Making sense of risk

Barry Trebes and Michael Ocock, authors of Making Sense of Challenging Projects, give practical advice on managing risk the smart way.

Underperforming projects are not a modern phenomenon. Past assessments of a wide variety of poorly performing projects have reached markedly similar conclusions, and in doing so have highlighted ineffective communications, weak management, inadequate planning, poorly defined roles and responsibilities, absence of adequate risk assessments, uncertain or contested objectives, ineffective control systems and lack of common purpose.

Securing successful project outcomes

As each assessment is published, calls are heard for even tighter controls to be imposed by management teams and for better performance all round. Yet, despite this evidence, and even after the called‑for improvements have been introduced, too many projects fail to deliver what is expected of them. If we know why major projects can fail, why is it that we let it happen time and time again?

Fortunately, there is evidence that better project outcomes are more likely when:

• management structures, policies and processes combine to encourage imaginative management, good team working, shared decision‑making and the active participation of all those with a primary stake in the project;
• a responsive management team processes information from many sources, including a wide stakeholder base, to achieve good situational awareness and to be continually alive to the possibility of a range of potential problems and ways of solving them;
• effective communication channels are established from the very start, so that information flows easily and quickly to and from management at all levels and throughout the project;
• management openly encourages questioning and constructive challenges to its plans and decisions;
• project strategies recognise the benefits of dividing the project into phases so that it can be taken forward incrementally and be easily adapted or modified to suit changing circumstances and/or the experience gained from earlier phases;
• a risk management culture is built on mindfulness, ie an approach to handling risk that avoids ‘tunnel vision’ and which, when unexpected problems appear, encourages action by assuming the worst until it’s proved otherwise; and
• a strategic oversight of the project and its current situation in the wider world is constantly maintained by the sponsor so that comparisons can be regularly made with the assumptions and data that underpin the project’s business case.
  
  

What destabilises a project?

There is also evidence that the critical factors contributing to the destabilisation of a project are likely to include one or more of the following:

• failure to set clear priorities;
• failure to properly communicate intent and plans;
• failure to recognise the importance to management of the vested interests, perceptions and views of the project’s primary stakeholders;
• excessively centralised decision‑making;
• failure to delegate and devolve management responsibilities;
• failure to consult and deal constructively with dissenting views;
• failures of foresight and underestimating the significance of unexpected events;
• inadequate monitoring of project performance and failure to take into account the project’s evolving situation in the wider world;
• preoccupation with minor problems;
• failure to fully understand the concept of risk; and
• poor leadership.
  
  

Barriers to learning lessons

Organisations responsible for failing projects usually vow to learn lessons from their past efforts, but this can be a lengthy process with no certainty of success, not least because legal and other restrictions on the exchange of information can prevent the sharing of knowledge and sensitive information. Reporting can be biased and feedback ambiguous, thereby generating conflicting interpretations of the facts. Those involved might also unwittingly reconstruct history in the course of ‘telling it like it was’.

There is also a concern that analysis could take place in a politicised environment in which attempts to allocate blame and claim credit become more important than understanding what happened; and that ultimately, the underlying causes of failure and success may be impossible for anyone to determine with certainty.

What matters most when making a project into a highly reliable organisation is for both its sponsor and the project’s management to commit to the avoidance of complacency and the encouragement of higher standards of performance. This is more likely to be achieved through devolved decision‑making, empowerment and the creation of an organisational culture that supports no‑fault reporting and open speaking, especially about serious difficulties.

Projects should be set up and managed in ways that create highly reliable organisations where performance is guaranteed, safety is paramount and organisational learning is continually used to create and sustain a competent and reliable organisation.

Making decisions about risk

The management of risk is central to the way a project is steered through to its conclusion. Decisions about the way risks are to be assessed and managed throughout the entire project, and possibly beyond, must therefore involve the project sponsor as the primary risk taker. Risk can be viewed as uncertainty that matters at the time when a decision is taken or a plan is constructed.

Project risk is not simply the sum of items in a risk register, it can just as easily arise from poorly functioning teams, corporate decision‑making beyond the reach of the project or lack of preparedness for the unexpected. Some believe the task of identifying organisational frailty and the risk it poses is an impossible one – the Achilles heel of risk assessment. Others maintain that what is not easily recognisable as a specific risk cannot be managed.

Unfortunately, these beliefs can give rise to endless technical and numerical risk assessments, diverting attention from the need to uncover those primary organisational weaknesses and other underlying fault lines that are more likely to present the highest risk to any project.

Deep‑seated causes of risk

Risk assessments are only aids to decision‑making and planning and are not themselves decision‑making processes. Many deep‑seated causes of risk to projects and systems in general can be linked to human and organisational factors. The quality of a project risk assessment therefore depends largely on the ease with which it is possible to determine how people and organisations shape and interact with the project and the impact they may have on it. Risk assessment processes can only be truly effective if they take into account these influences and the significant impact they can have on risk profiles.

Sponsors, planners and other decision‑makers should recognise that risk assessments inevitably contain assumptions that should be checked, uncertainties that must be accepted and limitations that cannot be ignored. Over‑reliance on quantitative risk assessment (QRA) is a particularly risky strategy. Questions, such as those below, should be asked about any QRA intended to support plans and decisions on which much is to depend:

• Are the assumptions used fully explained, used consistently and tested for reasonableness?
• Is the analysis supporting the assessment checked for its accuracy, eg of the calculations used?
• Is the model used for calculation well defined, and has it been validated by testing against experimental results and observational data?
• Are uncertainties clearly indicated, including those in the data, models and calculations?
• Are the results explained and discussed so that they clearly indicate what conclusions they can and cannot support?
  
  

Five questions to ask on project risk management

1. Is the project sponsor’s corporate culture seen by the project’s management to be supportive of risk management being central to the management of the project? If not, what effect could that have on the project team’s attitude to risk and how might the project be affected?
2. How formalised will the risk management process be? Will it amount to no more than unstructured guessing? Will the process, formal or otherwise, be intended to have a material effect on the desired outcome of the project? If not, why not? What resources will be devoted to risk management?
3. How will the principal assumptions on which the business case and plans for the project are based be kept under review?
4. What options for handling risk are available, eg mitigating actions by the project team to directly ‘control’ selected risks, or transferring of risk through contractual arrangements to other parties reported as better able to handle them, or complete avoidance through adjustments to the project’s scope and objectives?
5. What means will be used to characterise the risks – ie to determine the nature of the risk (a risk to what) and to whom the risk matters – and then, where necessary, to quantify them and assess the probability of their occurrence, and to identify the root causes?
   
   

Assigning blame

“Large organisations influence their employees’ views and actions. How then should blame be assigned when things go dramatically wrong? How much responsibility should be apportioned to those who manage an organization and how much to those who carry out its productive tasks? How should blame be apportioned when technical errors are a byproduct of prior organisational choices?”

Eda Kranakis, Fixing the Blame: Organizational culture and the Quebec Bridge collapse, Technology and Culture 45 (2004): 487–518.

 

This article is an edited extract from Making Sense of Challenging Projects: Things to know, questions to ask.

Barry Trebes and Michael Ocock

THIS ARTICLE IS BROUGHT TO YOU FROM THE AUTUMN 2021 ISSUE OF PROJECT JOURNAL, WHICH IS FREE FOR APM MEMBERS.