Do you set an alarm to wake up in the morning?
Many of us do. We want to minimize the likelihood of showing up late at work or missing an early morning flight. Being aware or not, we use many other preventive steps in our personal lives.
We buckle up when we drive our cars to minimize the consequences should we get into an accident. You may arrange, as Plan B, for your spouse or somebody else to pick up Johnny at school, in case you can’t, because of an important deliverable you need to finish by day’s end. This is contingency planning.
You may sometimes skip your usual route from work to home and take a different one to avoid heavy traffic. Most of us buy automobile, home, and other types of insurance and transfer our risk of potential liability to a third party. We may accept certain highly unlikely risks by doing nothing about them. For example, most of us travel by plane regularly, despite the chance of a fatal crash because of its infinitesimal likelihood.
Four types of risks in project management
The above risks are called “event risks,” because they are caused by specific events. They are significant risks and managing them has become common practice in project risk management in recent years. However, there are three additional types of risks that deserve equal attention: variability, ambiguity, and emergent.
Variability risk, which is virtually 100% guaranteed, is a non-event risk caused by the uncertainty associated with various project estimates such as benefits, costs, and schedules. It’s the difference between the estimated and actual values.
Ambiguity risk is often caused by uncertainty about how the project scope will unfold. It may be due to technology complexity, evolving project requirements, or new technology.
Emergent risk, also referred to as “unknown unknowns,” is event-based and not predictable. It only becomes evident after it has happened (e.g., tsunami).
I defined and discussed these risk types with examples and management methods in more detail in four separate previous blogs. Below I offer tips on effective strategies to manage them in a collective and coherent fashion. The accompanying chart summarizes definitions, examples, and management tools and techniques for these risks.
Cultivate a new risk mindset
Starting at the helm and all the way down into your organization’s trenches, everybody needs to understand that risks are inherent to our projects—as well as our overall business—and we cannot afford to ignore them. We cannot treat risk as a four-letter dirty word. Risk management should be part of our daily conversations. It should be on the agenda of meetings in project war rooms as well as executive boardrooms. Unless we manage risks effectively, our cost of business can increase making us less competitive.
Risk management is not just about minimizing threats but it’s also about maximizing opportunities. We must manage them by design rather than default. Fighting fires costs orders of magnitude higher than preventing fires. Be proactive.
Differentiate tactical vs. strategic risks
Event and variability risks are tactical in nature, whereas ambiguity and emergent are strategic. They require different tools for analysis and management action. We typically use qualitative tools for analyzing tactical risks and quantitative ones for strategic risks. The responsibility of managing tactical risks lies with project teams, whereas management is responsible for strategic risks.
The impact of tactical risks, especially the event type, is negative resulting in, for example, project cost overruns and schedule delays. They are managed at the project level by taking proper upfront preventive action based on an analysis of their characteristics including the likelihood of occurrence and impact.
Ambiguity risk involves future uncertainty about the project scope that may lead to project failures or successful outcomes involving new opportunities. Emergent risks can disrupt not just project activities, but the whole enterprise. The stakes are greater with both these risks. That’s why management has to take the responsibility.
Identify and prioritize risks constantly
Risk management is not a one-time event in managing projects. It should be a continuous process spanning the entire project life cycle. It’s because old risks may disappear and new ones appear as a project progresses. Furthermore, the characteristics of a risk event (e.g., its likelihood and impact) can change over time.
There’s no point in taking preventive action on every risk you’ve identified. The cost would be too prohibitive. The likelihood of every identified risk materializing is miniscule. Therefore, it’s only prudent to take preventive action on the more significant ones. Sensitivity analysis is a common tool applied for prioritization. Identify, re-identify, prioritize, and reprioritize risks—constantly.
Develop and implement proactive measures
As mentioned before, project teams are responsible for tactical risks and management for strategic ones. To reduce variability risks, project teams need to improve their estimation models and methods dealing with, for example, project benefits, costs, and schedules.
For event risks, consider various proactive measures as illustrated at the outset with examples from our personal lives. They include minimizing the likelihood or consequence of the event, planning contingencies, transferring the risk to another party, and avoiding it by eliminating its cause.
To optimize ambiguity risks, develop a clear strategic roadmap outlining go/no-go project investment decisions, future success vs. failure outcomes, and possible alternative executive actions following each outcome, and so on. Furthermore, allow project teams to apply the right project development approach. Rolling wave or incremental planning, progressive elaboration of project requirements and scope, and other adaptive and agile methods are more appropriate than the waterfall/predictive models when ambiguity risk is involved.
The answer to emergent risks or unknown unknowns lies in building an adaptive and resilient organization. The entire organization as well as project teams must be able to swiftly adapt in the aftermath of a disruptive event and bounce back as quickly as possible.
Establishing reserves may be the most simple, crude, and common method to manage all types of risks but not the most effective. Several next generation tools have become available recently. We are into the third generation, that is, 3G Risk Management, which is the subject of my next blog.
Vivekanandan says
Dear sir,
Concepts were explained with a lot of clairty
Dr. Prasad S. Kodukula, PMP, PgMP, DASM, DASSM says
Thank you.
Trudy says
Great information. How do you manage one set of risks that are being management strategic risks and project risks in the one risk management tool.
Dr. Prasad S. Kodukula, PMP, PgMP, DASM, DASSM says
Typically, variability and event risks are managed at the project level by the project manager/team and the strategic (ambiguity and emergent) risks are managed at the management level. Therefore, they use different tools.