I’m a good example of Colleen Wilcox’s quote that “A pessimist is an optimist with experience“. I advocate the need for effective risk management in both projects and operations, so it would seem odd that I would choose to write an article about having too much of what I feel is a good thing.
In the article “Taking Risk Management Outside the Box” in the October 2012 issue of PM Network, the author writes (the bold words are my highlights) “…effectively identifying all risk that can be incurred in a project and, even more critical, defining adequate risk responses to the identified and analyzed risks.” Later in the same article, this passage also caught my eye “...it is even more critical to foster creative thinking while developing and structuring responses to all individual risks in the risk register.”
Don’t misunderstand me, I believe the author understands that risk management needs to be cost/benefit driven and that the effort expended in identifying, analyzing and responding to all risks will not be cost-justified and is more likely to impact the credibility in the discipline and reduce its future utility within their organization. However, without providing this qualification, there is the risk (no pun intended!) of novice practitioners taking his advice literally.
The effective risk management practitioner needs to remind themselves of Dr. Hillson’s simple but powerful definition of risk as “uncertainty that matters”. While it might be academically interesting to identify all risk, the costs of doing this are not justifiable. It is more useful to classify risks as falling into one of the following categories:
- Medium to high uncertainties that matter – these are the risks that need to be given the full treatment including response development, response implementation and regular monitoring.
- Low severity uncertainties that matter – these risks and the early warning signs that they might be realized should be identified and monitored on a watch list, but don’t merit detailed analysis and response development or implementation.
- Uncertainty that doesn’t matter – other than ensuring that management reserves are in place, further effort shouldn’t be spent on these risks
Some ideas to consider:
- Cast a wide net when identifying participants for a risk identification workshop to ensure broad coverage of risk sources. This doesn’t have to mean inviting a “cast of hundreds” if you can avoid redundant participation.
- Use a structured approach to risk identification including the use of tools such as a risk breakdown structure
- Have an assistant observe the body language of participants to alert you when focus in a particular risk source or category is waning
- Use Delphi or other methods to overcome individual risk biases when deciding which risks are severe enough to warrant detailed analysis and response
development and implementation
Overspending on risk management is the same as having too much insurance – short term safety gains are outweighed by long term opportunity costs.