Is risk considered a four-letter dirty word and, therefore, ignored in managing projects in your organization?
Or do you at least acknowledge it but formally do nothing about it?
If the answer is yes to either one of these questions, you’re likely practicing what I call Project Risk Management (PRM) 0.0. That is, you use no formal methodologies, processes, or tools to manage project risks. And in fact, you’re ignoring risks altogether.
If you were not using any formal methods in the old days, say, through the early 1990s, you had a good excuse. You probably didn’t need them and, even if you did, they were hardly available.
But PRM has evolved over the last few decades. It’s not a dirty word anymore. PRM is now front and center of project management.
1G project risk management
PRM arrived on the global stage circa 1990s, thanks to the confluence of many factors.
Technology was taking center stage. Teams were becoming global. Projects were growing in number, size, and complexity. Risks were increasing. Stakes were becoming high. The industry had no choice but to embrace formal risk management practices.
First generation (1G) PRM commonly consisted of risk registers and qualitative risk analysis. A key characteristic of qualitative analysis is that you estimate the probability of occurrence of identified risk events and their impact on project schedules and costs using descriptors such as low, medium, and high.
A risk register is a chart or a spreadsheet where you document, among other things:
- Risk events identified for the project
- Results of your analysis of the severity of each event, severity being a function of its probability of occurrence and its impact (if it occurs) on project objectives
- Ranking of the events based on their severity
- A list of possible response actions for each event and their advantages and disadvantages.
A risk matrix, also called a “heat map,” is a common tool that shows the positions of the risk events you’ve identified based on their probability and impact.
2G project risk management
As we advanced into the new millennium, 2G PRM entered the scene.
In the early 2000s more established industries such as oil and gas, petrochemicals, mining, construction, defense, aerospace, etc. started to adopt quantitative tools for analyzing risk events. These tools primarily involved quantitative estimation of the probability of risk events and their impact on project schedules and costs.
The new product development industry typically faces ambiguity regarding the success vs. failure of their projects due to unknown or untested technologies. So, they found decision tree analysis to be an effective tool to account for the ambiguity risk in making profitability (benefit vs. cost) estimates.
Quantitative analysis at that time was primarily in terms of deterministic (single value) rather than stochastic (probabilistic) estimation. Although stochastic methods consisting mainly of Monte Carlo simulations existed at the time, they were not common, because:
- The tools were generally costly.
- Simulation calculations took a long time due to computational limitations.
- Skilled people were scarce.
Quantitative analysis is the main distinguishing feature of 2G risk management compared to 1G, which is characterized by qualitative analysis.
Key characteristics of 3G risk management
The onset of 3G PRM may have occurred in the 2010s, but it is starting to show advancement in the 2020s.
3G may not involve a whole new set of tools but offers new ways of applying old ones. Take Monte Carlo methods, for example, which have been around for a long time. Now they have new applications. Plus, it’s so much easier to use them today due to the enormous power and speed of modern computers.
Let’s look at five key characteristics of 3G risk management and what each adds to the process.
1. Account for four types of risks (and opportunities)
As I discussed in previous blogs, there are four types of project risks, namely, variability, events, ambiguity, and emergent, that you must account for, so your project schedule and cost estimates are more realistic. If you do not, the chances of reaching schedule and cost targets would probably be less than 10%! (Yup, that’s right, less than 10%!!!)
Furthermore, under events risk, if you only consider negative risk events, referred to as threats, cost and schedule estimates can become overly pessimistic and may unnecessarily jeopardize a project’s benefit-cost equation. Therefore, project teams must also identify and leverage opportunities with positive impact on project cost, schedule, and technical performance.
2. Apply stochastic methods
The commonly used deterministic (single value) estimates of project costs, schedules, profitability (e.g., net present value), etc. do not account for any uncertainty associated with those estimates.
Stochastic methods involve simulations and deal with ranges of possible values of inputs to your estimation models as well as the estimates (outputs). They help you with sensitivity analysis, what-if scenario assessment, risk prioritization, reserves estimation, and so on.
Results from stochastic methods give decision makers better insight into required investment and return on those investments.
The basic application of stochastic methods includes estimation of project costs, schedules, reserves, and profitability. Advanced applications consist of decision trees, optimization models, “real options” methodologies, etc. at project, program, and portfolio levels.
3. Leverage “strategic ambiguity”
Ambiguity risk is associated with projects that involve new technologies, technical complexity, and evolving requirements. Artificial intelligence/machine learning, digital transformation, biotechnology, and big pharma projects are good examples.
For such projects, a great opportunity exists to leverage the ambiguity, which I call “strategic ambiguity,” for competitive advantage. Depending upon the nature of the project, you may adjust your project management approach (agile, waterfall, hybrid, etc.). Also, you can proactively develop strategic options and make appropriate contingent decisions in a timely manner as the project unfolds.
4. Integrate schedule and cost risks
In many organizations, especially those with a “project controls” function, project cost and schedule risks are analyzed separately by teams in different silos, ignoring their combined effect on project objectives.
It’s well known that any schedule delay invariably causes cost increases. Acceleration of schedule by fast tracking or by addition of more resources also increases costs. To account for the impact of schedule changes on project cost, you need to integrate the risks in both areas.
Using a common risk register and integrating schedule and cost risk analysis will give you more realistic project estimates.
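Here is a small Monte Carlo sketch of the stochastic, integrated approach described in points 2 and 4. It is an example added here, not taken from any particular tool; the tasks, risk events, probabilities, and cost figures are all constructed for illustration.

```python
import random

# Constructed sample data: task durations in days as (name, low, most likely, high).
TASKS = [("design", 20, 30, 50), ("build", 40, 60, 100), ("test", 15, 20, 40)]
# Constructed shared risk register: (event, probability, delay in days, direct cost).
# Negative delay/cost marks an opportunity rather than a threat.
EVENTS = [("vendor delivery slips", 0.30, 15, 20_000),
          ("existing module can be reused", 0.25, -10, -15_000)]
DAILY_BURN = 2_000   # assumed time-dependent cost per schedule day
FIXED_COST = 50_000  # assumed time-independent cost

def deterministic():
    """Single-value estimate: most likely durations, no risk events."""
    days = sum(ml for _, _, ml, _ in TASKS)
    return days, FIXED_COST + days * DAILY_BURN

def simulate(runs=20_000, seed=1):
    """Monte Carlo runs returning (days, cost) pairs from one integrated model."""
    rng = random.Random(seed)
    results = []
    for _ in range(runs):
        # Variability risk: each duration is drawn from a triangular range.
        days = sum(rng.triangular(lo, hi, ml) for _, lo, ml, hi in TASKS)
        cost = FIXED_COST
        # Event risk: each register entry fires with its own probability.
        for _, prob, delay, direct in EVENTS:
            if rng.random() < prob:
                days += delay
                cost += direct
        # Integration: the schedule outcome drives cost within the same run.
        results.append((days, cost + days * DAILY_BURN))
    return results

def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def summarize(results):
    det_days, det_cost = deterministic()
    p80_days = percentile([d for d, _ in results], 0.80)
    p80_cost = percentile([c for _, c in results], 0.80)
    on_target = sum(d <= det_days and c <= det_cost for d, c in results)
    return {"p80_days": p80_days, "p80_cost": p80_cost,
            "schedule_reserve_days": p80_days - det_days,
            "cost_reserve": p80_cost - det_cost,
            "p_on_target": on_target / len(results)}

if __name__ == "__main__":
    print(deterministic(), summarize(simulate()))
```

The reserves reported are the gap between the 80th-percentile outcome and the single-value estimate, and `p_on_target` is the share of runs that meet both the schedule and the cost target at once.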
5. Analyze project, program, and portfolio risks holistically
Projects, especially in large organizations, are often implemented as part of programs and portfolios.
Risks are typically analyzed, if at all, separately at these levels. At the project level, the focus is on the triple constraints (scope, cost, time). At the program level, it’s about the risk related to project dependencies and benefits delivery. At the portfolio level, there’s a risk of selecting the wrong projects or wrong mix of projects.
A unified approach that accounts for risks at all three levels will improve your overall “risk efficiency” and ultimate project success across the entire organization.
3G risk management is not a substitute but a supplement to 2G as well as 1G. Tools from all three generations can coexist. Their application primarily depends on project size and complexity and your organization’s overall project management maturity.