This is a great question, one which should be asked more often. As managers, we are often asked to also become managers of risk. Whilst we can quickly define risks as events of uncertainty, the management of these events is going to vary based upon the situation.
Story 1: The fundamentalist approach
I recall conducting my first “formal” risk management exercise, and it looked something like this:
Day 1: Fill out the Organisational risk template
- Think of around 10 things which could go wrong,
- write them down,
- put some numbers from 1-5 for what I think the possibility of it happening is and another number for how badly I think it’s going to hit my project
- Multiply those numbers together to get the risk rating
- Realise that some of the numbers looked a bit high
- Reassess the probability and consequence
- Submit the form
This was excellent, 20 minutes of work and I was done with risk management.
When I started running the project I found two things were true;
- None of my 10 identified risks ever happened
- A whole load of other ones did
To sum things up:
- I wasted 20 minutes doing faux risk management
- I wasted a lot of time and effort reacting to risks as they surprised me
In hindsight, I would have been better off not doing anything. I would have saved 20 minutes (plus, all the extra time arguing why it was pointless) and I would not have been lured in a false sense of security when running the project. I learned; doing risk management for the sake of it does more harm than good.
Sadly, this vision of risk management can still be found in many workplaces across the world.
Story 2- The extremist approach
Not that kind of extremist, but just as feared, is the notion that the more effort spent on risk management the better the project will be. Working for a government department I was tasked to manage- well I’m going to say a small task, but it was referred to as a project.
Without exaggerating over 80% of the project’s effort was directed to risk management. Now you’re probably thinking it was a super high-risk complex project- it wasn’t. It was a trivial low value, low impact procurement project. The issue was that the departmental process was developed with high-risk projects in mind and as a result every project was managed in the same manner regardless of size or complexity.
So what did risk management look like?
- The establishment of a working party- now this sounds rational, but it took more time to establish the working party than it would have taken to complete the project.
- A series of risk workshops- I can remember at least one a week for the duration of the project. The first being useful, the others simply there to meet the policy guidelines.
- Lots and lots of documentation- I think a whole forest was cleared for this project
- Even more approvals, meetings, waiting time for signatures
- Spreadsheets- Normally I love spreadsheets, but this was ridiculous, there were spreadsheets linked to spreadsheets
- Risk reporting- on a daily basis- now this may work in a dynamic environment, but nothing changed, nor was likely to within the implementation timeframe
Now with all of these controls it’s of no surprise that the project succeeded and everyone was happy they focussed on risk management- nope; the project was so far over budget and schedule it was canned. Ironically the reason it ran over time and cost was the money spent on risk management.
So, what should risk management look like?
This question should never be answered without an understanding of the risk context.
Firstly, assess the nature of the environments; the external, internal and project environment. How much uncertainty exists? How fast does change occur? How capable is the project team? How sensitive is this project in terms of impacting on the organisations; brand, budget, organisational capacity, workflow, safety and future operations?
The risk management methodology should be based upon the risk context;
if the risks are low, perhaps a more fluid efficient risk methodology should be applied;
if the risks are high, a more robust risk methodology should be in place.
The “one size fits all” approach to risk management should be put aside and the “right sized” risk management approach should be undertaken.
The salient point here is that the establishment of a risk management methodology should commence with an assessment of the risk context.