Originally Published for allPM.com
Risk management avoidance is the tendency to ignore risk. When risk is ignored in project initiation and planning the result is usually unrealistic expectations and the ripple effects that result from them. Ripple effects are schedule and/or budget overruns, benefits shortfall, quality shortfalls and disharmony among the stakeholders. When risk is ignored the project team loses the opportunity to avoid or mitigate risks. Ignoring risk promotes reactivity. Risk management supports a proactive approach.
Risk avoidance is the tendency to avoid situations which may involve loss or failure or in which there is significant uncertainty. Risk avoidance may be a problem because it can lead to missed opportunities based on emotional rather than analytical motivations. Risk management avoidance is always a problem in PM.
The Zen of PM seeks to “see things” as they are, to avoid conditioned responses and be as realistic as possible. Being realistic mean acknowledging positive and negative possibilities as well as the inevitable uncertainty involved in any complex effort performed over time.
At some companies, it is common to inhibit the identification and analysis of project risk because those that bring up the risks are considered pessimists and defeatists. Project proponents are eager to convince sponsors and clients to authorize their projects. To them, risk analysis gets in the way. It makes an idea harder to sell if the uncertainty of expected returns is highlighted. Some project and product champions are deluded in thinking that their concept is actually perfect. They don’t see the reason to take a “Black Hat” perspective, thinking that since the idea is perfect nothing would come out of risk assessment.
At a professional services firm risk assessment is inhibited because sales people, their clients and senior managers dislike uncertainty. They want single point estimates and guarantees. They want certainty.
Many, if not most people find uncertainty to be at least annoying, if not unacceptable. Yet, the only certainty we have is uncertainty and death (even taxes are uncertain, depending on who is in political power and how good your tax accountant is).
How to Overcome Risk Management Avoidance
So, how do we overcome risk management avoidance?
The answer is simple, though not necessarily easy. Change the culture to accept the reality of uncertainty and then use effective risk management techniques to assess and address it.
Changing the culture is the hard part. Highlight the “pains” caused by unrealistic estimates and schedules. Here, it is necessary to raise the uncomfortable subject of past failures and chronic problems. How to do this is a subject warranting an article of its own. Remember, without motivation there is no managed change. Pain is one of the greatest motivators. We are reminded of the result General George A. Custer’s failure to assess risk by Angyne Shock-Smith in her PMI conference paper on Risk IQ and EQ. He and all of his men were killed.
Until you can get the attention and support of critical sponsors you can only work from the bottom-up assuming the PM’s are motivated. Once you have sponsorship, top-down driver change become possible.
Once there is an awareness of the connection between chronic problems and risk management the next step is to get people to understand two key principles:
1. Uncertainty is a certainty.
2. Identifying and analyzing risk does not magically increase the probability of its occurrence. In fact, identifying risk actually enables planners to avoid or reduce the probability and/or impact of the occurrence of risk events.
Among the ways to get people to get past their RM avoidance is to use of Edward DeBono’s Six Hats approach. DeBono’s process has problem solvers look at the project from six perspectives.
White Hat: Focus on the data available.
Red Hat: Look at problems using intuition, gut reaction, and emotion.
Black Hat:
Using black hat thinking, look at all the bad points of the possible solutions. Look cautiously and defensively. Try to see why something might not work. This is important because it highlights the weak points in a solution. It allows you to eliminate them, alter them, or prepare contingency plans to counter them.
Black hat thinking helps to make your solutions tougher and more resilient. It can also help you to spot fatal flaws and risks before you embark on a course of action. Black hat thinking is a benefit of this technique, because many successful people get used to thinking positively and they cannot see problems in advance. This leaves them under-prepared for difficulties.
Yellow Hat: The yellow hat represents the optimistic viewpoint that helps you to see all the benefits of the possible solutions and the value in it.
Green Hat: The green hat stands for creativity.
Blue Hat: The blue hat stands for process control.
The thinking is that one can’t be effective unless all perspectives are taken. Within this model the Black Hat perspective implies risk management. The model makes this more palatable by seeing it in the context of the multiple views.
The Risk Management Process
Using this thinking we are more likely to bring people into the risk management process. The process according to PMI’s PMBOK® Guide, Third Edition is:
· Risk Management Planning
· Risk Identification
· Qualitative Risk Analysis
· Quantitative Risk Analysis
· Risk Response Planning
· Risk Monitoring and Control.
Risk planning is a critical element. It is where in the process the buy-in for performing risk management is obtained, roles and responsibilities are identified and the process is tailored to the needs of the project. It is a best practice to have a consistent approach across many projects if not the entire organization. It is wise to make sure there is sufficient flexibility to enable the process to be adapted to the needs of the project.
One of the common rationales people use for avoiding risk management is that it is too complex, requires a statistician and/or requires sophisticated tools. Depending on project size and complexity and on the maturity of the organization regarding risk management, risk management can be done across a broad continuum of levels of precision and complexity. This continuum ranges from simple brainstorming and subjectively based qualitative analysis to the use of sophisticated quantitative risk management tools like Monte Carlo analysis.
Risk identification and analysis are often referred to as risk assessment. Risk identification can be as simple as brain storming likely risks. However, it is far more effective to use risk checklists, based on past experience. Most risks are known. They have either occurred before in similar circumstances. We can know them through anecdotal evidence, informally or through more formal, statistically valid evidence. Either way the kinds of things that can happen are predictable based on past experience.
This is the basis for effective RM. This is where lessons learned processing meets risk management.
Risk analysis, qualitative and quantitative, is performed to identify the probability of occurrence and impact of risks so as to prioritize them and analyze them for their effect on the project as a whole. Here the project manager must scale the technique to the needs and capabilities of the project team.
Response planning, monitoring and control are summed up as “handling the risk”. This is where the payoff comes for doing the assessment. Because we have identified and analyzed risk it is possible to decide consciously on how best to address it and how best to monitor it during project life.
Risk management is an iterative process that is performed across the project life cycle. It begins with a preliminary or high level assessment This is coupled with making decisions and developing responses that can avoid or mitigate risks. Preliminary risk assessment is taking a project-wide or phase-wide view, coupled with the first or early waves in rolling wave planning. As example, early assessment might identify a high probability risk that the sources of requirements (e.g., product users, sponsors, support people, etc.) won’t be available during detailed requirements definition or that a particular design will require knowledge not available in the project organization. These realizations become the impetus for getting the sponsor and client to commit to the assignment of dedicated and knowledgeable subject matter experts and to the decision to either avoid the design option or mitigate the risk by training or arranging for consulting assistance.
Detailed risk analysis is performed as the team approaches bottom up estimating based on a more refined definition of project and product scope. It is associated with the later waves of rolling wave planning.
High-level and detailed risk assessment leads to the identification of reserves and pessimistic, most likely and optimistic estimates and schedules. These are used to set expectations and enable effective GO/No Go decision making. The range of expected outcomes is the direct result of risk management. Expressing all estimates in terms of the range of probable outcomes and their probability of occurrence is the surest way of communicating the uncertainty that is present in projects at various points in the life cycle.
Conclusion
To sum it up, there is a tendency in some organizations to avoid addressing risk.
If they fail to take a well thought out risk management approach, performed across the project life cycle as an integral part of the planning and estimating process, they will promote reactivity. They will lose the opportunity to squeeze unnecessary risk out of the project by proactively avoiding or mitigating it.
Effective risk management is performed in the context of the progressive elaboration of project scope and rolling wave (i.e., iterative refinement) estimating. Progressive elaboration provides increasingly detailed views of the project and product. Rolling wave planning makes use of these views to refine estimates and schedules by narrowing the range of possible outcomes. The range can be narrowed because uncertainty decreases as knowledge increases.
The wise project manager makes sure that expectations are managed through the use of risk management.
