Risk management – I just don’t get it.
Ever heard that statement? Normally what they really mean is “I get it, but why does it have to be so formal?”
How much formality is appropriate should depend on the size and complexity of the project or programme. In ABCD we have the Criticality/Complexity Diagram (CCD), which can be used to explain this. The CCD is also a useful mechanism for stopping fixation on the size of the project and making management take account of what is really making the project potentially risky, i.e. the complexity.
On the CCD, the project is positioned relative to other projects in the organization. If the position is agreed to be in the top right-hand corner, formal risk management is justified. If the project is positioned outside the top right-hand corner, then simpler, less formal risk management approaches are appropriate. Simple, eh? But let’s look deeper at the psychology of what can happen here…
Good project and programme managers often have strong personalities and the problem is that this can verge on arrogance. For example, the Programme Manager of a large-scale programme looks at the risk management process and concludes that it is a sound system but he/she can identify all the key risks themselves without the help of the process. To them the formal process is (mistakenly) just an unnecessary overhead.
The PM of a small to medium-sized project should indeed be able to identify all the key risks without the need for a complex risk process. However, as soon as the scale of the enterprise gets larger, and in particular the number of stakeholders becomes significant, it becomes inevitable that key risks are going to be missed. This is going to happen simply because the challenges in communicating all the relevant data will mean that things get missed, misinterpreted, or inappropriately prioritized (and by the way, did I mention “assumptions”? We discussed the psychology of traditional risk identification vs assumption-based in an earlier blog…).
In a large/complex programme, a formal, rigorous process like ABCD is not just justified, it’s essential. But again, arrogance can raise its ugly head, and this time the PM insists that the “simple” risk management processes that they used effectively before on smaller projects will work perfectly adequately here: “just scale them up a bit”…
Well, no, they won’t…
Simple risk management processes tend to come a cropper when applied to large-scale initiatives, i.e.:
- The scale of the programme means that so many risks are raised that the management can’t assess priorities appropriately and lose focus, or…
- Inappropriate escalation between layers in the programme means that very few risks get escalated and senior management incorrectly assume that all is well.
- This situation is exacerbated by a manual escalation process that means that PMs do not escalate when they should do, but try and solve the risks themselves. If they fail, it could be fatal for the programme, and comes as a big surprise to senior management.
- This also causes an unhealthy shift from risk management to issue management – the subject of an earlier blog.
- The team can also be inhibited from escalating risks by the knowledge that their “arrogant” programme manager will try and squash their concerns because those concerns don’t conform to the programme manager’s view of the world.
So the message is clear – when the project is critical and relatively complex, appropriately formal risk management processes are essential if you are going to identify all key risks.
And if you are still not convinced, ask yourself this question – How many showstopper risks do you need to miss before one stops the show?
And just in case you were wondering – how many times do people fail to “get it” after ABCD has been implemented? Just once in my experience, but that may be the subject of an interesting case study in a later blog…