Many of you will be familiar with ABCD risk management and its benefits. But have you really thought why it is so effective when compared to “traditional” risk management approaches? To explain this you really have to consider the psychology behind traditional risk approaches and how this tends to hinder the effective identification and management of the risks.
Small organisations tend to get things done with little fuss. As organisations get a little bigger, the concept of the “project” is introduced and they are generally successful as the projects are relatively simple. As organisations get bigger still the projects get larger, and more complex, and this is when things tend to go wrong – projects finish late and go over budget and often fail to meet their original objectives. Why is this?
At a fundamental level, it all comes down to communication – or the lack of it. Simple projects are done by small teams, very often collocated in the same office. When they need to communicate they do so verbally and face-to-face. The communication is understood and the understanding is confirmed. However, as projects get bigger, the teams get larger and before long it becomes very easy for plans to be miss-read, emails to be misinterpreted and the perspective on the objectives to be different between individuals on the project team, and associated stakeholders. In fact these problems start to emerge in surprisingly small projects and anything with a combined team and stakeholder group of more than about 10 people can easily go off the rails, particularly if the team is geographically dispersed. So if communication is the issue, how do we go about improving communication in an age of information overload?
Why is there so much resistance to risk management?
Most project management thinking would advocate the introduction of some form of formal risk management process for any significant project. Traditional approaches to project risk management are based on identifying risks, perhaps through some form of workshop; adding impact and probability ratings, either qualitatively or quantitatively, and then multiplying these together to come up with a Risk Exposure which allows prioritisation and action. It all sounds good in theory but in practice, there are likely to be significant problems with this approach.
The most fundamental problem comes down to the psychology of risk and language. Projects are all about achieving objectives by set timescales i.e. positive ventures, Risk is a negative entity so to get people to think and talk openly about their risks can be a challenge to say the least. For example, when you ask a Project Manager, “What are your risks?” this can have two primary effects:
- The Project Managers brain is thinking positively and is suddenly asked a question that is pushing in completely the opposite direction. The effect is to “confuse” the brain so that it starts thinking about things that might go wrong but are not linked to the objectives of the project. The effect is to generate spurious risks.
- The Project Manager immediately starts to think things like “what are going to do with this information?” and may feel threatened that their fears may be shared with colleagues and superiors. The effect will be that they tell you what risks they are actually comfortable about managing and not the ones that are their real concerns.
This psychological barrier can significantly compromise risk identification and therefore will undermine the whole risk management process.
In addition there are further problems with traditional approaches that compromise quality and efficiency:
- There is a general tendency for people to focus on today’s problems or “issues” rather than tomorrows risks. This results in Issue Management (reactive) rather than Risk Management (pro-active). You need to do both or you will always be fighting fires.
- Risk statements are captured which are too generic to communicate the real concerns (e.g. “Insufficient resources”) and therefore cause confusion and give no insight to guide risk planning. This furthers the perception that the risk process is not adding value. At the opposite end of the scale, some risk statements may resemble essays and therefore never get read or actioned.
- Quantitative analysis is often based on wild numerical guesses and leads to incorrect prioritisation and inappropriate action. People tend to concentrate on the risks that they can quantify (eg contractual penalties, direct cost of resources) and play down risks that have “softer” impacts that can’t be quantified (eg impacts on quality, relationships or reputation).
- Qualitative analysis is often based on HML type scales that leads to a default rating as Medium risk exposure and inappropriate prioritisation so that it is impossible to “see the wood for the trees” (eg High impact x Low Probability = Medium Risk Exposure).
- The risk analysis results in very little real action other than work that was already planned and therefore the process is not valued by the team. The actions required to manage the risks are not specific and therefore not followed through.
Traditional risk management approaches can be made to work but the administrative overhead involved in managing the above problems tends to mean that, at best, the benefits are not justified by the cost and effort.
Assumptions Analysis rather than Risk Analysis
If we accept that the basic problem is communication we must place this at the core of our approach. However, we must also remember that we must not overload stakeholders with information so efficiency is also a key factor.
The ABCD Assumption Analysis process was developed as part of an integrated risk management process that directly addresses the weakness seen in traditional risk management process, as described above. The main strengths of the process are:
- Assumptions allow people to think positively (what needs to happen?), rather than negatively (what may go wrong?). Therefore, people tend to communicate their assumptions more openly than their risks
- Plans consist of facts and assumptions and a lot more of the latter than the former. By capturing the key assumptions that knit the plans together, along with assumptions made about external constraints and interdependencies, a complete and consistent analysis of the risks is easily conducted. Also the analysis is focused on the plans and therefore the underlying risks are always relevant to the project under assessment
- Assumptions are naturally future focussed – you cannot make assumptions about things that have already happened and therefore the focus stays on risks rather than issues
- The root cause of any risk is in the underlying assumption(s). If we can deal with the root-cause rather than the impact, we can normally fix things easier and cheaper at source rather than spending a small fortune clearing up the mess. This leads to short, sharp action plans that tend to get done!
For more details on Assumptions Analysis visit De-Risk.com
Assumption Analysis in practice
Since its conception in the early 1990s, ABCD Assumption Analysis has been used on thousands of projects worldwide. These range from relatively small projects that would yield approximately 30 key assumptions to analyse and manage to some of the largest change programmes in the world that require the tracking of thousands of assumptions. The hierarchical rules in ABCD mean that ABCD can be scaled easily to accommodate programmes of any size. This means that the traditional problem of information overload, where large programmes result in too many risks being escalated to senior management, are controlled naturally in ABCD and you can always “see the wood for the trees”.
So by focussing on the assumptions (and communicating them) rather than risks, you should identify the real risks to your projects quickly and efficiently. By managing these risks you will have the confidence that your projects will deliver on-time, to budget and meet their critical objectives.
[…] 11th Aug, 2009 Risk Management – Positively Useless? Read more […]
Isn’t the problem that risk management (RM) has been turned by some in to a cottage industry and ‘bolt on/after thought’ of the project management (PM) process, rather than be an integral state of mind for PMs? All risk management techniques rely on participant honesty, highlighting potential problems really early and empowering people to address issues rather than rely on ‘the management’ to sort it out. Even the de-risk ABCD process, suffers from dishonesty and not wishing to be a naysayer: the issue is that people are reluctant to raise negative issues and too ready to accept ‘evidence’ or ‘assurance’ that an issue/topic is under control and no longer a risk. I have found that using ABCD is more likely to succeed as it asks ‘what do we need to happen for this project/stage to be successful’, rather than the traditional ‘what is likely to go wrong’ approach. However, when assessing the risks that are identified, to properly mitigate any risks requires all to be honest-this is where short-term financial, time and other pressures can undermine the process. We must also refrain from making the process too ‘process-monkey’ driven and declutter and simplify the tool or process if we expect busy PMs and others to fully engage in the RM process and use the tools. Whilst we are fighting the crocodiles nearest the canoe, we should also keep an eye out for the hippo easing itself off the shore and heading our way. In essence, RM must be an integral element of PM and must become simple, intuitive and achieve quick win results if it is to be effective.
Keith – what do you think about the practice of taking the risks and working backwards to the assumptions. I have used this approach and it seems to work.
Maurice – couldnt agree more. The whole point of ABCD is to simplify risk management by making it intuitive and therefore an integral part of project management. The problems you describe are often avoided by making sure that ABCD is implemented rigorously eg senior management can “beleive” that a previoulsy unstable assumption is now stable, and therefore no longer a risk, but the formal status is not changed until the assumption originator has agreed that appropraite action has been taken and the assumption is indeed sufficiently stable.
Jon – “Reverse engineering” risks has its merits but can also be very dangerous. The big problem is that you may get to an underlying assumption but it very often is not the one that you would have got to if you had started by asking for key assumptions. For example, if you start with a risk that says something like “May not be able to meet desktop roll-out targets”, you may then deduce that the underlying assumption is “Desk-top roll-out targets will be acheived”. So far so good, but assumption analysis will result in the Sensitivity and Stability ratings with their associated reasons and the reason behind the stability rating may be something like “C = Challenging targets”.
Now lets say that you are pushing for key assumptions instead. The assumption might be “The current discussions with Unions will be resolved by 10 Sept in order to meet the desktop roll-out schedule”. The reasons behind the Stability rating will explain any concerns regarding these discussions and this will guide action plans. The the essence is that you often get directly to the true cause with assumption analysis which is very difficult if you start with a statement of “risk”.
While holidaying in the Alps last week, I was reminded of the parallels between assumption based risk management and, what might be loosely described as, sports psychology.
For instance, if I thought about all the risks that I am subjecting myself to when I am mountain biking, I would end up in a heap by the side of the trail or just simply not do it! So I make calculated assumptions regarding the grade of the decent, my equipment, the conditions etc and then I go with the flow and focus on my objective. In fact if I start to think about the risks in the middle of a decent, that