Covid-19 and the financial crash of 2008/2009 has shown us that we can be blinded to risk. In fact, relying solely on our experience, desire for gain and tunnel vision for success, can make us less aware of potential threats that later engulf us. Neither the pandemic or the crash was foreseen by ‘experts’. In hindsight, we know that these were both bound to occur in some way.
We need to apply these big lessons to our management of change projects in organisations. We know that 70% of change projects fail (1), and the poor management of risk is on one of the top reasons according to the Project Management Institute (2).
27% of change projects manages site lack of identification of risks as one of the causes for failure.
In this first part of my blog, I will discuss three things for Project Teams to think about when managing risk: Risk appetite, risk identification and managing of low-level risks.
1. Risk Appetite
Thinking about risk can never be in isolation to the benefits your projects will create. This should frame the appetite for how much risk your projects wish to take. For example, some people do adventure sports (e.g. skiing) not because they are blind to the risk (serious injury or death) but the benefit from them (the thrill or pleasure) outweighs the risk. Conversely, few people would take a risk of driving a car without wearing a seat belt as there is little benefit (perhaps slightly more comfort), when compared to the risk (serious injury or death).
But we can also be blinded to the level of risks that exist. For example, people who are scared of flying (chance of death per flight is 1 in 3,0000,000), won’t take the risk to go to a beautiful destination, even though the risk of a fatal car accident when driving to an airport is much higher (1 in 25,000). The emotional nature of risk means that we can make poor judgement on our risk appetite, the amount of risk we are willing to take and full clarity of the benefits.
Many Projects and Programme Governance do not consider risk appetite in comparison to the benefit. Often changes are based solely on strategic intent, or even a short-term goal (e.g. reduce costs) without considering its relation to risk. Sometimes, a director’s bonus is riding on Project success and they can be blinded to risk.
A good example in the UK, is the IT Change programme for Health records (NPFIT)(3), that was started without a full risk assessment and failed to identify major risks in the complexity of records, legacy systems and buy-in from clinicians.
There are two ways of managing projects with high risks. The first is not to embark on the project – it stops huge resource being tied up with issues that will occur (as the risk materialises) and secondly the same investment can be used to deliver less risky/more beneficial projects. We also know that once a project has started it becomes harder to stop , due to loss of face and the human intolerance of failure.
Some project carry high risks yet deliver high benefits. So the second way of managing risks is to have a well thought out process for risk management for existing risks and those that may emerge. For such projects adequate resources must be available to both mitigate and plan for contingencies. Shaving resources from high-risk projects can be very counterproductive as they can create a cliff edge towards failure, from unknown risk.
Projects can also build in redundancy as part as a way of mitigating high level risks. For the covid-19 pandemic, all the major vaccines commenced manufacturing before they were proved successful in their final trials. The benefit of being able to administer vaccines early was far far higher than the cost of having to throw some away.
For covid-19 pandemic, all the major vaccines commenced manufacturing before they were proved successful in their final trials. The benefit of being able to administer vaccines early was far far higher than the cost of having to throw some away.
2. Risk Identification
There are two fundamental errors in risk management in that risks are not fully identified and that the risk ratings can be based on poor judgement. I will write more about the latter in Part II of the blog.
Risk identification is not something that is the accountability of a Project Management Office(PMO) or solely the Project Manager, but by all stakeholders that are part of the system that the Project effects. The Project Management Institute (PMI) state that undefined opportunity and risks account for 27% of Project failures(1). From my experience, people are often unconsciously aware of risk, as it’s an innate skill in humans. However, if a risk is not brought into awareness(documented) then it can’t be managed properly.
My top 3 tips for identification are:
- During Project initiation or launch ensure the whole range of experts and stakeholders are available to help you identify risks
- Make risk identification/validation an ongoing process. Build this into your regular team meetings of forums
- Encourage a culture of reporting new risks (and sharing existing ones) as a way of bringing better awareness
3. Managing Low Level Risks
During complex projects we can often ignore what we consider to be low level risks i.e. those with low-level probability of occurrence but carry high impact if they did occur.
Let’s re-look at my earlier example of having a fatal car accident on any one trip. The probability (in the UK at least) is relatively low at 1 in 25,000. However most of us wear a seat belt! Why is that? It because we know that our chances of death are greatly reduced – in fact the reduction of death by wearing a seat belt is 50%. We also know that many low probability risks can add up-to a high risk overall when driving so for a car accident: the combination of poor weather, tired driver, fading daylight, lateness for work will increase our risk. So, in this example, a cheap solution (wearing a seat belt) is something we consciously do to reduce risk.
Similarly, in Projects we need to think about managing all high impact risks, even when the probability of occurrence is low. And particularly when the mitigation cost is low or none. Health and safety risk impact has decreased precisely due to many small mitigations is put in place to reduce accidents. An infrastructure project for an organisation I worked with, mitigated the risk of delays in construction by extending the ground survey (at a relatively low cost), which as it transpired saved huge cost in re-planning from the subsequent discovery of ground conditions.
In part two I will discuss asymmetric risk, the risks of depending on single experts, over-reliance on our experience and seeing opportunity as the positive side of risk.
If your organisation wants to implement a sound risk process for complex projects, one that will avoid future costs and delays, please contact me at email@example.com.
1. Michael Beer & Nitin Mohria. “Cracking the Code of Change”. Harvard Business Review, 00178012, May/Jun 2000
2. “Global survey of Project Management Practitioners”. Project Management Institute, 2017. Web
3. Dolfing, H. “Case Study 1: The £10 Billion IT Disaster at the NHS”. Henric Dolphin, Jan 2019. Web
4. Taleb N, et.al. The Six Mistakes Executives Make in Risk Management. Harvard Business Review
A. Based on UK only – 1700 fatalities per year, and 42M car journeys in 2019.