Identifying Risks – Who is that Person?

When it comes to identifying risks, there is a wide range of formal and informal techniques you can use. I have no doubt that I will return to some of them in future blogs. However, there is one way to get a jump start on the process.

Is there somebody you know …

… who always seems sceptical about your new ideas, innovations or initiatives?  You know the person I mean; their favourite response when you propose making changes is to suck air between their teeth, shake their head slowly, and say something like:

“I don’t think I would do that if I were you”

Harness the power of scepticism

You may or may not find that level of scepticism (some will call it cynicism) draining.  You may even share those traits yourself.  But whatever your attitude, my advice is to harness it.  Some people do seem to have an innate ability to see problems ahead.  They are not so much “glass half empty” people: they are more “I’d better not take my eyes off the glass or someone will drink it” people.

If you know someone like that, they can be a huge asset when you are starting to plan a new project, an organisational change, or an innovative product.

So sit them down, explain your plans, your ambitions and your hopes, and then ask the question:  “so, what do you think?” When you get that answer, ask the next, more important question:

“Tell me twenty ways it could all go wrong?”

They will.  And instantly, you have your first set of risks identified and ready to analyse.

The “so what?”

Use every resource you have to identify risks. The sceptics are among your most valuable resources: harness their insights into failure modes.

That said, of course, analysing the risks they have identified is your responsibility.  What may seem, to your sceptic, an inevitable point of failure may, on careful analysis, be a remote (but real) possibility.  Of course, estimating these likelihoods is far from easy – but that’s another story.


6 thoughts on “Identifying Risks – Who is that Person?”

  1. Glen B. Alleman

    This approach will overload the risk register unless those skeptics can provide a probability of occurrence and the related mitigation or retirement plan.

    Simply making lists is the easy part; assessing the risks, handling them, and ordering them (paired comparison of Borda Ranking) is needed before it can be called Risk Management.


    for some background on the steps needed for an effective risk management program.

    The US Navy Research Lab has done extensive work on the psychology of capturing and ranking risk. The skeptic may or may not be the best source, since the skeptic will rank everything as “possible” in the absence of the “subject matter understanding,” of the actual risk and then drive the risk register into a costly mitigation process.

    You are correct in that “everyone” must contribute, but then the risk analysis process must be used to process this information.

    Finally, these mitigations or retirements must be embedded in the master schedule in some way. Otherwise, when the risk becomes an issue, there will be no funding or allocated schedule time to handle them and the project will be late and over budget. Just as if the risk management process was not present in the first place.

    Glen B. Alleman
    VP, Program Controls

    1. Mike Clayton Post author

      Glen – thank you for taking the time to post such a full comment and I can only agree with it. I am not in any way saying that suggested risks should be taken at face value – and a low enough estimation of likelihood may quite properly result in a “Tolerate” strategy.

      However, just because a risk comes up that is “inconveniently implausible” it does not mean you should not assess it and make a documented decision on how to handle it (or to tolerate it). To do otherwise is a failure of project governance. Rather than describing this as “overloading” the risk register, I would rather see PMs use an effective sort or filter strategy when using their register as a risk management tool. They can then feel free to add risks – however unlikely – to their register in its other primary role of part of the project governance and audit trail.

      A lovely story from a former colleague: “Mike” he said, over a beer, “you know we used to wonder whether to record the wildly unlikely risks that came up at a risk identification workshop, and you always said we must. Well, one of them was that an office might flood. And one of our offices just did. We’ve activated a contingency plan.”

      1. galleman

        Did say ignore. But the risk management processes we use in space and defense have a “risk review board.” This is where the assessment of the credibility of the risk takes place.

        The RRB’s job is to question the submitter regarding the risk, its source, the other details of the risk and its impact. In other words, did the submitter do her homework, or is this risk just off the top of her head?

        Without this process, the risks that get put on the register have no qualifications and you might as well just make a list.

        So for the office might flood risk, was there a credible source of the flooding? Was this source verified that it might actually cause flooding? The anecdotal example we use to stop this type of behavior is to ask “what’s the probability of the comet hitting the building while we’re in it?”

        So if people are adding risks, no matter how implausible, who do you vet those risks? Or does the register just grow without bound and consume all the available management resources simply responding to the risks in the Risk Board Meeting?

  2. Josh Nankivel

    Glen has a solid point. On my last project we held a risk brainstorming session which yielded a list of probably 50-60 risks, yet 5-10 out of that list were actually addressed as risks.

    For the shortlist of about 10-20 candidates, we went through a careful definition phase to properly form them and assess whether or not they were valid. You’ll see in some cases that they aren’t risks at all. Remember the syntax for definition, it will make the evaluation and quantification process much easier:

    Given that [situation]
    there is a possibility of [event]
    resulting in [consequence(s)]

    Some of the other risks were valid, but just not likely/big enough to make the short list. Sometimes individuals will be very nervous about a risk, but it’s a local impact and less important than other risks when you are looking from a project/program perspective. On a large project like the one I was on, we had mini-risk boards for the element levels, so they dealt with those smaller risks and escalated to the IPT or project level as needed. At the element level it’s mostly team leads being aware of the risks and doing what they can to mitigate and prepare for them as needed.

    Just as the minute details of the work don’t need to be managed “from on high”, minute and local risks should also be managed at the appropriate levels.

    Josh Nankivel

    1. galleman

      Josh and Mike,
      To get calibrated, I’m currently working 3 programs as the PP&C advisor. They range in size from $50M to $500M. Two are software intensive and the 3rd is a DOE construction project.

      Each has around a dozen risks in the register. They range from things like – feedwater make up contamination undetected from the flue stack to the algae farm to flight dynamics of attachment ring oscillates faster than control loop can handle during upset condition.

      In many cases we experience, risks are confused with known issues. Resource availability is an issue, behaviour of COTS software is an issue.

      You should think about risks in four ways:
      – Variation
      – Foreseen Uncertainty
      – Unforeseen Uncertainty
      – Chaos

      These notions were first developed through the work of Arnoud De Meyer, Christoph H. Loch, and Michael T. Pich. They can be found on the INSEAD site.

      The variation items should be treated as issues with “handling” guided by the degree of variance. The Foreseen Uncertainty is just that “foreseen,” and can be addressed directly as “larger issues.” It’s only when you get to Unforeseen Uncertainty that “risk management” starts.

