have heard a few describing these techniques as mere aides supporting the risk management practitioners rather than playing an active part in successful project delivery. 

Perhaps there is a leadership role here for risk managers to recognise and take every opportunity to emphasise the benefits from the use of our risk tool kit rather than explaining what the tool box contains.

APM and RICS ran a join event in February 2013, at which I gave a presentation on Leadership in Risk Management, in this presentation I used Peter Druckers quote that Management is doing things right; leadership is doing the right things. 

I was making the point that perhaps there had been more focus on doing it right rather than doing the right things and this could be reinforcing the sceptics view.

In this context I was recognising that perception can be 9/10ths of reality and; therefore, it was important to address the sceptic issue. 

Ive had some success with this approach; for example, to emphasise the benefits in plain language rather than using risk terminology and not using the risk register as a reporting tool, instead providing a report showing what needs to be done, and when, has proven very successful in altering perceptions of what risk management delivers. 

Although I know many who would applaud the simplification of managing risk, a large amount of caution needs to be applied here.  It can initially appear very attractive to make things simple but simplification can, in itself, cause loss of clarity and accuracy.  The well-known acronym of KISS (Keep It Simple Stupid) does have its limitations! 

Risk management can deliver effective cost reductions; for example, an activity may be delayed through re-working or re-design, would it not be better to remove the need for this re-work? 

Getting it right first time is always more cost effective than having to revisit the work again.  Early identification of this risk could well deliver a benefit. 

Cost is not the only factor, we also look to meeting performance and time constraints: risk management helps here also.  Challenging the ability to meet cost, time and performance targets through risk analysis provides early warning of potential problems. 

Perhaps we, as risk practitioners, should think more of communicating the benefits risk management can, and does, deliver in support of achieving positive outcomes with the aim of reducing any misconception of our ability to deliver. 

What Im alluding to is being more proactive in recognising the various needs of project staff and articulating risk management as a method of supporting these specific requirements. 

For me, risk management is all about finding the problems and advantages in undertaking an activity and providing a level of assurance that the problems can be resolved and the advantages achieved. 

Taking this view means that you can apply risk principles in any project stage from the original idea, through design and implementation and on to decommissioning and replacement. Risk management is a very flexible and powerful tool, what it is not is simply a process.

It is essential to have senior management involvement and buy in to provide the authority required for risk management to be implemented correctly and for it to have credibility. 

However, senior management need the output from the risk process and not the detail of how it was developed.  Project managers, senior management or executives may not be bothered by how we, the risk managers, process risk data but Im sure they are interested in the findings, even the sceptics! 

Risk management is more than simply keeping a risk register, the register is an important working document and used in the right way greatly improves the chances of meeting objectives; however, intelligence is needed to ensure the message being delivered through the register is correctly understood.  

---

This article first appeared in Project magazine. APM members can read all feature articles from Project magazine over recent years by accessing the Project magazine archive.

Non-members can subscribe to the UK's best-read project management magazine for as little as 56.50 per year (12 copies), which includes access to the Project magazine archive. APM members automatically receive the magazine as part of their membership:

UK: 56.50

Europe: 66.50

International: 77

View a sample issue of Project

To order yours now, click "Subscribe" below: