Risks and Risk Management

We continue with our series on the taxonomy of failures in project knowledge areas  looking at risk management. In this case turning our breakdown of the project failures toward risk management.  Risk management is fundamental to project management as we reduce or navigate the potential impediments to the success of our project.  With poor risk management, we may take a project on that should perhaps never be undertaken.  We are not able to balance the risk versus reward equation if we have no idea of the risks.

Risk Breakdown

Though this is not so complicated, to be effective requires a diversity of perspectives and thinking.  We can classify risks into three categories[1]:

• known-knowns – we have pretty good knowledge here, perhaps we have done this type of work before and we have experience, training, and perhaps historical record to help navigate these risks.
• known-unknowns – we are able to question because we have some knowledge of the area and are aware things can go wrong.
• unknown-unknowns – we have not idea, we are not able to ask questions about since we have never experienced this risk event

With unknown-unknowns we are talking about the often referred to as black swan events.  Black swan event is a term coined by Nassim Nicholas Taleb used to describe those events that are beyond the realm of prediction without the benefit of hindsight.  There is not much you can do about these.  To be successful here, you would have to theorize the many things that you have never seen happen or heard about occurring.  It is very difficult to imagine that being productive.  The other areas, we either know or we know enough to ask questions.  This questioning is sometimes born from the juxtaposition or extrapolation of ideas and experiences that can occur in collaborative efforts. Effectively executed, we can generate answers or devise ways (tests and experiments) to get the answers.

Taxonomy of Risk Failures

Below we provide a brief list of the things that can go wrong in our risk management approach. 

• insufficient vetting of strategy for the project and product
• no risk management strategy or plan
• poorly communicated risk strategy or plan
• no analysis (statistical) of depending risks
• insufficient time spent uncovering the risks
• missing talent within the team to identify risks
• risk log is populated but never reviewed
• little or no monitoring during execution
• failure to promptly respond to team members discussing what they see as a soon to be failure
• poor use of historical record
• lack of systems thinking (future consequences)
• insufficient or no metrics identified for specific risks
• unknown responsibility for monitoring metric that predicts imminent failure
• no quantification of risks
• no qualification of risks
• risk identification focused on large unlikely events
• risk identification hyperfocused on easy to solve potential risks
• insufficient dissemination of previous risks and failures to the team
• an overwhelming optimism of the team and organization
• no contingency budget
• randomly generated contingency budgets
• contingency budgets not allocated to specific risks
• hyper focus on one risk category (ex. technical) to the exclusion of the many other areas
• poor match of risk to risk mitigation (Avoid, Accept, Reduce, Transfer)
• poorly executed risk mitigation
• disassociation of risk from stakeholder or sponsor

Risk Management Review

There is no panacea or great cure-all for risk management. While not complicated we must not get the idea that this is not important or easy. Successful projects require an active approach to the risks with a mix if imagination and a perspective grounded in reality and not optimism.  Effective planning allows us to find alterative approaches where possible or quickly implement identified actions rather than watching the clock tick and damage to the project and our reputation as we figure out the course of action.