Managing risk in projects - New concepts

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

join me in welcoming to the podium whatever oh good afternoon everybody that's a very generous introduction Harry thank you - it's great to be here and the inaugural session of your risk faculty for the Institute I heard there are thousands tens of thousands of members in the Institute and something like 30 members in your risk faculty does that seem right to you okay but even so 30 risk specialists in New South Wales we've got some work to do haven't we and part of it I think as Harry said is understanding what our contribution really is how we can add value to the business how it can help our colleagues to do their work more easily some people call risk management their business prevention department you can't do that because it'll all go horribly wrong be careful and I think that's and if you're a risk specialist you'll know that's absolutely not characterizing our contribution to the business and Formula One drivers have discovered that brakes help you go more faster go faster brakes help you drive faster because you have a safer car and it's easier to stop when you need to so you can actually go faster when you don't need to and so actually risk management is offering us a facility like that to understand where the boundaries and constraints are and then we could within those constraints and boundaries with those risk appetites and risk thresholds now then perhaps our businesses can just know that little bit faster be more competitive and create more value so I would encourage you if you're a risk specialist and you know others who are also interested in risk management who are not part of the faculty then do get them involved and come to events like this sign them up because risk management is really our opportunity to make a difference as Harry said I've been involved in risk management for 25 years I started when I was very young that's a joke by the way you can laugh it's fine I know it's been recorded but you know nobody will know who laughed but please do and if you can't manage to laugh that nonverbal is groups you know that helps as well from this end so I've been doing this for a very long time and the reason that I do risk management is because it works because risk management genuinely helps us to understand the things that could drive us off-track that could affect our ability to achieve our goals our ability to succeed is directly proportional to our ability to manage risk effectively so we really make a difference or at least we should do and that's what gets me out of bed in the morning whether it's as a speaker or as a consultant or trainer or so do some of the thought leadership work that I do is to move that risk discipline forward and make it even sharp but even better focused so that we can make more of a contribution to our businesses and not just business but to wider society at large and perhaps even in our communities because there are risks everywhere as you know what we're going to do today is talk about risk in projects it's a very particular application area some of the concepts I'm going to introduce to you may not be new maybe they will we'll have to see but they don't just apply in the projects arena so you will if you're not interested in projects you will find some aspects here which were applicable elsewhere I plan to speak for about 40 minutes or so and then have some time for questions and then how you might have some something else up your sleeve towards the end if needs be so let's say get on with the material I'm going to make these slides available to you as well so you can take notes if you like but the slides will be available through through the Institute in terms of risk management for projects and there's a lot out there already there are standards as we know ISO 31000 but not just that's our generic risk management standard there's a six to one nine eight an update of IC sixty one nine eight coming out which is risk management in projects we've got a UK government standard we've got Canadian government standards there's lots of standards and there's a lot of activity here in Austin as you know in terms of and New Zealanders in the standards area so we have risk management standards we have risk professional bodies there's an institute of risk management in the project world there are project risk specialists bodies we have institute of operational risk we have you know all sorts of different specialist risk professional bodies and we do have a body of knowledge so you know people understand what risk is and what risk management is and the processes and so on and there's quite a good infrastructure to support that in terms of books and training courses and academic courses you can do doctorates and degrees in risk management we've got consultancies we've got tools and so on so the question that Harry raised I think is quite interesting is risk management a profession I don't know how you feel about that when you go down to the pub at night or you're at a dinner party and suddenly says what do you do and first of all day you say I'm a risk management specialist I'm a risk manager if you dare to say that then what follows oh is that insurance is that health and safety what exactly is that what do you do and then the question is how do we answer the question in terms of profession there's a lot of work on what a profession really is and Harry touched on some of those things but one of them is public recognition we all know what accountant is and a doctor and a priest and a lawyer which are the the traditional professions why don't people know what a risk manager is I think maybe we're not so close to being a profession as we think we are and so you know maybe people see it's a bit like this bunch of cowboys who try and scare people into giving us their money or their business it'll all go horribly wrong if you don't come and come and talk to me kind of talk to me and I'll make it all go away for you and sometimes our advice isn't really both well focused either you know we ought to be able to do better than that don't you think the world's a nasty place that might have you go so you know we've got some work to do I think in terms of persuading people that risk management is a contributor and if we look at how projects how risk management is practiced in the project arena it's quite widely accepted all of the project professional bodies the project management institute the various associations the Australian Institute of Product Management for example will include risk management within their bodies of knowledge and were included in their certifications and we basically know what it is and it's practiced right across industries different product types most countries and I've worked in 48 different countries and most of them will have been practicing some kind of risk management so you would expect with this kind of long history and good understanding of what it is and how it works that everything should be okay in the world of risk in products your experience here's the standards groups day to the chaos data which has been tracking product performance since 1994 and they divide projects into either succeeded they've met all of their objectives failed they've met none of their objectives or challenged where they've met some but not others and this and some detail here but you'll see we haven't really progressed very much in the last 20 years we still get a fifth of our products failing outright nearly half of our projects are failing in some aspect and only around a third are actually succeeding so so something isn't going right in the world of projects and risk management is supposed to help us risk management in theory is the thing that drives us to success whether it's in the world of projects or in the world of business or in the wider world why is that well because projects like the rest of life are risky actually risk is embedded into the nature of every project because projects are unique and complex they're based on dependencies and assumptions they're trying to create something that's never been created before within a series of conflicting constraints very often things change during the lifetime of a project and projects are done by people every characteristic of a project is risky and so project risk management ought to help us to identify and to manage that risk and risk management should help us achieve our goals in projects because it focuses on our objectives we'll come back to this a little bit later on but a risk is an uncertainty that will affect an objective you can't do risk management unless you know what your object and because of that relentless focus on objectives risk management in projects should help us it's always asking the question what are you trying to do here and what could affect you so that should be helpful it's about being proactive I talk about risk management being a forward-looking radar and it scans the future out there and says what's coming towards me and how do I need to prepare myself and position myself as the future gets ever closer and so we're doing things in advance being proactive not waiting for them to turn up and then trying to do decide what to do so we have thinking time we get space to think about how we're going to respond and not react and that's really important and if we have a risk process that involves the whole team and all of our stakeholders then it helps us to focus on the main issues what are the risks that really matter and how are we going to address them together as a team so risk management really should help but projects just keep failing and businesses keep being challenged and going out of business and so on so what's going wrong if risk management is supposed to help us and yet projects are still failing then something's wrong so what is it is there something wrong with the theory of risk management is there something wrong with the practice of risk management is there something wrong with the people side of how we actually do it and how we understand it and our relationships and so on well the answer is probably yes yes and yes to all of those things but I'd like to focus on one area in particular this afternoon and that's the way we think about risk because our thinking determines our behavior and actually our behavior determines our culture so if we're thinking about risk culture which some of us our culture comes from repeated behavior but behavior comes from thinking so we need to think right about risk otherwise we're not going to be able to manage it well and I think there's a lot of woolly thinking about risk and risk management out there even amongst us who call ourselves risk specialists or or risk professionals and I think if we don't think right about risk it's bound to be an effective risk management manages risk so what is risk and we dare we start at such a basic thing well let me start here and move you know fairly quickly to think about what we mean by risks so that we can get our concepts linking straight and then maybe it will help us to decide how to make it work better if we went around the room and asked for a definition of risk I think we might find a number of different views there are different opinions on what risk really means and it's a nice short simple word it's in public use everybody uses it but do we mean the same thing if we don't mean the same thing how on earth can we move towards being professional or to operationalizing the management of risk in our businesses and in our projects we've got to know what it is so let me start with that we're talking about new concepts for managing risk and let's start with the concept of what we mean by risk and so we'll start with something fairly basic what's the difference between risk and uncertainty are they the same thing they're synonyms they're interchangeable or is there a difference well you know there's a difference of course but what is the difference and all risks are uncertain but not all uncertainties are risks so there has to be a difference right risks are a subset of uncertainties but which subsets how do you know there are billions of risks out there in the universe if you have a risk register it has a limited number of things in it 10 20 50 100 but it won't have billions so somehow you've filtered that almost infinite world of uncertainty to create a world of risk but how did you do it there's a mathematical answer to do with known and unknown probability density functions and generation of random numbers which isn't very helpful there's a philosophical answer which is to do with different types of knowledge which also isn't really very helpful and so in the project world we try and approach these things quite simply and so here's a simple distinction between risk and uncertainty three words and if you don't remember anything else about new concepts in risk management these are the three words to remember risk is not the same as uncertainty risk is uncertainty that matter uncertainty that matters now that's really important first of all there are lots of uncertainties that don't matter is it good a train in Kazakhstan tomorrow afternoon don't know don't care it's an uncertainty might not I don't like doesn't matter I'm not gonna write that in any risk register or spend any time thinking about it worrying about it what it's not deciding what to do about it what's the exchange rate between the Russian ruble and the Chinese yen gonna be in 2040 don't know don't care you know their uncertainties that matter and how do we know what matters anything that matters is something that could affect achievement of our objectives objectives define what matters so in projects it's going to be our timeline our budget our scope at performance requirements our assumptions and dependencies all of those objectives define the things that matter so if there's any uncertainty out there that could affect one of my objectives I need to know about it I need to write it down I need to tell people I need to think about it and decide how to manage it so uncertainty that matters that's the key which which is going to help us that's the kind of filter that will help us turn uncertainties into risks which means we've got two things to think about if it's not uncertain it's not a risk and you will I'm sure like me see lots of things in risk predators which are not really uncertain people put problems in risk registers or issues or constraints or requirements or things that they wish weren't true but they are true they all go in the risk register why is that usually it's because we haven't got anywhere else to put them and we know they're important we know they need attention we have got anywhere to write them down so we feel at least if we put them in the risk register somebody will pick them up and do something about them but they're not risks and the problem with putting certainties in the risk register is that they hide the real risks and actually the risk process doesn't work for things that aren't uncertain this it's designed to handle uncertainties that matter so then if we put certainties in the risk register we hide the real risks and the risk process doesn't work everybody says well risk management isn't working for me that's because you put non risks in the risk register so it has to be uncertain and it has to matter so we find that risk has two dimensions and I'll come back to that again in just a moment so risk has if you ask how big is the risk we've got two questions how uncertain is it and how much does it matter now we might just say we're talking about projects here but different things matter to different people so what matters to some project team member who's a technical specialist and has some some piece of the project to work up and he's quite interested in the technical solution and the design and how it all works in here and some things matter to that which may not matter to the overall project manager who just cares about the deliverable and things that matter to the project manager may not matter to the sponsor and things that matter to the sponsor may not matter to the user and things that matter to the user may not matter to the end client we actually have a hierarchy of risks because we have different things mattering to different people we actually have a hierarchy of objectives we have strategic corporate objectives program and portfolio objectives project objectives technical objectives each level of objective has a level of risk associated with it which means that risks need to be owned in different places who should own a risk the person it matters to the person who owns the objectives as so much comes out of these three words uncertainty that matters there's another thing which comes out of here which we won't have time to talk about at least I don't intend to talk about but you can ask in the questions and that is if we ask the questions how uncertain and how much does it matter the answer to both of those questions are subjective our perceptions you might think something is really uncertain and I think it's it's quite clear you might be really really critically concerned that it really matters to you and I don't care at all so who's right and how do we decide and the whole issue of subjectivity and personal bias and personal preference comes out of these three words as well which means that risk is not just about process but risk is about people and about psychology and we need to think about that in our approach as risk specialists so a lot of things from just those three words and as I say if you just memorize those three words and use those and think about those reflect on them as you think about your work and what you're doing it might be helpful so if we're looking for a definition of risk a formal definition not just that sort of idea of uncertainty matters it has to have something to do with them uncertainty something to do with objectives the ISO standard I mentioned ISO 31000 has a very neat short definition just these few words risk is effective uncertainty on objectives not too bad in the world of projects we've got this group here the association of project management which is a UK professional body perhaps the leading independent national professional body and project management in our body of knowledge we have a different definition of risk which says the same thing but with more words so risk is an uncertainty it could be a specific event or a range of other things the key thing is it's uncertain so it might never happen if it does happen it matters because should it occur it will have an effect on achievement at objectives we're saying the same thing but with more words so here we have the connection between risk and objectives first key concept what about another key concept we're talking about uncertainty on objectives what what kind of uncertainty are we interested in and here I'd like to use some technical words if you've had more than one glass of wine you need to kind of pinch yourself at this point because it might just get a little bit kind of What did he say but as Harry said the idea is to try to explain these things simply there are a number of different types of uncertainty that we need to think about not just uncertain future events things that might or might not happen in the future I think we have a big job to do in terms of explaining to people and remembering ourselves what kinds of uncertainty matter in our projects in our business in our lives that in the world at large it's not just things that might or might not happen in the future there are other types of uncertainty we need to think about to be aware of be prepared for and handle through our risk process and you'll see that the APM definition didn't just say a risk is an uncertain event events that are uncertain are risks if they matter but it's also includes uncertain sets of circumstances what does that mean non-event uncertainties which are also posing a risk to our project or our business or our objectives the definition of risk is any uncertainty that matters any uncertainty that if it occurs could affect our objectives so what sort of things does that cover here's the here's the the jargon words one suggestion is obviously possible future events things that may or may not occur in the future and we might call those stochastic uncertainties now Sturken stochastic is just don't panic it's a it's a word that comes from the Greek which just means uncertain but it's tends tends to be used of events that either happen or don't happen so we're going to run a trial and the trial might fail and if it fails we run a second trial but if it doesn't fail we don't run the second trial so the second trial the repeat trial is a future event which may or may not occur so it represents a risk to our timeline or risk to our budget we are working with a contractor with a supplier and they provide key components to our solution and they may go out of business during the lifetime of the project they may not it's an event in the future that might or might not happen if it happens it matters and obviously we're very familiar with this idea most risks in our risk register apart from the UNAM risks most things that really are risks are of this type and we think about what could happen okay now I won't say much more about this because this is where most of our thinking is but there are other types of uncertainty that matter not just events in the future that could happen or not happen right here with me so far generally what they aren't and maybe you do know here's one it's called aleatory uncertainty the latin word alia means a dice the thing with a dice is it's got six sites they've got dots on them one two six and you throw the dice and you will get one of the answers one two three four five six you just don't know which one okay so there's a limited number of possible answers and when you throw the dice you will get one of them but you don't know which one this is not an uncertain future event you will get a result when you throw the dice you just don't know what it is it's not the same as things that may or may not happen you might say and that the sort of non jargon word for aleatory con certainty is variability when we do a task on our project so design tasks or some kind of implementation or a trial we expect our people to have a Productivity level there will be a target productivity level and an actual productivity level we hope that the actor will be the same as the target but it might not be it could be slower or it could be the same or it could be faster when we go out to buy equipment from overseas at using a foreign exchange currency then the exchange rate could be higher or it could be lower than what we'd expected when we dig a hole in the ground we're not quite sure what we're going to find we might find nothing we might find archaeological remains with my hit song pipe we might find buried treasure we're going to dig the hole digging the hole is not an uncertain event the question is what happens when we do it or how long how long does it take us or how much will it cost so we have variability around key characteristics of things that we're going to do anyway this is not the same as things that might or might not happen in the first place that distinction and it's a different kind of uncertainty that matters so when we're doing project plans if we're talking about risking projects and we have schedules or schedules and whatever you say here I can't remember and you put in a plan duration and a planned budget and a planned resource requirement it could be more or less so we do three point estimating minimum most likely maximum don't we don't we should and that's to handle this kind of uncertainty not this kind of uncertainty which just as a byline if you ever do quantitative risk analysis using Monte Carlo type models you need to take account of both of these and they're different so we should have estimating uncertainty as well as specific discrete risks both represented in our response I hope yours do okay any other types of uncertainty that matter not just stochastic events that happen or don't happen but aleatory variability of things we plan to do that could be more or less in some way well there is another type and that's known as epistemic uncertainty the Greek word a piston e means knowledge so epistemic uncertainties about things that we're not sure that we know or that we don't have enough information about things that aren't really clear and the non jargon the sort of simple natural language word for that is ambiguity ambiguity is when some part of what we're trying to do is not well understood we have a lack of knowledge and that introduces uncertainty that uncertainty is not an event it's not in the future we've got it now I don't know quite how this piece of kit will work I'm not entirely sure what the customer wants or what the requirement is I've got some sort of proposal from a key supplier I'm not really sure how we're going to interface there a bit of a solution with ours there's lack of knowledge it's a it's a present uncertainty and it matters and it's going to be handled in a different kind of way from these kinds of uncertainty and so we need to understand it record it think about its size it prepare for it included in our risk registers all right happy with that nonverbal is good all right one more and this one has a smart name as well as a kind of an ordinary name the smart name is on two logical uncertainty here we come across that one ontological uncertainty sometimes known as unknown unknowns sometimes known as black swans and an ontological uncertainty is to do with concept so ontology is is about the the thinking of origins it's about our mindset it's about our worldview us about our conceptual framework an ontological uncertainty are about the things that you can't even imagine the things that you can't think they're outside of your frame of reference and of course the problem with those and we say blind spots and the problem with those is that I can't list them for you because as soon as you say it you've thought it and if you thought it is one of these these are the ones that we can't think of which means we can't say them until they happen and when they happen they're not risks so there's a lot of garbage talked about black swans if I start some people just think they're a low probability high-impact risks which they're not there's a whole sort of theory of black swans which is much broader than that but I think people use they throw the term Black Swan around without really understanding what it is and they expect the risk process to take care of it I was just saying to somebody earlier on here Black Swan the of course the abbreviation for Black Swan is BS I don't say anymore do I so when somebody says to you does your risk process take care of black swans or the unknown unknowns well how can it how can it let me ask the question in a project context how many unknown unknowns are there that could affect your project I don't know that's the point there could be none and there could be a million and they could all just be queuing up to happen tomorrow or actually there may be nothing to worry about and we don't know that's the point so what can we do in a risk process we can't write anything in the risk register something might happen how do you respond to that now we can do it's not that we can do nothing because this is an uncertainty that matters so we have to manage it in some way and there are answers to dealing with black swans or unknown unknowns which are to do with resilience which are to do with flexibility which are to do with disaster recovery and preparedness which are to do with all of those issues around around organizational readiness and so we can be robust and flexible we can build in a culture of the ability to change into our organizations and projects so that if something happens and we don't know what it is then we can handle these kinds of blind spots when we suddenly see something but it's not really risk management it's really taking disaster recovery or business continuity thinking into the world of projects and it's slightly different but it's something we need to think about so I think the world of risk management needs to be much much broader it's any uncertainty that matters if it matters it needs to be managed okay and any of these kinds of uncertainty could affect your project or your business or your customer or your family or your career or your life okay and so when we do risk management first of all we need to be identifying all of these not just these not just the possible future events then we need to be preparing for them and assessing them to decide which of the big ones and developing responses not just to the events okay and the response is the reason we break them out into these types is not just to appear to be clever and smart and pseudo-intellectual by having smart names but it's because these things are different in nature and they need to be managed in a different way now here's a question for us as risk specialists would you ever tell a customer or a senior manager would you ever use those words to a customer or a senior manager in my risk register I'm going to divide into four sections sir and I'm going to put the stochastic and aleatory ones over here in the epistemic and ontological ones oh I don't think so this is for us this is for our thinking this is risk specialist thinking risk professional thinking it's for us to understand our discipline and our professional so we can then do our thing and translate that into their language and talk to them about what matters to them this matters to us and it matters to us because we have to think differently to pull these out and we have to act differently to manage them but we shouldn't really be using this language in our risk communication or risk reporting because it will drive most people crazy they will push them away I can't I don't know what you're talking about now just talk about risk yeah well this is risk no no I don't want that to give me give me the risks okay so this is for our thinking and we've got to work that out okay right so let's move to the next thing uncertainty that matters these are uncertainties shall we think about what matters and this is something that I think you guys in Australia should be much more familiar with and our Kiwi colleagues too when we think about risk being the effect of uncertainty on objectives and we just we ask the question how big is the risk and one of the questions there needs well how much does it affect my objectives then we've got to think about any uncertainty that matters don't take that off for a minute and let's think about this funny picture I found on the internet you might have seen this I think the mouse is a really good risk manager why is the mouse over a good risk manager because he's facing a an uncertain situation and he is doing some kind of assessment and thinking and preparation in order to make sure that he achieves his objectives so what is he seen what is the mouse thinking about well the mouse has seen the trap and so the mouse is very focused on the trap and it doesn't want to be killed or injured its objective is to stay alive and so he's done his preparation he's put his little helmet on and he's going to make sure that he minimized or avoids the possibility of getting killed or injured very good and he's a good risk manager we should be like the mouse because there are traps in our projects traps in our business things that could waste time that could waste money that could destroy reputation that could damage value that could kill or injure people and as risk people we have to look ahead and see those things they get ready and prepare and make sure that we minimize or avoid the chance of those things happening right that's what we do so we like the mouse facing the trap we have to make sure that we don't get killed or injured good is there anything else that the mouse is interested in is there any other uncertainty that matters in the picture well of course there is and it's this here this is another uncertainty that matters can I get that cheese off the trap because another objective of his is obviously to be eaten to grow strong and to have the energy to do whatever it is that mice to make more mice I suppose and so here's uncertainty he's got to make sure he gets them and that the cheese off the trap which he might not be able to do and he's actually got to manage that quite carefully in fact what he's got to do is manage two types of uncertainty at the same time he's got to make sure that he's not killed or injured and gets the cheese and of course if he only manages one of those then he's failed if he gets the cheese off but he's fatally wounded and dies in the process what he's failed if he's very very careful and doesn't spring the trap but he doesn't get the cheese then he's failed he's got to do both and we are like the mouse in our projects and in our businesses because we don't only focus on traps there are uncertain things that if they happen would damage us damaged reputation value and and cost and so on but those aren't the only things we're interested in in the world of projects we're trying to create value which one to deliver benefits we're trying to do things that have never been done before and because projects are risky there's no guarantee that we'll be able to do that we can't say for certain when we embark on a project that it's going to work that it's going to deliver any valuable benefits or create anything worth having at the end that's why we do the project that's why we need project management so we can't say for certain we're going to get the cheese out of this situation and as risk specialists working in projects we've got to do two things stop things going wrong on our projects don't allow people to damage reputation waste time waste money upset the customer all those things and get as much value and benefit as possible out of our project at the same time so if we deliver on time we don't waste time don't waste money don't upset the customer but we don't create any value we failed if we create value we deliver some benefits create some output from our project and then we upset everybody and we're double-o-double the budget we're too late for it so let's fail - we've got to do both of these things at the same time now why we concentrate all that is because there are two types of uncertainty that matter there are uncertainties as if they of the curve could have a negative effect on objectives the traps but they're also uncertainties that if they occur it could help us to work faster smarter cheaper to get to our goal in the best possible way to be most effective to be most efficient and those things matter there are uncertainties that help us as well as uncertainties that harm us both are important and both need to be managed if their uncertainties that matter then they come in to verse scope of the risk process they count as risks even though they're good there are good risks as well as bad risks really and our challenge as risk specialists is to find the best possible way to get as much cheese as possible out of our projects whilst having the minimum chance of springing the trap and there's always a better way and as specialists this is we should be advising on this right and how do we do it in the best possible way so what does this mean for risk in terms of our definitions and concepts we need to embody the cheese as well as the traps in our thinking as well as in our practice so here's a definition from the PMI the project management institute it's a global body nearly half a million members they've got chapters in Sydney and Melbourne and the port code and so on and they have a project management body of knowledge with the risk of chapter chapter 11 and I was one of the core authors of that chapter for about 15 years or so and there's a joke in the contents list of the pin Bock because for our American brothers we made risk management chapter 11 and only the Americans laugh you see so it was a joke over there it doesn't work anywhere else anyway here's our definition and risk is an uncertain event or condition it's the same as the APM definition it's events and other things it's uncertain so it might never happen if it does happen it matters because if it occurs it has an effect on an objective good what about the cheese and the traps well PMI has heard of cheese and traps and actually put it in the definition but we didn't put cheese and traps but we put these words the risk isn't uncertainty that if it occurs has a positive or negative effect on an objective now there's another name for uncertainty with a positive objective we call that an opportunity it might never happen you can't happens it helps we're pleased about opportunities that turn into reality so these are uncertainties that matter threats are uncertainties with negative effects on objectives they might never happen if they do happen we're sad about it we wish they hadn't because they damage achievement objectives these are both uncertainties that matter and so they both come into the scope of our concept of risk and our practice of risk management and in case you think this is just the Americans in PMI going crazy and doing American things you know just going a different way we have the same sorts of things in other professional standards is the ISO standard ISO says that risk is effective uncertainty on objectives footnote effect is deviation from expected positive or negative APM says the same thing in their body of knowledge again lots of words but it includes positive and negative opportunities and threats this is not weird thinking this is not PMI American and crazy thinking this is best practice this is standard concept of risks the risk includes threats and opportunities downside and upside good risk and bad risk and so we need to manage both that means that our risk process needs to handle both types of uncertainty that matters and the question is nice theory does it how many opportunities are there in your risk register and if there aren't any then why why is that that you don't have opportunities in your risk register uncertainties that matter because if they happen they help you to work faster smarter cheaper so you go to the boss with your risk list and you say I've got a list here of all of the big risks he says go away I don't want to hear about that so just deliver solutions just but give me things that are sorted out I don't hear about things that might never happen anyway you guys are full of doom and gloom you're only going to give me problems that might never happen I don't want to know about that excuse me sir but there are two sections in my risk report and in this side I've got all of the things that might go wrong and there are some and we've prioritized that we've thought about them we've got some actions to make sure they don't to minimize them and then on this side of my report I've got a whole set of things that might help us to achieve our goals in a more effective way to save time to save money to delete to improve performance to to enhance our reputation and along with those we've prioritized them when we've got some actions to try and make them happen but I guess you don't want to see my risk report do you hang on a minute yes I do I know there's some things to worry about what are these other things that sounds really interesting and actually change whole nature of the risk discussion if we start talking about things that could help as well as things that can hop and as risk professionals it's our it's our duty and also actually it's quite quite pleasant to be able to go to people with two lists some things to worry about with actions some things to get excited about with actions and we really need to do both if you've only got the downside in your risk process and your risk register and reports you're missing a trick you're not helping your projects or your organization in the way that you couldn't should I think all right okay and let me move on to something else we've talked about uncertainty that matters we've talked about four types of uncertainties stochastic aleatory epistemic and ontological we've talked about two different ways of mattering positive or negative I'd like to talk about something which you might or might not have thought about which I think we do need to think about and that's the difference between risk and risks at which point I can hear you thinking he's really lost it now you know versus yeah it was kind of bit of a stretch so far I think I kind of follow but this is just like no no what's the digits between risks and risks is there any real difference is it singular plural well I think there is a difference and let me illustrate it from the world of projects with this question how is risk seen from a higher perspective of outside the project whether it's the project sponsor or the program manager or an external client when they look at the project and they ask you this question how risky is your project how do you answer the question and if you give them the risk register and say this risk register with 30 40 50 risks prioritized threats and opportunities with actions this is the answer to the question how risky is your project is that what they're asking they are asking something different they're not asking about what the risks are they want to know how risky the project is this is about risks individual discrete things uncertainties that matter this is about something different we might call this overall project risk which is a different concept from individual risks so we have individual things that we write down in the risk register that we need to understand scope assess respond to and so on and then we've got some way of putting all of that together to talk about the risk of the project you might talk about the risks in the project versus the risk of the project now I think this is different this is a different concept and if we look in the bodies of knowledge you'll see that there are different definitions so we've got a definition in the APM body of knowledge of this thing called overall risk it's not about uncertain events or sets of circumstances now it's about the overall exposure of stakeholders to the consequences of variation in outcome it's about the accumulation of some individual risks and all sorts of other types of uncertainty anything that matters to the overall project deliverables is part of that overall project risk and there different PMI says exactly the same thing and has a practice standard for project risk management it says overall project risk is the effect of uncertainty on the project as a whole not the same as individual risks so there's something different to think about here we need to be thinking about what is the riskiness of my project which is different from all of those risks that I write down and try and deal with and just in case you're not so interested in the project world this actually applies right throughout the business if we're talking about what's the strategic or corporate risk exposure of our organisation is it the same as the content of the corporate risk register no it's not in the corporate risk register you have five ten twelve twenty individual risks and the board want to be interested in and so do our other stakeholders what is the overall risk exposure how do you convert one into the other we need to know how to do this so for the project manager back to project level the project manager is accountable for managing the overall risk exposure of the project and to do that he deals with the individual risks within the project as well so that means that as project risk people then we need a language and a process and techniques for dealing with overall project risk as well as individual project risks does that make sense so it's not just done at the higher level of enterprise risk management or program risk management this is part of the job of managing risk on projects and we've got to work up some kind of language or techniques or approach to deal with that now I'd like to suggest to you a way of thinking about it and we don't have time to go into lots of detail but maybe this just might be a start I call this implicit versus explicit risk management I'll demonstrate it at project level but it applies right the way up the risk hierarchy from projects to programs programs to portfolios portfolios to departments or functions departments and functions to the corporate so at every level we can do implicit implicit explicit by implicit risk management what I mean is the overall riskiness of the project which is driven by its structure and scope content and context what's in the project what is the project and our decisions about that will affect the overall riskiness of the project we don't manage individual risks we think about what the project is and every decision you make about the type of functionality or performance to include within your project about what assumptions you think will be true and what constraints you will accept everything you do in terms of our our performance targets around these questions affect how risky the overall project is we're not thinking about individual risks at all we're thinking about the characteristics of the project this is implicit it's built into the nature and the decisions about the project itself which will influence its riskiness okay once we've done that and we've defined our project with a given structure scope content in context in other words with a given level of overall risk then we take it into our experts at risk process which we're used to doing with identifying assessing developing responses and ribbons and like that and implementing and so on and then we deal with the individual risks within the project so we've got we've got the kind of the big picture what are we doing here and the smaller detail picture and how are we doing it and these are two levels of risk management two levels of thinking two levels of implementation and if we're risk specialists and our task is to support risk management on projects we need to help our stakeholders our project managers our customers to think about risk on these on both of these levels and we need to have thought about it ourselves first and we need to have clear processes in our minds for dealing with those things so we can help them through it okay I think I probably said enough to confuse you or hopefully not confuse you too much but to give you some things to be thinking about this thing of risk management it's not easy that's why it needs risk professionals risk specialists if it was easy everybody would do it and then we'd be out of a job and actually that might not be such a bad thing and part of our role maybe might be to work ourselves out of a job so people can manage their own risks without the kind of specialist support that we offer but at this stage in the development of the discipline and I would call it a discipline and perhaps not a profession and we've still got some things to help people with in terms of the concept of risk and the way the concept affects the practice in terms of what uncertainties that matter we include within the scope of the risk process that we talk to people about so when we facilitate risk workshops what kinds of things are we expecting to get out of it so we can help them to write those down if we've never thought about aleatory or ever steaming or ontological uncertainty then we won't help them to think about it those risks will remain unseen and unmanaged so we've got a job to do and I think it's not not necessarily an easy job it starts with that concept that risk is uncertainty that matters risk is any uncertainty that matters not just future uncertain events that includes good things and bad things opportunities as well as threats and we need to make sure that we manage both of those things through the risk process and we also need to be thinking about the next level up of riskiness of risk in addition to risks those discrete individual things that we manage through our explicit risk management process both of these things are important and if we want to be leading at helping our organizations to manage risk properly we need to be doing these things too so here are the questions for you I know you're supposed to ask me questions but here's the questions for you is this what do you think about risk you know we're talking about new concepts so are these your concepts and if not why not do you do it this way because you could and you should and if you want to do it this way what has to change you know we can come to these sort of seminars and sessions and watch the video and read the books and think more I never thought about that before and then off you go back to work this afternoon back into the routine and just do what you've always done and nothing changes here are some new ideas which are important and which we need to engage with and grapple with and reflect on and think about because they also affect our behavior project risk management is important because it's a contributor to the success of projects and projects contribute to the success of our businesses and businesses create value for society in the wider world so this is important we have a number of areas to think about and what we need to do is so think about them and what we need is people who are prepared to just kind of step out from the normal profession normal routine and say right I mean have a go at this thing you know I'm gonna go out of that door and do things differently I'm gonna try in my organization including some of these new concepts I might need to break some rules and I might need to do something that hasn't ever been done before but if you don't do it who's gonna do it I'm trying to do it in my world and with my clients and through through our risk doctor Network but you know I don't work with you you work with you and so you have to do these things otherwise they're not going to get done we really need some people to step up to the mark and to say okay this is not good enough you know we're not doing well enough in our risk management in projects and something needs to change and I'm going to make it happen so if we're the risk faculty of the Institute and we're the risk specialists then we're in the front we have to do something different and let me finish with two quotes Einstein said this insanity is doing the same thing over and over again what do you really meant to say I think which is perhaps a little easier to understand is that if you always do what you've always done you'll always get what you've always got and the question is is that good enough are we happy with what we've always got in the world of risk management is it delivering results and delivering value if not something has to change and Gandhi said something which is much wider than just risk management but it applies to us too if we're thinking about change you must be the change you wish to see in the world don't leave it to me you don't leave it to speakers and writers and you know people who run Institute's you're the ones on the ground engaging with your products and business you've got to be that change and embody it and make it happen it's not impossible it is difficult but it's worth doing so that's the challenge I'd leave you with I hope you found that interesting and useful all of those ideas are explored in lists of a book and there's a voucher on the table people 35 percent off get it on Amazon you get it on Kindle but I'm not here to sell books I'm here to enlarge your thinking and to help you to do a better job

Info

Channel: RiskDoctorVideo

Views: 18,710

Rating: 4.963964 out of 5

Keywords: risk, risk management, Risk Doctor

Id: SCb8p4OJa9I

Channel Id: undefined

Length: 50min 33sec (3033 seconds)

Published: Tue Nov 12 2013