I am amazed by the number of project management commentators who flatly refuse to recognise that risk = uncertainty that matters and that uncertainty can be positive or negative (ie, it’s uncertain).
The latest commentator in a long line of negative thinkers is Michael Hatfield in PMI’s Voices on Project Management blog. His approach to risk suggested in ‘PMBOK® Guide for the Trenches, Part 4: Risk’ is simplistic and assumes all uncertainties are negative…..
There are numerous problems with this simplistic view of the world:
- Firstly the same risk – a future uncertainty – can have both an upside and a downside. Failing to manage the upside equates to guaranteeing failure (or at least missing opportunities).
- Future weather conditions are a risk; they could be good or bad. A major motorway near my home town was finished months early and under budget because they were lucky enough to build the project at the tail end of a 10 year drought. The last few months have had above average rain. If the people building the road only worried about the ‘downside’ risk the road would only just be finishing now.
- A similar example is the management actions taken to accelerate work on the Panama Canal through the GFC to take advantage of then upside risk of lower construction costs.
- Second, the environment around projects does not stop changing just because someone has signed off a cost performance baseline. Ongoing risk assessments are critical to avoid surprises; good or bad! The more warning of changed circumstances the project team have the more likely they are to manage the situation effectively.
One of our key areas of expertises is stakeholder management – each stakeholder can be a threat to the project if badly managed and a supporter if well managed. The Stakeholder Circle® methodology has been explicitly developed to first prioritise stakeholders then focus on the important high priority stakeholders to achieve an optimal level of support to allow the project to succeed (for more see http://www.stakeholder-management.com/)
Where we do agree with Michael is on the mumbo jumbo of statistical paralysis many so called risk management systems bog down in. The purpose of risk management is to identify opportunities and threats and then actually do something about them. Recording risks in a risk register and then qualitatively and quantitatively analysing them is a complete and total waste of time unless someone actually takes action. This is the focus of our ‘How To’ build a Risk Management Plan workshop – yes we have a cute Excel risk register but the purpose is action not documentation.
The biggest weakness in the current version of the PMBOK® Guide is the total omission of a process for treating risks. The idea of risk treatment is implied, but not overtly set out as a process, which allows people to think identification and analysis is the end game. Unfortunately managers need to make decisions based on the risk assessment and then take actions if risk management is going to deliver any benefits at all. Hopefully the 5th Edition will fix this.
Pat Weaver
Lynda Bourne
Aavssitedev's Blog
Pat,
Risk management is not a PMI strong suit. But there is also confusion between risk and uncertainty.
The weather is “uncertain,” this impact on farmers from weather is a “risk.”
As well in the uncertainty paradigm there is a different between probability and statistics. There is a probability that rain will fall today over the forecast area (chance of rain). The statistical processes of cloud formation and other sources of precipitation on the Front Range of the Rocky Mountains determines if rain will actually fall on our house.
PMI speaks in non of these terms. Starting with the forbidden mathematical operation of multiply probability of occurrence with the consequences of that occurrence. They were asleep in the calculus class! Both those operands are integral equations (probability density functions) and multiplication is not an operation between integration equations except in the Laplace space – which is not the approach they take.
I’d strongly conjecture that the supposed mumbo jumbo is simply lack of understanding. DID 81650 (Google will find that for you) is an indispensable tool for providing information to the program manager on the Probability of Program Success (PoPS) (Google will find that for you as well).
When I hear someone say want Michael states, I think – “they haven’t really managed programs with these tools have they?”
The mumbo jumbo only comes from failing to understand how to use the tool. There are numerous resources for Monte Carlo Simulation and Bayesian Risk Network. Applying them is mandated on our programs.
Here’s a starting point for this critical topic
Glen has 2 great posts on this subject:
http://herdingcats.typepad.com/my_weblog/2010/04/probability-versus-statistics.html
http://herdingcats.typepad.com/my_weblog/2010/04/probability-and-statistics-for-schedule.html
Agree,
Developing an understanding of what’s important and also identifying those elements that firstly matter and secondly can be responded to are the important first steps in taking focused action.
But if there is no action based on the analysis, there is no point in analysing…. The topic is risk MANAGEMENT, not risk analysis.
Hi Pat,
I’m interested in your views regarding what you consider to be the omission of a process for treating risks.
Would you agree that this process, when looking at it more generically, is just another aspect of a decision making process? In other words, would you expect the PMBOK to detail, in a generic process way, how decisions are to be made?
There is no PMBOK Process for treating risks. Treating risks = actually doing things.
Treatment is implied in the PMBOK® Guide in the Plan Risk Response process but planning without acting and then dealing with the consequences of the actions is as pointless as the rest of the risk processes if they are not followed by actions to physically change the project to enhance opportunities and mitigate threats.
Risk treatment is a proactive process to change the project. This is quite different to preparing risk response plans to implement if an accepted risk event occurs. Most risk managment standards include risk treatment as an overt element.
The Practice Standard for Risk Management is a pretty good starting point, but it doesn’t speak much handling the risks.
I’ve sat through many risk management workshops where that has been the only risk management effort! Its a sort of superstitious gesture that hopes risk is thus controlled; but without a management framework (and action, as you say), and I think, without risk events being costed, and their mitigation or abatement also being costed, it ain’t risk management.
Risks are known and unknown, mitigation of risk involves acknowledging the known with prioritizing. Even within the known there are the unknown, such as your project is located in the south eastern part of the country, known for tornadoes. Your risk mitigation plan allows for managing the side effects an possible damage of a tornado, will you know the level of damage, the exact measurement of destruction, when a tornado will touch down – no; this is the unknown part that will require guess-estimation.