Beyond the Risk Register

A few months ago, someone in a program management office noticed that a new employee had taken a master's degree course in risk management.
A brief cackle burst forth, along with the question: "why would someone need a master's degree in risk management?"

It's a good question.

Risk management is, for many people in projects, one of the very basic things that anyone can do. It's not rocket science. To most people,
risk management is simply the risk register - often created because it
is a mandated part of the project management procedures - and not much
else.

And anyone can create a risk register. All you need is an Excel
spreadsheet and a template of the right headings, or a risk management
software package, and you can start populating it.

Even the risk management framework is simple enough: identify the
risks, give an estimate of the likelihood, determine consequences,
identify controls, estimate residual risk, identify who is
responsible, and then rank the risks for prioritisation.

Brain surgery is equally simple: identify the area to be incised,
determine the likelihood of success, determine the risks, etc. People
know that not all surgeons are equally qualified to do brain surgery.
Even among brain surgeons, there is a qualitative difference in
experience and, consequently, in results.

Riding a bicycle is also equally simple, but everyone knows there is a
magnitude of difference in the performance of a rider at a Tour de
France level, and someone who rides for leisure.

But what about risk management? While anyone can come up with a risk
register, there can be a serious difference in the results.

Some areas where competence in risk analysis would produce a marked
difference in results:

* Risk identification - are we identifying the right risks? Are we
missing any? Are we putting in risks that aren't risks? Missing a
critical risk can prove catastrophic to a project.

* Risk likelihood - are our estimates any good? Is there available
data we should be using? Overestimating can prove costly.
Underestimating can prove disastrous.

* Risk consequences - how credible are our estimates of consequence?
How complete is it? An inept analysis of the consequences will mean
poor preparation and mitigation of the consequences.

* Risk control - how realistic are the controls and mitigations we
have identified? How good is our decision-making on which controls to
implement? What is the impact of our controls?

* Risk prioritisation - are we using the right prioritisation approach?
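The framework sketched above (identify, estimate likelihood, determine consequence, identify controls, estimate residual risk, assign an owner, rank) is easy to describe and easy to get wrong in the details. The following is an added example, not code from the original post: a minimal risk register that applies those steps to a constructed sample register. The five-point scales, the idea of a control as "levels removed" from likelihood or consequence, the sample entries and the reviewer checks are all assumptions made for the example; the post prescribes none of them. It also shows the point behind the prioritisation question: ranking on inherent score and ranking on residual score give different orders.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Five-point qualitative scales. The post names no particular scale; these
# labels and the 1..5 mapping are an assumption made for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A mitigation, expressed as how many scale levels it removes."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str
    consequence: str
    owner: Optional[str] = None          # who is responsible
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x consequence before any control is applied."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual_score(self) -> int:
        """Score after controls; neither factor can drop below 1."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        con = CONSEQUENCE[self.consequence] - sum(c.consequence_reduction for c in self.controls)
        return max(1, lik) * max(1, con)


def validate(register: List[Risk]) -> List[str]:
    """Problems a reviewer would raise before the register is ranked.
    Run this first: scoring an entry with an unknown scale word raises KeyError."""
    problems, seen = [], set()
    for r in register:
        if r.risk_id in seen:
            problems.append(f"{r.risk_id}: duplicate id")
        seen.add(r.risk_id)
        if r.likelihood not in LIKELIHOOD:
            problems.append(f"{r.risk_id}: unknown likelihood '{r.likelihood}'")
        if r.consequence not in CONSEQUENCE:
            problems.append(f"{r.risk_id}: unknown consequence '{r.consequence}'")
        if not r.owner:
            problems.append(f"{r.risk_id}: no one is responsible")
        for c in r.controls:
            if c.likelihood_reduction == 0 and c.consequence_reduction == 0:
                problems.append(f"{r.risk_id}: control '{c.name}' changes nothing")
            if c.likelihood_reduction < 0 or c.consequence_reduction < 0:
                problems.append(f"{r.risk_id}: control '{c.name}' has a negative reduction")
    return problems


def prioritise(register: List[Risk], basis: str = "residual") -> List[str]:
    """Risk ids ranked highest score first; ties broken by inherent score, then id."""
    if basis == "residual":
        key = lambda r: (-r.residual_score(), -r.inherent_score(), r.risk_id)
    elif basis == "inherent":
        key = lambda r: (-r.inherent_score(), r.risk_id)
    else:
        raise ValueError(f"unknown basis {basis!r}")
    return [r.risk_id for r in sorted(register, key=key)]


def sample_register() -> List[Risk]:
    """Constructed sample entries (hypothetical, not from the post)."""
    return [
        Risk("R1", "Key supplier fails to deliver on schedule", "likely", "major",
             owner="project manager",
             controls=[Control("second-sourced supplier", likelihood_reduction=2),
                       Control("schedule buffer", consequence_reduction=1)]),
        Risk("R2", "Backup tapes unreadable at restore time", "possible", "severe"),
        Risk("R3", "Office printer runs out of toner", "almost certain", "negligible",
             owner="office admin",
             controls=[Control("spare cartridge on site", likelihood_reduction=1)]),
        Risk("R4", "Laptop with unencrypted project data lost", "possible", "major",
             owner="IT lead",
             controls=[Control("full-disk encryption", consequence_reduction=3)]),
    ]


if __name__ == "__main__":
    register = sample_register()
    for problem in validate(register):
        print("CHECK:", problem)
    for r in register:
        print(f"{r.risk_id}  inherent={r.inherent_score():2d}  residual={r.residual_score():2d}  {r.description}")
    print("ranked on residual:", prioritise(register))
    print("ranked on inherent:", prioritise(register, "inherent"))
```

In the sample, R4 ranks third on inherent score but last on residual score, and R3 moves the other way; which of the two orders drives the action plan is exactly the prioritisation choice the list above asks about. The validation pass catches the entry with no owner before anyone ranks it.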

Checklists

Checklists and questionnaires belong in the toolbox of risk professionals. A checklist works best when used by the risk professional while interviewing an information source, whom we’ll call an interviewee. 

The checklist becomes far less effective when simply handed over to the interviewee, because letting the interviewee work by himself introduces new, undesirable dynamics:

  • First, the interviewee loses the chance to ask questions about the questions being asked.  He may misunderstand what is being asked without being aware of it.  In such a case, telling the interviewee that they should ‘feel free’ to ask if they have questions will not help much, because the interviewee is not even aware that they misunderstand.
  • Second, the interviewee may not have as much interest as the interviewer in the process of gathering data.  In cases like this, you can expect that only the minimum amount of information will be written down in the checklist.
  • Third, the interviewee may not see the whole point of the interview, and why they must fill in the checklist. As in the second dynamic above, this results in lacking information.
  • Fourth, a large number of checklists and forms are very badly designed, which can easily lead an interviewee to confusion. Many forms ask for too many things. The interviewee may have the energy to fill in the first few entries, but a noticeable drop in energy, caused by a drop in interest, can often be seen after that.

A well-designed form goes a long way toward eliciting good information.  At the very least, the following should be addressed when designing questionnaires and checklists:

  • Who is going to use the contents of the checklist?
  • To what purpose are they going to use the contents?
  • Who is going to provide information to the checklists? (That is, who are the interviewees)
  • What kind of questions and prompts should the checklist contain in order to elicit the information required?
  • What kind of information does the current version of the checklist contain that is not needed?
  • In what ways can the questions and prompts be misunderstood?

It is vital that a checklist be tested on several interviewees before its use is finalised.

Risk Management Software Packages

In a LinkedIn discussion someone asked for recommendations on a web-based risk management software package that’s suitable for a SME (small to medium enterprise).  The key need was for managing a risk register and for tracking risks.  Some of the recommendations were:

This is quite a handful of choices. I’m hoping to be able to spend some time looking into each one.

What is the difference between an impact and a risk?

Sit in on any Risk Management 101 class or introductory risk management workshop and you will most certainly be introduced to the risk register. And in that risk register, you will be introduced to two columns: the Risk, and the Impact.

You will be told that the Risk is an event that may or may not happen.  You will also be told that Impact is what will happen if the Risk occurs (or ‘eventuates’). Sounds clear, simple, direct. 

Now let’s apply what we’ve learned.  You are concerned (rightly) about crashing your car. Is that a risk? Or is it an impact?  (Avoiding the pun on crash and impact). It is not certain that your car will crash, so that is a risk.  What will be the impact?  Easy: you may experience fatality.  Or you may experience serious injury, or you may experience light injury. 

But why isn’t crashing the car an Impact? 

What caused the car crash? Did your brakes malfunction?  Was that a risk?  Was there a risk that your brakes would malfunction?  Were you hit by a drunken driver? Was that a risk you faced when you were driving? Absolutely.

So let’s say: Risk = possibility of being hit by a drunken driver.  What is the impact?  Crashing your car.  What was the risk earlier is now the impact.

The distinction between risk and impact is not so clear.  What is a risk from one perspective is an impact from another.  But which perspective is the right one to take? And which perspective should you be taking when you fill in the risk register?  Do you put “Car crash” under Risk or under Impact?

Winning and Risk Management

There’s a highly regarded self-coaching book called “Sail, Race, and Win”, by Eric Twiname and Cathy Foster. In the book is a neat description of how to win in a race.  They ask the reader to imagine a descending escalator, with lots of people, representing the competitors, walking up the escalator.  Each person's goal is to stay as close as they can to the spot where they started. They can walk up at the same pace that the escalator is going down, but they can't walk up faster than that.


Since no one’s allowed to go faster than the pace of the escalator, the would-be winner will have to focus on not making mistakes rather than walking faster than the pace of the escalator.  Any mistake, no matter how momentary, will set you back a little, possibly allowing someone behind to move out in front of you.  The more mistakes and lapses you make, the more you are pushed back relative to your starting position, and relative to the other competitors.

Now since you can't go faster than the pace of the escalator, you can't make up the distance you lost by putting in extra effort. The best you can do is to make no more mistakes.  The only way you can get ahead of those in front of you is if they make mistakes.


I haven’t seen winning explained in this manner before, and despite its oddness, it has a certain valid point.  Twiname and Foster come from the world of sailing.  Perhaps the idea of not being able to outpace the escalator comes from their world, where your progress depends on the winds and the tides -- you can't go faster than what the elements or the environment allows.

The image seems rather useful when thinking about how risk impacts business.  A company cannot make more money than what its environment allows.  For example, if you are a consumer goods company, how much you can sell is moderated by the size of your market, the demand for your product, and the competitive dynamics of the industry you are in. In a market with 10,000 customers and 5 competitors, you just cannot make sales equivalent to a market of 20,000 customers.

And while you can't get ahead, you can definitely be set back.  The key to winning then becomes minimising the setbacks. From an operational basis, you are constantly being set back if your production costs are more than the competition’s. From a discrete and pulsating basis, you are set back each time a risk eventuates which impacts you negatively.  The longer and more expensive it takes you to recover, the more you are set back.  The key to winning in this case is to ensure that you minimise your risk eventuations and minimise their impacts.

You can look at risks as these setbacks.  It is in your interest to avoid them as much as possible, and to be able to recover as quickly as possible.  Even then, you can only recover to a point somewhat behind where you started. Hence, reducing the occurrence of risks becomes a key factor in winning.

Risk - What Can Go Wrong

There are so many definitions of risk. The newer versions include 'positive risk' and variations thereof. These definitions try to be very inclusive, to make sure they cover all possible perspectives and manifestations of risk. It can be a bit confusing. Some days I am tempted to find a simple, clear, usable definition of risk.

I am not yet convinced that 'positive risk' should have the word 'risk' appended to it. On those days when I look at risk management as 'the management of uncertainty' I have no problem accepting that positive risks belong to this domain.

But for now, I will use as the most basic definition of risk:

Risk = what can go wrong.

Risk management = managing what can go wrong

The ‘wrong’ already implicitly includes a reference to our objectives.  If something can go wrong from our point of view, it means something going wrong in relation to our interests.  Something that doesn’t affect us is not something going wrong. So I don’t have to extend it to ‘something that can go wrong with regard to our objectives’  (in any case, I prefer to use ‘interests’ rather than objectives).

The ‘managing’ in ‘managing what can go wrong’ encompasses identification, assessment, and mitigation.

Let’s see how far these definitions will let me go.

Review of "The Failure of Risk Management: Why It's Broken and How to Fix It" Part 2

In Chapter two of his book, Douglas Hubbard discusses where the risk
management industry has been and where it currently thinks it is.

The chapter starts out with a very brief history of risk management
('800 words' according to the author), tracing the route from the
discovery of mathematical probabilities, to its initial commercial
application in insurance, and finally down to the modern-day emerging
'new character' of risk management, incarnated in regulations like
Basel II and in applications like Enterprise Risk Management. His
history is not very complimentary, comparing today's state of risk
management to the Old West gold rush towns, where things
look brightly painted and pretty, but are built on shaky foundations and
filled with snake oil peddlers.

His history aligns quite well with Peter Bernstein's own summary,
although at a very very high level and, I suspect, very much framed to
support his thesis (which I suppose is what the rest of the book is
about).

Hubbard then makes a brief discussion of the common risk assessment
approaches (expert intuition, weighted scoring, probabilistic models,
etc) and suggests that some of these are not up to par for the role
risk management is playing (corporate growth survival, after all) and
will probably need to be dispensed with.

The next section covers risk mitigation approaches. He has a brief
treatment of the common approaches (what risk management book
doesn't?): avoid, reduce, transfer, retain. The most interesting part
of this section is his list of examples of concrete manifestations of
risk mitigation approaches (in contrast to the abstract approaches of
avoid, reduce, etc.). His list includes selection processes, contractual
risk transfer, insurance, liquid asset position, and so on.

In the final section, Hubbard discusses 3 major surveys of enterprise
risk management, conducted by Aon, The Economist, and Protiviti. The
surveys show what the executives in these companies thought about what
their top risks are (reputation, market, human capital, and regulatory
environment figure very high). The surveys indicate that risk
management is present in those companies primarily because they are
being required to have it (a necessary evil). It also shows that risk
management is well represented and increasingly so at the board level.
The executives seem pretty confident that they are doing risk
management well.

Hubbard suggests that that is not the case at all.