Where Risk Management Fails and How to Fix It
Where Risk Management Fails & How to Fix It?
The term ‘Risk Management’ means different things to different people. For some, it invokes a kind of excitement – they think of taking and managing risk; for others, it invokes a sense of bureaucracy and management. However, if you look at it from a neutral point of view, you notice that risks are inevitable and actually quite desirable. How? Well, in a world without uncertainty and risk, life becomes a predictable, unrewarding and extremely boring thing.
Maybe ‘risk management’ needs dissecting, ‘risk’ is exciting but ‘management’ is boring? Without management risks become reckless and recklessness is not something you need too much of in life or indeed in business. In the business world, the risk takers are generally good at managing risks, or they won’t be in their jobs for long.
Different businesses also have different meanings for the term ‘risk management’. In the banking and finance world, risk management tends to be a financial process
for measuring (and if done properly, managing) financial exposure. Whereas to the manager of a power plant, risk management is the quite obvious, i.e. the avoidance of a total physical disaster. To the manager of a large change project, it’s all about making sure the final product is delivered on time, within budget and meeting all objectives. Defining the main areas of business risk management:
Financial Risk Management
The process of evaluating and managing financial risk in a business in order to decrease the business’s exposure to the risk. Financial managers must identify the risk, evaluate all the remedies and then take steps necessary to alleviate the risk. Indicators, losses, scenario analysis, stress testing and mathematical modelling are all ways these risks are analysed as a method of counteracting possible impacts. Financial risk management tends to concentrate on credit and market risk. Although thorough, financial risk management can’t protect a firm from all possible risks due to the broad variety of possibilities that cannot always be foreseen. All Financial Institutions have significant risk management departments and large corporations have scaled down risk management functions as part of their audit or treasury functions.
The promise of covering the risk of potential future losses in exchange for a payment. Insurance is designed to protect the financial well-being of an individual, company or other entity in the case of unexpected loss (Home insurance, phone insurance etc are all forms of this type of risk management). Agreeing to the terms of an insurance policy creates a contract between the insured and the insurer. In exchange for payments from the insured (i.e. premiums), the insurer agrees to pay the policyholder a sum of money upon the occurrence of a specific event. An example that most people can relate to is home or phone insurance, where if one is damaged etc it can be replaced by your insurer at no cost to you as you have already paid the excess on the item/product.
Operational Risk Management
The management of the non-(purely) financial aspects of the business. This focuses on the risk to the ongoing business processes and the potential for them to break down. For example, the risk of fraud in a bank’s payment system could lead to major unchecked losses or the fire in a data centre could lead to the serious breakdown of business continuity. This would also cover the reputational risk to the organisation if a process or product fails.
Programme/Project Risk Management
The management of a programme or project designed to initiate some kind of significant change to the business. This could be a new product development, a new IT system or a business process re-engineering. The risks are always focused on cost overruns, delays to plans and compromised objectives. This would also include reputational risk to the business if the project fails to deliver on all planned expectations, for example, the overrun (timescale and/or budget) of a new railway line.
Risk management, as defined in the world of banking and finance is effective – IF it is followed – There are many books on this subject and just about everything surrounding it. Similarly Insurance is a mature and well understood form of risk management. Operational risk management is also "mature" in the sense that it is managed primarily by experienced individuals who have worked in the business for many years and know what to look out for. It is generally Programme or Project risk management that is most neglected or least well developed form of risk management in most organisations. Either it is lumped in as part of Operational risk management and/or over simplified to the point of not ultimately doing its job. Ironically it the type of risk management that brings down organisations. For example, how many times have you heard about major programmes being very late or massively over budget with the related impact on the share prices and/or the reputations of all involved?
Traditional Project Risk Management – The Theory
Risk Management is essentially composed of risk assessment (passive) and risk control (active) and breaks down into the following six stages:
Stages of Risk Management
- Identify your risks: Common methods to identify risks are workshops, brainstorming and distributing standard templates for team members to complete
- Analyse: Traditionally you do this by allocating numbers or ratings to describe ‘impact’ and ‘probability’. Impact is normally described quantitatively, in terms of a financial loss if the risk occurs, or qualitatively by using a high/medium/low (HML) typescale. Probability is normally expressed as a percentage likelihood that the risk will occur (if no action is taken) but may also be allocated a HML type scale.
- Prioritise: Normally done by multiplying together the impact and probability to come up with a ‘risk exposure’. This will either be a number or HML type scale as before. Risks are then normally prioritised from highest to lowest risk exposure.
- Risk Management Planning: This involves deciding on your objectives for managing the risk; for example, do we mitigate the risk, accept it, transfer it, insure against it and so on?
- Risk Mitigation/Resolution: Breaking down the risk mitigation into steps deciding who is going to do what and by when.
- Risk Monitoring: Deciding on the governance process for how management will monitor risk management plans to ensure follow-through using regular risk meetings, putting risks as an agenda item in project meetings, virtual meetings and so on.
It all sounds very logical so why doesn’t it work particularly well in practice?
Traditional Project Risk Management – The Practice and Problems
Risk and Language: The Psychology
The fundamental problem with risk management comes down to the psychology of risk and the language used. With business and projects, in particular, the aim behind everything is to achieve your objectives within a set timescale and budget (i.e. thinking “positive”). Risk, as a term, is a “negative” concept and so to get people to think and talk openly about their risks can be quite a challenge due to human nature of not always wanting to share what makes us feel uncomfortable. So when we ask a project manager, “What are the risks?” this can have two main effects:
- The project manager’s brain is naturally thinking positively (i.e. “What do I need to do?”) and is suddenly asked a question that is pushing in completely the opposite direction (i.e. “What could go wrong?”). The effect is to ‘confuse’ the brain so that it starts thinking about things that might go wrong but are not necessarily linked to the objective of the project. This can generate spurious risks such as the building falling down or flooding. These might be ‘risks’ but they are very low probability (hopefully) and should not be the concern of, or managed by, the project manager
in any case.
- The project manager immediately starts to think things like “What are you going to do with this information?” and may feel threatened if you shared their fears with colleagues or superiors. The effect will be to tell you what the risks they are actually comfortable about managing and not the ones that are their real concern. This is again down to human nature, as people don’t wish to be judged on things that make them feel threatened.
Further Problems with Traditional Approach
This negative thinking can be a psychological barrier that can compromise risk identification and, therefore, can subsequently undermine the whole risk management process. In addition, there are further problems with traditional approaches that compromise quality and efficiency:
- There is a general tendency for people to focus on today’s problems or ‘issues’ rather than tomorrows risks. This results in issue management (i.e. reactive) rather than risk management (i.e. proactive). You need to implement effective risk management or you will always be managing issues – Fire Prevention vs Fire Fighting.
- Risk statements (e.g. ‘Insufficient resources’) are captured which are too generic to communicate the real concerns and, therefore, cause unnecessary confusion and give no insight to guide risk mitigation planning. This furthers the perception that the risk process is not adding value. At the opposite end of the scale, some risk statements may resemble essays and therefore never get read by busy managers.
- Quantitative analysis is often based on wild numerical guesses and leads to incorrect prioritisation and inappropriate action. People tend to concentrate on the risks that they can quantify, for example, contractual penalties or direct cost of resources, and play down risks that have ‘softer’ impacts that can’t be quantified, such as impacts on quality, relationships or reputation.
- Qualitative analysis is often based on HML type scales that leads to a default rating as ‘medium’ risk exposure and inappropriate prioritisation so that it is impossible to ‘see the wood for the trees’ for example, High Impact X Low Probability = Medium Risk Exposure i.e most risks are “Medium” priority.
- Such risk analysis results in very little real action other than work that was already planned and therefore the team does not see any significant value in the risk management process. Also, the actions required to manage the risks are often not specific enough and therefore not followed through.
- Traditional risk management approaches can be made to work by competent leaders and good teams but the administrative overhead involved in managing the problems described above tends to mean that, at best, the benefits are not justified by the cost and effort required to implement and support the risk management process.
Focusing on Assumptions, not Risks.
The key challenge with traditional risk management is the negativity aspect. So if we approach risk management from a positive perspective we avoid this problem. But risks are positive, so how can we be positive about a negative concept?
Identification of risks is essentially the wrong place to start – where do risks really originate? Risks do not exist in isolation. The risk is always to ‘something’ and that something is a set of objectives. For any business venture, we have to identify our objectives, i.e. what we are trying to achieve. We can then define the risks relative to the objectives. The problem with this is that objectives are, by their very nature, very high level and concise and therefore the risks will also be defined at a very high level. We have to take this a stage further.
If the objectives define what we are trying to achieve, the plans describe how we are going to achieve them. So we define the risks relative to the plans – correct? Well, nearly.
Inevitably, plans consist of some facts and a lot of assumptions. If the plan is to be successful, the assumptions will turn into facts. Some assumptions will be close to being facts and we should not concern ourselves with them. Inevitably many assumptions will be at risk and these are where we need to focus, i.e. on assumptions not risks.
Communication and Risk
There is also another side to the problem of ineffective risk management, – communication – or the lack of it. The root cause of almost all risk is communication – again, the lack of it. Excluding “acts of god”, almost all risks can be avoided, with clear, early and precise communication between involved parties. A few examples of communication in action are:
- A project is planning to undertake system testing in May. In the last week of April, one of the team discovers another project is dominating the testing facility and won’t be finished until the end of June. This means the project will have a one month delay. But had the test facility plan been communicated earlier, then alternative arrangements could have been made and both projects could have been dealt with and had due time to organise an alternative arrangements.
- A production line breaks down and leads to three days of downtime while maintenance takes place. The cause of the breakdown is an old component that had been showing fatigue for several month prior to the breakdown. If the people who knew had communicated earlier, the maintenance could have taken place during a weekend and reduce the time lost and a major failure taking place. Thus saving the company money and time and avoiding the risk of not hitting targets.
- A company invests heavily in a new product that will provide additional functionality to their most important client. After months of development they demonstrate the new product to the client only to find out that the client has news of his own – they’ll soon be changing strategy and the functionality of the new product will not be required. If the account managers had contacted the client before commencing their work, they could have realised that the strategy change was going to happen and developed something that would work with the new strategy instead.
Risks can be quite easily avoided by appropriate communication at the appropriate time. Communicating too much can lead to us being ignored, but communicate too little and the risks sneak back in and confront you. You need to ensure you communicate ‘enough’ and that criterion is met by the assumptions we make. Your assumptions will cover all the resources you need, the timescales you plan, to the complexities you understand and the decisions you are relying on etc.
For example, if you wanted to communicate everything you need people to know about your upcoming project, then you might release a detailed project plan. But this would only be effective for a handful of people. Whereas on the other end of the scale, you might consider communicating the objectives and a couple of key milestones in an email. People might read it but it won’t help avoid the majority of potential risks. However, if you capture the key assumptions you are making, say 20 of them, and then cross communicate those to key stakeholders, you are communicating something which is valuable and will probably get read.
ABCD Risk Management: A Better Project Risk Management Solution
ABCD stands for ‘Assumption-Based Communication Dynamics’ as it uses the cross-consumption of assumptions as it's core principle. ABCD was developed in the early 1990's to address the fundamental problems encountered with traditional risk management processes. It has evolved and been used successfully in hundreds of enterprises around the world, however the core principles are the same as those originally developed. Many of the principles of ABCD have been adapted over the years to traditional approaches but, as an integrated process, ABCD is still probably the best, most effective and efficient risk management process around.
Assumption Based Communication Dynamics (ABCD) is essentially a formal methodology that enables the capture of differing knowledge and viewpoints from stakeholders, in a form that facilitates communication of issues, assumptions and ensures proactive management of risks. By dramatically improving communication, risks are avoided or managed proactively and objectives are delivered on time and to budget.
ABCD works where other risk management approaches fail. One of the main reasons for this is that ABCD focuses on positives (ie assumptions) rather than negatives (ie risks) and is therefore seen as a positive exercise by people who would normally feel uncomfortable with a “risk assessment”.
ABCD is fully scalable – it can be used on everything from small projects to large- scale programmes and full business enterprises. However, it is most effective on large scale/complex programmes. Most importantly, ABCD can be scaled up to be a true enterprise risk management approach in that it handles all the hierarchies and escalation profiles that traditional methods normally fail to address and, therefore, ensures that management can “see the wood for the trees”.
ABCD embraces both quantitative and qualitative approaches. Quality Based Costing (QBC) is a Monte Carlo based technique that works efficiently and effectively where Schedule Risk Management (SRA) techniques consistently fail. Strategic Assumption Analysis (SAA) captures the really big risky assumptions that senior management need to be aware of and manage without getting lost in the noise of traditional “bottom-up” risk management
Over time, ABCD has evolved to become a lean and intuitive way of identifying and managing real risks. Deceptively sophisticated, it deals with the complexities of large/complex ventures much more effectively and efficiently than the other overly-simplified risk management tools that are extensively marketed.
“Everything should be made as simple as possible, but not one bit simpler” – Albert Einstein
Would you like to know more about ABCD risk management?
De-RISK is the only organisation providing ABCD risk solutions in the world. Key members of the De-RISK team have been involved in its development and implementation since its inception. We are confident that just an initial call will provide enough information to create a new outlook regarding the potential impact of improving the risk management in your business. Contact us today to find out how ABCD Risk Management can change the way you should manage the risks to your ventures.