The failure of conventional risk management.
The importance of risk management cannot be overstated. A company that better manages risks is less vulnerable. Such a premise resonates with many organisations that are involved in high-risk projects. But how could projects become a pariah of risk? What goes wrong with risk management, even when all conventional wisdom and best practices are followed?
The prescription for risk management consists of a standard operating procedure comprised of taken-for-granted forms of activities. Basically, risk management revolves around a three-stage process - forecasting individual risks, assessing their importance, and finding an appropriate response. Managers identify and single out uncertainties that may affect their objectives. By using risk analysis, they assess the likely consequences of these uncertainties as well as the likelihood that the uncertainties will become real. The risk management procedure then prompts a response to each significant risk.
For only 2% of the risks associated with critical events was fundamental knowledge lacking. Rarely was it a problem of ‘not knowing’; 98% of the risks were knowable. Rather, most problems stemmed from the way ‘knowable risks’ were managed (or not).
The Identification Gap – The Lure of the Familiar: The first step in risk management is risk identification. Out of the ‘knowable’ risks associated with critical incidents we studied, 94% were identified, but 6% were excluded from further treatment. We call this the Lure of the Familiar, where managers show a propensity to identify commonly recognized risks in some areas but to ignore other areas entirely. Managers concentrate on what is critical in their experience and disregard other risks.
The Assessment Gap – The Lure of the Measurable: This gap caused on average 18% of the remaining key risks associated with a critical event to be ignored. Faith in the relevance of the risk is a further determinant of whether to ‘believe’ in it as a precursor to its management. Hence, all too often risk management rests upon what can easily be counted, which we have called the Lure of the Measurable. The risks that attract the most attention are the ones that are easier to imagine and measure.
The Response Gap – The Lures of Positivity, NonCommitment, Deterrent of Powerlessness Indecisiveness and Control: The biggest breakdown we found in risk management occurred with 28% of identified risks that were familiar and credible but nevertheless were not actively managed.
Overall, an extensive gap emerges between the prescription of how risk ‘should’ be managed and actual practice. On average, 44% of all ‘knowable’ risks were not actively managed, yet with a considerable spread. The effectiveness of risk management ranged from the lower limit of just 40% to 83%.
Impact of our research
If you wonder how vulnerable your project is to the established Lures, please complete the self-assessment questionnaire.
What practice-oriented tools can help project managers close the risk gap? Among others, one tool that fosters a wider thinking about risk is scenario planning. Scenario planning encourages the definition and consideration of multiple possible and plausible futures that could constructively challenge each other (Ralston and Wilson 2006, Miller and Waller 2003, Mulvey 1997). In comparison with traditional risk management, this approach would not aim to focus attention on individual risks that can be responded to in isolation; rather, it would provide multiple, more abstract projections.
Why the research was commissioned
The approach commonly employed consists of a set of customary and often mechanically performed activities. A plethora of canonical risk management standards has emerged, and these are promoted as being self-evidently correct.
We challenged this assumption and highlighted our results in two widely publicised journals (see below). The publication "Does risk matter? Disengagement from risk management practices in information systems projects" won the Stafford Beer Medal in 2013.