Risk Management – I just don’t get it…

March 24th, 2011

Ever heard that statement? Normally what they really mean is “I get it, but why does it have to be so formal?”

The deciding factor on how much formality is appropriate should be based on the size and complexity of the project or programme. In ABCD we have the Criticality/Complexity Diagram (CCD) that can be used to explain this. The CCD is also a useful mechanism for stopping fixation with the size of the project and making management take account of what is really making the project potentially risky, i.e. the complexity.

CCD 1

On the CCD, the project is positioned relative to other projects in the organization. If the position is agreed to be in the top right-hand corner, formal risk management is justified. If the project is positioned outside the top right-hand corner, then simpler, less formal risk management approaches are appropriate. Simple eh? But let’s look deeper at the psychology of what can happen here…

Good project and programme managers often have strong personalities and the problem is that this can verge on arrogance. For example, the Programme Manager of a large-scale programme looks at the risk management process and concludes that it is a sound system but he/she can identify all the key risks themselves without the help of the process. To them the formal process is (mistakenly) just an unnecessary overhead.

The PM of a small to medium sized project should indeed be able to identify all the key risks without the need for a complex risk process. However, as soon as the scale of the enterprise gets larger, and in particular the number of stakeholders becomes significant, it becomes inevitable that key risks are going to be missed. This is going to happen simply because the challenges in communicating all the relevant data will mean that things get missed, misinterpreted, or inappropriately prioritized (and by the way, did I mention “assumptions”? We discussed the psychology of traditional risk identification vs assumption-based in an earlier blog…).

In a large/complex programme, a formal, rigorous process like ABCD is not just justified, it’s essential. But again, arrogance can raise its ugly head and this time the PM insists that the “simple” risk management processes that they used effectively before on smaller projects will work perfectly adequately here: “just scale them up a bit”…

Well no they won’t….

Simple risk management processes tend to come a cropper when applied to large-scale initiatives, i.e.:

  • The scale of the programme means that so many risks are raised that the management can’t assess priorities appropriately and lose focus, or…
  • Inappropriate escalation between layers in the programme means that very few risks get escalated and senior management incorrectly assume that all is well.
  • This situation is exacerbated by a manual escalation process that means that PMs do not escalate when they should do, but try and solve the risks themselves. If they fail, it could be fatal for the programme, and comes as a big surprise to senior management.
  • This also causes an unhealthy shift from risk management to issue management – the subject of an earlier blog.
  • The team can also be inhibited from escalating risks by the knowledge that their “arrogant” programme manager will try and squash their concerns because they don’t conform with their view of the world.

So the message is clear – when the project is critical and relatively complex, appropriately formal risk management processes are essential if you are going to identify all key risks.

And if you are still not convinced, ask yourself this question – How many showstopper risks do you need to miss before one stops the show?

And just in case you were wondering – how many times do people fail to “get it” after ABCD has been implemented? Just once in my experience, but that may be the subject of an interesting case study in a later blog…

Fast Track your career using Risk Management

September 23rd, 2010

 

Fast Track to Success: Risk Management

The “Fast-Track to Success: Risk Management” is now published and available on Amazon.com and Amazon.co.uk 

 

Business is all about managing risk and taking opportunities. However, this is normally approached in an informal way which leads to highly unpredictable results. Let’s look at a number of common roles in business and how these can be improved by techniques within the ABCD risk management process.

 

Sales:

Typical situation – Sales executives are given a sales target based on a percentage increase from last year, irrespective of the economic climate. Sales are tracked, retrospectively, month by month and multiplied by 12 to see if target is likely to be met. At the end of the year, the optimism is shown for what it is with the targets being missed by a significant margin.

Using risk management – Quality Based Costing (QBC) can be used to reflect the true feelings of the Sales Executives in each target (i.e. “Brick”). Monte Carlo analysis then gives a predicted percentage chance of meeting the end of year target that truly reflects the chances of success. Moreover, the driving assumptions are laid bare to show where the sales executives need help to manage risks and take opportunities to deliver the upper end of the target. The inevitable result is that targets are more likely to be met or exceeded and bonuses are bigger.

 

Project Manager:

Typical situation – The PM inherits a “successful bid” that gives her insufficient budget to deliver ambitious objectives in virtually impossible timescales. The PM prepares a plan that meets the constraints but doesn’t really believe that it is achievable.  The project progresses until key milestones start to be missed and eventually a “big problem” results in down-scoping of the project to meet the timescales or additional budget being added or substantial delays being agreed in order to meet original objectives.

Using risk management – The PM carries out an Assumption Analysis on the plans and identifies and communicates all assumptions that are at risk. This starts to manage expectations early but also gives stakeholders the maximum amount of time to proactively manage the risks so that the original objectives/budget/timescales can be met (assuming that they are achievable). Using QBC to undertake cost and timescale risk assessments will quantify the chances of success and show a “road map”, in the form of the assumptions that need to be managed to achieve the objectives. The result is that PMs deliver to their targets and impossible projects are stopped early.

 

Operations Manager:

Typical situation – The Operations Manager is running ongoing processes that are perceived to be “low risk” i.e. they rarely go wrong, but “high risk” i.e. very high impact, if they do go wrong.  In reality they are low probability but high impact – not so much a “Black Swan” but more a black chick! Inevitably, ongoing operational processes depend upon the experience of the team to do risk management in an intuitive way, with little or no formal process. Therefore, when something goes wrong, it tends to be down to the failure of individuals to alert senior management of the danger and very often costs the Operations Manager their job.

Using risk management – The combined knowledge of the operational team is captured in the form of a set of operational assumptions, i.e. what are the key things that need to happen in order for the operations to run smoothly. These are built into a “scorecard” that is rated regularly by all key personnel and therefore all concerns are flagged as early as possible and preventative maintenance is undertaken so that time between failures increases. The result is that the Operations Manager can point to the improved performance at their next pay review.

 

Board member:

Typical situation – The organisational strategy is not captured or communicated. At best, it is poorly expressed and interpreted very differently by each Board member and senior management. This leads to leadership pulling in different directions creating risk which is not even realised until it’s too late and some major (i.e. strategic) catastrophe hits the organisation.

Using risk management – The strategy is captured in a specific and measurable way and then decomposed down into its constituent assumptions. These strategic assumptions are then rated by the senior stakeholder group and the patterns are examined for risk due to concurrence or lack of consensus.   Major strategic risks are identified and captured by this approach, impossible strategies are revised and, at the very least, the Board and senior management get “on the same page”.

               

The bottom-line with most business roles is that for a very small investment in effective, formal risk management, the benefits will be significant in terms of measurable, improved personal performance and therefore can contribute directly to your career advancement.

Issue Management ruins Risk Management

August 9th, 2010

Issue management is a natural and essential part of project management. But if it is not set up correctly, it will compromise or even completely undermine your risk management.

Defining issues and risks is not as easy as it looks

On the surface, it’s quite clear: an issue is a problem today and a risk may become a problem in the future. In practice it’s not that simple and I have watched many organisations struggle with the question of “is it an issue or is it a risk?”

One reason for this confusion is that most risks will require actions and the first step is often urgent. Therefore “Risk Owners” tend to interpret any problems with getting the first step in the risk action plan as an “issue” and consequently raise a formal issue for virtually every risk with a risk plan. The result is effectively duplication of the same “concern” as both an issue and a risk and more data for the Project Manager to review leading to potential information overload.


Whilst dealing with the “issue” of crossing the snow-bridge, we had to consider the “risk” that we wouldn’t reach the summit and get down before dark.

 

When does a risk really become an issue?

Again it’s not as simple as it seems. The definitive answer is – “when you can no longer stop the risk impacting, it is an issue”. This means that it doesn’t actually have to impact to become an issue. But who can determine this? Let’s look at an analogy.

A missile coming over the horizon should be managed as a risk as we need to work out how to stop it impacting us. Once it has impacted, the resulting crater is an issue and then we need to work out how to clear up the mess.

At some point, an observing soldier may view that the missile is now too close to do anything to avoid impact. The soldier therefore declares the threat to now be an issue. However, the soldier is not aware that his commanding officer has access to the latest in anti-missile technology that could be used to knock out the missile just before impact. If the soldier had communicated the threat as a risk, albeit a very urgent one, then the missile could have been destroyed before impact rather than just accepting that impact was inevitable.

This is of course very much a state of mind, but a very important one that is fully exploited in the ABCD risk management process. ABCD forces people to capture and escalate risks in the form of assumptions even if the impact is close. It is surprising how much senior management can be motivated when things become Important and Urgent, as Stephen Covey once said…

Get the balance right

One of Stephen Covey’s insights from his excellent book, “The 7 habits of highly effective people”, can be used to explain the balance required between issue and risk management. As Covey describes time management, everything we do can be categorised as Important and/or Urgent. We have to deal with the Important and Urgent things first but after that we tend to get drawn into the Urgent but Not Important stuff, i.e. we allow ourselves to get distracted (interruptions, phone calls, emails etc). The effect of this is we don’t spend much time on the Important and Not Urgent stuff. As Covey puts it – we need to spend more time on the Important and Not Urgent tasks and we will then have to spend less time on fixing the Important and Urgent things.

Transposing this to project management; the Important and Urgent things are “Issues”. Whereas “risks” are clearly Important (if not fixed they will become issues) but are not urgent as they are in the future. Applying Covey’s logic again, we need to spend more time on risk management and we will then need to spend less time on issue management.

Issue vs risks

 In practice this simply means getting the balance right and making sure that a focussed risk management process is not overwhelmed by the demands of issue management. In other words, if you have too many issues, then you are not spending enough time on risk management.

Where is the value in risk management?

April 13th, 2010

It always starts the same way  – “So what is it that you do, risk management? So you work for a bank?”  Err no. “So you are in insurance?”  No not quite. “Health and safety?” Definitely not!

So what exactly is “risk management” and where is it really valued? It means so many things to so many people. To many it will mean financial risk management that forms the backbone of all banks (albeit a weak backbone as we saw when the financial crisis broke…). People will talk about Enterprise Risk Management without really expanding much beyond the financial aspects of risk. And if we get into H&S then we lose the “business” context of risk to a great extent and probably credibility, whether justified or not.

Rather than try and define all these different types of “risk management” (you have Wikipedia for that…), I was thinking about how risk management can bring the most “value” to your business. Value can be measured in many ways and perhaps the most obvious way to measure value in risk management is to look at the financial value of the risks identified. The problem with this approach is that it relies on estimates that may be no more than wild guesses. And when someone estimates the financial impact of a risk, where do they stop, at the immediate impact or the ultimate impact? For example, it could be claimed that every “showstopper” risk could be valued at the entire cost of a project or business process.

 The way I am going to describe value here works very well for an “uncertain” subject like risk management. Demonstrable value from a risk management process would be gained from helping to identify risks that are not obvious and would not have been identified without its application.

Which then leads us to look at the different areas of risk that fall under the Enterprise risk umbrella and assess their relative “difficulty” and therefore the opportunity to demonstrate value by identifying new risks  i.e.:

Operational risk management: True operational risk looks at the ongoing, recurring processes in the business and not the one-off projects. As such, the operational staff tend to be very familiar with the business processes – they do it every day – and therefore they can tell you the risks without the need for formal risk management. In situations like this, formal risk management tends to be seen as an administrative overhead as it doesn’t tend to identify “new” risks.

Strategic risk management: The risk to the business strategy is obviously a big deal – if the strategy fails, the entire business could fail. But when the strategy statement (assuming that there is one?) has been broken down into its constituent assumptions, there will be a reasonably small number to analyse. How they are rated may raise a surprise or two but completely new risks are unlikely.

Project risk management: Projects are one-off exercises, that is, you have never tried to achieve the specific objectives before or it would already be an ongoing business process. The sheer newness of a project will ensure that new risks are guaranteed and all will not be obvious from the start. The use of a formal risk management process is therefore entirely justified and will be valued.

Programme risk management: Programmes are made up from multiple projects that are interdependent. Therefore all that was said about project risk management above can be multiplied exponentially. A true programme risk management process like ABCD is required here to prioritise clearly and ensure that “you can see the wood for the trees”. Get this right and immense benefits will be realised in the form of risks that would never have been identified without the rigor and the perceived value will be very high.

The four types of risk management above have therefore been ranked in terms of perceived value from the lowest (operational) to the highest (programme). That is, you are more likely to identify new risks by using formal risk management processes in a programme than a project, or strategy or operations, in that order. And let’s be clear that we are talking about risks that require proactive management.  Black Swans introduce a whole new ball game, but that’s a different story…


ABS packs inflate via a rip-cord if you are caught in an avalanche – real risk management

Africa – Where risk management really can be a matter of life or death (Part 2)

February 12th, 2010

Last week we looked at the first part of our trip to Kenya to see how Oxfam approach the subject of project and risk management. You can read the first part by clicking on the link at the top of this page - now for part 2.


Sunday: We spend the night in grass-huts that have just been built to try and establish a resort on the shores of Lake Turkana. This is a remote place and the challenges are clear but this is also one of the most beautiful places in the world that I have seen. After a very basic breakfast of tea and chapattis we head north in the Land Cruiser up the coast.

Along the way we see Turkanans walking vast distances, barefoot on the baking sand. We give some of them lifts in the back of the vehicle. In this area, they are unlikely to have seen many vehicles in their life let alone ridden in them. They seem to be very happy that their all-day walk has been compressed to 30 mins. We don’t offer a lift to the Turkanan waving his rifle at us.


We visit some of the villages to see how they live and their general state of health. The Turkana are nomadic so have very few belongings and rebuild their grass-huts whenever they move. There is virtually no evidence of Western influence or materialism at all. Relatively they seem in “good” health but clearly it would not take much in the way of drought and inevitable famine to tip them over the edge. The ravages of poverty are clear when we are introduced to a 90 year old woman who is actually only 60!


We dare not go further north towards the Sudan as this is a no-go area for NGOs where bandits and attacks are frequent. Most of this is caused by livestock rustling – the Turkanans value goats more than money – but it’s too easy to get in the middle of situations that are just too risky for aid workers.

We return to the paradise that is the beach of the lake with the juxtaposition of water and desert still nagging our brains. We eat a fantastic meal of freshly caught Tilapia and rice as the sun-set gives way to an amazing moon-rise and then the malaria-carrying mossies ignore the Deet and feast on us.

Monday: Very early start to drive back to Lodwar. This is a difficult place to leave but the mosquito bites make it a bit easier.

We arrive back in Lodwar to a “normal” Monday morning at the Oxfam office. The courtyard is marked out into parking slots with white stones and in each slot sits a Land Cruiser in full Oxfam regalia including flags on their massive radio antenna and the no-guns stickers on the side – just in case anyone wondered.

Inside the offices the day is already in full swing with the plans for site visits and project meetings. The operation appears very professional but yet obviously done on a very tight budget. We visit a project just outside Lodwar which was aimed at relocating displaced tribes. In the early years of this century, many Turkanans walked south to Nairobi where they had heard that the streets were paved with gold – or the Kenyan equivalent of jobs and food. Many ended up destitute and returned north where they wandered Lodwar starving and desperate. They were relocated onto government land which Oxfam very quickly distributed appropriately and supplied water and sanitation services. Today the site is a thriving new village with a school and smiling children running and playing in the sand.

We then set out for Kerrio, a very remote region to the south-east of Lodwar. The road quickly deteriorated into nothing as we bounced our way through the deep sand. We were to see food distribution in action for tribes who were badly hit by a drought in 2005. Back then they were in a bad way and have been receiving food-aid on a monthly basis since.

The trucks loaded with food had left on Friday but, due to problems of getting stuck in the sand, they only got there on Monday morning. This had been factored into the plans based on previous experience. Our journey there in the Land Cruiser took less than 2 hours.

The December delivery did not happen as the area was cut off by unusually heavy rain and floods (anyone for a climate change discussion…….). The tribes were therefore very hungry but nothing prepared us for the sight that greeted us when we reached the distribution point.

The Land Cruiser slithered between densely packed palm trees and we suddenly emerged into a clearing. To our left was a makeshift compound into which the food had been unloaded from the trucks and to our right there were over 700 women and children patiently waiting for their food allocation. Men were conspicuous by their absence as they cannot be trusted with the food (!)  Plus it also helps to preserve their dignity by not being at the food distribution.


The women and children stared open-mouthed at us. Not surprising as we learned later that most of them had probably not seen a white person before and those that had may only have seen white people briefly when the emergency aid started in 2005.

Hungry they may have been but they were patient, ordered and good humoured as they came up to shake our hands in the traditional Turkanan way. They were fascinated by our cameras and we could have entertained the children all day with their own photographs but there was an important project to execute here. The people were pre-prioritised in terms of need and vulnerability and clustered into extended family groups of 5-10 people. Once registered by their thumb prints, the groups quietly filtered into the compound and collected their allocated sacks which they dragged off into a corner and divided up in an incredibly systematic way.


What was explained to us was a lesson to all businesses in terms of real empowerment and delegation. When the aid programme started, the tribes were told that the food was theirs and Oxfam was only there to see that it was distributed fairly. It was the job of the tribal elders to manage the process and Oxfam only stepped in in the case of disputes, which were rare. Thus what was potentially an explosive situation, i.e. piles of food and very hungry people, was transformed into an orderly process that was managed by the beneficiaries themselves.

The process was indeed efficient and quickly the people disappeared for the trek back to their villages. For a while I played football (i.e. a ball of tied rags) with some young boys, who for once had never heard of Manchester United, until the heat became too much and we left.

About an hour later we stopped at a village that had a basic shop and drank warm coke. Across the road was a hut with something strange on the roof. On closer inspection this proved to be a satellite dish and scrawled on a blackboard by the entrance was the English Premiership games for this weekend. This is truly a place of extremes.


Tuesday: After a brief de-brief in the Oxfam office, we started the long trek home basically taking 24 hours to get back to the UK. The desert of Turkana was replaced by the relative cool of Nairobi to be subsequently replaced by the absolute freezing temperatures of the UK. I had missed the cold, or so I thought. Already I miss the heat. A bit.

On the return trip our brains reeled with the sights, sounds and smells from the trip. We were left with an overwhelming appreciation of the work that Oxfam do and in particular, the business-like way in which they perform in extreme physical and emotional conditions. We now need to think how modern project and risk management can be applied effectively in Oxfam’s projects and even what modern business can learn from these very different circumstances. It was a very special and valuable week.


Africa – Where risk management really can be a matter of life or death (Part 1)

February 5th, 2010

Last week De-RISK started a new engagement with Oxfam GB (Horn East and Central Africa Region) to look at how the risk management techniques we have successfully employed in big corporations might be adapted for use in their work programmes. This blog diarises our first visit to the “front-line” in Kenya and subsequent blogs will look at some of the ideas we came up with along with what the corporate world can learn from the projects that Oxfam undertake in situations where success or failure really can mean life or death.

 Please note that the views expressed are those of De-RISK and not those of Oxfam GB.


Wednesday:  We arrive at Nairobi (or “Nairobbery” as the locals call it) at 11pm. Driving through the dark streets, one gets the idea that this is not a particularly safe place to explore on foot. Even very short journeys have to be done by taxi after nightfall. The other side of this is that security is big business – all significant businesses and larger dwellings have big gates, security guards and electric fences. Most of the people we talk to have been robbed on the street (some multiple times) and stories of car-jackings and failed attempts are common. It is understandable that risk management is focussed mainly on personal security.

Thursday: Everything looks better in the sunlight and we relax into breakfast by the pool while the electric fence fizzes over our shoulder. A free morning so we head to the Nairobi National Park. This is the only game park where you can see big animals so close to a city. Unfortunately today it seems like “Giraffic Park” as that is pretty much all that we see. After a couple of hours we escape the heat and head back to the bustling city centre only 30 mins away.


In the afternoon we give our first presentation to the Oxfam “Talent” group – a bunch of very bright, hand-picked individuals who are being groomed for senior management roles. We tentatively introduce some of our tools and techniques, clarifying that we do not yet understand their “business” but all seems to go down well. A pleasant dinner around the pool follows and the local mosquitoes get to work on our fresh white flesh.

Friday: We go into the city to the Oxfam office. The traffic at rush-hour is just as bad as central London but with no-one giving way and no traffic lights. Chaos and close shaves are the norm. We undertake a series of interviews with the regional management team. The idea is to do an initial Strategic Risk Assessment of the current programme organisation, tools, people and processes. We use a “standard” template complete with “corporate speak”. This is deliberate to see what terminology works and what jars. Surprisingly most works with a little tweaking (e.g. End-users become Beneficiaries).

One of the managers jokes about not needing risk management – “We drill a bore-hole and if we strike water we call it a well. If we don’t, we call it a toilet”.

An overall view seems to be that the balance between planning and doing is difficult to achieve when you are faced with a humanitarian disaster. It was felt that people tended to “tick the boxes” in the project management processes just so that they can get on with things. Understandable, but they generally recognise that this is not necessarily the best thing to do in the long-run. I noted that this was not unique to the humanitarian aid “business” and we have seen the desire to do rather than plan rather too often.

Saturday: Very early morning flight booked to the north of Kenya but my colleague announces that she has been up all night firing from both ends! We make our way to the airport still not sure that this is a good idea. If we need medical attention we need to get it in Nairobi. We check into the flight to be told that it is a 3 hour flight in a very small plane with no toilet. Her face is a picture when told this but I am the one who will be sitting next to her if something gives. Thanks to the power of Imodium we both arrive in Lodwar clean and safe.


Lodwar is the capital of the Turkana region of Kenya and has an area comparable to that of England. It is a bit of a wild-west town in the desert with very basic infrastructure – the airport terminal is no more than a bus shelter. We are met by our driver and whisked out of town, stopping briefly at the local “supermarket” to stock up on basic food and bottled water. It is now hitting 35 degrees plus and the temperature varies little here over the year.


We drive north on a reasonable road for a while and then head east on a very rough sandy track which progressively disappears until we are effectively making our own tracks across the desert. Hundreds of camels wander from one horizon to the other (yes, camels in Kenya!) – each one branded uniquely by its owner. We are alone but never alone. Every time we stop to take photos a Turkanan seems to appear from nowhere and stare at us. They very rarely see vehicles in this area and are as curious as we would be if a space shuttle landed in our back garden.

The Land Cruiser handles the sand efficiently and we eventually snake our way through the palm trees and suddenly burst out onto a beach with Lake Turkana stretching in front of us.


Lake Turkana is the largest desert lake in the world and approximately eight times the size of Lake Geneva. The water looks all wrong next to the desert and here lies the rub – it is very salty and undrinkable. Drought is very common in this area and the Kenyan government have been talking about desalination projects for a long time. Just talking but not doing.

Part 2 next week – Extreme contrasts – tribes that have never seen white people and the influence of Manchester United.

Extreme Risk Management – Mountaineers and Project Management

December 30th, 2009

 

This article was originally published in Project Manager Today in April 2008.

 

We all know that mountaineers take extreme risks but perhaps it’s not as simple as it seems. Good mountaineers are certainly superb risk managers but the nature of the terrain, conditions and competency all play very significant roles that can change the risk exposure from extreme down to highly manageable. In this article we look at how mountaineers cope with the extreme end of this continuum – on new mountain routes, at the highest altitudes and in conditions that can and do kill – and we contrast this with a programme/project manager facing the risks of an ambitious new project; doing something that has never been done before or at a scale that has never been attempted before. In particular, we look at how traditional approaches to risk management can break down under extreme risk and what approaches have been proven to work in these circumstances.

Mount Everest at sunset

The Mountaineer’s perspective

I fancy myself as a bit of a mountaineer. I have climbed all the “trophy” mountains in the Alps – including the Eiger, Matterhorn and Mont Blanc – and have climbed in the Himalaya, Andes and many other places in the World. But some years ago, I was humbled to be in the presence of one of the truly great mountaineers, Sir Chris Bonington. Grabbing my opportunity to speak with him I told him that “Everest – the Hard Way” was one of my favourite books of all time – in both mountaineering and project management! He smiled as he has always stressed the project management aspect of planning and leading a large-scale expedition. The annexes to his book contain the detailed plans for the expedition and expose the incredible thought that went into the enterprise and show ultimately how accurate the plans were.

Everest – the Hard Way details the 1975 expedition to climb the South West Face of Everest. By the mid 1970s all the “easy” routes up Everest had been climbed and the leading mountaineers of the time were focusing on more difficult potential routes. I say “potential” as no one really knows if a route is physically possible until it is attempted. The SW face had been attempted once before in 1972. All this achieved was to prove that the SW face was very difficult, if not the most difficult, route up to the roof of the World.

Everest – South West Face

So back to my meeting with Sir Chris – given my risk management background, I just had to ask him “So when you are planning an expedition, how do you identify the risks?” His response surprised me somewhat – “I try not to think about the risks” he said! Now this was either a macho show of bravado or there was something else going on – as he was one of my heroes, I assumed it was the latter. “What do you mean?” I asked. He expanded, “When you are climbing a new route on a mountain like Everest, if you spend too much time thinking about the risks, you would never get out of the tent at Base Camp! You have to stay focused on your objectives and plans and stay positive. Risks are only relevant in their context and need to be kept specific and in perspective”.

All too soon our short time together was over but, before we parted, I did manage to understand the significance of what he was saying and to realise that it was very similar to my own philosophy regarding the risk management of large and complex “extreme risk” programmes.

In 1992 I was part of a team that was asked to look at why programme and project risk management wasn’t as effective as it should be – and, if possible, fix it! In particular we were looking at why “large”-scale programmes have more problems with making risk management work, relative to “smaller” projects.

We looked at lots of risk management processes and tools and a number of common problems emerged i.e.:

  • There was a tendency to focus on today’s issues rather than tomorrow’s risks i.e. they were not really risk management processes!
  • They tended to use generic risk statements that communicated very little in terms of the real underlying risk
  • They often used distracting quantitative analysis that used “poor-quality” or unsubstantiated data
  • Alternatively they used inadequate qualitative analysis using misleading HML (High, Medium, Low) type scales
  • Prioritisation was often poor and misleading so that valuable time and resources were spent on the “wrong” risks
  • There was a general inability to motivate anyone to actually do anything about the risks so there was a degree of “Risk Assessment” but very little “Risk Management”.

In addressing these problems we effectively came up with a new methodology – the ABCD risk management process. Since those early pioneering days, ABCD has been used effectively to manage some of the biggest and most complex programmes in the world and has become the standard for many businesses and Government departments. The advantages we believe ABCD has over traditional risk management approaches are that it:

  • Naturally forces people to look to the future (i.e. their assumptions – what needs to happen for people to meet their objectives) and therefore ensures an emphasis on proactive risk management rather than reactive issue or problem management
  • Captures the specific root-causes of risks (i.e. the assumptions), which gives pin-point fixes
  • Uses meaningful analysis that provides true insight and accurate prioritisation
  • Provides clear prioritisation and escalation from projects through programmes to enterprise levels
  • Ensures follow-through on actions via simple but effective roles and governance structures

At the most basic level ABCD works because it is an intuitive process that takes a positive rather than negative view of the challenges to the enterprise (i.e. what do you need to achieve your objectives – your assumptions, rather than what might go wrong  – your risks). This reflects the approach described by Chris where he focuses on ensuring that the key elements of the plans (i.e. the assumptions) hold true to get safely to the summit.

 Stay positive

I have always had a problem with the “negativity” of risk management. And so do many other people it seems – the whole idea of planning out a venture and then spending valuable time identifying what might go wrong can be, at the very least, demoralising as most people are fundamentally “positive” thinkers. Psychologically, people want to concentrate on what needs to be done – the positives – and to make them think about the risks – the negatives – can put their brains in a spin. Should we be surprised at the resistance we often find when we ask people to identify their “risks”? Most people consider themselves to be competent and want to get on with the project. Many understand that risk management can be a useful exercise but they see it as something to do if they have the time i.e. a “bolt-on” rather than a must-do.

Both mountaineers and project managers need plans to deliver success. All plans contain some facts and lots of assumptions. Perhaps the most effective way to manage and communicate the complexity of the plans is to distill out the key assumptions and assess the risk to these assumptions. This structured, assumption based, approach also ensures that key risks are not missed but stable assumptions are not emphasised as “risks” either.

When Chris Bonington talks about keeping positive or you “would never get out of the tent” he is echoing this approach. A quick look at the Appendices of Everest the Hard Way shows how he approached the expedition. The plans showing the logistics of moving people and supplies from one camp to the next are classic project management – he breaks the complexity down into manageable chunks and thinks about what needs to happen – the assumptions – not what will go wrong. The risks to these assumptions are considered but are kept specific to the plans and in context with the situation.

As the risk increases this positive focus becomes even more important. People can get tunnel vision – summit fever as mountaineers call it – and there is a tendency for risk assessment to go out of the window as the pressure increases. People fall back into managing problems as they arise but if these are “show-stoppers” then this will not work – and may kill you if you are high up on a mountain. You need to keep your head up and look ahead, stay positive and understand what assumptions you are making about the terrain ahead, and you need to objectively assess these assumptions. This could be the difference between success and failure or life and death – perhaps literally.

Prioritise appropriately

When you try and negotiate your way through a large and complex programme there are going to be risky assumptions – lots of them. Getting these prioritised accurately is the only way that you will be able “to see the wood for the trees”. Too many times I have seen programmes so swamped by the number of risks raised and escalated that they effectively give up on the risk process.

On a big mountain like Everest the number of risks will overwhelm you if you let them. As Bonington describes in his book, it’s very important to keep things in context. If it’s just snowed, then avalanche danger rises. If the ambient temperature increases, then rock-fall becomes more of a risk. If the Sherpa carries of supplies to higher camps have gone to plan, then running out of oxygen is not a risk. The Everest team was encouraged to think about what needed to be done and where the main challenges would be (and to communicate them, but more about that later) but not to escalate things inappropriately.

In ABCD the assumptions are prioritised on a 4×4 scale – not a three-point scale as “medium” allows people to sit on the fence and therefore doesn’t really tell you anything about their perspective. Captured assumptions that are both sensitive and unstable are treated as “risks” and action plans prepared. All other assumptions are monitored but no action is planned. In this way all the key assumptions that underpin the plans are assessed, but only the assumptions that need it are actioned. On a large project or programme, the risky assumptions are subsequently re-prioritised top-down and together this ensures a level playing field and avoids inappropriate escalation.

 

 Sens-Stab ratings

Be specific

When you are planning a route up a big and potentially deadly mountain, there is no point in just “brainstorming” the risks. What you might get if you did is something like…….

  • Unexpected bad weather
  • Significant avalanche
  • Rock-fall
  • Frost-bite
  • Broken ropes
  • Loss of team member
  • and so on….

 “Risks are only relevant in their context” Chris said. For example, the threat of avalanche is minimal if your route is primarily up a rock-spur – any avalanches will just go around you. Frost-bite is only a problem if you expose skin in poor conditions – on most days, sun-burn will be more of a problem. So the list above is not specific enough to be useful and will probably be prioritised incorrectly because the context and causes are not captured.

Focusing on the assumptions means that you stay focused on the plans. That does not mean that you don’t consider external factors that are not explicit in the plan but it does mean that you consider such factors within the context of the plan.

Also, being specific is not just about getting more detail. Identifying the root-cause of a risk is a much better way of being specific. For example, rock-fall is always a risk on large mountains but if we have multiple teams on the same line at the same time, there is a much greater chance that the higher team will dislodge something that may impact the lower team – the root cause is in the plan to have multiple teams on the same line simultaneously.

In ABCD, the root-cause of any risk is in the underlying assumption. For example, in a project, there may be a risk that insufficient resources are available for testing. The assumption might be expressed as “10 resources with XXX specific skills will be available for YYY testing”. When rated using the grid above, the next logical step is to understand why the assumption has been rated in that way. So if the Stability has been rated as a “C” (which corresponds to “Uncomfortable”), the “why” might reveal that the root-cause of the potential lack of testing resources is due to a clash of schedules with another project. It is the “why” that reveals the root-cause and it is the root-cause that should be targeted by the risk action plans.

Dougal Haston climbing the Hillary Step just below the summit

 Communication under pressure

Bonington preaches communication as the most important leadership skill. His book contains many examples where situations are described first-hand by different members of the team. These show good communication, where risks were avoided, and sometimes breakdowns of communication where opportunities were missed. Mountaineers on big mountains tend to have lots of experience. As with any major project, the art is to harness that experience so that the relevant risks are identified and managed. Bonington’s expeditions were notable for their team meetings – he forced the communications whether the team wanted to discuss things or not. He used the best radio communication systems that were available at the time and today’s expeditions on big peaks normally allocate a radio to all team members. Consequently, expeditions today lose far fewer people than they used to.

We therefore developed ABCD as more of a “communication enhancement” technique than just another risk management process. The premise is that most risks will be foreseen by some member of the team or the associated stakeholder group. If you can efficiently capture the combined knowledge in the form of the key assumptions that they are making and their priorities in the form of their ratings, you can get a complete and consistent risk profile.

Further, capturing, rating and sharing assumptions can lead to the identification of risks that would never have been identified by a traditional risk management approach. In recent years we have developed and used the “Assure” web-based tool to force cross-communication of assumptions even more effectively.

There are several good examples of assumption cross-communication in the book. On one occasion, the Everest team were discussing the push from Camp 3 to Camp 4. The consensus was to use a direct line, on the assumption that this would be protected from avalanches on both sides by rocks. This was pretty much agreed when Doug Scott returned from reconnoitring a site for Camp 5. When Doug was brought up to speed on the plans and assumptions regarding the direct line, he pointed out that on the 1972 expedition, he saw a big avalanche come down that way that was deflected onto the direct line by the angle of the cliffs higher up on the face. The plan was immediately changed and the decision probably saved lives – two days later a big avalanche came through the original planned route!

Accept that you are pushing the limit – Contingency Planning

On 24th September 1975, Doug Scott and Dougal Haston emerged from the South West face and onto the South ridge. They had climbed terrain that had never been climbed before but now they were on “familiar” ground. The problem was that night was fast approaching and they now had no chance of getting back to camp – their assumptions regarding timing had proved incorrect and now their lives, or at least their limbs, were at severe risk. At sunset they stood on the summit and euphoria quickly turned to desperation as the seriousness of their predicament sank in. However, they had a contingency plan. On the way up, they had realised that they were not going to get back to the top camp that night and they had quickly scratched a basic snow-hole for a possible bivouac. They got back to the South summit in the half-light and dug in for the night. The only problem was that no-one had ever survived a bivouac at that altitude and without bottled oxygen – Doug and Dougal were confident enough to assume that they could, based on their extensive experiences on other Himalayan peaks. And they did, and, against the odds, managed to keep all their fingers and toes.

 

Doug Scott on the summit of Everest at sunset

 

Extreme Conclusions

 So what is different when the risk goes from “normal” to “extreme”?

 You need to:

  •  Keep positive – negativity turns people off, particularly when they are being pushed to the limit. Assumptions are natural and people relate to them. Risks are not and can demoralise.
  • Prioritise effectively – you must make sure that you can “see the wood for the trees” or you will be swamped by risks as the pressure increases.
  • Be specific – generalities are unhelpful at the best of times. When the risk is high, you must be specific so that you can fix risks at root-cause with minimal effort
  • Communication breaks down when people are put under pressure. They withdraw into themselves, forget the bigger picture and do their own job as well as they can. Therefore you have to structure and force communications of the bare essentials to ensure that the team stay on the same page, are aware of each other’s key assumptions and consequently their perceptions of risk.

There is clearly a big difference between climbing a 1000m Scottish “Munro” and an 8000m Himalayan giant in the way you would view and manage risk. Similarly, simple and relatively informal approaches to risk management tend to work well on small projects but then fall apart as the projects get bigger and become multi-project programmes. Perhaps the answer is not just more complex processes and software tools to capture loads of unusable data, but to take a fresher, more “positive” view of the challenges and focus on the identification and cross-communication of the assumptions to ensure success and “bag the summit” – safely.

____________________________

 

Things that you probably didn’t know about Everest…

  • Statistically, for every 10 people who successfully climb Everest, one will die (up to 1970 this was 1:1 and by 1990 this was still 1 in 3)
  • There are over 100 visible corpses on Everest that no-one has tried to recover – it’s too risky
  • The South West Face was first climbed in 1975 and a repeated ascent has never been attempted
  • Everest was first climbed in 1953 by Sir Edmund Hillary and Tenzing Norgay. The first Briton to climb Everest was Doug Scott on the 1975 South West Face Expedition
  • A place on a commercial Everest expedition costs around $50,000
  • In recent years there has been lots of talk about “crowding” on Everest. This is obviously because there are more expeditions but it is mainly due to there only being an average of 5 “good weather window” days a year to attempt the summit
  • On “summit day”, climbers normally leave the top camp before midnight and climb through the night. If they don’t reach the summit before 2pm, they should turn around or risk being stranded overnight in the “Death-zone” above 8000m
  • Most of the people who die do so on the way down!

 

“Getting to the summit is optional, getting down is mandatory”

Ed Viesturs, 5 times Everest summiteer

 

 

Strategic Risk Management – Taking the Long View

November 9th, 2009

The following is taken from an interview with the CIMA “Excellence in Leadership” magazine.
 
“Strategic Risk Management – Taking the Long View”
 
Most companies have risk management processes in place, but there is too much focus on operational risk and not enough on strategic risk, De-Risk’s Keith Baxter tells Mark Stuart.
 
Strategic risks are, by definition, the risks that could threaten your business strategy. Keith Baxter, who runs De-Risk, a specialised consultancy that provides enterprise risk management solutions across all business sectors, says: ‘Fail to identify the strategic risks and you fail as a business, no matter how well you manage your operational and project risks.
 
‘For example, you can successfully deliver a new product to market, but if the market has changed while you were designing and manufacturing and no longer wants the product, your strategy will fail. If this is a key new product, such as a car launch for instance, it could spell financial disaster.’
 
There is also confusion over the difference between enterprise risk and strategic risk. ‘Enterprise risk is the total risk to your business and strategic risk is a subset of enterprise risk,’ explains Baxter. ‘The strategic part is the most important, yet many companies don’t consider it.’
 
For Baxter, one big problem with identifying strategic risks is that you can’t brainstorm them: ‘You get too much noise and everyone gets distracted by irrelevancies. Instead, capture your business strategy first – write it down and make it specific with numbers and dates. Ensure that it is communicated to the rest of the board, and to at least two management levels down.
 
The next step is to break down the strategy into its constituent assumptions – things that need to happen, both externally and internally – to ensure the strategy is met. Focusing on assumptions rather than risks works well, as people are more comfortable discussing positives than negatives.
 
Show these assumptions to the board and top-level management, and obtain ratings to identify which are “safe” assumptions, “risky” ones, etc. It is also important to test these assumptions by bringing in one or two industry experts to make sure that the board is not falling into the trap of insular thinking.
 
‘At that point you may start to see patterns – you’ll see where people have consensus on stable assumptions, where they agree that the assumptions are at risk and, most interestingly, where there’s a lack of consensus because different managers are not seeing eye-to-eye.
 
It’s the assumptions that some people think are safe and others believe to be risky that are the really dangerous ones – they represent risks that would not be identified by any traditional risk process.’
 
Baxter continues: ‘An effective strategic risk management process must also include escalated project and operational risks that have strategic implications. The danger here is that nothing gets escalated or too much gets escalated and the board can’t see the wood for the trees.
 
Only risks that have a potential impact on business strategy or require board intervention should be escalated. Everything else should be managed at lower levels in the organisation. To control this efficiently in a large organisation, you will need an automated software tool.’
 
Baxter sums it up by offering an example of his assumption-based strategic risk management approach in action. ‘We worked on a large government programme which was halfway through a five-year plan. Programme risks were being escalated but senior management perceived everything to be ticking along satisfactorily. We set up a strategic risk assessment with the executive team and in just a fortnight it became clear that the programme was not going to meet the strategic objectives of the department. They re-scoped it and re-launched it two months later and it is heading for a successful outcome.
 
‘It wasn’t a case of telling the board what we thought their risks were; it was simply a matter of capturing their assumptions and presenting them in such a way that the managers would realise that what they were planning wasn’t going to work. Our approach is about making senior management see the risks within their own strategic assumptions. It’s the purity of the process that gets the message over.’

Enterprise risk management – Science fiction or reality?

October 9th, 2009

Enterprise risk management (ERM) is the Holy Grail in many organisations. Recent events have made ERM even more desirable in some businesses but is this achievable in reality or just science fiction?

What is Enterprise Risk Management?

Enterprise Risk Management (ERM) is a process by which the total risk to the business is identified, prioritised and managed appropriately. Part of ERM normally involves attempting to quantify the total risk to the business – and this is where the fiction starts!

 What are the benefits of applying ERM?

The key benefits that should be realised from applying effective ERM are improving both short term and long term business profitability and performance by:

  • Avoiding costly mistakes – by capturing and managing risks to key projects and operational processes
  • Validating strategy – by checking that all key stakeholders are “on the same page” with strategic priorities
  • Improved operational effectiveness – through the adoption of a systematic and structured approach
  • Building relationships – by increasing confidence of stakeholders/clients
  • Preserving reputation – by avoiding corporate disasters and associated publicity
  • Anticipating market trends – by ensuring that key market assumptions remain valid

 What are the challenges?

If I were asked how many times I have seen a truly enterprise-wide risk management process I would have to answer: about as many times as I have seen Klingons at Waterloo station! In other words, very few organisations have implemented ERM effectively – why is this?

  • Quantification is difficult/impossible – some risks (e.g. financial, contractual) are easy to quantify whilst others are virtually impossible (e.g. quality, reputational). Therefore when organisations attempt to quantify the total risk to the business they tend to mix “good quality” data with “poor quality” data and therefore dilute the value of the conclusions.
  • Prioritising enterprise risks is difficult – when it comes to comparing different risks from different parts of the organisation, it can be like “comparing apples with oranges”. This is often because objectives are not clear or prioritised across the enterprise.
  • Risk processes are not consistent across teams – leading to differing focus, analysis, prioritisation and management approaches. Again this makes it impossible to build a consistent picture of risks across the enterprise.
  • Risk tools are not supported by effective process – very often, software tools are the first attempt by an organisation to provide some consistency. If these are not backed up by an effective risk process, the effect can be one of “GIGO: Garbage In – Garbage Out” as poor quality data is captured, analysed and then presented as a “high quality” result.

At the highest level the problem is that businesses fail to define their ERM strategy. They fail to agree what they are trying to measure and fail to recognise the difficulties they will face in building an ERM process. The most common trap, which is particularly common in financial institutions, is to integrate the various financial risk management measures (e.g. Credit Risk, Market Risk etc) and to call this “ERM”. Then when a large change programme in the company goes wrong, it happens off their ERM radar and has a massive impact on the business.

Quantified ERM

It will never be possible to achieve high quality quantification across all types of business risk.  However, where it is necessary to calculate total risk exposure, a simple model that will allow quantified risks to be combined is shown here.

Risks that can be readily quantified include all types of financial risks. Even in these areas of risk, there can be enormous uncertainty surrounding the quality of the data. Calculating risks around projects and operations is much more difficult. Techniques such as Quality Based Costing will need to be used to model the uncertainty appropriately; otherwise the numbers will be total guesswork. However, you don’t need to quantify risk in order to manage it – but you do need to measure risks in order to prioritise appropriately and this can be done qualitatively.

Qualitative ERM

A tried and tested model for identifying, analysing, prioritising and combining enterprise risks is shown here. This is a simplification of the Quantified ERM framework with the financial risk element removed. This is not to suggest that financial risk should be ignored – far from it – but it is meant to imply that financial risks should continue to be identified, quantified and managed using established processes and tools. All other risks should be evaluated qualitatively and only quantified on an exception basis i.e. where this can be justified by the quality of the available data and there is a clear need to have a quantified result.

 The elements of the Qualitative ERM model are:

 Strategic Risk Management – There is no point delivering products and projects on time and budget if the market no longer wants them! Thus it is imperative to identify strategic assumptions and risks as the highest priority. The prerequisite of identifying strategic risk is that the strategy of the business is captured and communicated around all senior stakeholders. Strategic risks will by definition have massive potential impacts.

 Operational Risk Management – These are the risks to the ongoing processes in the business (e.g. the risk that a production line will stop). Often operational risks are relatively easy to identify as the processes are well established and staffed by experienced personnel. Many organisations include their projects under “Operational risk” but this is often not a good idea……………..

 Programme/Project Risk Management – These are the risks that a programme or project will fail to deliver (e.g. a new product/over budget/late etc). Project risks are more difficult to identify than operational risks as projects are, by definition, trying to introduce something new to the organisation. Risks within major change programmes are the most difficult of all to identify/prioritise/manage due to the programme complexity which makes it difficult to “see the wood for the trees”. These risks are often massive if they relate to a critical change programme for example.

 Transformation Risk Management – Projects and programmes that result in significant change (such as new product development, mergers and acquisitions) will “transform” the current business. This is often when the business is exposed to most risk as the pressures increase the risk to both the current operations and the projects trying to transform them. For process purposes, Transformation Risk is often treated as part of the Programme/Project Risk.

 Contingency Planning – Strictly speaking, this is not “risk management” i.e. risk management is about stopping risks occurring (i.e. pro-active) whereas contingency planning relates to what to do if the risk impacts (i.e. re-active). However, this is an essential part of any ERM system as business continuity is paramount for any organisation.

 ERM in practice

The key to successful ERM is to clearly define the scope of your “enterprise” and be prepared to accept that you will not be able to quantitatively measure all aspects of business risk accurately – recognise and discriminate between good quality estimates and guesswork. Set up a consistent qualitative rating system so that you can compare “apples with apples” and therefore prioritise risks consistently across the organisation.

 And having done all that you can beam me up Scotty!
 

Groupthink and Risk

September 10th, 2009

When groups make decisions, they may well take more risks than the individuals themselves would – this is “groupthink”. The term was coined by psychologist Irving Janis in the 70s. Janis defined groupthink as a phenomenon where people seek unanimous agreement in spite of contrary facts pointing to another conclusion. Groupthink tends to occur when a group strives to reach consensus despite organisational flaws, combined with a high degree of homogeneity of members’ social background and ideology. Extreme pressure or stress exacerbates the situation!

Symptoms of groupthink

In summary there are eight symptoms of groupthink to look out for:

  1. Illusions of invulnerability creating excessive optimism and encouraging risk taking.
  2. Ignoring warnings that might challenge the group’s assumptions.
  3. Unquestioned belief in the morality of the group, causing members to ignore the consequences of their actions.
  4. Stereotyping those who are opposed to the group as weak, evil, biased, spiteful, impotent, or stupid.
  5. Direct pressure to conform placed on any member who questions the group, couched in terms of “disloyalty”.
  6. Self censorship of ideas that deviate from the apparent group consensus.
  7. Illusions of unanimity among group members, silence is viewed as agreement.
  8. Mindguards – self-appointed members who shield the group from dissenting information

These symptoms lead to:

  • Incomplete survey of objectives
  • Incomplete assessment of alternatives
  • Failure to examine risks of the preferred choice
  • Failure to re-evaluate previously rejected alternatives
  • Poor information research
  • Selection bias in collecting information
  • Failure to work out contingency plans

Examples of groupthink disasters

Recent examples of business groupthink disasters (and potential Black Swans!) would be Enron, Northern Rock, Lehman Bros, RBS and HBOS, where a well-publicised story circulated about the HBOS Risk Manager who was “censored” for raising concerns regarding the company’s strategy.

However, much of Janis’ research was based on a series of US foreign policy disasters in the 1970s and, in particular, the Bay of Pigs fiasco. In 1961, approximately 1400 Cuban exiles, helped by the US military, were landed on the coast of Cuba at the Bay of Pigs with the intent of overthrowing the regime. Within three days virtually all were dead or captured. President John F Kennedy approved the invasion based on advice from a “team of experts”. The team made a number of key assumptions that proved to be false, e.g.:

  • The invasion will trigger an uprising amongst the Cuban population – it didn’t
  • There will be no requirement to retreat from the Bay of Pigs after landing – there was; and so on…..

Janis concluded that the group of experts did not consider alternative viewpoints on the invasion sufficiently and fought too hard to achieve consensus. JFK accepted their conclusions because they were “experts”.

 Interestingly, when the Cuban missile crisis developed, JFK managed the situation very differently.

Another classic example of groupthink risk was the Challenger space shuttle disaster in 1986. Against the recommendations of individual engineers, the “group” agreed to launch and we all know what happened next. Watch this short video which shows explicitly (and shockingly!) how groupthink in the management team contributed to the Challenger disaster http://www.crmlearning.com/groupthink-2nd-edition

 So how do we avoid groupthink?

There are a number of relatively simple but effective ways of avoiding groupthink from an organisational perspective i.e.

  • Use external experts to challenge the group thinking
  • Set-up multiple groups working on the same issue
  • Appoint a “devil’s advocate” for key meetings to test conclusions
  • Senior management deliberately avoid expressing opinions before key meetings/projects

When JFK was faced with the Cuban missile crisis in 1962, he seemed to have learned well from the Bay of Pigs. During planning meetings, he invited outside experts to share their views, and allowed group members to question them thoroughly. He also encouraged group members to discuss possible solutions with trusted members within their separate departments, and he even divided the group up into various sub-groups, to break down the group cohesion. JFK was deliberately absent from the meetings, so as to avoid pressing his own opinion. As we know (because we are all still here!!!), the Cuban missile crisis was resolved peacefully, and the role of these measures has been acknowledged.

How does ABCD help to avoid groupthink?

When ABCD was originally developed in 1992 it was specifically tailored to avoid the problems that are frequently encountered with traditional risk management techniques. Groupthink was one of the problems considered and is addressed by:

  • Interviews – workshops are a terrible way of capturing risks where the group dynamics will allow certain individuals to dominate the discussion while others remain quiet. Interviews ensure that all voices are heard equally and are actually significantly more efficient than workshops for risk identification.
  • Assumptions – by focussing on positive assumptions rather than negative risks, all aspects of the enterprise are considered in a positive and systematic way and openness is naturally encouraged. People are led to think about what needs to happen for success (i.e. the assumptions) rather than being forced to look for risks, which is psychologically unnatural.
  • Assumption ratings – ABCD operates on a “worst case wins” basis i.e. the person who is most concerned controls the ratings even if they have isolated views. This forces people to communicate so that the minimum “Risk Plan” forces “optimists” to talk to “pessimists”. This will either resolve concerns or identify risk that the majority had missed.
  • Top-to-bottom integrity – senior management can set overall risk ratings (i.e. Criticality and Controllability) but they are not allowed to change assumption ratings or close risks/assumptions. Risks can only be closed when the assumption originator agrees to down-grade the ratings.

So would the use of ABCD have prevented the Challenger shuttle disaster? Who knows, but the rigorous structure that ABCD imposes would certainly have ensured that all assumptions were evaluated appropriately for risk before the launch was sanctioned.
