“The mastery of risk is the foundation of modern life, from insurance to the stock market to engineering, science, and medicine. We cannot see the future, but by calculating probabilities, we can do the next best thing: make intelligent decisions–and take control of our lives–on the basis of scientific forecasts.” Peter Bernstein, Against the Gods: The Remarkable Story of Risk.
“I am used to thinking three or four months in advance about what I must do, and I calculate on the worst. If I take so many precautions, it is because it is my custom to leave nothing to chance.” Napoleon I, in a conversation with Marshal Murat, March 14, 1808.
With the current deepwater oil spill crisis in the Gulf of Mexico occupying much of the news lately, we have heard a lot of rhetoric about “risk” and how BP and the United States should have developed a risk management plan as a contingency in case such an event were to occur. It is obvious that many people feel that the principal parties involved in the exploration, drilling, and production had no risk management plan in place.
I suspect that is far from the truth.
Modern project management practices include risk analysis and risk management as key and integral components of any operating and business plan involving assets and resources.
Every operational move in the portfolio of projects has key risk management activities that are focused on the two key aspects of risk:
1. The probability of an event occurring.
2. The impact of that event if it should occur.
These aspects are then analyzed based on prior information, other incidents, and events, in order to determine a four-quadrant layout of potential risk outcomes. Typically, companies place the most emphasis on the quadrant of high probability of occurrence and high impact when developing their mitigation and contingency plans.
The truth is that most mitigation plans and contingency plans are never revealed to the public by project teams unless an event sparks a response. But that does not mean that the mitigation and contingency plans don’t exist.
Even prior to the project being initiated, most larger companies employ a risk analysis in their overall Internal Audit plan in order to identify risks involving the geopolitical climate for projects, the resource risk, the technology risk, etc. The Audit universe of projects is then subject to scrutiny as to which possible risks present the greatest exposure to the company, that is, which possible risks represent the greatest adverse implications for revenue and profit generation (and possibly, environmental outcomes).
This analysis, in turn, identifies whether the company should focus additional key resources on areas of high potential for risk events. For example, if software or hardware development or new technology is considered a high-risk component of a project, then the Internal Audit staff usually provides key IT or other technology resources to guide the project team development in that area.
At the planning stage of major projects, risk is analyzed as an integral part of the Project Charter and Business Case development to alert the Authorizing Leadership Group of potential upsides and downsides from project activities. Indeed, a key and integral part of the decision to pursue the project often focuses on “risk.”
Throughout the project, risk is monitored closely. Adjustments are made when new risks emerge, and some risks are moderated by project activities. For example, if the project involves the prove-out of new technology during the course of the project, the new technology development is monitored throughout the project so that mitigation plans can be employed at a moment’s notice.
As part of the Lessons Learned exercise at the completion of a project, the risk management plan is reviewed for its completeness and accuracy of depiction of the events of the project.
So far my discussion has been somewhat “textbook” in nature, following the usual Planning, Execution, Close and Lessons Learned aspects of any well-defined process.
But if we compare the risk management process with actual practice, we see that there are two aspects of risk analysis and risk management that we have not introduced to this point: the concepts of interpretation and judgment.
These concepts are concerned with the Leadership aspects of projects. The actual application of interpretation and judgment to real-life risk cases can vary widely based on the corporate culture and the context and climate within which risk is defined and managed.
The aspects of “good interpretation” and “good judgment” should be emphasized more in our understanding of risk in projects. Noel Tichy and Warren Bennis in their book “Judgment: How Winning Leaders Make Great Calls” emphasize that judgment is the core–the nucleus–of Leadership. With good judgment, little else matters. Without it, nothing else matters. Risk analysis and risk management without good interpretation and good judgment are devoid of the key elements of Project Leadership.
In your PMO, do you have a well-defined risk analysis and risk management plan in place for your programs? How are the concepts of interpretation and judgment carried out? Who carries them out? Top management? Or the engineers and planners at the heart of the project details?
If your overall approach to “risk” in your PMO needs examination and updating, take this opportunity to boldly propose new approaches and new viewpoints. The value addition from such exercises can be enormous.
As usual, your comments are welcome.