Risk Management – Positively Useless?
Many of you will be familiar with ABCD risk management and its benefits. But have you really thought why it is so effective when compared to “traditional” risk management approaches? To explain this you really have to consider the psychology behind traditional risk approaches and how this tends to hinder the effective identification and management of the risks.
Small organisations tend to get things done with little fuss. As organisations get a little bigger, the concept of the “project” is introduced and they are generally successful as the projects are relatively simple. As organisations get bigger still the projects get larger, and more complex, and this is when things tend to go wrong – projects finish late and go over budget and often fail to meet their original objectives. Why is this?
At a fundamental level, it all comes down to communication – or the lack of it. Simple projects are done by small teams, very often collocated in the same office. When they need to communicate they do so verbally and face-to-face. The communication is understood and the understanding is confirmed. However, as projects get bigger, the teams get larger and before long it becomes very easy for plans to be miss-read, emails to be misinterpreted and the perspective on the objectives to be different between individuals on the project team, and associated stakeholders. In fact these problems start to emerge in surprisingly small projects and anything with a combined team and stakeholder group of more than about 10 people can easily go off the rails, particularly if the team is geographically dispersed. So if communication is the issue, how do we go about improving communication in an age of information overload?
Why is there so much resistance to risk management?
Most project management thinking would advocate the introduction of some form of formal risk management process for any significant project. Traditional approaches to project risk management are based on identifying risks, perhaps through some form of workshop; adding impact and probability ratings, either qualitatively or quantitatively, and then multiplying these together to come up with a Risk Exposure which allows prioritisation and action. It all sounds good in theory but in practice, there are likely to be significant problems with this approach.
The most fundamental problem comes down to the psychology of risk and language. Projects are all about achieving objectives by set timescales i.e. positive ventures, Risk is a negative entity so to get people to think and talk openly about their risks can be a challenge to say the least. For example, when you ask a Project Manager, “What are your risks?” this can have two primary effects:
- The Project Managers brain is thinking positively and is suddenly asked a question that is pushing in completely the opposite direction. The effect is to “confuse” the brain so that it starts thinking about things that might go wrong but are not linked to the objectives of the project. The effect is to generate spurious risks.
- The Project Manager immediately starts to think things like “what are going to do with this information?” and may feel threatened that their fears may be shared with colleagues and superiors. The effect will be that they tell you what risks they are actually comfortable about managing and not the ones that are their real concerns.
This psychological barrier can significantly compromise risk identification and therefore will undermine the whole risk management process.
In addition there are further problems with traditional approaches that compromise quality and efficiency:
- There is a general tendency for people to focus on today’s problems or “issues” rather than tomorrows risks. This results in Issue Management (reactive) rather than Risk Management (pro-active). You need to do both or you will always be fighting fires.
- Risk statements are captured which are too generic to communicate the real concerns (e.g. “Insufficient resources”) and therefore cause confusion and give no insight to guide risk planning. This furthers the perception that the risk process is not adding value. At the opposite end of the scale, some risk statements may resemble essays and therefore never get read or actioned.
- Quantitative analysis is often based on wild numerical guesses and leads to incorrect prioritisation and inappropriate action. People tend to concentrate on the risks that they can quantify (eg contractual penalties, direct cost of resources) and play down risks that have “softer” impacts that can’t be quantified (eg impacts on quality, relationships or reputation).
- Qualitative analysis is often based on HML type scales that leads to a default rating as Medium risk exposure and inappropriate prioritisation so that it is impossible to “see the wood for the trees” (eg High impact x Low Probability = Medium Risk Exposure).
- The risk analysis results in very little real action other than work that was already planned and therefore the process is not valued by the team. The actions required to manage the risks are not specific and therefore not followed through.
Traditional risk management approaches can be made to work but the administrative overhead involved in managing the above problems tends to mean that, at best, the benefits are not justified by the cost and effort.
Assumptions Analysis rather than Risk Analysis
If we accept that the basic problem is communication we must place this at the core of our approach. However, we must also remember that we must not overload stakeholders with information so efficiency is also a key factor.
The ABCD Assumption Analysis process was developed as part of an integrated risk management process that directly addresses the weakness seen in traditional risk management process, as described above. The main strengths of the process are:
- Assumptions allow people to think positively (what needs to happen?), rather than negatively (what may go wrong?). Therefore, people tend to communicate their assumptions more openly than their risks
- Plans consist of facts and assumptions and a lot more of the latter than the former. By capturing the key assumptions that knit the plans together, along with assumptions made about external constraints and interdependencies, a complete and consistent analysis of the risks is easily conducted. Also the analysis is focused on the plans and therefore the underlying risks are always relevant to the project under assessment
- Assumptions are naturally future focussed – you cannot make assumptions about things that have already happened and therefore the focus stays on risks rather than issues
- The root cause of any risk is in the underlying assumption(s). If we can deal with the root-cause rather than the impact, we can normally fix things easier and cheaper at source rather than spending a small fortune clearing up the mess. This leads to short, sharp action plans that tend to get done!
For more details on Assumptions Analysis visit De-Risk.com
Assumption Analysis in practice
Since its conception in the early 1990s, ABCD Assumption Analysis has been used on thousands of projects worldwide. These range from relatively small projects that would yield approximately 30 key assumptions to analyse and manage to some of the largest change programmes in the world that require the tracking of thousands of assumptions. The hierarchical rules in ABCD mean that ABCD can be scaled easily to accommodate programmes of any size. This means that the traditional problem of information overload, where large programmes result in too many risks being escalated to senior management, are controlled naturally in ABCD and you can always “see the wood for the trees”.
So by focussing on the assumptions (and communicating them) rather than risks, you should identify the real risks to your projects quickly and efficiently. By managing these risks you will have the confidence that your projects will deliver on-time, to budget and meet their critical objectives.