What Is Risk Management
When we take on a project — either as managers or as sponsors — we want the project to succeed. It doesn’t matter what type of project we’re talking about. It could be an information technology (IT) implementation such as installing a new server. Or it could be a construction project such as building a new home or bridge. Or it could be a business creation project such as developing a shared strategic vision or designing the organizational structure.
Whatever the type of project, we will be spending time, energy and money on that project. And success is important to avoid wasting those assets.
Unfortunately, no matter how simple the project, there is never any guarantee that it will succeed. And the more complex the project, the more certain it is that something will happen to make life difficult.
There are many reasons that projects go off the rails. Our assumptions may have really been a set of untested beliefs. We may have failed to keep key individuals apprised of our efforts, achievements and difficulties. We may have failed to get buy-in from the people who would be left behind when we finished. We may have failed to correct false impressions and expectations that were out of step with reality. All of these reasons are controllable. And a failure to manage them represents a mistake on the part of the project manager and the sponsoring management.
But there is another type of failure possible. These are events and issues that might occur. There is no guarantee they will occur. But there is no guarantee they won’t. They exist in a state of uncertainty.
We call these risk events, and we call the processes and tools used to manage them risk management.
Risk management is a discipline that has developed in order to manage risk events. With many events — if not most — we know that they will or won’t occur. They exist in a state of certainty. However, there are three other classes of events. These events exist in a state of uncertainty — or risk. Each of those classes requires a different method of management.
The first class of risk events consists of those where we can identify what they are, their probability (risk) and their effect. One simple version of risk management for those events consists of a four-step process:
1. Identification
2. Rating
3. Planning
4. Monitoring, Affecting & Reacting
Planning for these events becomes a matter of selecting which we care about, and determining methods to avoid, encourage, mitigate or recover from them.
One of the problems with English is that we tend to use very precise terms very imprecisely. Risk has a very specific meaning. Unfortunately, we tend to use it to mean a risk event with a negative value. In other words, a threat. In fact, risk events can be either good or bad. And of course, as part of risk management we want to encourage the good or positive value events and discourage the negative or bad events. There are four ways to deal with a negative event.
First, we can reduce the probability of their occurrence (their risk). Second, we can reduce their effect if they do occur. We call this mitigation. Third, we can avoid the risk effect, usually through insurance or by letting someone else take on the issue. Fourth, we can simply accept the event and deal with it. Especially in the latter case, we will want to know if the event is occurring so that we can put into action whatever plans we have developed to deal with it. Typically, to accomplish this we will add tasks to our project. These tasks will allow us to monitor for risk events.
The second class of risk events consists of those we can’t identify in advance. We use terms such as “out of left field” to describe these. Wherever possible we want to avoid this type of risk event. Why? Because they are the ones that tend to destroy projects. Because we can only react after the fact, there is very little that we can do to prevent, mitigate or encourage them. The only alternative is to estimate their overall effect and develop some form of insurance to cover them. This can (and should) take the form of an allowance within the budgeting process for this type of event. However, typically it is managed by the management committee and simply absorbed as overage. Unfortunately, this tends to both mask true management errors and scapegoat the project manager.
The third class of event is not really a risk management issue. These are statistical variations. We often refer to them as estimation errors although they really aren’t errors.