“The risk people are the business prevention people,” said David Hillson, at the beginning of his presentation at the Gower Experts’ Forum at the National Centre for Project Management.
He pointed out that the results from the 2009 CHAOS report aren’t that much better than those when CHAOS started out: last year the survey reported 24% of projects falling into the ‘Failed’ category, 44% as being ‘Challenged’ and only 32% being successful. “Project Risk Management is supposed to help,” said Hillson. “Risk management gives us a clear focus on objectives.”
Hillson believes that risk management is the key driver for project success. Of course he would, he’s the self-styled Risk Doctor. But what he says does make a lot of sense. Risk management:
- makes us proactive, not reactive
- creates the space to manage effectively
- and ensures consensus and focus.
When it comes to getting better at risk management, Hillson presented 3 areas to improve: Principles, Processes and People.
Hillson defines risk as “uncertainty that matters,” i.e. uncertainty that could have a risk on our project objectives. “We don’t have every uncertainty in the world on our risk registers,” he said. We filter out what matters by whether it will affect our objectives. Different risks matter at different levels: what is important to project objectives may not be important to strategic objectives. Equally, we need to remember that risk is not always bad. “Opportunity and threat are the two flavours of risk, but they are both risks,” Hillson explained.
The final principle Hillson touched on was the concept that overall project risk is different from risk events. When a sponsor asks, “How risky is this project,” the answer is not, “Here is my risk register.” Instead, there is a different judgement applied to the concept of risk as distinct from risks. Risk is not equal to the sum of all the risks.
Two things are missing from our standard risk processes.
- When do we implement the risk response?
Hillson pointed out that most standard risk processes stop with working out what the mitigating actions should be. There is nowhere to actually do the doing of risk response. He explained that people tend to think that this will be naturally incorporated into the project tasks but in reality it could be better managed.
- When do we learn?
The risk management process is a circle – identify-assess-plan-review – so where does it stop? There is no final step at project completion to incorporate the learnings into the post-implementation review or lessons learned exercise.
People do projects, and our risk attitudes frame how we respond to risk. “If we understand and manage the way people position themselves with regard to risk, it will make our risk effectiveness better,” Hillson said. He talked about a spectrum of risk attitude, and where you fall on it depends on the event. For example, you may have a very cavalier approach to risk if you are gambling with matchsticks, but become much more cautious when abseiling for the first time. Where you should be on the spectrum depends on what you are trying to achieve.
“We focus on the tools and forget about the people,” Hillson concluded.