Tag Archives: risk management

The Risks of Risk Management

What could be a more effective risk management practice than wearing a seat belt when driving? Surely that sort of improvement benefits everyone? Actually, economists have shown that it’s not that simple and there are lessons for project managers from this lesson too.

If you engage in risk management, as all project managers do, then be aware of the work of the Chicago economist Sam Peltzman.

What Peltzman identified is that behavior can change substantially in response to risk management policies. For example in the case of seat belts, people tend to drive faster and have more collisions when they use seat belts because of the sense of security it gives them. This is not to say that seat belts are ineffective, it seems that traffic safety overall (especially in terms of road deaths) has improved as a result of them, but not as much as you would have expected, because of this behavioral offset.

And more omniously, though drivers are safer from seat belts, cyclists and pedestrians are more at risk with seat belts because drivers tend to drive faster and those outside the car don’t have any offsetting protection.

Similar studies have shown the same phenomena in NASCAR racing, when safety improves drivers then notch up the risks they are willing to take, offsetting some of the benefit.

photo credit: Roger Barker

So the question for the project manager is are your risk management policies changing behavior? This is not to say you shouldn’t bother with risk management, just as with seat belts the overall benefit is likely to be positive, but pay attention to how behavior is changing as a result of the changes you implement. Are people less cautious knowing there is a more robust monitoring process in place for their projects? Are team members less focused on escalating problems knowing that someone else is watching out for them?

The lessons from other areas such these unintended consequences may be more important than you may initially suspect.

The Myth Of Impossibility

Innovations throughout history are sometimes viewed as literally impossible by the people who didn’t create them and have most to lose from their success:

In 1830 when the French King sent an engineering expert to observe the fast British steam train the Rocket, he declared it impossible, not understanding the developments in boiler design. (source Tony Judt’s book Memory Chalet)

According to Electronista the makers of the Blackberry thought “The iPhone “couldn’t do what [Apple was] demonstrating without an insanely power hungry processor, it must have terrible battery life,” “Imagine their surprise [at RIM] when they disassembled an iPhone for the first time and found that the phone was battery with a tiny logic board strapped to it.”

Just as we have trouble assessing risk, we also have problems assessing what is within the realm of possibility, especially when it conflicts with our own interests.

Managing Risk – Part 3

photo: Paul Belson (via Flickr)

One of the reasons risk management goes wrong is a psychological phenomenon called anchoring. Anchoring means that once an idea is out there (such as estimate of when a project will end) it has a lot of power and influence, even if it’s not intended to.  Lots of academic research documents this across various settings and context and it’s pretty robust. Once an ‘anchor’ is set, even unintentionally, it is notoriously hard to move it.

What does this mean for risk management? Well it means that once a project plan is out there, the initial estimate will be changed more slowly that it should because of these psychological factors. If the project is was initially meant to cost $3M and then a revised estimate comes in at $4M, the estimate is more likely to move to $3.5M than all the way to $4M, because of the impact of the initial estimate, even though it’s now out of date.

Good risk management should ensure that only the latest information is factored into any estimate, effectively starting from a ‘blank slate’ each time. However, even though this sounds obvious, the impact of anchoring does mean that it’s hard to do in practice.

Managing Risk – Part 2

Risk involves some form of estimation, as Flyvberg has shown, the best estimates are based on past, factual reference data, but for most projects that’s hard to obtain and so project managers are left to rely on their estimation skills. There’s an exercise on estimation here that I think everyone should do at least once. Most people are over confident in many areas.

Do you think you are a better driver than average? 93% of people put themselves in that category (of course it should be 50%). The same is true of estimation, and it’s an area that’s key to risk management, the temptation is to be excessively precise in one’s estimates, and this level of false precision understates true risk.

source: Joe Futrelle

Managing Risk – Part 1

This is the start of a 5 part series on managing risk. Risk management is second only to communications as a core skill for project managers and this week’s 5 part series offers a quick refresher on some of the important concepts.

What is Risk?

The pyramid below lists stages of understanding ranging from low (to bottom of the pyramid) to high (the top).

The first stage is pure uncertainty. I’ll use a coin flip to illustrate these different stages, you’re going to flip a coin but you’ve absolutely no idea of what the outcomes could possibly be. You’ve no ideas that heads is more likely than the coin disappearing in a puff of smoke.

The second step is to understand at least some (but not all) of the potential outcomes, for example if I flip a coin, it could be heads.

The third step is the complete set of outcomes. If I flip a coin it could be heads or tails and no other outcomes are possible.

The forth step is to know the probabilities associated with an outcome for example 50% heads and 50% tails.

The final step is to know the outcome. This doesn’t work so well with coin example because a coin flip is designed to maintain a balance of uncertainty between two outcomes, but if you were a physics genius and knew exactly how the coin would be flipped, how clean the coin was on each side, and the impact of wind direction, then you would know in advanced how the coin would land.

But, hang on, you ask, in this final example risk management isn’t needed?

Exactly, that’s the point. Risk management is a way of dealing with our imperfect understanding of the world and can be done away we get to a total understanding of the situation so as to predict the outcome. Just as a perfect driver wouldn’t need a seat belt. In most cases, though, we’re not this good and risk management is still needed.

What We Can Learn From Near Misses

Interesting article from the Wall Street Journal here referencing the work of Scott Shappell and Douglas Wiegmann. The argument is that major disasters are rare, but by measuring near misses we can form a better estimate of how likely these disasters are to occur. Plane crashes are a good example. They are rare, but near misses are a lot more common. Of course, this concept is equally applicable to project management, there’s a lot of sophistication around measuring the actual outcomes. It’s easy since the data is relatively black and white, but measuring what almost succeeded or failed, adds useful data to make better predictions.

You can see one of Shappell and Weigmann’s papers here. One of their key findings on airline safety is that now just about all sources of errors have been corrected, except for human error, where engineering a solution is more problematic. They also point out that given the relentless focus on safety, flying is one of the safest ways to travel.

2010 US Census and Project Management

We know that many projects fail, perhaps the more interesting follow-up question is why this happens. Following on from investigations of project failure at the Sydney Opera House and the H1N1 Vaccination Program this post examines the 2010 US Census which has experienced several project management problems in recent years. The US Census occurs every ten years to count the number of people in America so as to inform policy discussions, allocate budget and apportion seats to the House of Representatives.

Whilst it’s true that the US Census will happen (a delay to the program would be illegal) elements of the project are a failure. One of the goals of this census was to use automation to “improve coverage accuracy and efficiency”, in part by providing 500,000 handheld computing device to eliminate the need for those walking the streets collecting census data to print out questionnaires and maps. This process was “relying as never before on contractor provided technology”. $3 billion of the $11.5 billion census budget was to be spent on automation including the devices, which cost approximately $600 million. However in early testing in certain locations these devices experienced 27% downtime as well as other issues.

Reports from the US Government Accountability Office showed “an increased probability that the system would not be delivered on time and within budget or perform as expected.”

This situation occurred for the following reasons:

Lack of clear requirements

“The contractor is overwhelmed by a substantial increase in requirements having thousands of unreconciled (that is, not validated) requirements.”

Poor risk management

Some risks have been identified some risks, but there is no formal process or resource allocation to mitigate them should they occur. “Because they did not develop complete mitigation plans, the project team could not ensure that for a given risk, techniques and methods would be invoked to avoid, reduce and control the probability of the occurrence.”

Partial cost management plan

The program had initiated Earned Value, but not selected detailed performance measures to implement full cost management.

Executive reporting and communication gaps

The review calls for reporting on a “periodic and event driven basis”, but there was no evidence to document that risks were discussed with executives.

Of these issues the primary one appears to have been requirements management, because of the reliance on a vendor to provide the technology, this was a critical part of the process. It is not enough to give the vendor requirements, this was happening. Indeed the vendor received thousands of requirements, the need is for consolidation and validation of requirements.

It is likely that imprecise requirements is what caused cost overruns. Precise requirements could also have supported risk management because the timing of requirements and the mitigation strategies if they were not met could have been part of the process.

Whilst project management is a complex and interconnected discipline, it appears that similar to the example of the Sydney Opera House, imprecise requirements and scope management were a significant part of the problem.

Book Review – Too Big To Fail

Andrew Ross Sorkin’s recent book, Too Big To Fail gives a dramatic account of the intense moments of the peak of the financial crisis around September 2008, and the unprecedented government actions taken in response. It is an engaging, fast paced first draft of history, as the author states “this book isn’t so much about the theoretical as it is about real people, the reality behind the scenes”. It is a very entertaining book for anyone with an interest in finance or politics, though those seeking deep theoretical discussions of topics like moral hazard will be disappointed.

It is striking how risk management was apparently neglected by Lehman which entered bankruptcy, whereas JP Morgan, who emerged from the crisis in a far stronger position, took risk management more seriously.

For Lehman, the approach to risk appears cavalier at best:

  • “While the firm [Lehman] did employ a well-regarded chief risk officer…her input was virtually nil…she was often asked to leave the room when issues concerning risk came up at executive committee meetings.”
  • “Though he was not by nature…a risk manager, Gregory played a pivotal role … in {Lehman’s] increasingly aggressive bets.”
  • “Walsh seemed immune to risk…They gave Walsh free rein and he used it to ram through deals [for Lehman].”

Conversely, for JP Morgan, risk management had far more credibility

  • “Barry Zubrow [chief risk officer], a relative newcomer to JP Morgan was quickly becoming one of its key executives.”
  • And a meeting  “Wieseneck [Lehman’s head of capital markets] was particularly worried about the imbalance of people from JP Morgan’s risk department, compared to the deal-making bankers he had expected.”

Though anecdotal, the correlation between effective risk management and successfully navigating the financial crisis seems clear. As always, the value of risk management only becomes clear after the event, but this is another reminder of the importance of the discipline.

Peter Drucker and Risk

“People who don’t take risks generally make about two big mistakes a year. People who do take risks generally make about two big mistakes a year.” Peter Drucker

Are you taking enough risk?

Also, on a related note, have you read enough Peter Drucker? The book The Effective Executive is a good introduction.

Article on Risk Management

I recently contributed to an Arras People newsletter on risk management, focusing on the human side of risk management you can see the article here.