A few months ago, someone in a program management office noticed that a new employee had taken a master's degree course in risk management.
A brief cackle burst forth, asking: "why would someone need a master's degree in risk management?"
It's a good question.
Risk management is, for many people in projects, one of the very basic things that anyone can do. It's not rocket science. To most people,
risk management is simply the risk register - often created because it
is a mandated part of the project management procedures - and not much
else.
And anyone can create a risk register. All you need is an Excel
spreadsheet and a template of the right headings, or a risk management
software, and start populating it.
Even the risk management framework is simple enough: identify the
risks, give an estimate of the likelihood, determine consequences,
identify controls, estimate residual risk, identify who is
responsible, and then rank the risks for prioritisation.
Brain surgery is equally simple: identify the area to be incised,
determine the likelihood of success, determine the risks, etc. People
know that not all surgeons are equally qualified to do brain surgery.
Even among brain surgeons, there is a qualitative difference in
experience and consqeuently, results.
Riding a bicycle is also equally simple, but everyone knows there is a
magnitude of difference in the performance of a rider at a Tour de
France level, and someone who rides for leisure.
But what about risk management? While anyone can come up with a risk
register, there can be a serious difference in the results.
Some areas where competence in risk analys would produce a marked
difference in results
* Risk identification - are we identifying the right risks? Are we
missing any? Are putting in risks that aren't risks? Missing a
critical risk can prove catastrophic to a project.
* Risk likelihood - are our estimates any good? Is there available
data we should be using? Overestimating can prove costly.
Underestimating can prove disastrous.
* Risk consequences - how credible are our estimates of consequence?
How complete is it? An inept analysis of the consequences will mean
poor preparation and mitigation of the consequences.
* Risk control - how realistic are the controls and mitigations we
have identified? How good is our decision-making on which controls to
implement? What is the impact of our controls
* Risk prioritisation - are using the right prioritisation approach?