Top Ten Risk Management Mistakes

Are You Making These Risk Management Mistakes? Text of a talk first given at the Association for Project Management (APM) KnowledgeShare event in May 2010

By Bryan Barrow MAPM MBCS CITP

Speech Notes

© 2010 Bryan Barrow

All Rights Reserved. No part of this publication may be duplicated or copied in any way without the express, prior permission of the publishers.

No responsibility for loss caused to any individual or organisation acting or refraining from action as a result of the material in this publication can be accepted by the publisher or author.

Tel: 07050 192277 Email: [email protected] Web: www.bryanbarrow.com

Copyright © 2010 Bryan Barrow www.bryanbarrow.com - 2 -

Are You Making These Risk Management Mistakes? Speech Notes

A t the 2008 Beijing Olympics 110-metre hurdler Lolo Jones was on course to win her first gold medal. Jones had failed to qualify for the previous Games but four years later she was

fitter, she was faster and she was the firm favourite. With eight hurdles behind her Jones was less than 100ft from the finish. Then disaster struck.

Jones’ right heel clipped the ninth hurdle. Not very hard, but it was enough to knock her off her stride. By the time she had recovered her rhythm the other runners had overtaken her. Jones finished seventh.

Sometimes one mistake is all it takes.

I’m Bryan Barrow and in my work as a project consultant I’ve seen first hand how dozens of companies manage their risks. Today we’re going to talk about:

• Why risk management is so important;

• We’ll take a look at key risk management mistakes that we need to avoid, and;

• We’ll look at a way of identifying and managing project risks that is both easy and effective.

Why Manage Risks? Let’s start off with why we manage risks Now I’m not going to quote you all kinds of statistics on the cost of failed projects. I’m sure you could quote some at me too. But when you look at the whole bunch of them the key message is pretty much the same: too many of our projects are delivered late and over budget, if at all and too many fail to deliver the expected benefits.

The cost of this failure is measured in billions. One investigation by the Times newspaper and Computer Weekly magazine put the cost of project overruns at almost £19Bn a year. Nineteen. Billion. That’s almost a Bernie Madoff every other year. It’s criminal, but no-one’s going to jail over this. What other part of business could get away with that? If the insurance industry ran like this it would go broke.

Copyright © 2010 Bryan Barrow

Are You Making These Risk Management Mistakes?

www.bryanbarrow.com - 3 -

Speech Notes

One study put the cost of failed projects in the UK at almost £19Bn. That’s almost a Bernie Madoff every other year

“

”

And it’s not that we are not capable of delivering great results. We are. A good example of what great project management can achieve is Y2K. Here was a problem

• That had existed since the sixties;

• That people were aware of since the seventies;

• That people were talking about in the eighties;

• But only finally got around to doing something about in the late nineties.

The cost of fixing legacy code and preparing for the turn of the century is put at around $300Bn. When the clock ticked Jan 1, 2000 no major problems were reported. Almost every bank worked fine, no major power outages were reported, aeroplanes still flew and the whole world went on with its normal business. Some say that the whole thing was a hoax, a con, a put-up job. But we know different.

So we are capable of delivering, but all too often we fall short of that standard.

Let’s take an entirely fictional project manager: we’ll call him Buddy. Buddy’s in a jam. He’s in danger of getting fired because his latest project is late and way over budget. The one before was too. Buddy’s running around doing a hundred things at once in an effort to “save” his project and his career. He’s stressed up to his eyeballs and he’s working late every night. He’s living on a combination of strong black coffee and Red Bull. Buddy hardly sees his family and when he does he’s not the easiest person to be around.

I bet some of you know someone … just like Buddy.

Here’s some stuff that Buddy doesn’t know. We’ve all seen something like this:

• Time along here and Cost down here;

• This green area is where we want to be;

• The yellow area – a little bit over budget and a little bit late – is a bad place to be;

• This red area here – here be dragons! Here is where you really don’t want to be, but here is precisely where many of our projects end up.




Speech Notes

Instead of looking at time versus costs, look at time versus risk

“ ”

But here’s another way of looking at it. Instead of time versus cost we’re looking at time versus risk. If Buddy fails to control his project’s risks they get up to here and then suddenly it’s all hands on deck. The only problem is that Buddy is on the deck of his own personal Titanic – he can rearrange the chairs all he wants, his ship is still heading toward the iceberg.

While Buddy is running around trying to bail out his sinking ship, the people on his team are weighing up their options. Some of them are already leaving, like rats off a sinking ship. You can’t blame them; they can see for themselves what is happening. But the first rats off the ship are the strongest swimmers. These are the ones that Buddy needs if he’s to save his project. And while Buddy has his hands full with his first problem, along comes another. Then another. And now Buddy’s in permanent fire fighting mode.

It was Buddy’s failure to keep his risks under control that did for this project. It is Buddy’s inability to learn from his mistakes that means that his next project will also fail.

I reckon some of you have someone like Buddy in your organisation.

So why does someone like Buddy allow risks to rise to this level? To me it boils down to four things:

• People mistakes;

• Process mistakes;

• Publicity mistakes, and;

• All of the above!

Let’s start with the people mistakes first:

• The first of these is not involving our teams in risk assessments, with Project managers trying to understand and manage all of the risks for their project.

• The second? Ignoring the people risks in your projects. Projects are all about people, whether sponsors, team members, suppliers, customers. But few projects stop to consider people risks.




Speech Notes

So why does someone allow risks to rise to this level? To me it boils down to four things

“

”

• The third one is more of a human nature thing. It’s assuming that the worst can’t happen.

Next up, process mistakes:

• The first of these is identifying vague, not specific risks. This makes it difficult to develop effective mitigation plans.

• The second is not developing contingency plans in advance. This brings projects to a halt while people try to figure out a plan B.

• The third is mistaking risks for issues and treating them in the same way. Risks are things which have yet to go wrong. If you deal with risks at the appropriate time then they don’t go on to become issues in the first place.

• The fourth is not looking for new risks on a continual basis, so projects fail over risks that weren’t known at the outset of the project and weren’t discovered until it was too late.

Next, publicity or communication mistakes.

• The first one is not publicising the risks to key stakeholders. This means that too many projects get a green light that they probably don’t deserve because the stakeholders are unaware of the real level of risk they are running when they authorise the project.

• The second is excluding partners from risk reviews. One consequence of this is that third parties often have to charge more to handle what to them are “unknown” risks, when with a bit of dialogue and good planning you could reduce both the costs and the risks to each other.

Finally there are those people who have no plan at all! There are way, way too many of these. Including Buddy.

So what can you do to avoid becoming like Buddy?

You have to do three things:

• Identify your key risks and produce an effective risk management plan;

• Communicate your risks in a way that gets you the resources you need, and;

• Manage your risks so that you avoid making mistakes that sink your project.




Speech Notes

Too many projects get a green light that they probably don’t deserve because the stakeholders are unaware of the real level of risk they are running when they authorise the project

“

”

Here’s a straightforward approach that will work for just about anyone.

Identifying risks

Start off by looking at the products - or deliverables - your project needs to deliver and for each one identify the potential risks. Linking risks to deliverables gets you off to a flying start because:

• It will help you to make sure that you don’t overlook anything in your search for potential risks;

• You’ll identify specific, not vague risks. Specific to your organisation, specific to your project and specific to the team running this project, and;

• You’ll get a better idea of the proximity of the risks and – by linking the risks to your timeline - when they need to be resolved by.

Don’t just do this on your own; involve your team and your key stakeholders in this. They may come up with risks that you wouldn’t have thought of if you did this exercise on your own.

Once you’ve identified your potential risks, quantify them. Many of you will be familiar with the idea of ranking the probability and impact of risks as high, medium, or low. I don’t recommend this approach because it’s not clear which of the group of high risk items requires my attention first. Instead, use a percentage for the probability and, for the impact, the actual time (or money) it would take to fix the problem. Multiply these two together and you’ll see the likely impact on the project. This is much better because now you can rank your risks by likely impact and proximity and see straight away which ones you have to deal with first.

Once you’ve quantified the risks, the next step is to decide on what you can do about them. You need to look both at what you can do to prevent the risks as well as what you’ll need to do to limit their effects if you fail to prevent them. You may identify several things that you can do for each risk, both in terms of preventative and contingency actions. Spend more time thinking about preventative actions - these are usually cheaper and easier to implement.

Once you’ve looked at your preventative actions, move on to your contingency planning. By preparing your contingency plans and budgets now you will avoid delays later on if you need to switch to your “Plan B”. If you have your backup plans ready and a team that knows what




Speech Notes

Many of you will be familiar with the idea of ranking the probability and impact of risks as high, medium, or low. I don’t recommend this approach

“

”

to do, then you can switch from preventative action to your contingency immediately if you need to. There is a strong possibility that you will never need your fallback plan. However, it is better to have a plan that you don’t need than need a plan that you don’t have.

OK, so you’ve identified, quantified and prioritised your risks; what now? Now you have to tell people about your risks in a way that creates action. So the second thing is to communicate your risks. Here’s how you do that.

Communicating risks First produce a risk management plan that:

• Summarises the project in terms of its business goals, scope, expected benefits, key milestones and the overall budget;

• Identifies the key risks to the project and describes the actions that you’re planning to take to manage them;

• Describes any significant change to the project’s timeline, budget or expected benefits if the risk management plan is adopted and, most importantly;

• Confirms whether or not you think the project is viable, once the management of risks is factored into the revised plans, budgets and timeline. Not starting a doomed project is the smartest thing that you can do.

You may have identified a number of significant risks which have both a high likelihood of occurring and a high cost to mitigate. If these risks cannot be prevented or avoided and the cost of dealing with them is too high, then your project is a non-starter and you have the arguments – and the evidence - to persuade your sponsors to stop the project. If your stakeholders still want you to continue with the project it will be based on a better understanding of the risks and the likely outcome.

Next, you’ll need to create a realistic project budget. Many of you will work in organisations where ten percent of the project budget is added, “as contingency”. Why 10%? Your true project budget must cover:

• The cost of the work you aim to complete – the in-scope project costs;

• The cost of dealing with the risks you’ve already identified, and;

• The cost of dealing with the as yet undiscovered risks. Your contingency or reserve.




Speech Notes

Not starting a doomed project is the smartest thing that you can do

“ ”

From your risk assessment you already have an idea how much it may cost you to deal with the risks that may occur. Once you’ve created your contingency plans you can decide how much you should spend to deal with the identified risks. This method is easy and far more accurate than just praying that 10% will do.

Once you’ve created your contingency plans and budget, organise a meeting to take your sponsors through your plans.

Now, most projects seeking authorisation present a rosy picture. For them, the costs are always outweighed by the benefits, but that’s because they forget to include both the cost of dealing with the known risks and unknown risks. It’s no surprise then that these projects come in way over budget.

Here’s where you’ll be different. Present the big picture:

• If your project is not viable you will be able to explain why, using the information gathered on the risks, the potential impact and the cost of your contingencies;

• If your project is viable, but has significant risks, tell them about the risks and your proposals for managing them. Your goal here is to educate them and get their backing for your approach, including your approach to managing the risks, and;

• Even if the project appears to be low risk, explain what you’ve done to assess the threats to the project’s success.

The final thing you need to do is secure the contingency funding that you need, in advance. You’ll be able to explain precisely what extra money you need for your contingencies and when. If your sponsors can’t afford the cost of the contingencies you can work with them to alter the scope of the project, avoiding the biggest risks. Securing your contingency project funding now also helps you to avoid delays later on, because you will be able to draw it down as you need it, rather than having to stop and wait for the money. More important, your finance director won’t be hit with a request for funding out of the blue, but instead they’ll be able to plan for the expenditure. Believe me they will love you for this!

Now you’ve completed two of the three essential steps. You’ve identified your key risks and developed strategies for dealing with them and you’ve communicated the risks and secured the commitment and the funding to deal with them. The third essential step is to actively manage your risks.




Speech Notes

“ This method is easy and far more accurate than just praying that 10% will do ”

Managing risks Start off with your top ten risks and take the actions that you set out in your risk management plan, starting with the preventative actions. The Pareto principle applies here: 20% of your risks will cause 80% of your problems, delays and fire-fighting. Now, I’m not suggesting that you only work the top ten risks; you need to work on all of them, but let your project team members be responsible for managing the risks on the products that they are working on. If you’re the project manager you should keep your personal focus on the top ten.

I carry a list of my top ten risks everywhere and I recommend that you do too. By dealing with these first you’ll overcome the biggest obstacles. You’ll deal with the root cause of what would have been future issues by taking action in time to avoid problems, the kind of problems that tripped Buddy up. As a result you’ll be able to spend more time on the remaining risks. Pretty soon you’ll see that you have more time available to work on planned project work, rather than firefighting all day. This in turn means more risks get resolved faster and increases the certainty of success. This will help you to build the kind of momentum that eventually makes your project unstoppable.

However, this will only happen if you keep on top of your risks. So the second thing you need to do is to review your top ten risks on a regular basis. I include a review of both risks and issues as part of my weekly team meetings. The key thing is to review the risks before looking at the issues, so that we don’t overlook the long term actions we need to take if we’re to avoid future issues from flaring up. Each week we work through the top ten risks – as a team. We discuss progress, we record agreed actions and, when appropriate, we update the ratings for both probability and impact of the risk. Both of these should change as a result of our efforts.

If we’re unable to prevent a threat we can immediately implement our contingency plans. When our risk mitigation actions are unsuccessful we raise new issues. We agree how these issues will be managed and whether they need to be escalated to the project board.

The result is that at any time my whole team know which risks to focus on, how we are doing with them and what we need to do to maintain momentum. As we bring our biggest risks under control, others will replace them on the top ten risk log, but hopefully the overall level of risk will continue to fall. That’s what we want to see happen.




Speech Notes

The final step in managing risks is in keeping people updated on the status of the risks. Send out an updated top ten risks log regularly:

• It keeps everyone updated about your progress in eliminating threats to your success;

• People outside the team also know which risks to focus on and;

• It shows your key stakeholders how, over time, you are reducing your risks and achieving your goals.

Once your stakeholders see that you’re taking action this creates a force which becomes overwhelming. People love to back winners and when they see that your project is moving ahead and under control they give it their support. This is what eventually drives your project forward towards a successful outcome.

If, on the other hand, things get worse as the project progresses, despite all your efforts, your updates will say this. Your stakeholders will know exactly what’s going on, no matter what. It may be that the project reaches a point where you need to pull the plug. If that’s the case you’ll make that recommendation, rather than waste time, money and effort. Not starting a doomed project is the smartest thing you can do. Stopping a doomed project before it bleeds you dry is the second smartest.

Don’t be like Buddy. If you take these steps:

• Your project’s risk levels will fall as you take proactive measures to reduce your risks;

• You’ll see that as you approach your target delivery date your risk levels will be low and falling, rather than high and rising, and;

• You’ll deliver on time, you’ll generate benefits sooner and you’ll be able to return your unspent contingency funds.

So, to wrap up. Today we’ve talked about why we need to manage risk if we’re to tackle the criminal level of waste and failure associated with projects. We’ve looked at the key people, process and publicity mistakes. We’ve explored steps we can take to identify risks, communicate them and, if our project is worth doing, to manage them.

There will come a time when all projects are managed this way. The question is when and by whom? May it be now: may it be you.




Speech Notes

Stopping a doomed project - before it bleeds you dry - is the second smartest thing you can do

“

”



“Are You Making These Risk Management Mistakes?” By Bryan Barrow

Risk Management Consultant and professional speaker

www.bryanbarrow.com Do you complete your projects on time, on budget, every time? Or are you too busy fixing today ’ s problem to think about tomorrow ’ s deadline or the finishing line? If you would like to take complete control of your project and deliver it successfully then this talk will help you.


Speech Notes

The Business Case for Project Risk Management This briefing paper for senior managers spells out the benefits of improving your teams’ project risk management skills. This White Paper was published in Mar 2010 Read The Business Case For Project Risk Management

Other white papers in this series:

Effective Risk Management In The Real World This talk was first delivered to the Bristol Chapter of the British Computer Society in February 2008. It explains why risk management matters, examines key mistakes that most projects make in managing risks and goes on to offer real world solutions. Read Effective Risk Management In The Real World

About the author

Bryan specialises in helping IT Directors who are frustrated because they can't get their projects delivered on time and on budget. With Bryan's help they are able to complete projects faster and at a lower cost, so they go on to profit from delivering on time. Bryan works as a professional speaker and consultant. He runs risk management seminars and workshops and provides executive coaching.

Documents

Top Ten Risk Management Mistakes