There is a great scene in the film version of World War Z where Brad Pitt’s character, Gerry Lane, goes to Jerusalem to learn how the Israelis had the foresight to build large walls around the city to keep the zombie hordes out while no other nation had taken similar measures. The explanation provided by the Mossad agent he meets is that since the Yom Kippur war, Israeli intelligence had established the equivalent of a devil’s advocate office to reduce the risk that group think wouldn’t lead to very minor but highly critical data being ignored with resulting major impacts to the country’s security.
In his 2007 book, The Black Swan, Nassim Taleb wrote about a similar challenge to the one faced by the Mossad. Highly impactful but extremely low probability risk events such as the terrorist attacks of 9/11 are rarely properly identified and managed.
Both of these references relate to one of risk management’s greatest challenges – dealing with Unknown Unknowns. Yes, in previous articles I have written about the difficulties in effectively implementing risk management practices to manage Known Unknowns, but Unknown Unknowns are equally capable of derailing a project.
The common practice for dealing with Unknown Unknowns is to establish management reserves which are drawn upon based on approval from sponsors or other governance bodies when such risks get realized. However, this assumes that use of management reserves can absorb the impacts of these issues.
In some cases, even a partially mitigated impact might still be lethal enough to cause project or even organizational failure.
Let’s consider the hypothetical scenario of a new regulation which establishes unlimited liability for non-compliance, regardless of the magnitude of the non-compliance. If an unknown risk is realized late in the life of the project which is focused on establishing organizational compliance with the new regulation, even a partial impact to schedule or scope could result in dire financial and reputational impacts to the organization.
I am not providing carte blanche for teams to expend effort on managing the most obscure risk events possible. That would clearly not be a good investment, nor would it help to raise the credibility in project risk management overall.
A project manager should ask the “What’s the worst the could happen if…” question regarding the project’s constraints to help scale the level of effort spent on risk identification and management. On some projects, identifying and actively managing or monitoring a very small percentage of the total population of risks might suffice whereas on others, greater effort might be warranted.
In summary, criticality needs to be considered alongside complexity and scale when answering the question “How much risk management should I be doing on this project?”