"Managing risk in practice" workshop

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

okay let's have a look at risk management in practice and what I want to do is to start with some basic concepts then focus on two difficult areas in the risk process so I guess if I asked you to define the word risk you would have some idea of what it meant we might not have a formal definition that we could quote but we all have something in our minds when we hear the word risk this is what we think and maybe you think of things like this maybe you feel like this little guy facing some big ugly challenge that you know is just going to squash you flat maybe you feel like this guy this is a real job in North Korea and his job is to hold the target but other people to shoot at sometimes project managers have the target here we feel like everybody is shooting at us in our job or maybe you just know there's something nasty out there waiting to get you and maybe that's what you think of when you think of the word risk well that's partly true but it's not the whole truth risk is not the same as uncertainty risk is related to uncertainty but they're different so all risks are uncertain but not all uncertainties are risks if you have a risk register or a risk list you don't have a million items in it or you shouldn't you don't even probably have a thousand items in it you have a smaller number although there are millions of uncertainties in the world so how do we decide which uncertainties we're going to call risk and write them down and put them in our risk register and decide to do something about them clearly risk is a subset of uncertainty but which subset how do you know I think it's very simple to separate risk and uncertainty and I use three English words these words here risk is uncertainty that matters because most of the uncertainties in the world don't matter we don't care if it's going to rain in London tomorrow afternoon it might it might not it's irrelevant it doesn't matter we don't care what the exchange rate will be between the Russian ruble and the Chinese yen in 2020 it doesn't matter to us but there are things on our projects and things in our families and things in our country which are uncertain which do matter to us if it's an uncertainty that matters it's a risk so here's another question how do you know what matters in your projects what are the things that matter the things that matter in our projects are our objectives so we must always connect uncertainty with objectives in order to find the risks and if we look at some definitions of risk this is the ISO standard that I mentioned it connects those words very simply risk is the effect of uncertainty on objectives and we might look at another definition from the UK from our association for project management it says the same thing a risk is an uncertain event or a set of circumstances which is uncertain but it matters because should it occur it will have an effect on achievement of objectives uncertainty that matters so we should be looking in our risk register for two things is it uncertain we don't want problems in the risk register we don't want issues in the risk register we don't want constraints or requirements these things are certain what we want is uncertainties something that might happen or might not happen but the other important question for our risk register is does it matter which objective would be affected if this thing happened and then when we want to see how big the risk is we can ask those two questions how uncertain is it and how much does it matter and that will tell us how big the risk is so this idea of uncertainty that matters then develops into something which is useful by linking uncertainty to our objectives so we have two dimensions of risk we have an uncertainty dimension and we have a dimension that affects our objectives in projects we call these probability and impact we could call them other things there are other English words we could use but these are the ones most often we use and I would like to ask you with this quest this picture of the mouse what effect matters to the mouse so first of all clearly he's in a uncertain situation here and he's seen some risks his objective is to get the cheese and to stay alive and so one of the risks he's identified is a bad thing that might happen he might be killed or injured and so he's been a good project manager he's put his little helmet on and he's preparing so that it doesn't happen to him so that he doesn't get killed or injured very good and there are things in our projects that if they happened would kill or injure us they would waste time waste money damage reputation destroy performance maybe even injure real people and as project managers we have to see those things and stop them happening protect ourselves in advance avoid them are there any other uncertainties that matter for the mouse well there is the cheese there's an uncertainty here which matters a great deal will I get the cheese out of the trap he might or he might not and if he doesn't get the cheese out of the trap he's failed so he has two uncertainties to manage one of them is bad he might be killed or injured the other is good he might get the cheese and what he has to do what he has to do is to manage both of these at the same time and as project managers we have to do the same thing and also we have to do it in the best possible way sometimes there's a better way to get the cheese without being killed or injured in our projects we have to stop the bad things happening but we also have to get the cheese out of our projects so what does cheese mean in your project what is the cheese in your project cheese means value cheese means benefits cheese means products and services that people want and need cheese means customer satisfaction cheese is the good stuff that we're trying to get out of our difficult projects and if we don't do anything bad we don't waste time we don't waste money we don't damage reputation but we don't create value we failed if the mouse didn't die but he didn't get the cheese he failed if we create benefits but we waste time and waste money and destroy reputation we failed and if the mouse gets the cheese and he's killed he's failed so we have to do both of these things and when we think about risk and think about impact there are two kinds of impact that matter bad ones and good ones uncertainties that could hurt the project and uncertainties that could help the project both of these matter and both of these need to be managed and we have another word for those so here's the definition of risk from the project management institute the PMI from the pin Bock guide it's the same as the others that we've seen an uncertain event or condition that if it occurs affects an objective but PMI knows about the maus PMI knows about the cheese and the traps and has added three words to the definition of risk here it's not the words cheese and traps it's the word positive or negative what this tells us is that there are good risks as well as bad risks and we heard that in one of our keynote speeches earlier this morning in the uncertain situation that this country faces going forward with all the changes that there have been there are threats there are things that could go wrong and you need to see though and address them but there are also opportunities uncertain things that might happen that could be good and we also need to see those things and to try and proactively make them happen and that is equally true in our projects in our personal lives and also at the national level and I'll be talking about some of those things in my speech later on this afternoon so PMI has this definition the other standards have something very similar the ISO standard at the bottom here says risk is the effect of uncertainty on objectives note the effect can be positive or negative and the APM the Association for project management in the UK says the same thing so we have this new idea that risk is a double-sided concept and it's the same in Persian the word you have for risk we mostly think of bad things but it could be used for good things as well isn't that right it's an uncertain word and there are good risks as well as bad risks so in our project risk management process we should be looking out for the traps and avoiding them and protecting ourselves and preventing them happening but we should also be looking out for the cheese and chasing it and making it happen proactively so that we get the maximum benefit for the minimum cost that's why risk management is so important to project success because it effects our objectives it gives us the best possible chance to achieve our goals so how do we do that if we think about a risk management process the process has to do a number of things if risk is uncertainty that effects objectives we have to know what our objectives are then we have to identify the uncertainties the uncertainties that would matter to those objectives and remember that they could be good or bad threats and opportunities that gives us a long list of uncertainties that matter but they don't all matter the same so the next thing we have to do is to prioritize and ask the question how uncertain and how much does it matter then we get a prioritized list of risks we know which are the worst threats and the best opportunities so then we do something about it then we plan how to respond we think about what would be appropriate to stop the bad thing happening and to make the good thing happen and having decided we do it of course and then risk is constantly changing so we need to come back and do it again and see what has changed we could express this process as a number of questions that it's important to ask and keep on asking about our project in fact you can use these questions for anything you could use these questions for your next career move you could use these questions for deciding about your pension you could use these questions to decide how to bring up your children or to decide on how to invest the nation's wealth these are the questions what are we trying to achieve that's setting objectives then what could affect us in achieving that that's identifying risks then when we have the list of risks which are the most important ones that's prioritizing at assessing the risks then what could we do about it planning our responses and doing it implementing the responses and then did it work and what's changed reviewing the risk so if we look at a risk management process we could link each step in the process to one of these questions and this is why risk management is so easy because all we're doing is asking and answering obvious questions anybody who is doing anything important will ask these questions what am I trying to do what could affect me which are the big ones what shall I do about it did that work now what and you could ask those questions every Monday morning when you drove to work or every Saturday morning you can ask the question say what am I trying to achieve today this week what could affect me and which are the big ones what shall I do we can manage risk on a very simple basis or we can use this as the structure for a risk process which is much more complex which involves lots of meetings and lots of stakeholder groups and lots of analysis and statistics it's the same questions so I would like you to remember two important things one is risk ease uncertainty that matters and secondly these questions these six questions because that's the heart that's the basis of managing risk and it really is very very easy now in the time that we have I want to focus on just two parts of this process and then give us the opportunity to try out some of these things the identification step clearly very very important because if we don't identify the risks we can't manage them and then planning responses understanding how we can deal with the uncertainties that we've identified so let's think about these things identifying risks how do we find all of the risks well you can't you can't find all of the risks because there are risks that arrive that we hadn't seen before there are emergent risks new risks different risks and I'll be talking about those later this afternoon in my speech what we want to find are the knowable risks the risks that we could find we don't want somebody on our project team who knows a risk and they're not telling anybody so this process is about exposing the uncertainties that matter finding them so we can do something about them and there are lots of techniques brainstorming workshops checklists testing our assumptions and so on but I would like to answer a bigger question a different question from techniques and it's the question are we finding the real risks when you go to a risk workshop and you write things in your risk register are they really the uncertainties that matter for your project are these really the things that could drive you off track or really help you or are they just the obvious things where all projects have problems with requirements with resources with testing these are things that always come up and we have processes to deal with them but are they the real risks and I'd like to suggest to you that often in our risk registers we confuse real risks with other things often we confuse risks with their causes where does the risk come from or we confuse risk with their effects what do they do if they happen but risks are uncertainties that matter they are not causes or effects so causes are things that are true this is true that the project is difficult it is true that we don't have enough people on the project it is true that the customer hasn't signed the contract yet these are not risks they are facts they might be issues they might be problems but they're not risks because they're not uncertain and a lot of people write these things in our risk register we don't have enough time for this project it's a risk no it's a problem sometimes we confuse risks with their effects there could be an accident we could be late those are not risks either they are the effects of risks how do you manage we could be late if you're late it's too late what we want to know is why might you be late what unplanned thing could happen that would result in you being late so risks sit between causes and effects we can't manage causes because they're here now they're facts we don't want to manage effects because they may never happen what we can marriage is risks that sit in the middle because they happened yet so the risk management has two separate risks from their causes and risks from their effects and I find looking at hundreds of risk registers all around the world I've worked in in 48 different countries every continent every culture not the Antarctic that's too cold but nearly every continent and over half of the stuff in risk registers are causes or effects over half so the things we're trying to manage in the risk register are not risks and then people are surprised that it doesn't work so how do we separate cause risk and effect here's a little test and these statements are written in your notes or you can just think as we go each of these statements and they're very simple is one of these things a cause is something which is true today a risk is an uncertainty that might or might not happen the effect is why it matters to our objective okay so you have to think what these are the project is based in a third world country cause risk or effect what do you think course very good so this is a fact there might be uncertainties that come out of this fact so we may not get the resources we need there may be security concerns we may not get paid these are uncertainties that come from this fact interest rates might go down it's a risk or they could stay the same or they could go up and we could go over-budget it's an effect so a million things could take you over budget maybe interest rates is one of them okay they were easy how about this the weather might be better than usual so the risk could be the same or worse if would be a bad thing if you were selling umbrellas it would be a good thing if you were selling ice creams so it depends what your project is I'm allergic to prawns it's a course it's a fact what is the risk that comes from this fact this course do you think maybe I could be sick I could have a reaction I could be very ill I could die all of those things are effects aren't they but if something happens that I didn't plan because I'm allergic something might happen that makes me sick what's the some thing I might eat prawns without knowing so then I check are there prawns in this you know I avoid things with prawns in I manage the risk not the effect and not the cause okay we've got to use a new technique an unproven technique it's a fact it's a requirement we have to do it we might introduce design errors but it just is a factor a requirement of our project the contractor or contractor may not deliver on time is a risk this is going too fast it might not work for some reason you saw the color it's a defect okay I will go more slowly we don't have enough people it's a course yes and lastly there's a risk that we'll be late mmm mmm it's it's an effect is it because we want to know what is the risk that we'll be late being late is an effect so apart from the pawns all of the blue and green things we see in risk registers the project environment new technology lack of resources or going over budget lack of performance delivering late these are not risks these are causes or effects and if we looked at a real risk register and this is written in your notes for you if you want to do this afterwards we could do another exercise in fact the next page of the notes you turn over the page as these written a bit larger for you in English only I'm afraid we'll have to do something about that Raziel you could just try this little exercise on a real risk register this is one of my clients I asked them for their top ten risks this is what they gave me they're not risks they're all sorts of things mixed up really you should do this on your risk register but let me show you what happened when I did this on their risk register I found there was a hopster of mixture of things so the current hardware is not fast enough to support testing that's a fact it's a course this means that we may be unable to test performance until production hardware is used that's the risk so we have two things in this statement the next one down is just a fact a number of usability issues have been identified by the supplier okay so what what difference does that make let me color code this for you just to be slightly friendly but you'll have to do it on your own if you want to try the complete exercise and there's a whole range of different things in this so called risk register and I would expect that yours is the same that you will have things in your risk register that are just pure facts or things that are a mixture of risks and other things now there are two in this list that I think are particularly interesting it's this one and this one they have all three colors in them because they have a cause and a risk and an effect so let's take this one the team does not have a documented design for this function that's a fact so what well there's the risk that the architecture may not support the required functionality that might happen because we don't have a documented design why do we care about that if that happens it results in the requirements not being met or a higher number of defects that hits our performance objective and our quality objective so now we have three things we know what the risk is the risk is that the architecture might not support the function see we know why that's happening because we don't have a documented design and we know how it could affect the project in not meeting the requirement or delivering defects those are really useful things to know and it will be helpful if every risk description had those three things in it and so what we recommend is a structured description of risk that has three parts to it that says as a result of some fact a cause then an uncertainty might occur it might not but it might and if it did it will be a risk and if that thing actually happened it would lead to an effect on the objectives and we recommend and PMI recommends and the ISO standard recommends and best practice guidelines recommend that you describe your risk in these three stages what do we know what uncertainty does that give us and why does it matter and then we can use that to help us manage the risk in English we have definite words to describe facts this is true this has happened this does occur we have uncertain words to describe the risk it might it might not it's possible and then we have conditional words that say this would follow if the risk occurred maybe your language is a little different but we can use the language to help us perhaps so one of the things I'd like us to try in the short exercise we're going to do in a moment is to try describing risks in that three-part way what do we know what uncertainty does it give us and why does that matter to our objectives and I would recommend that you try that for your own real risk register on your project and see what difference it makes you might be surprised now let's think about the next question which is not well there's another question how do we prioritize them but the one I want to focus on is what could we do about the risks that we've identified planning risk responses here are the questions we need to ask what are we going to do based on the risk how manageable it is how bad or good it might be if we left it alone impact severity whether we have the people and the equipment and the skills to deal with it our resource availability and cost effectiveness can we spend a small amount to save a big amount we don't want to spend a big amount to save a small amount and the next important question who is going to do this what could we do to deal with risk often people think of four things four different types of things we could do to address uncertainties that matter and each of these has a name it's a strategy a strategy to focus our planning to focus our thinking and then once we've focused our thinking with a strategy we can develop tactics to address each individual risk so what are the four things that most people think of the first is risk avoidance is there something we can do to kill the risk to remove it altogether the second is something we call risk transfer can we give it away can we get somebody else to take it away for us the third is what we call risk reduction some people call this risk mitigation and here we're trying to make the risk smaller so that we could accept it and the fourth response after avoid transfer or reduce is the one that everybody forgets they think if we can't do anything about it we just have to hope and pray and wonder and wait other responses to take the risk we call that risk acceptance to recognize we're taking this risk and to include it in our baseline and to monitor it very carefully so you might see those four options as quite a good set of response strategies but there's a problem the problem is all these things only work for bad risks what about opportunities we don't want to avoid or give away or make smaller opportunities so how do you respond if you find a good thing that might happen on your project do you just wait and see and hope or is there something active that we could do fortunately there are four response strategies for opportunities that match the four response strategies for threats so here are the bad ones avoid a bad thing give it to someone to take away make it smaller or take the risk this is what those things are trying to achieve to remove the uncertainty to get somebody else to help to change the size of the risk or to include it in our project plan we could do all of those four things four opportunities how do you eliminate uncertainty for an opportunity you capture it you take up a strategy which makes it definitely happen in English we call this exploit exploit is the same as a void for a void you make the probability zero it can't happen for a threat it's a void for opportunity exploit is to make the probability 100% it will happen it must happen so they're aggressive strategies you kill the threat you capture the opportunity it's the same kind of thing could we do instead of giving away transferring a threat we want to involve somebody else to help us we could share the opportunity we could ask them to come come into our project and be involved with us in a joint venture or subcontract or a partnership where they help us to achieve this uncertainty that would help us all and we give them some part of the benefit we share the opportunity how could we change the size of an opportunity we don't want to reduce it we want to enhance it we want to grow it we want to make it more likely and bigger impact it's the same idea but the other way round for the opportunity and the last one if we can't do these active things we could just accept an opportunity and wait and see what happens but monitor it very closely if there's nothing else that we can do so what this slide tells us is that there's an equal variety of potential response types that we can choose between for our opportunities equal to the number that we have for threats you see the secret of thinking about opportunities is to recognize that an opportunity is the same as a threat the only difference is the sign of the impact so a threat has a negative impact an opportunity has a positive impact apart from that they're the same they are both uncertainties that matter they are both things that might or might not happen that could affect our objectives they can both be managed proactively they both make a difference to the chances of succeeding on our project and that's why risk management should manage threats and opportunities together in a single process because they are the same things and that may be new thinking for some of you those of you who always think of risk as the big ugly thing that's waiting to squash me or the unknown thing in the future that's going to hurt me there are some like that and we need to stop them happening and protect ourselves but there are also some very good things out there which might happen which we need to see and we need to chase them and make them happen so that our projects could be more successful there is another response strategy that we might try which is really not recommended just pretending that there are no risks and hiding away and saying maybe it will never happen we really don't recommend this at all in fact it's probably true that ostriches don't bury their heads in the sand it's just the way that the sand dunes kind of look and it's just a pretend story and sadly for project managers it's not a pretend story we hide our heads and we pretend there are no risks and then we get surprised well we can do better than that so let me finish here just to say we do need to do something about this apart there should be a person who owns the risk we need to make sure the person who takes ownership is the person who can make a difference and that's usually the person who owns the objective that would be affected if the thing happened so ownership of risk should go with impact of risk and then we should put input responses in our project plan and treat them like any other project activity something we need to do to make our project succeed okay so I think that's all I want to say in terms of the spoken part for the presentation part of our workshop and what I'd like to do is to give us an opportunity to try some of these things out the arrangement in the room with people sitting in rows is not so easy so I'm going to have to trust you to move around and talk to your neighbors but let me remind you of the key points that we've learned so far risk is uncertainty that matters that means we are looking for things that might not happen we are not looking for problems we are not looking for issues we're not looking for constraints or requirements we're not looking for things that we don't like about our project we're looking for future events or circumstances that may never happen but if they do happen they would affect us this includes both threats and opportunities bad ones and good ones and we should be looking for both they matter because they affect our objectives we need to separate out the risks from the things that cause them and the things that they that they would do if they resulted and their effects and we can use that structured description because of the cause we might get a risk that leads to the effect to separate out those three things we can have a structured approach to planning our risk responses choosing one of those four things for the threat and one of those four things for an opportunity and making sure that the right person takes action and then we can manage the risk okay that's all I want to say in this part but I'm going to give five or ten minutes just to see if there are any questions before we get to the exercise so if your question is going to be in Persian in Farsi that's fine because I have my translator with me so please

Info

Channel: RiskDoctorVideo

Views: 58,978

Rating: 4.8862877 out of 5

Keywords: risk, risk management, risk doctor, david hillson, risk identification, risk responses

Id: fVIqy51oyS4

Channel Id: undefined

Length: 35min 48sec (2148 seconds)

Published: Thu May 19 2016