Heaps of Risks (Why Managing Too Many Risks is Too Risky)

May 20, 2008 from Raven's Brain: Project Management



A post by Rolf Götz, guest voice inside Raven’s Brain.

Risk management is a source of unusual human behaviour: euphoria or excessive gambling when risk is underestimated, and panic attacks or depression when we predict that things are riskier than they really are. Both are risks by themselves.

In this post I'll address a risk that is also closely related to human behaviour: overly extensive risk registers, i.e. lists of several dozen risks for a given project.

This is a fluffy topic, more fluffy than the concrete principles, rules and processes I usually write about over at Clear Conceptual Thinking. However, it is an interesting one I wanted to write about for quite some time. Thank you to Raven for letting me share it.

Some Context

An issue is a problem that must be dealt with NOW.

A risk is a potential issue that can be avoided with the right mitigation.

A risk register is a table documenting risks, often including an assessment of probability and damage potential for each risk.

I have seen risk registers with close to a hundred risks that were all actually being managed on a bi-weekly basis. Oh dear, that's what I call risk-driven project management. While these presumably are extremes, risk registers tend to grow instead of shrink. Among the root causes are very human ones:

  • Fear ('I need to cover my ass here!')
  • Uncertainty ('Huh, honestly I don't know what to do best. This is an unsettling feeling.')
  • Lack of experience ('I have never been in this kind of situation before...')

In essence, these causes threaten the success of the entire project.

A word of WARNING: Please don't just add the risks presented here to your risk register.

Fear

Long (or ever growing) risk registers can be a sign of the behavior of some individuals aiming at creating an excuse in case of project failure. "Look, our project had so many risks, it was kind of impossible to achieve the project's goal!" This is an excellent argument to ensure that risk-countering measures are not effective. Every risk cancelled out is a risk to this strategy. (It also is an excellent argument for investing a lot of effort in risk management, for self-preservation reasons, as we will see below.)

Uncertainty and unsettling feelings

Besides this observation of mine, recent neurological studies by Professor Peter Bossaerts (http://www.sciencedaily.com/releases/2008/03/080312093854.htm) suggest that risk is assessed in the area of the brain (anterior insula) which otherwise integrates and processes emotions. Therefore 'rational' risk prediction seems to always involve emotions – they seem to help (or hinder?) the process somehow.

Risks stay in the register because we do not think of the actual time-gestalt of risks. Therefore, we really don't know whether our mitigation strategies take the desired effect. I bet 8 out of 10 risk registers do not make visible how the assessment of the various risks has evolved over time and what the countermeasures have to do with it:

  • Concerning the time-gestalt of risk assessment, my hypothesis is that even if there's no new information, people cannot keep their assessment of a non-trivial set of interrelated risks consistent. This needs proof, of course, and I haven't done that yet. (Information, anyone?)
  • The real effect of countermeasures is quite difficult to find out. On the one hand, in the majority of cases there is a considerable time lag between 'action taken' and 'effect noticeable'; on the other hand, there are complex cause-effect relationships in any non-trivial project, so you can never be sure whether this is the only measure which has affected this other risk (Doerner 2007).

We, that is today's business people, tend to conserve a positive self-image as a person who is competent and capable of acting. So everything that could harm this image falls prey to a self-preserving process that excludes several strategies from our thinking, like: building sophisticated hypotheses (that would be easier to falsify), gathering more contrary, telling information (that could lead to uncertainty by itself), or elaborating on the effect of risk-mitigation (that could take time and therefore would hinder action).

On the other hand, we can work on our risk registers at length to 'show' our competence in planning and risk management. One advantage of elaborate work on gathering information, discussing risks and detailing mitigation strategies (e. g. planning) is that we can postpone when we have to come in contact with reality.

Lack of Experience

There's a significant correlation between 'years of experience in decision making' and 'outcome of decisions' (Doerner 1997, Putz-Osterloh 1987). What percentage of risk managers in your organization would you say is experienced? Inexperienced people tend to revert to methods, 'best practices' and the like. To them it seems like a good idea to shop at directories of pre-defined risks, like common project risk checklists and the like. A rather unconfident risk manager thankfully accepts the suggestions of these lists. "One way or the other, this specific risk could affect us, too!" There goes another risk on the register.

Curiously, risk registers seldom play a role in post-mortems, lessons-learned or whatever your organization calls the reflection on a project after it has been labelled a success ;-). All of a sudden, the risk register, still containing a great many risks with a certain probability and potential damage, falls prey to some collective amnesia. Wouldn't it be nice to challenge the remaining (all?) risks after the fact? Are they really that probable and potentially damaging? Is this why we learn so much more from failure than from success?

Speaking of lack of experience, self-reflection has a statistically proven record as being quite effective towards learning.

In conclusion, my advice is two-fold:

1) Focus on planning value in, not on planning risk out.

2) While it is wise to do risk management, keep your risk register brief, perhaps a dozen or fewer items, and focus on really clearing out risks and removing them from the register, but not from the history. New ones will pop up on their own.

My friend Sven Biedermann says risk is inseparable from project organizations. An endeavour without risk would be conducted by a line organization, i.e. existing staff.

If you are a project manager, risk manager or a method-savvy person in general, read more about project risks, objectives and ways of incorporating real-life models into daily work at my blog at http://www.clearconceptualthinking.net/. I’d be happy to discuss this post’s topic there, too.

Resources

  • I highly recommend reading: Doerner, D, The Logic of Failure, Basic Books 1997
  • Putz-Osterloh, W. and Lemme, M., Knowledge and its Intelligent Application to Problem Solving. German Journal of Psychology, 11/1987, p. 286-303
  • http://en.wikipedia.org/wiki/Risk_management

This was a guest post by Rolf Götz. Learn more about him at Clear Conceptual Thinking.



This article is syndicated from Raven's Brain: Project Management.
