Old Newtonian physics claimed that things have an objective reality separate from our perception of them. Quantum physics, and particularly Heisenberg’s Uncertainty Principle, reveal that, as our perception of an object changes, the object itself literally changes.
All risk is a wet finger in the air. A scientifically wet finger but a wet finger nonetheless. In large and complex programmes which have a fluid dynamic all of their own we are unable t0 define and analyse detailed statistical models in order give certainty to probabilistic analysis.
Why Bother with Risk?
Why bother with risk in an every changing programme, if our analysis will always be insufficient and caveated by a long list of exceptions? Why not just trust our technical experts and their inherently detailed understanding of the technical risks and their commercial contexts? There is a strong argument for letting technical expertise run the projects in the absence of structural control. There are far more powerful arguments which provide counterweight, though. The primary concern is, of course, that large and complex programmes – statistically – never achieve their cost and time parameters, usually causing embarrassment to the contractor and concern to the investors.
So, what should the ground-rules of Risk be to ensure that our analyses have a modicum of consistency in order to achieve some consensus in their predictability?
The 10 Commandments of Risk:
- Not all Genuine Concerns are Risks. In all honesty, most ‘Risk’ statements in Risk Registers are more generic problem statements; large aggregations of things that might have an adverse impact on the business. They are issues, assumptions and trends. To be a ‘Risk’ it has to be an atomic element of the business that can directly and quantifiably cause an impact in cost and/or time. If it can’t then it needs to be decomposed and deconstructed until it can. Which brings us to our second commandment,
- Risks Require Contingency (Assumptions Require Analysis). Risks are used to develop contingency. A business should have as few risks as they can in a Risk Register. The more risk, the more contingency (cost or time). CYA risks have no place in a Risk Register and it is the job of the CRO to ensure that all such Risks are weeded out. What is left can be sifted for legitimate concerns. In turn, these can then be decomposed and deconstructed in order to drive out the golden nuggets of risk which lie hidden inside such large, clumpy statements.
- Most Risks Need to Be Traced to Cost or Schedule. In order to determine contingency the Risk needs to be simulated within a cost model or schedule. In order to do this the Risk needs to be attached to a specific cost item or line in the schedule. There are some risks at the strategic level (corporate reputational risk) which are not attached to cost or time and we will delve into these when we show how risk frameworks are used to classify and categorise risks.
- Risks Need To Be Classified and Categorised. Categorising and classifying risks is an extremely useful way to ensure that duplication and redundancy is avoided. It is statistically likely that a relatively even spread of risks will occur in a large and complex project. In fact, in large technical delivery projects the majority of risks are usually technical because that is all that the business knows. Unnatural skewing should reveal where exposure is more likely. For instance, significant Risks around ‘resourcing’ often highlight capability gaps in processes or a lack of role clarity.
- Risks Require Resources. Real risks need accurate and adequately resourced mitigation plans. If the Risk Register is loaded with fanciful and fictitious risks then it would be astronomically expensive to actually mitigate them.
- Risks Must Be Hot, Sensitive & Weak. See our first blog.
- Risk Statements Must be Singular and Atomic. Risk statements must be singular and atomic if the ensuing Monte Carlo simulation is to have any meaning at all. Simulations founded on duplicated or overlapping risks will have no credibility at all.
- Risk Statements Must Articulate a Direct Causal Chain. A Risk statement must be made up of three direct elements of a causal chain: The transition statement (RISK), the structural weakness (CAUSATION) and the impact (direct causal impact on time/cost). Too often, Risk statements are taken from different parts of a causal chain and may only display loose and tenuous relationships between each other.
- Risk Causes Must Highlight a Structural Weakness. Causation must clearly and precisely point to some form of structural weakness. In a business, this may be legal, organisational, financial or technical. However, if accurate and delegable mitigations are to be created then then clear structural weaknesses must be identified.
- Causes Must Be Necessary and Sufficient. The test for causation is necessity and sufficiency. For instance, a fire needs both the presence of combustible material as well as the absence of fire retardant, to be a business risk. It is not sufficient to say that there is an electrical fault somewhere.
In future blogs we will delve deeper into some of these elements but together they form the core rules of risk identification and management. Indeed, by following these simple rules, along with the underlying context, Risk will become simpler and more meaningful.