Issue Management ruins Risk Management

August 9th, 2010

Issue management is a natural and essential part of project management. But if it is not set up correctly, it will compromise or even completely undermine your risk management.

Defining issues and risks is not as easy as it looks

On the surface, it’s quite clear: an issue is a problem today and a risk may become a problem in the future. In practice it’s not that simple and I have watched many organisations struggle with the question of “is it an issue or is it a risk?”

One reason for this confusion is that most risks will require actions and the first step is often urgent. Therefore “Risk Owners” tend to interpret any problem with getting the first step in the risk action plan done as an “issue” and consequently raise a formal issue for virtually every risk with a risk plan. The result is effectively a duplication of the same “concern” as both an issue and a risk, and more data for the Project Manager to review, leading to potential information overload.

Whilst dealing with the “issue” of crossing the snow-bridge, we had to consider the “risk” that we wouldn’t reach the summit and get down before dark.

 

When does a risk really become an issue?

Again it’s not as simple as it seems. The definitive answer is – “when you can no longer stop the risk impacting, it is an issue”. This means that it doesn’t actually have to impact to become an issue. But who can determine this? Let’s look at an analogy.

A missile coming over the horizon should be managed as a risk as we need to work out how to stop it impacting us. Once it has impacted, the resulting crater is an issue and then we need to work out how to clear up the mess.

At some point, an observing soldier may take the view that the missile is now too close to do anything to avoid impact. The soldier therefore declares the threat to now be an issue. However, the soldier is not aware that his commanding officer has access to the latest in anti-missile technology that could be used to knock out the missile just before impact. If the soldier had communicated the threat as a risk, albeit a very urgent one, then the missile could have been destroyed before impact rather than just accepting that impact was inevitable.

This is of course very much a state of mind, but a very important one that is fully exploited in the ABCD risk management process. ABCD forces people to capture and escalate risks in the form of assumptions even if the impact is close. It is surprising how much senior management can be motivated when things become Important and Urgent, as Stephen Covey once said…

Get the balance right

One of Stephen Covey’s insights from his excellent book, “The 7 habits of highly effective people”, can be used to explain the balance required between issue and risk management. As Covey describes time management, everything we do can be categorised as Important and/or Urgent. We have to deal with the Important and Urgent things first but after that we tend to get drawn into the Urgent but Not Important stuff i.e. we allow ourselves to get distracted (interruptions, phone calls, emails etc). The effect of this is we don’t spend much time on the Important and Not Urgent stuff. As Covey puts it – we need to spend more time on the Important and Not Urgent tasks and we will then have to spend less time on fixing the Important and Urgent things.

Transposing this to project management, the Important and Urgent things are “Issues”, whereas “risks” are clearly Important (if not fixed they will become issues) but are not urgent as they are in the future. Applying Covey’s logic again, we need to spend more time on risk management and we will then need to spend less time on issue management.

Issue vs risks

 In practice this simply means getting the balance right and making sure that a focussed risk management process is not overwhelmed by the demands of issue management. In other words, if you have too many issues, then you are not spending enough time on risk management.

Where is the value in risk management?

April 13th, 2010

It always starts the same way  – “So what is it that you do, risk management? So you work for a bank?”  Err no. “So you are in insurance?”  No not quite. “Health and safety?” Definitely not!

So what exactly is “risk management” and where is it really valued -  it means so many things to so many people. To many it will mean financial risk management that forms the backbone of all banks (albeit a weak backbone as we saw when the financial crisis broke…). People will talk about Enterprise Risk Management without really expanding much beyond the financial aspects of risk. And if we get into H&S then we lose the “business” context of risk to a great extent and probably credibility, whether justified or not.

Rather than try and define all these different types of “risk management” (you have Wikipedia for that…), I was thinking about how risk management can bring the most “value” to your business. Value can be measured in many ways and perhaps the most obvious way to measure value in risk management is to look at the financial value of the risks identified. The problem with this approach is that it relies on estimates that may be no more than wild guesses. And when someone estimates the financial impact of a risk, where do they stop, at the immediate impact or the ultimate impact? For example, it could be claimed that every “showstopper” risk could be valued at the entire cost of a project or business process.

 The way I am going to describe value here works very well for an “uncertain” subject like risk management. Demonstrable value from a risk management process would be gained from helping to identify risks that are not obvious and would not have been identified without its application.

Which then leads us to look at the different areas of risk that fall under the Enterprise risk umbrella and assess their relative “difficulty” and therefore the opportunity to demonstrate value by identifying new risks  i.e.:

Operational risk management: True operational risk looks at the ongoing, recurring processes in the business and not the one-off projects. As such, the operational staff tend to be very familiar with the business processes – they do it every day – and therefore they can tell you the risks without the need for formal risk management. In situations like this, formal risk management tends to be seen as an administrative overhead as it doesn’t tend to identify “new” risks.

Strategic risk management: The risk to the business strategy is obviously a big deal – if the strategy fails, the entire business could fail. But when the strategy statement (assuming that there is one?) has been broken down into its constituent assumptions, there will be a reasonably small number to analyse. How they are rated may raise a surprise or two but completely new risks are unlikely.

Project risk management: Projects are one-off exercises, that is, you have never tried to achieve the specific objectives before or it would already be an ongoing business process. The sheer newness of a project will ensure that new risks are guaranteed and all will not be obvious from the start. The use of a formal risk management process is therefore entirely justified and will be valued.

Programme risk management: Programmes are made up from multiple projects that are interdependent. Therefore all that was said about project risk management above can be multiplied exponentially. A true programme risk management process like ABCD is required here to prioritise clearly and ensure that “you can see the wood for the trees”. Get this right and immense benefits will be realised in the form of risks that would never have been identified without the rigor and the perceived value will be very high.

The four types of risk management above have therefore been ranked in terms of perceived value from the lowest (operational) to the highest (programme). That is, you are more likely to identify new risks by using formal risk management processes in a programme than a project, or strategy or operations, in that order. And let’s be clear that we are talking about risks that require proactive management.  Black Swans introduce a whole new ball game, but that’s a different story…

ABS packs inflate via a rip-cord if you are caught in an avalanche – real risk management

Africa – Where risk management really can be a matter of life or death (Part 2)

February 12th, 2010

Last week we looked at the first part of our trip to Kenya to see how Oxfam approach the subject of project and risk management. You can read the first part by clicking on the link at the top of this page - now for part 2.

Sunday: We spend the night in grass-huts that have just been built to try and establish a resort on the shores of Lake Turkana. This is a remote place and the challenges are clear but this is also one of the most beautiful places in the world that I have seen. After a very basic breakfast of tea and chapattis we head north in the Land Cruiser up the coast.

Along the way we see Turkanans walking vast distances, barefoot on the baking sand. We give some of them lifts in the back of the vehicle. In this area, they are unlikely to have seen many vehicles in their life let alone ridden in them. They seem to be very happy that their all-day walk has been compressed to 30 mins. We don’t offer a lift to the Turkanan waving his rifle at us.

We visit some of the villages to see how they live and their general state of health. The Turkana are nomadic so have very few belongings and rebuild their grass-huts whenever they move. There is virtually no evidence of Western influence or materialism at all. Relatively they seem in “good” health but clearly it would not take much in the way of drought and inevitable famine to tip them over the edge. The ravages of poverty are clear when we are introduced to a 90 year old woman who is actually only 60!

We dare not go further north towards the Sudan as this is a no-go area for NGOs where bandits and attacks are frequent. Most of this is caused by livestock rustling – the Turkanans value goats more than money – but it’s too easy to get in the middle of situations that are just too risky for aid workers.

We return to the paradise that is the beach of the lake with the juxtaposition of water and desert still nagging our brains. We eat a fantastic meal of freshly caught Tilapia and rice as the sun-set gives way to an amazing moon-rise and then the malaria carrying mossies ignore the Deet and feast on us.

Monday: Very early start to drive back to Lodwar. This is a difficult place to leave but the mosquito bites make it a bit easier.

We arrive back in Lodwar to a “normal” Monday morning at the Oxfam office. The courtyard is marked out into parking slots with white stones and in each slot sits a Land Cruiser in full Oxfam regalia including flags on their massive radio antenna and the no-guns stickers on the side – just in case anyone wondered.

Inside the offices the day is already in full swing with the plans for site visits and project meetings. The operation appears very professional but yet obviously done on a very tight budget. We visit a project just outside Lodwar which was aimed at relocating displaced tribes. In the early years of this century, many Turkanans walked south to Nairobi where they had heard that the streets were paved with gold – or the Kenyan equivalent of jobs and food. Many ended up destitute and returned north where they wandered Lodwar starving and desperate. They were relocated onto government land which Oxfam very quickly distributed appropriately and supplied water and sanitation services. Today the site is a thriving new village with a school and smiling children running and playing in the sand.

We then set out for Kerrio, a very remote region to the south-east of Lodwar. The road quickly deteriorated into nothing as we bounced our way through the deep sand. We were to see food distribution in action for tribes who were badly hit by a drought in 2005. Back then they were in a bad way and have been receiving food-aid on a monthly basis since.

The trucks loaded with food had left on Friday but, due to problems of getting stuck in the sand, they only got there on Monday morning. This had been factored into the plans based on previous experience. Our journey there in the Land Cruiser took less than 2 hours.

The December delivery did not happen as the area was cut off by unusually heavy rain and floods (anyone for a climate change discussion…….). The tribes were therefore very hungry but nothing prepared us for the sight that greeted us when we reached the distribution point.

The Land Cruiser slithered between densely packed palm trees and we suddenly emerged into a clearing. To our left was a makeshift compound into which the food had been unloaded from the trucks and to our right there were over 700 women and children patiently waiting for their food allocation. Men were conspicuous by their absence as they cannot be trusted with the food (!)  Plus it also helps to preserve their dignity by not being at the food distribution.

The women and children stared open mouthed at us. Not surprising as we learned later that most of them had probably not seen a white person before and those that had, may only have seen white people briefly when the emergency aid started in 2005.

Hungry they may have been but they were patient, ordered and good humoured as they came up to shake our hands in the traditional Turkanan way. They were fascinated by our cameras and we could have entertained the children all day with their own photographs but there was an important project to execute here. The people were pre-prioritised in terms of need and vulnerability and clustered into extended family groups of 5-10 people. Once registered by their thumb prints, the groups quietly filtered into the compound and collected their allocated sacks which they dragged off into a corner and divided up in an incredibly systematic way.

What was explained to us was a lesson to all businesses in terms of real empowerment and delegation. When the aid programme started, the tribes were told that the food was theirs and Oxfam was only there to see that it was distributed fairly. It was the job of the tribal elders to manage the process and Oxfam only stepped in in the case of disputes, which were rare. Thus what was potentially an explosive situation i.e. piles of food and very hungry people, was transformed into an orderly process that was managed by the beneficiaries themselves.

The process was indeed efficient and quickly the people disappeared for the trek back to their villages. For a while I played football (i.e. a ball of tied rags) with some young boys, who for once had never heard of Manchester United, until the heat became too much and we left.

About an hour later we stopped at a village that had a basic shop and drank warm coke. Across the road was a hut with something strange on the roof. On closer inspection this proved to be a satellite dish and scrawled on a blackboard by the entrance was the English Premiership games for this weekend. This is truly a place of extremes.

Tuesday: After a brief de-brief in the Oxfam office, we started the long trek home basically taking 24 hours to get back to the UK. The desert of Turkana was replaced by the relative cool of Nairobi to be subsequently replaced by the absolute freezing temperatures of the UK. I had missed the cold, or so I thought. Already I miss the heat. A bit.

On the return trip our brains reeled with the sights, sounds and smells from the trip. We were left with an overwhelming appreciation of the work that Oxfam do and in particular, the business like way in which they perform in extreme physical and emotional conditions. We now need to think how modern project and risk management can be applied effectively in Oxfam’s  projects and even what can modern business learn from these very different circumstances? It was a very special and valuable week.

Africa – Where risk management really can be a matter of life or death (Part 1)

February 5th, 2010

Last week De-RISK started a new engagement with Oxfam GB (Horn East and Central Africa Region) to look at how the risk management techniques we have successfully employed in big corporations might be adapted for use in their work programmes. This blog diarises our first visit to the “front-line” in Kenya and subsequent blogs will look at some of the ideas we came up with along with what the corporate world can learn from the projects that Oxfam undertake in situations where success or failure really can mean life or death.

 Please note that the views expressed are those of De-RISK and not those of Oxfam GB.

Wednesday:  We arrive at Nairobi (or “Nairobbery” as the locals call it) at 11pm. Driving through the dark streets, one gets the idea that this is not a particularly safe place to explore on foot. Even very short journeys have to be done by taxi after nightfall. The other side of this is that security is big business – all significant businesses and larger dwellings have big gates, security guards and electric fences. Most of the people we talk to have been robbed on the street (some multiple times) and stories of car-jackings and failed attempts are common. It is understandable that risk management is focussed mainly on personal security.

Thursday: Everything looks better in the sunlight and we relax into breakfast by the pool while the electric fence fizzes over our shoulder. A free morning so we head to the Nairobi National Park. This is the only game park that you can see big animals so close to a city. Unfortunately today it seems like “Giraffic Park” as that is pretty much all that we see. After a couple of hours we escape the heat and head back to the bustling city centre only 30 mins away.

In the afternoon we give our first presentation to the Oxfam “Talent” group – a bunch of very bright, hand-picked individuals who are being groomed for senior management roles. We tentatively introduce some of our tools and techniques, clarifying that we do not yet understand their “business” but all seems to go down well. A pleasant dinner around the pool follows and the local mosquitoes get to work on our fresh white flesh.

Friday: We go into the city to the Oxfam office. The traffic at rush-hour is just as bad as central London but with no-one giving way and no traffic lights. Chaos and close shaves are the norm. We undertake a series of interviews with the regional management team. The idea is to do an initial Strategic Risk Assessment of the current programme organisation, tools, people and processes. We use a “standard” template complete with “corporate speak”. This is deliberate to see what terminology works and what jars. Surprisingly most works with a little tweaking (e.g. End-users become Beneficiaries).

One of the managers jokes about not needing risk management – “We drill a bore-hole and if we strike water we call it a well. If we don’t, we call it a toilet”.

An overall view seems to be that the balance between planning and doing is difficult to achieve when you are faced with a humanitarian disaster. It was felt that people tended to “tick the boxes” in the project management processes just so that they can get on with things. Understandable, but they generally recognise that this is not necessarily the best thing to do in the long-run. I noted that this was not unique to the humanitarian aid “business” and we have seen the desire to do rather than plan rather too often.

Saturday: Very early morning flight booked to the north of Kenya but my colleague announces that she has been up all night firing from both ends! We make our way to the airport still not sure that this is a good idea. If we need medical attention we need to get it in Nairobi. We check into the flight to be told that it is a 3 hour flight in a very small plane with no toilet. Her face is a picture when told this but I am the one who will be sitting next to her if something gives. Thanks to the power of Imodium we both arrive in Lodwar clean and safe.

Lodwar is the capital of the Turkana region of Kenya and has an area comparable to that of England. It is a bit of a wild-west town in the desert with very basic infrastructure – the airport terminal is no more than a bus shelter. We are met by our driver and whisked out of town, stopping briefly at the local “supermarket” to stock up on basic food and bottled water. It is now hitting 35 degrees plus and the temperature varies little here over the year.

We drive north on a reasonable road for a while and then head east on a very rough sandy track which progressively disappears until we are effectively making our own tracks across the desert. Hundreds of camels wander from one horizon to the other (yes, camels in Kenya!) – each one branded uniquely by its owner. We are alone but never alone. Every time we stop to take photos a Turkanan seems to appear from nowhere and stare at us. They very rarely see vehicles in this area and are as curious as we would be if a space shuttle landed in our back garden.

The Land Cruiser handles the sand efficiently and we eventually snake our way through the palm trees and suddenly burst out onto a beach with Lake Turkana stretching in front of us.

Lake Turkana is the largest desert lake in the world and approximately eight times the size of Lake Geneva. The water looks all wrong next to the desert and here lies the rub – it is very salty and undrinkable. Drought is very common in this area and the Kenyan government have been talking about desalination projects for a long time. Just talking but not doing.

Part 2 next week – Extreme contrasts – tribes that have never seen white people and the influence of Manchester United.

Extreme Risk Management – Mountaineers and Project Management

December 30th, 2009

 

This article was originally published in Project Manager Today in April 2008.

 

We all know that mountaineers take extreme risks but perhaps it’s not as simple as it seems. Good mountaineers are certainly superb risk managers but the nature of the terrain, conditions and competency all play very significant roles that can change the risk exposure from extreme down to highly manageable. In this article we look at how mountaineers cope with the extreme end of this continuum – on new mountain routes, at the highest altitudes and in conditions that can and do kill – and we contrast this with a programme/project manager facing the risks of an ambitious new project; doing something that has never been done before or at a scale that has never been attempted before. In particular, we look at how traditional approaches to risk management can break-down under extreme risk and what approaches have been proven to work in these circumstances.

 Mount Everest at sunset

The Mountaineer’s perspective

I fancy myself as a bit of a mountaineer. I have climbed all the “trophy” mountains in the Alps – including the Eiger, Matterhorn and Mont Blanc and have climbed in the Himalaya, Andes and many other places in the World. But some years ago, I was humbled to be in the presence of one of the truly great mountaineers, Sir Chris Bonington. Grabbing my opportunity to speak with him I told him that “Everest – the Hard Way” was one of my favourite books of all time – in both mountaineering and project management! He smiled as he has always stressed the project management aspect of planning and leading a large scale expedition. The annexes to his book contain the detailed plans for the expedition and expose the incredible thought that went into the enterprise and show ultimately how accurate the plans were.

Everest – the Hard Way details the 1975 expedition to climb the South West Face of Everest. By the mid 1970s all the “easy” routes up Everest had been climbed and the leading mountaineers of the time were focusing on more difficult potential routes. I say “potential” as no one really knows if a route is physically possible until it is attempted. The SW face had been attempted once before in 1972. All this achieved was to prove that the SW face was very difficult, if not the most difficult, route up to the roof of the World.

Everest – South West Face

So back to my meeting with Sir Chris – given my risk management background, I just had to ask him “So when you are planning an expedition, how do you identify the risks?” His response surprised me somewhat – “I try not to think about the risks” he said! Now this was either a macho show of bravado or there was something else going on – as he was one of my heroes, I assumed it was the latter. “What do you mean?” I asked. He expanded, “When you are climbing a new route on a mountain like Everest, if you spend too much time thinking about the risks, you would never get out of the tent at Base Camp! You have to stay focused on your objectives and plans and stay positive. Risks are only relevant in their context and need to be kept specific and in perspective”.

All too soon our short time together was over but, before we parted, I did manage to understand the significance of what he was saying and to realise that it was very similar to my own philosophy regarding the risk management of large and complex “extreme risk” programmes.

In 1992 I was part of a team that was asked to look at why programme and project risk management wasn’t as effective as it should be – and, if possible, fix it! In particular we were looking at why “large” scale programmes have more problems with making risk management work, relative to “smaller” projects.

We looked at lots of risk management processes and tools and a number of common problems emerged i.e.:

  • There was a tendency to focus on today’s issues rather than tomorrow’s risks i.e. they were not really risk management processes!
  • They tended to use generic risk statements that communicated very little in terms of the real underlying risk
  • They often used distracting quantitative analysis that used “poor-quality” or unsubstantiated data
  • Alternatively they used inadequate qualitative analysis using misleading HML (High, Medium, Low) type scales
  • Prioritisation was often poor and misleading so that valuable time and resources were spent on the “wrong” risks
  • There was a general inability to motivate anyone to actually do anything about the risks so there was a degree of “Risk Assessment” but very little “Risk Management”.

In addressing these problems we effectively came up with a new methodology – the ABCD risk management process. Since those early pioneering days, ABCD has been used effectively to manage some of the biggest and most complex programmes in the world and has become the standard for many businesses and Government departments. The advantages we believe ABCD has over traditional risk management approaches are that it:

  • Naturally forces people to look to the future (i.e. their assumptions – what needs to happen for people to meet their objectives) and therefore ensures an emphasis on proactive risk management rather than reactive issue or problem management
  • Captures the specific root-causes of risks (i.e. the assumptions) that gives pin-point fixes
  • Uses meaningful analysis that provides true insight and accurate prioritisation
  • Provides clear prioritisation and escalation from projects through programmes to enterprise levels
  • Ensures follow-through on actions via simple but effective roles and governance structures

At the most basic level ABCD works because it is an intuitive process that takes a positive rather than negative view of the challenges to the enterprise (i.e. what do you need to achieve your objectives – your assumptions, rather than what might go wrong  – your risks). This reflects the approach described by Chris where he focuses on ensuring that the key elements of the plans (i.e. the assumptions) hold true to get safely to the summit.

 Stay positive

I have always had a problem with the “negativity” of risk management. And so do many other people it seems – the whole idea of planning out a venture and then spending valuable time identifying what might go wrong can be, at the very least, demoralising as most people are fundamentally “positive” thinkers. Psychologically, people want to concentrate on what needs to be done – the positives – and to make them think about the risks – the negatives – can put their brains in a spin. Should we be surprised at the resistance we often find when we ask people to identify their “risks”? Most people consider themselves to be competent and want to get on with the project. Many understand that risk management can be a useful exercise but they see it as something to do if they have the time i.e. a “bolt-on” rather than a must-do.

Both mountaineers and project managers need plans to deliver success. All plans contain some facts and lots of assumptions. Perhaps the most effective way to manage and communicate the complexity of the plans is to distill out the key assumptions and assess the risk to these assumptions. This structured, assumption based, approach also ensures that key risks are not missed but stable assumptions are not emphasised as “risks” either.

When Chris Bonington talks about keeping positive or you “would never get out of the tent” he is echoing this approach. A quick look at the Appendices of Everest the Hard Way shows how he approached the expedition. The plans showing the logistics of moving people and supplies from one camp to the next are classic project management – he breaks the complexity down into manageable chunks and thinks about what needs to happen – the assumptions – not what will go wrong. The risks to these assumptions are considered but are kept specific to the plans and in context with the situation.

As the risk increases this positive focus becomes even more important. People can get tunnel vision – summit fever as mountaineers call it – and there is a tendency for risk assessment to go out of the window as the pressure increases. People fall-back into managing problems as they arise but if these are “show-stoppers” then this will not work – and may kill you if you are high up on a mountain. You need to keep your head-up and look ahead, stay positive and understand what assumptions you are making about the terrain ahead and you need to objectively assess these assumptions. This could be the difference between success and failure or life and death – perhaps literally.

Prioritise appropriately

When you try and negotiate your way through a large and complex programme there are going to be risky assumptions – lots of them. Getting these prioritised accurately is the only way that you will be able “to see the wood for the trees”. Too many times I have seen programmes so swamped by the number of risks raised and escalated that they effectively give up on the risk process.

On a big mountain like Everest the number of risks will overwhelm you if you let them. As Bonington describes in his book, it’s very important to keep things in context. If it’s just snowed, then avalanche danger rises. If the ambient temperature increases, then rock-fall becomes more of a risk. If the Sherpa carries of supplies to higher camps have gone to plan, then running out of oxygen is not a risk. The Everest team was encouraged to think about what needed to be done and where the main challenges would be (and to communicate them, but more about that later) but not to escalate things inappropriately.

In ABCD the assumptions are prioritised on a 4×4 scale – not a three-point scale as “medium” allows people to sit on the fence and therefore doesn’t really tell you anything about their perspective. Captured assumptions that are both sensitive and unstable are treated as “risks” and action plans prepared. All other assumptions are monitored but no action is planned. In this way all the key assumptions that underpin the plans are assessed, but only the assumptions that need it are actioned. On a large project or programme, the risky assumptions are subsequently re-prioritised top-down and together this ensures a level playing field and avoids inappropriate escalation.

 

[Figure: Sensitivity-Stability (Sens-Stab) ratings grid]

Be specific

When you are planning a route up a big and potentially deadly mountain, there is no point in just “brainstorming” the risks. What you might get if you did is something like:

  • Unexpected bad weather
  • Significant avalanche
  • Rock-fall
  • Frost-bite
  • Broken ropes
  • Loss of team member
  • and so on….

 “Risks are only relevant in their context” Chris said. For example, the threat of avalanche is minimal if your route is primarily up a rock-spur – any avalanches will just go around you. Frost-bite is only a problem if you expose skin in poor conditions – on most days, sun-burn will be more of a problem. So the list above is not specific enough to be useful and will probably be prioritised incorrectly because the context and causes are not captured.

Focusing on the assumptions means that you stay focused on the plans. That does not mean that you don’t consider external factors that are not explicit in the plan but it does mean that you consider such factors within the context of the plan.

Also, being specific is not just about getting more detail. Identifying the root-cause of a risk is a much better way of being specific. For example, rock-fall is always a risk on large mountains but if we have multiple teams on the same line at the same time, there is a much greater chance that the higher team will dislodge something that may impact the lower team – the root cause is in the plan to have multiple teams on the same line simultaneously.

In ABCD, the root-cause of any risk is in the underlying assumption. For example, in a project, there may be a risk that insufficient resources are available for testing. The assumption might be expressed as “10 resources with XXX specific skills will be available for YYY testing”. When rated using the grid above, the next logical step is to understand why the assumption has been rated in that way. So if the Stability has been rated as a “C” (which corresponds to “Uncomfortable”), the “why” might reveal that the root-cause of the potential lack of testing resources is due to a clash of schedules with another project. It is the “why” that reveals the root-cause and it is the root-cause that should be targeted by the risk action plans.

Dougal Haston climbing the Hillary Step just below the summit

 Communication under pressure

Bonington preaches communication as the most important leadership skill. His book contains many examples where situations are described first-hand by different members of the team. These show good communication, where risks were avoided, and sometimes breakdowns of communication where opportunities were missed. Mountaineers on big mountains tend to have lots of experience. As with any major project, the art is to harness that experience so that the relevant risks are identified and managed. Bonington’s expeditions were notable for their team meetings – he forced the communications whether the team wanted to discuss things or not. He used the best radio communication systems that were available at the time and today’s expeditions on big peaks normally allocate a radio to all team members. Consequently, expeditions today lose far fewer people than they used to.

We therefore developed ABCD as more of a “communication enhancement” technique than just another risk management process. The premise is that most risks will be foreseen by some member of the team or the associated stakeholder group. If you can efficiently capture the combined knowledge in the form of the key assumptions that they are making and their priorities in the form of their ratings, you can get a complete and consistent risk profile.

Further, capturing, rating and sharing assumptions can lead to the identification of risks that would never have been identified by a traditional risk management approach. In recent years we have developed and used the “Assure” web-based tool to force cross-communication of assumptions even more effectively.

There are several good examples of assumption cross-communication in the book. On one occasion, the Everest team were discussing the push from Camp 3 to Camp 4. The consensus was to use a direct line, on the assumption that this would be protected from avalanches on both sides by rocks. This was pretty much agreed when Doug Scott returned from reconnoitring a site for Camp 5. When Doug was brought up to speed on the plans and assumptions regarding the direct line, he pointed out that on the 1972 expedition, he saw a big avalanche come down that way that was deflected onto the direct line by the angle of the cliffs higher up on the face. The plan was immediately changed and the decision probably saved lives – two days later a big avalanche came through the original planned route!

Accept that you are pushing the limit – Contingency Planning

On 24th September 1975, Doug Scott and Dougal Haston emerged from the South West face and onto the South ridge. They had climbed terrain that had never been climbed before but now they were on “familiar” ground. The problem was that night was fast approaching and they now had no chance of getting back to camp – their assumptions regarding timing had proved incorrect and now their lives, or at least their limbs, were at severe risk. At sunset they stood on the summit and euphoria quickly turned to desperation as the seriousness of their predicament sunk in. However, they had a contingency plan. On the way up, they had realised that they were not going to get back to the top camp that night and they had quickly scratched a basic snow-hole for a possible bivouac. They got back to the South summit in the half-light and dug in for the night. The only problem was that no-one had ever survived a bivouac at that altitude and without bottled oxygen – Doug and Dougal were confident enough to assume that they could, based on their extensive experiences on other Himalayan peaks. And they did, and, against the odds, managed to keep all their fingers and toes.

 

Doug Scott on the summit of Everest at sunset

 

Extreme Conclusions

 So what is different when the risk goes from “normal” to “extreme”?

 You need to:

  •  Keep positive – negativity turns people off, particularly when they are being pushed to the limit. Assumptions are natural and people relate to them. Risks are not and can demoralise.
  • Prioritise effectively – you must make sure that you can “see the wood for the trees” or you will be swamped by risks as the pressure increases.
  • Be specific – generalities are unhelpful at the best of times. When the risk is high, you must be specific so that you can fix risks at root-cause with minimal effort.
  • Communication breaks down when people are put under pressure. They withdraw into themselves, forget the bigger picture and do their own job as well as they can. Therefore you have to structure and force communications of the bare essentials to ensure that the team stay on the same page and are aware of each other’s key assumptions and consequently their perceptions of risk.

There is clearly a big difference between climbing a 1000m Scottish “Munro” and an 8000m Himalayan giant in the way you would view and manage risk. Similarly, simple and relatively informal approaches to risk management tend to work well on small projects but then fall apart as the projects get bigger and become multi-project programmes. Perhaps the answer is not just more complex processes and software tools to capture loads of unusable data, but to take a fresher, more “positive” view of the challenges and focus on the identification and cross-communication of the assumptions to ensure success and “bag the summit” – safely.


____________________________

 

Things that you probably didn’t know about Everest…

  • Statistically, for every 10 people who successfully climb Everest, one will die (up to 1970 this was 1:1 and by 1990 this was still 1 in 3)
  • There are over 100 visible corpses on Everest that no-one has tried to recover – it’s too risky
  • The South West Face was first climbed in 1975 and a repeat ascent has never been attempted
  • Everest was first climbed in 1953 by Sir Edmund Hillary and Tenzing Norgay. The first Briton to climb Everest was Doug Scott on the 1975 South West Face Expedition
  • A place on a commercial Everest expedition costs around $50,000
  • In recent years there has been lots of talk about “crowding” on Everest. This is obviously because there are more expeditions but it is mainly due to there only being an average of 5 “good weather window” days a year to attempt the summit
  • On “summit day”, climbers normally leave the top camp before midnight and climb through the night. If they don’t reach the summit before 2pm, they should turn around or risk being stranded overnight in the “Death-zone” above 8000m
  • Most of the people who die do so on the way down!

 

“Getting to the summit is optional, getting down is mandatory”

Ed Viesturs, 5 times Everest summiteer

 

 

Strategic Risk Management – Taking the Long View

November 9th, 2009

The following is taken from an interview with the CIMA “Excellence in Leadership” magazine.
 
“Strategic Risk Management – Taking the Long View”
 
Most companies have risk management processes in place, but there is too much focus on operational risk and not enough on strategic risk, De-Risk’s Keith Baxter tells Mark Stuart.
 
Strategic risks are, by definition, the risks that could threaten your business strategy. Keith Baxter, who runs De-Risk, a specialised consultancy that provides enterprise risk management solutions across all business sectors, says: ‘Fail to identify the strategic risks and you fail as a business, no matter how well you manage your operational and project risks.
 
‘For example, you can successfully deliver a new product to market, but if the market has changed while you were designing and manufacturing and no longer wants the product, your strategy will fail. If this is a key new product, such as a car launch for instance, it could spell financial disaster.’
 
There is also confusion over the difference between enterprise risk and strategic risk. ‘Enterprise risk is the total risk to your business and strategic risk is a subset of enterprise risk,’ explains Baxter. ‘The strategic part is the most important, yet many companies don’t consider it.’
 
For Baxter, one big problem with identifying strategic risks is that you can’t brainstorm them: ‘You get too much noise and everyone gets distracted by irrelevancies. Instead, capture your business strategy first – write it down and make it specific with numbers and dates. Ensure that it is communicated to the rest of the board, and to at least two management levels down.
 
The next step is to break down the strategy into its constituent assumptions – things that need to happen, both externally and internally – to ensure the strategy is met. Focusing on assumptions rather than risks works well, as people are more comfortable discussing positives than negatives.
 
Show these assumptions to the board and top-level management, and obtain ratings to identify which are “safe” assumptions, “risky” ones, etc. It is also important to test these assumptions by bringing in one or two industry experts to make sure that the board is not falling into the trap of insular thinking.
 
‘At that point you may start to see patterns – you’ll see where people have consensus on stable assumptions, where they agree that the assumptions are at risk and, most interestingly, where there’s a lack of consensus because different managers are not seeing eye-to-eye.
 
It’s the assumptions that some people think are safe and others believe to be risky that are the really dangerous ones – they represent risks that would not be identified by any traditional risk process.’
 
Baxter continues: ‘An effective strategic risk management process must also include escalated project and operational risks that have strategic implications. The danger here is that nothing gets escalated or too much gets escalated and the board can’t see the wood for the trees.
 
Only risks that have a potential impact on business strategy or require board intervention should be escalated. Everything else should be managed at lower levels in the organisation. To control this efficiently in a large organisation, you will need an automated software tool.’
 
Baxter sums it up by offering an example of his assumption-based strategic risk management approach in action. ‘We worked on a large government programme which was halfway through a five-year plan. Programme risks were being escalated but senior management perceived everything to be ticking along satisfactorily. We set up a strategic risk assessment with the executive team and in just a fortnight it became clear that the programme was not going to meet the strategic objectives of the department. They re-scoped it and re-launched it two months later and it is heading for a successful outcome.
 
‘It wasn’t a case of telling the board what we thought their risks were; it was simply a matter of capturing their assumptions and presenting them in such a way that the managers would realise that what they were planning wasn’t going to work. Our approach is about making senior management see the risks within their own strategic assumptions. It’s the purity of the process that gets the message over.’

Enterprise risk management – Science fiction or reality?

October 9th, 2009
Enterprise risk management (ERM) is the Holy Grail in many organisations. Recent events have made ERM even more desirable in some businesses but is this achievable in reality or just science fiction?

What is Enterprise Risk Management?

Enterprise Risk Management (ERM) is a process by which the total risk to the business is identified, prioritised and managed appropriately. Part of ERM normally involves attempting to quantify the total risk to the business – and this is where the fiction starts!

 What are the benefits of applying ERM?

The key benefits that should be realised from applying effective ERM are improving both short term and long term business profitability and performance by:

  • Avoiding costly mistakes – by capturing and managing risks to key projects and operational processes
  • Validating strategy – by checking that all key stakeholders are “on the same page” with strategic priorities
  • Improved operational effectiveness – through the adoption of a systematic and structured approach
  • Building relationships – by increasing confidence of stakeholders/clients
  • Preserving reputation – by avoiding corporate disasters and associated publicity
  • Anticipating market trends – by ensuring that key market assumptions remain valid

 What are the challenges?

If I were asked how many times I have seen a truly enterprise-wide risk management process I would have to answer: about as many times as I have seen Klingons at Waterloo station! In other words, very few organisations have implemented ERM effectively – why is this?

  • Quantification is difficult/impossible – some risks (e.g. financial, contractual) are easy to quantify whilst others are virtually impossible (e.g. quality, reputational). Therefore when organisations attempt to quantify the total risk to the business they tend to mix “good quality” data with “poor quality” data and therefore dilute the value of the conclusions.
  • Prioritising enterprise risks is difficult – when it comes to comparing different risks from different parts of the organisation, it can be like “comparing apples with oranges”. This is often because objectives are not clear or prioritised across the enterprise.
  • Risk processes are not consistent across teams – leading to differing focus, analysis, prioritisation and management approaches. Again this makes it impossible to build a consistent picture of risks across the enterprise.
  • Risk tools are not supported by effective process – very often, software tools are the first attempt by an organisation to provide some consistency. If these are not backed up by an effective risk process, the effect can be one of “GIGO: Garbage In – Garbage Out” as poor quality data is captured, analysed and then presented as a “high quality” result.

At the highest level the problem is that businesses fail to define their ERM strategy. They fail to agree what they are trying to measure and fail to recognise the difficulties they will face in building an ERM process. The most common trap, which is particularly common in financial institutions, is to integrate the various financial risk management measures (e.g. Credit Risk, Market Risk etc) and to call this “ERM”. Then when a large change programme in the company goes wrong, it happens off their ERM radar and has a massive impact on the business.

Quantified ERM

It will never be possible to achieve high quality quantification across all types of business risk.  However, where it is necessary to calculate total risk exposure, a simple model that will allow quantified risks to be combined is shown here.

Risks that can be readily quantified include all types of financial risks. Even in these areas of risk, there can be enormous uncertainty surrounding the quality of the data. Calculating risks around projects and operations is much more difficult. Techniques such as Quality Based Costing will need to be used to model the uncertainty appropriately; otherwise the numbers will be total guesswork. However, you don’t need to quantify risk in order to manage it – but you do need to measure risks in order to prioritise appropriately and this can be done qualitatively.

Qualitative ERM

A tried and tested model for identifying, analysing, prioritising and combining enterprise risks is shown here. This is a simplification of the Quantified ERM framework with the financial risk element removed. This is not to suggest that financial risk should be ignored – far from it – but it is meant to imply that financial risks should continue to be identified, quantified and managed using established processes and tools. All other risks should be evaluated qualitatively and only quantified on an exception basis i.e. where this can be justified by the quality of the available data and there is a clear need to have a quantified result.

 The elements of the Qualitative ERM model are:

 Strategic Risk Management – There is no point delivering products and projects on time and budget if the market no longer wants them! Thus it is imperative to identify strategic assumptions and risks as the highest priority. The prerequisite of identifying strategic risk is that the strategy of the business is captured and communicated around all senior stakeholders. Strategic risks will by definition have massive potential impacts.

Operational Risk Management – These are the risks to the ongoing processes in the business (e.g. the risk that a production line will stop). Often operational risks are relatively easy to identify as the processes are well established and staffed by experienced personnel. Many organisations include their projects under “Operational risk” but this is often not a good idea…

Programme/Project Risk Management – These are the risks that a programme or project will fail to deliver (e.g. a new product/over budget/late etc). Project risks are more difficult to identify than operational risks as projects are, by definition, trying to introduce something new to the organisation. Risks within major change programmes are the most difficult of all to identify/prioritise/manage due to the programme complexity which makes it difficult to “see the wood for the trees”. These risks are often massive if they relate to a critical change programme for example.

Transformation Risk Management – Projects and programmes that result in significant change (such as new product development, mergers and acquisitions) will “transform” the current business. This is often when the business is exposed to most risk as the pressures increase the risk to both the current operations and the projects trying to transform them. For process purposes, Transformation Risk is often treated as part of the Programme/Project Risk.

 Contingency Planning – Strictly speaking, this is not “risk management” i.e. risk management is about stopping risks occurring (i.e. pro-active) whereas contingency planning relates to what to do if the risk impacts (i.e. re-active). However, this is an essential part of any ERM system as business continuity is paramount for any organisation.

 ERM in practice

The key to successful ERM is to clearly define the scope of your “enterprise” and be prepared to accept that you will not be able to quantitatively measure all aspects of business risk accurately – recognise and discriminate between good quality estimates and guesswork. Set up a consistent qualitative rating system so that you can compare “apples with apples” and therefore prioritise risks consistently across the organisation.

 And having done all that you can beam me up Scotty!
 

Groupthink and Risk

September 10th, 2009
When groups make decisions, they may well take more risks than the individuals themselves would – this is “groupthink”. The term was coined by psychologist Irving Janis in the 70s. Janis defined groupthink as a phenomenon where people seek unanimous agreement in spite of contrary facts pointing to another conclusion. Groupthink tends to occur when a group strives to reach consensus despite organisational flaws, combined with a high degree of homogeneity of members’ social background and ideology. Extreme pressure or stress exacerbates the situation!

Symptoms of groupthink

In summary there are eight symptoms of groupthink to look out for:

  1. Illusions of invulnerability creating excessive optimism and encouraging risk taking.
  2. Ignoring warnings that might challenge the group’s assumptions.
  3. Unquestioned belief in the morality of the group, causing members to ignore the consequences of their actions.
  4. Stereotyping those who are opposed to the group as weak, evil, biased, spiteful, impotent, or stupid.
  5. Direct pressure to conform placed on any member who questions the group, couched in terms of “disloyalty”.
  6. Self censorship of ideas that deviate from the apparent group consensus.
  7. Illusions of unanimity among group members, silence is viewed as agreement.
  8. Mindguards – self-appointed members who shield the group from dissenting information

These symptoms lead to:

  • Incomplete survey of objectives
  • Incomplete assessment of alternatives
  • Failure to examine risks of the preferred choice
  • Failure to re-evaluate previously rejected alternatives
  • Poor information research
  • Selection bias in collecting information
  • Failure to work out contingency plans

Examples of groupthink disasters

Recent examples of business groupthink disasters (and potential Black Swans!) would be Enron, Northern Rock, Lehman Bros, RBS and HBOS where a well publicised story circulated about the HBOS Risk Manager who was “censored” for raising concerns regarding the company’s strategy.

However, much of Janis’ research was based on a series of US foreign policy disasters in the 1970s and in particular, the Bay of Pigs fiasco. In 1961, approximately 1400 Cuban exiles, helped by the US military, were landed on the coast of Cuba at the Bay of Pigs with the intent of overthrowing the regime. Within three days virtually all were dead or captured. President John F Kennedy approved the invasion based on advice from a “team of experts”. The team made a number of key assumptions that proved to be false e.g.:

  • The invasion will trigger an uprising amongst the Cuban population – it didn’t
  • There will be no requirement to retreat from the Bay of Pigs after landing – there was; and so on…..

Janis concluded that the group of experts did not consider alternative viewpoints on the invasion sufficiently and fought too hard to achieve consensus. JFK accepted their conclusions because they were “experts”.

 Interestingly, when the Cuban missile crisis developed, JFK managed the situation very differently.

Another classic example of groupthink risk was the Challenger space shuttle disaster in 1986. Against the recommendations of individual engineers, the “group” agreed to launch and we all know what happened next. Watch this short video which shows explicitly (and shockingly!) how groupthink in the management team contributed to the Challenger disaster http://www.crmlearning.com/groupthink-2nd-edition

 So how do we avoid groupthink?

There are a number of relatively simple but effective ways of avoiding groupthink from an organisational perspective i.e.

  • Use external experts to challenge the group thinking
  • Set-up multiple groups working on the same issue
  • Appoint a “devil’s advocate” for key meetings to test conclusions
  • Senior management deliberately avoid expressing opinions before key meetings/projects

When JFK was faced with the Cuban missile crisis in 1962, he seemed to have learned well from the Bay of Pigs. During planning meetings, he invited outside experts to share their views, and allowed group members to question them thoroughly. He also encouraged group members to discuss possible solutions with trusted members within their separate departments, and he even divided the group up into various sub-groups, to break down the group cohesion. JFK was deliberately absent from the meetings, so as to avoid pressing his own opinion. As we know (because we are all still here!!!), the Cuban missile crisis was resolved peacefully, and the role of these measures has been acknowledged.

How does ABCD help to avoid groupthink?

When ABCD was originally developed in 1992 it was specifically tailored to avoid the problems that are frequently encountered with traditional risk management techniques. Groupthink was one of the problems considered and is addressed by:

  • Interviews – workshops are a terrible way of capturing risks where the group dynamics will allow certain individuals to dominate the discussion while others remain quiet. Interviews ensure that all voices are heard equally and are actually significantly more efficient than workshops for risk identification.
  • Assumptions – by focussing on positive assumptions rather than negative risks, all aspects of the enterprise are considered in a positive and systematic way and openness is naturally encouraged. People are led to think about what needs to happen for success (i.e. the assumptions) rather than being forced to look for risks, which is psychologically unnatural.
  • Assumption ratings – ABCD operates on a “worst case wins” basis i.e. the person who is most concerned controls the ratings even if they have isolated views. This forces people to communicate so that the minimum “Risk Plan” forces “optimists” to talk to “pessimists”. This will either resolve concerns or identify risk that the majority had missed.
  • Top-to-bottom integrity – senior management can set overall risk ratings (i.e. Criticality and Controllability) but they are not allowed to change assumption ratings or close risks/assumptions. Risks can only be closed when the assumption originator agrees to down-grade the ratings.

So would the use of ABCD have prevented the Challenger shuttle disaster? Who knows, but the rigorous structure that ABCD imposes would certainly have ensured that all assumptions were evaluated appropriately for risk before the launch was sanctioned.
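The “worst case wins” rule and the rule that senior management cannot change assumption ratings can be expressed as a small aggregation routine. The Python below is an added example, not code from ABCD or the Assure tool; the A–D letters on both axes, the C-or-worse cut-off for “sensitive and unstable”, the two-step gap used to flag a lack of consensus, modelling the downgrade rule as “only the person who gave a rating may change it”, and the sample ratings are all assumptions made for illustration.

```python
"""Worst-case-wins aggregation of assumption ratings (illustrative only)."""
from dataclasses import dataclass, replace

SCALE = "ABCD"       # assumption: A is the most comfortable rating, D the worst
RISK_FROM = "C"      # assumption: C or D on an axis counts as sensitive/unstable
CONTESTED_GAP = 2    # assumption: raters two or more steps apart = no consensus


@dataclass(frozen=True)
class Rating:
    rater: str
    sensitivity: str
    stability: str

    def __post_init__(self):
        # Reject anything outside the four-point scale (there is no "medium").
        for letter in (self.sensitivity, self.stability):
            if len(letter) != 1 or letter not in SCALE:
                raise ValueError(f"rating must be one of {SCALE}, got {letter!r}")


def _worst(letters):
    return max(letters, key=SCALE.index)


def _gap(letters):
    positions = [SCALE.index(letter) for letter in letters]
    return max(positions) - min(positions)


def assess(ratings):
    """Combine every interviewee's rating of one assumption."""
    if not ratings:
        raise ValueError("an assumption needs at least one rating")
    sens = _worst(r.sensitivity for r in ratings)
    stab = _worst(r.stability for r in ratings)
    threshold = SCALE.index(RISK_FROM)
    return {
        "sensitivity": sens,
        "stability": stab,
        # Sensitive AND unstable: treated as a risk and given an action plan.
        # Everything else is monitored only.
        "is_risk": SCALE.index(sens) >= threshold
        and SCALE.index(stab) >= threshold,
        # The most concerned raters control the result, so they are the people
        # the risk plan has to bring the optimists to talk to.
        "controlling_raters": sorted(
            r.rater for r in ratings
            if r.sensitivity == sens or r.stability == stab
        ),
        # A wide spread means some think the assumption is safe, others risky.
        "contested": max(
            _gap(r.sensitivity for r in ratings),
            _gap(r.stability for r in ratings),
        ) >= CONTESTED_GAP,
    }


def revise(ratings, rater, actor, sensitivity, stability):
    """Change one rater's rating; nobody else may do it on their behalf."""
    if actor != rater:
        raise PermissionError(f"{actor} cannot change a rating given by {rater}")
    if all(r.rater != rater for r in ratings):
        raise KeyError(rater)
    return [
        replace(r, sensitivity=sensitivity, stability=stability)
        if r.rater == rater else r
        for r in ratings
    ]


# Constructed sample: three interviewees rate the page's example assumption,
# "10 resources with XXX specific skills will be available for YYY testing".
SAMPLE = [
    Rating("Project manager", "B", "A"),
    Rating("Test lead", "C", "C"),
    Rating("Sponsor", "B", "B"),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
    try:
        revise(SAMPLE, "Test lead", "Programme director", "A", "A")
    except PermissionError as err:
        print("rejected:", err)
    print(assess(revise(SAMPLE, "Test lead", "Test lead", "C", "B")))
```

A single isolated “C/C” from the test lead is enough to make the assumption a risk, and it only stops being one when the test lead personally lowers the rating.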


Risk Management – Positively Useless?

August 11th, 2009

 

Many of you will be familiar with ABCD risk management and its benefits. But have you really thought why it is so effective when compared to “traditional” risk management approaches? To explain this you really have to consider the psychology behind traditional risk approaches and how this tends to hinder the effective identification and management of the risks. 

Small organisations tend to get things done with little fuss. As organisations get a little bigger, the concept of the “project” is introduced and they are generally successful as the projects are relatively simple. As organisations get bigger still the projects get larger, and more complex, and this is when things tend to go wrong – projects finish late and go over budget and often fail to meet their original objectives. Why is this?

At a fundamental level, it all comes down to communication – or the lack of it. Simple projects are done by small teams, very often collocated in the same office. When they need to communicate they do so verbally and face-to-face. The communication is understood and the understanding is confirmed. However, as projects get bigger, the teams get larger and before long it becomes very easy for plans to be misread, emails to be misinterpreted and the perspective on the objectives to be different between individuals on the project team, and associated stakeholders. In fact these problems start to emerge in surprisingly small projects and anything with a combined team and stakeholder group of more than about 10 people can easily go off the rails, particularly if the team is geographically dispersed. So if communication is the issue, how do we go about improving communication in an age of information overload?

Why is there so much resistance to risk management?

Most project management thinking would advocate the introduction of some form of formal risk management process for any significant project. Traditional approaches to project risk management are based on identifying risks, perhaps through some form of workshop; adding impact and probability ratings, either qualitatively or quantitatively, and then multiplying these together to come up with a Risk Exposure which allows prioritisation and action. It all sounds good in theory but in practice, there are likely to be significant problems with this approach.

The most fundamental problem comes down to the psychology of risk and language. Projects are all about achieving objectives by set timescales i.e. positive ventures. Risk is a negative entity, so to get people to think and talk openly about their risks can be a challenge to say the least. For example, when you ask a Project Manager, “What are your risks?” this can have two primary effects:

  1. The Project Manager’s brain is thinking positively and is suddenly asked a question that is pushing in completely the opposite direction. The effect is to “confuse” the brain so that it starts thinking about things that might go wrong but are not linked to the objectives of the project. The effect is to generate spurious risks.
  2. The Project Manager immediately starts to think things like “what are they going to do with this information?” and may feel threatened that their fears may be shared with colleagues and superiors. The effect will be that they tell you what risks they are actually comfortable about managing and not the ones that are their real concerns.

This psychological barrier can significantly compromise risk identification and therefore will undermine the whole risk management process.

In addition there are further problems with traditional approaches that compromise quality and efficiency:

  • There is a general tendency for people to focus on today’s problems or “issues” rather than tomorrow’s risks. This results in Issue Management (reactive) rather than Risk Management (pro-active). You need to do both or you will always be fighting fires.
  • Risk statements are captured which are too generic to communicate the real concerns (e.g. “Insufficient resources”) and therefore cause confusion and give no insight to guide risk planning. This furthers the perception that the risk process is not adding value. At the opposite end of the scale, some risk statements may resemble essays and therefore never get read or actioned.
  • Quantitative analysis is often based on wild numerical guesses and leads to incorrect prioritisation and inappropriate action. People tend to concentrate on the risks that they can quantify (e.g. contractual penalties, direct cost of resources) and play down risks that have “softer” impacts that can’t be quantified (e.g. impacts on quality, relationships or reputation).
  • Qualitative analysis is often based on HML type scales that lead to a default rating as Medium risk exposure and inappropriate prioritisation so that it is impossible to “see the wood for the trees” (e.g. High impact x Low Probability = Medium Risk Exposure).
  • The risk analysis results in very little real action other than work that was already planned and therefore the process is not valued by the team. The actions required to manage the risks are not specific and therefore not followed through.

Traditional risk management approaches can be made to work but the administrative overhead involved in managing the above problems tends to mean that, at best, the benefits are not justified by the cost and effort.

Assumptions Analysis rather than Risk Analysis

If we accept that the basic problem is communication we must place this at the core of our approach. However, we must also remember that we must not overload stakeholders with information so efficiency is also a key factor.

The ABCD Assumption Analysis process was developed as part of an integrated risk management process that directly addresses the weaknesses seen in traditional risk management processes, as described above. The main strengths of the process are:

  • Assumptions allow people to think positively (what needs to happen?), rather than negatively (what may go wrong?). Therefore, people tend to communicate their assumptions more openly than their risks.
  • Plans consist of facts and assumptions and a lot more of the latter than the former. By capturing the key assumptions that knit the plans together, along with assumptions made about external constraints and interdependencies, a complete and consistent analysis of the risks is easily conducted. Also, the analysis is focused on the plans and therefore the underlying risks are always relevant to the project under assessment.
  • Assumptions are naturally future focussed – you cannot make assumptions about things that have already happened and therefore the focus stays on risks rather than issues.
  • The root cause of any risk is in the underlying assumption(s). If we can deal with the root cause rather than the impact, we can normally fix things more easily and cheaply at source rather than spending a small fortune clearing up the mess. This leads to short, sharp action plans that tend to get done!

For more details on Assumptions Analysis visit De-Risk.com

Assumption Analysis in practice

Since its conception in the early 1990s, ABCD Assumption Analysis has been used on thousands of projects worldwide. These range from relatively small projects that would yield approximately 30 key assumptions to analyse and manage to some of the largest change programmes in the world that require the tracking of thousands of assumptions. The hierarchical rules in ABCD mean that ABCD can be scaled easily to accommodate programmes of any size. This means that the traditional problem of information overload, where large programmes result in too many risks being escalated to senior management, is controlled naturally in ABCD and you can always “see the wood for the trees”.

So by focussing on the assumptions (and communicating them) rather than risks, you should identify the real risks to your projects quickly and efficiently. By managing these risks you will have the confidence that your projects will deliver on time, to budget and meet their critical objectives.

 

Avoiding Black Swans

July 15th, 2009

In 2008, Nassim Nicholas Taleb published a book called “The Black Swan”. A Black Swan is defined as being an event which has three characteristics: it is highly improbable, has massive impact and, in a strange way, appears almost inevitable after the event! Due no doubt to the timing of the book’s publication relative to world events, the term Black Swan has crept into business language. So how do we protect our businesses from Black Swans?

Black Swan Events

Taleb coined the term “Black Swan” from the story of the discovery that black swans existed. Before the discovery of the New World, the Old World assumed that all swans must be white. In other words, if a black swan had never been seen, then it was assumed that the possibility of a non-white swan was so improbable as to be non-existent.

Examples of recent Black Swan events are 9/11, the success of Google and the current global financial crisis. Many people would say that any or all of these examples could have been predicted, but even if some people did foresee these events, no significant mitigating actions were taken, otherwise their impact would not have been so great.

For most growing businesses, a Black Swan event would be a risk that has not been explicitly considered and that would lead to a major setback for the business and even complete business failure.

So why doesn’t risk management cope with Black Swans?

Traditional risk management relies on identifying risks based on the experience of the teams involved in the enterprise. If the risk is outside the experience of the group it is unlikely to be considered. Even if it is considered, it is likely to be prioritised very low by being allocated an extremely low probability rating.

Risk management is not really designed to identify Black Swan events. Risk management concentrates on managing the risks to the enterprise that would have a significant impact and have a reasonable probability of occurring. This is simply a way of prioritising all potentially “bad events” so that time and resource can be allocated. It is appropriate for ongoing business operations to focus on risks in this way, but this means that by applying traditional risk management methods, most Black Swan risks will not be identified and any Black Swan risks that are considered will not be actioned due to their very low probability.

Brainstorming risks is highly unlikely to capture Black Swans. The exercise will either be too narrow, by staying within the comfort zones of the participants, or too broad by considering risks that are not relevant to your business (eg earthquakes in a non-earthquake zone). 

In addition, the negative connotations of the word “risk” mean that people have to change the way in which they think in order to identify negative events. A much more effective way to operate is to use ABCD Risk Management and consider the strategic assumptions of the business ie what are the things that must happen for your business strategy to succeed. Thinking assumptions rather than risks also helps to keep you focussed on the objectives of the business and grounds any “out-there” risks in the context of your enterprise.

The assumptions are analysed for risk using Sensitivity and Stability. Assumptions that are rated as CC or above are considered to be “risky assumptions”. However, up to this point, this is still a form of risk analysis and not Black Swan analysis.  

Black Swan Assumption Analysis

So how do we use Assumption Analysis to identify Black Swans? Firstly we need to identify the strategic assumptions for our business. The strategy statement should be broken down into its constituent assumptions i.e. the things that need to happen to ensure that the strategy is achieved. Aim for about 10-20 assumptions and ensure that you consider both internal and external factors as much as possible. 

The Sensitivity of the assumptions should all be rated as Cs or Ds or they are not really strategic! The Stability ratings could take any rating from A-D. However, unlike risk management, it is not the CC and above rated assumptions that we are interested in – these would be handled as “risks” and be part of the ongoing (strategic) risk management process. Black Swan assumptions will be rated as Sensitivity D and Stability A or B ie they will have a massive impact if they don’t hold but are considered to be fairly or very stable. 

We then need to further test the assumptions by considering relevant risk drivers in the world that could potentially affect our business strategy to a massive extent eg:

  • Market changes eg oil prices, currency fluctuations, credit availability etc.
  • Socio-political changes eg change of government, adoption of Euro etc.
  • Health crises eg flu pandemic, fall-out from dirty bomb etc.

Note that we are not looking for minor events here (eg oil prices rise by 10% per annum) but massive events (eg oil prices triple in 12 months) and the compound effect of events occurring together. 

We can then use these drivers to challenge the Sensitivity and Stability ratings and change them if appropriate. It is important to note that it may not be possible to undertake an effective assessment of risk drivers without engaging an external industry expert to challenge the internal thinking. Some limited degree of academic input or management consultant involvement may pay dividends in breaking down what Irving Janis calls “Groupthink” – i.e. the tendency for homogeneous teams to fight too hard for consensus and to not consider alternative viewpoints – and therefore miss Black Swans. 

An effective risk driver approach will inevitably move more assumptions into the risk management category where they can be dealt with appropriately. This will leave us with a small number of assumptions that are rated as D Sensitivity and A or B Stability and these are our potential Black Swan assumptions and events. 

Managing Black Swans

These Black Swan assumptions will need to be considered completely separately from the risks. By their very nature, you do not think that they will happen and therefore you will not be pre-disposed to take action. You basically have one choice – to de-sensitise your business to the effects of the assumptions, but you have two ways in which this can be accomplished – proactively or reactively. 

Proactive means that you will take action now to reduce the potential impact later. This could be done by building in redundancy or standby systems, creating emergency systems, tightening procedures etc. 

Reactive would be to define contingency plans if the Black Swan did materialise. These may range from quite sophisticated to very basic if that is all that can be realistically done eg replacing automatic systems with totally manual ones. 

The highly unlikely nature of Black Swans will tend to lead you towards reactive rather than proactive approaches but this is not always the right thing to do – think 9/11! 

And of course the big factor is likely to be cost but this must be weighed against the potential massive impact if the Black Swan materialises. In the tsunami of 2004, 230,000 lives were lost and $15B of damage was done because the cost of a warning system, estimated at around $30m, was considered too expensive. That works out at $130 per life lost. 

Good Black Swans

A final point to note is that Black Swans can be good as well as bad for your business. Some of the biggest business successes seemed highly unlikely but today Google and eBay are massive global businesses, the iPod has outsold all expectations and more recently the use of Twitter seems to be growing exponentially. Consequently, when considering your strategic assumptions, don’t just look for the risks, look for investment opportunities.