Read an Excerpt

Identifying and Managing Project Risk

Essential Tools for Failure-Proofing Your Project

AMACOM

Why Project Risk Management?

Those who cannot remember the past are condemned to repeat it. —George Santayana

Far too many of today's projects retrace the shortcomings and errors of earlier work. Projects that successfully avoid such pitfalls are often viewed as "lucky," but there is usually more to it than that.

The Doomed Project

All projects involve risk. There is always at least some level of uncertainty in a project's outcome, regardless of what the Microsoft Project Gantt chart on the wall seems to imply. Modern projects are particularly risky, for a number of reasons. First, they are complex and highly varied. These projects have unique aspects and objectives that significantly differ from previous work, and the environment for complex projects evolves quickly. In fact, the very opportunities that give rise to today's projects contain significant uncertainty, increasing the differences from one project to the next. In addition, modern projects are frequently "lean," challenged to work with minimal funding, staff, and equipment. To make matters worse, there is a pervasive expectation that, however fast the last project may have been, the next one should be even quicker. The number and severity of risks on these projects continue to grow. To avoid a project doomed to failure, you must consistently use the best practices available.

Good project practices come from experience. Experience, unfortunately, generally comes from bad project management. We can learn what not to do by doing it and then dealing with the consequences. Fortunately, we can also benefit from experience even when it is not our own. The foundation of this book is the experiences of others—a large collection of mostly plausible ideas that did not work out as well as hoped.

Projects that succeed generally do so because their leaders do two things well. First, leaders recognize that much of the work on any project, even the highest of high-tech projects, is not new. For this work, the notes, records, and lessons learned on earlier projects can be a road map for identifying, and in many cases avoiding, many potential problems. Second, they plan project work thoroughly, especially the portions that require innovation, in order to understand the challenges ahead and to anticipate many of the risks.

Effective project risk management relies on both of these ideas. By looking backward, past failures may be avoided, and by looking forward via project planning, many future problems can be minimized or eliminated.

Risk

In projects, a risk can be almost any uncertain event associated with the work. Not all risks are equally important, though. Project leaders must focus on risks that can materially affect project objectives, or "uncertainty that matters." There are many ways to characterize risk. One of the simplest, from the insurance industry, is:

Loss multiplied by likelihood

Risk is the product of these two factors: the expected consequences of an event and the probability that the event might occur. All risks have these two related but distinctly different components. Employing this concept, risk may be characterized in aggregate for a large population of events (macro risk), or it may be considered on an event-by-event basis (micro risk).

Both characterizations are useful for risk management, but which of these is more applicable differs depending on the situation. In most fields, risk is primarily managed in the aggregate, that is, in the macro sense. As examples, insurance companies sell a large number of policies, commercial banks make many loans, gambling casinos and lotteries attract crowds of players, and managers of mutual funds hold large portfolios of investments. The literature of risk management for these fields (which is extensive) tends to focus on large-scale risk management, with secondary treatment for managing single-event risks.

As a simple example, consider throwing two fair, six-sided dice. In advance, the outcome of the event is unknown, but through analysis, experimenting, or guessing, you can develop some expectations. The only possible outcomes for the sum of the faces of the two dice are the integers between 2 and 12. One way to establish expectations is to figure out the number of possible ways there are to reach each of these totals. (For example, the total 4 can occur in three ways from two dice: 1 + 3, 2 + 2, and 3 + 1.) Arranging this analysis in a histogram results in Figure 1-1. Because each of the 36 possible combinations is equally likely, this histogram can be used to predict the relative probability for each possible total. Using this model, you can predict the average sum over many tosses to be 7.

If you throw the dice many times, the empirical data collected (which is another method for establishing the probabilities) will generally resemble the theoretical histogram. However, because the events are random, it is extraordinarily unlikely that your experiments rolling dice will ever precisely match the theory. What will emerge, though, is that the average sum generated in large populations (100 or more throws) will be close to the expected average of 7, and the shape of the histogram will also be similar to the predicted theoretical distribution. Risk analysis in the macro sense takes notice of the population mean of 7, and casino games of chance played with dice are designed by "the house" to exploit this fact. On the other hand, risk in the micro sense, noting the range of possible outcomes, dominates the analysis for casino visitors, who may play such games only once; the risk associated with a single event—their next throw of the dice—is what matters to them.

For projects, risk management in the large sense is useful to the organization where many projects are undertaken. But from the perspective of the leader of a single project, there is only the one project. Risk management for the enterprise or for a portfolio of projects is mostly about risk in the aggregate (a topic explored in Chapter 13). Project risk management focuses mainly on risk in the small sense, and this is the dominant topic of this book.

Macro Risk Management

In the literature of the insurance and finance industries, risk is described and managed using statistical tools: data collection, sampling, and data analysis. In these fields, a large population of individual examples is collected and aggregated, and statistics for loss and likelihood can be calculated. Even though the individual cases in the population may vary widely, the average loss-times-likelihood tends to be fairly predictable and stable over time. When large numbers of data points from the population at various levels of loss have been collected, the population can be characterized using distributions and histograms, similar to the plot in Figure 1-2. In this case, each "loss" result that falls into a defined range is counted, and the number of observations in each range is plotted against the ranges to show a histogram of the overall results.

Various statistics and methods are used to study such populations, but the population mean is the main measure for risk in them. The mean represents the typical loss—the total of all the losses divided by the number of data points. The uncertainty, or the amount of spread for the data on each side of the mean, also matters, but the mean sufficiently characterizes the population for most decisions.

In fields such as these, risk is managed mostly in the macro sense, using a large population to forecast the mean. This information may be used to set interest rates for loans, premiums for insurance policies, and expectations for stock portfolios. Because there are many loans, investments, and insurance policies, the overall expectations depend on the average result. It does not matter so much how large or small the extremes are; as long as the average results remain consistent with the business objectives, risk is managed by allowing the high and low values to balance each other, providing a stable and predictable overall result.

Project risk management in this macro sense can be useful at the project portfolio and enterprise levels. If all the projects undertaken are considered together, performance primarily depends on the results of the "average" project. Some projects will fail and others may achieve spectacular results, but the aggregate performance is what matters to the business's bottom line. Chapter 13 explores managing risk at these levels and the relationship of portfolio and enterprise risk management to project risk management.

Micro Risk Management

Passive measurement, even in the fields that manage risk using large populations, is never the whole job. Studying averages is necessary, but it is never sufficient. Managing risk also involves taking action to influence the outcomes.

In the world of gambling, which is filled with students of risk on both sides of the table, knowing the odds in each game is a good starting point. Both parties also know that if they can shift the odds, they will be more successful. Casinos shift the game in roulette by adding zeros to the wheel but not including them in the calculation of the payoffs. In casino games using cards such as blackjack, casino owners employ the dealers, knowing that the dealer has a statistical advantage. In blackjack, the players may also shift the odds by paying attention and counting the cards, but establishments minimize this advantage through frequent shuffling of the decks and barring known card counters from play. There are even more effective methods for shifting the odds in games of chance, but most are not legal; tactics like stacking decks of cards and loading dice are frowned upon. Fortunately, in project risk management, shifting the odds is not only completely fair, it is an excellent idea.

Managing risk in this small sense considers each case separately—every investment in a portfolio, every individual bank loan, every insurance policy, and, in the case of projects, every exposure faced by the current project. In all of these cases, standards and criteria are used to minimize the possibility of large individual variances above the mean, and actions are taken to move the expected result. Screening criteria are applied at the bank to avoid making loans to borrowers who appear to be poor credit risks. (Disregarding these standards by deviating from this policy and offering so-called subprime mortgages was responsible for much of the disastrous 2008 worldwide economic downturn.) Insurers either raise the price of coverage or refuse to sell insurance to people who seem statistically more likely to generate claims. Insurance firms also use tactics aimed at reducing the frequency or severity of the events, such as auto safety campaigns. Managers of mutual funds work to influence the boards of directors of companies whose stocks are held by the fund. All these tactics work to shift the odds—actively managing risk in the small sense.

For projects, risk management is almost entirely similar to these examples, focusing on aspects of each project individually. Thorough screening of projects at the overall business level attempts to select only the best opportunities. It would be excellent risk management to pick out and terminate (or avoid altogether) the projects that will ultimately fail—if only it were that easy. As David Packard noted many years ago, "Half the projects at Hewlett-Packard are a waste of time and money. If I knew which half, I would cancel them."

Project risk management—risk management in the small sense—works to improve the chances for each individual project. The leader of a project has no large population, only the single project; there will be only one outcome. In most other fields, risk management is primarily concerned with the mean values of large numbers of independent events. For project risk management, however, what generally matters most is predictability—managing the variation expected in the result for this project.

For a given project, you can never know the precise outcome in advance, but through review of data from earlier work and project planning, you can improve your predictions of the potential results that you can expect. Through analysis and planning, you can better understand the odds and take action to change them. The goals of risk management for a single project are to establish a credible plan consistent with business objectives and then to minimize the range of possible outcomes, particularly adverse outcomes.

One type of "loss" for a project may be measured in time. The distributions in Figure 1-3 compare timing expectations graphically for two similar projects. These plots are different from what was shown in Figure 1-2. In the previous case, the plot was based on empirical measurements of a large number of actual historical cases. The plots in Figure 1-3 are projections of what might happen for these two projects, based on assumptions and data for each. These histograms are speculative and require you to pretend that you will execute the project many times, with varying results. Developing this sort of risk characterization for projects is explored in Chapter 9, which discusses quantifying and analyzing project risk. For the present, assume that the two projects have expectations as displayed in the two distributions.

For these two projects, the average (or mean) duration is the same, but the range of expected durations for Project A is much larger. Project B has a much narrower spread (the statistical variance, or standard deviation), and so it will be more likely to be completed close to the expected duration. The larger range of possible durations for Project A represents higher risk, even though it also includes a small possibility of an outcome even shorter than that expected for Project B. Project risk increases with the level of uncertainty, both negative and positive.

Project risk management uses the two fundamental parameters of risk—likelihood and loss—just as any other area of risk management does. Likelihood is generally characterized as probability and may be estimated in several ways for project events (though often by guessing, so it can be quite imprecise). For projects, loss is generally referred to as impact, and it is based on the consequences to the project if the risk does occur. Impact is usually measured in time (as in the examples in Figure 1-3) or cost, particularly for quantitative risk assessment. Other risk impacts include increased effort, issues with stated deliverable requirements, and a wide range of other more qualitative consequences that are not easily measured, such as team productivity, conflict, and impact on other projects or other operations. Applying these concepts to project risk is covered in Chapter 7.

Managing project risk depends on the project team understanding the sources of variation in projects and then working to minimize threats and to maximize opportunities wherever it is feasible. Because no project is likely to be repeated enough times to develop distributions like those in Figure 1-3 using measured, empirical data, project risk analyses rely heavily on projections and range estimates.

Opportunities and Risks

The topic of opportunities arises frequently when discussing risk. Both topics are complex, and there is no question that they are interrelated. In the project environment, there are at least three types of opportunity. The first relates to choices made concerning the specifications and other aspects of the expected project deliverable. The second type of opportunity that projects deal with relates to decisions made in planning and executing the work, generally involving trade-offs. A third type of opportunity involves uncertainties regarding project activities having a range of outcomes that may either be adverse or beneficial to the project (similar to the duration estimates in Figure 1-3). All three of these meanings for opportunity relate to risk, and each is covered in some detail in this book.

---

Excerpted from Identifying and Managing Project Risk by TOM KENDRICK. Copyright © 2015 Tom Kendrick. Excerpted by permission of AMACOM.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---