Risk management is fun
Admittedly the title is a considerable stretch, but it doesn’t have to be excruciatingly boring.
Turing award winner and computer scientist Alan Perlis is reported to have said, “Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it”.
Dom Moorhouse and I wondered if there’s space somewhere between fool and genius for people who delight in interpreting complexity, understanding uncertainty and distilling it into concrete and tangible actions in pursuit of a stated objective or outcome?
In our view these capabilities are the essence of effective risk management.
Over a recent virtual coffee, we were lamenting the inadequacies of mainstream corporate risk management solutions, which are essentially glorified spreadsheets with a few more bells and whistles.
The problem isn’t that such risk management systems lack functionality, if anything they have too much; they’re simply too complicated for busy practitioners.
We both agreed the absence of sound risk management practice isn’t due to process and tool availability – more the absence of excitement. If we are honest, reviewing a spreadsheet or a table of risks (even one with bells and whistles) is just painfully dull.
The logical retort might be ‘well, risk management is boring but also very important – just get on with it’ but the brutal reality is that so many don’t get past the ‘boring’ aspect, despite full acceptance of its importance.
So, how do successful project/programme/team/corporate leaders bring risk management to life?
Risk management ingredients
We pondered a view that a distilled form of ruthlessly pragmatic risk management has three essential ingredients.
Firstly, a well-managed risk needs to be unambiguously stated and clearly understood. There are a number of formulas for risk annotation but our preferred scheme is of the form:
- As a result of <certain condition>
- There is a risk that <uncertain event> may happen
- That will lead to <potential impact>
Secondly, each risk must have a single, nominated owner – equipped and empowered to do something about it.
Thirdly, there must be an unrelenting, primary focus on the forward-looking treatment of risks (and not endless pontification over the premitigation score, or the RAG status, of an ambiguously defined, ill-managed risk in some historical version of the corporate RAID Log).
What binds such ingredients together?
The answer: Visual management.
Visual management in risk management
The core purpose of visual management is to improve the effectiveness of team communications. As powerfully reinforced by the schools of kanban and lean manufacturing, visual aids and ‘teamboards’ can convey messages faster – and invite more interest and engagement than the written (or spreadsheet) equivalent.
Visual management in risk management, done well, can communicate a complex set of information in a form that requires little or no training to interpret.
So, to bring risk management to life we don’t need more complicated spreadsheets. We don’t need more bells and whistles. We need a way of visualising risks in a more meaningful and engaging way.
Whether it’s a major transformational programme or a company board meeting, the brutal reality with strategic risk management is that there is a finite amount of cerebral capacity for these critical conversations (and decisions). Especially so with respect to risks that require collective analysis, reflection and treatment – as the strategic ones invariably do.
The challenge, therefore, is to ensure a manageable set of risks via a mechanism that is collectively easy to navigate. The enemy is the long, poorly organised, visually disengaging list or table that even the brightest minds drift away from. At one level, graphical presentation may feel like a simplistic solution to an inherently weighty topic – but, alas, that is the reality of the busy executive condition.
The most effective programmes and company boards we have been part of have recognised this reality and were marked by a common feature: a refreshingly simple graphical representation of key risks.
We believe the optimal visual management of this exercise is a simple, classic risk matrix (X axis denoting probability; Y axis denoting scale of impact). One matrix (grid) for risks and another for key opportunities; importantly, say, no more than 15 risk or opportunity items respectively on each. Each of these items – unambiguously articulated and with clearly assigned, single owners – is then reassessed working logically (and visually) from the high probability, high impact (typically top right) corner.
The exercise doesn’t have to be an exhaustive review of every risk, and in actual fact, depending on the frequency of meetings and pace of change we’d commend shorter, punchier but regular reviews positioned near the top of a meeting agenda to get the most mileage out of finite attention spans. Regular, well facilitated, highly engaging ‘risk and opportunity moments’ could yield more benefit than several hours of low-energy, interminable workshops.
In conclusion, to the fools who ignore risk management and the pragmatists who suffer it on the grounds that it can be painfully dull, we say there is a better way.
Effective risk management has three simple and essential ingredients:
- Unambiguous and clearly understood risk statements
- Single, nominated risk owners
- An unrelenting, primary focus on forward-looking treatment
Bind them together with a generous helping of visual management and delight in your ability to interpret complexity, understand uncertainty and distil it into concrete and tangible actions in pursuit of your stated objective or outcome. At a (considerable) stretch you could almost describe that as fun.
You may also be interested in
- How to plan for the ‘unplannable’: human error
- Making risk work for your project on APM Learning
- The role of leadership in risk management
This blog was co-written by Ed Watson and Dom Moorhouse
Dom enjoys an entrepreneurial and pluralist career – with a current, heavy focus on his CEO role of Method Grid (methodgrid.com) - a "connected assurance" platform for engineering-consulting practices (and project-centric service delivery organisations generally). Previously, Dom founded Moorhouse, growing it from singleton start-up in 2004 to, now, one of the most respected business transformation companies in the UK, serving multiple premier/global clients; Dom handed over the MD reins in 2011.
Ed is a Chartered Project Professional with 14 years’ experience in delivering complex change initiatives in a variety of different industries and contexts, from Highways Engineering to Aerospace Manufacturing to Defence and Security. The common thread uniting them all, and his area of passion and expertise is in collaborative teamwork, building trust and using simple and effective communication to help turn strategic ambition into operational reality. Connect with him on LinkedIn
4 comments
Log in to post a comment, or create an account if you don't have one already.
I think you missed an important point after your 'hook' indicating that you were going to show how risk management is fun and then didn't illustrate how this can be so. Really this is more of an advertorial. A primary issue is surely that it is risks to delivery of the project objective that PM's are interested in and what type of risk is also a key factor schedule- slippage leds to financial, reputational. The 'fun' as such, is in being able apply it professionally and make it meaningful to the project delivery team so that it's not seen as some quick chore at the end of a project board. Agree that wizzy diagrams can look better presentationally but there's a tendency to make risk management some kind of surreal technical process that is not really linked to the delivery schedule. Risk owners need to be those people with some skin in the game e.g. the end user who is paying or will be operationaly affected by the risk impacting, but that's another issue.
Thanks for the feedback John. I agree with your point about a tendency to make risk management some kind of abstract technical process divorced from the realities of delivery. Risk management can be 'fun' (read professionally fulfilling) when we bind the three basic ingredients together with visual management. An example of how this can implemented is through short, punchy, but regular 'risk and opportunity moments' positioned near the top of a meeting agenda to get the most mileage out of finite attention spans. Diagrams don't necessarily need to be wizzy; a whiteboard with a five by five matrix and some post it notes would do the job nicely if meeting in person. There are many digital tools that do the job (including Powerpoint) but the main thing about the tool is that the tool's not the main thing... the absence of sound risk management practice isn’t (in my opinion) due to tool availability – more the absence of excitement, interest and attention (refer back to the three essential ingredients and visual management).
It was great to see an article relating to risk featured in the APM blog. I note that you are speaking more about enterprise risk management rather than project risk management, which is where APM’s focus is. Your views on risk management are therefore not totally aligned with those of APM’s Risk SIG. Interestingly you say that ‘mainstream corporate risk management solutions are essentially glorified spreadsheets’. Many of the corporations I work with take project risk management very seriously (note project risk management) and fully integrate their risk registers into their project activities. The bells and whistles support ongoing decision-making, trend analysis, and monitoring and control. This approach to project risk management is far from dull and is fundamental to the success of the project. I appreciated your reiteration of the use of three-part risk descriptions. My experience is that cracking this leads to an immediate improvement in risk management as everyone understands the risk, and a risk that is understood is a risk that can be managed. I also agree with the concept of a single risk owner, preferably a named individual, and the need to look forward. However, I do think the pre-response score is important information, but only if it is assessed correctly and by taking things into account like any existing controls that are in place. One of the corporations I alluded to above has certainly taken on board visual risk management and actually produces a ‘risk visual’ from its comprehensive ‘bells and whistles’ risk tool. I know others who do the same, so while visualising risk is not the norm it is also not unusual. Having said this, it’s a great aid and if it’s not already being done then why not do it. Using visualisation to highlight the key risks, both threats and opportunities, (note I’d never suggest a number) can really help those who find looking at pictures informative, but we must recognise that to some ‘a picture does not paint a thousand words’, and a list, or being told, what the key risks are maybe the best method of communication. Assuming your tool can be used for project risk management then maybe we could arrange a demonstration for the Risk SIG. By the way. I have always considered risk management as fun. Peter Simon HonFAPM, Chair APM Risk SIG
Hello Peter, so sorry for the very delayed response, having only just picked up your comment. Thanks for continuing the discussion -and yes I'd love to get involved in the Risk SIG, perhaps to demo, but equally and more pertinently to hear more of your thoughts and feedback. I'll drop you a note on LinkedIn to work that out... Relevant to your point about "a risk that is understood is a risk that can be managed", I got a soundbite quote from a regular email from writer James Clear this week. (James Clear is a writer and speaker focused on habits, decision making, and continuous improvement. ) "The more precisely you define the problem, the more easily you can find a solution. "I feel bad" can have a million causes. "I didn't sleep much last night and I haven't exercised in a week" has a very straightforward answer."