Spot Threats

What can go wrong, and how to prepare for it

As a teenager, I devoured Isaac Asimov’s non-fiction book, “A Choice of Catastrophes”, which catalogued the ways the world can end. There are doubtless newer books on this theme to cheer yourself with on a dull day.

Businesses and projects daily face less awful disruptions – but significant nonetheless, in their own way.  What can go wrong and how can you prepare for it?

Each year since 2002, the Chartered Institute of Management (MI) and the Cabinet Office have published a survey of business disruptions suffered in the previous year.  You can download the last two reports from the CMI website: 2011 and 2012, and an archive of earlier reports from the Cabinet Office site.

The Top Business Threats

The CMI report shows consistency in the top threats that have been suffered in the last few years: extreme weather, loss of IT, loss of people, loss of telecommunications, transport disruptions, and loss of access to site. In the 2012 survey, two other threats rose to near the top of the list: industrial action and school/childcare closures. You have no excuse for any of these catching you unaware in 2013!

The Top Project Threats

In my book, “Risk Happens!” I list the ten main threats that cause projects to fail. Of these, I seem to have been hearing more examples of some than others lately. So, my anecdotal top four in the UK currently are: lack of engagement and active support from senior leaders, stakeholders across the organisation holding unrealistic expectations, an over-focus on contract costs, rather than a more sophisticated assessment of the balance of risk, cost and value, and an over-commitment of the organisation to more projects and initiatives than it has the resources for.

Spotting Threats is Not Enough

Whether you are responsible for business as usual, a project, or your children’s birthday party, spotting threats is not enough: you need to do something. The underlying process is always the same and can be adapted to risk management, contingency planning and even business continuity preparations. It consists of five steps.

Step 1: Identify

Understand the context in which the threats will arise, the priorities that dominate, and the scenarios that could arise. Use these to identify as many threats as you can: what could go wrong. There is a wide range of techniques you can use beyond the familiar (and useful) approach of brainstorming.

Step 2: Analyse

How seriously should you treat each threat? Play out scenarios to understand the effects on processes and priorities. Cost these impacts in terms of what matters most to you: cash, delay, reputation, harm, etc. Also estimate the relative likelihoods and the proximity of the threat and combine these factors to prioritise them. For business continuity threats, the CMI report tells you, for example, that over the last three years, on average, 57% of respondents experienced disruptions due to bad weather. If bad weather could affect your business, you have ten months to prepare.

Step 3: Plan

If you have any, evaluate your existing plans and either strengthen them or develop new ones to reduce threat levels and prepare your organisation or project for adverse scenarios. Contingency and business continuity plans need to address all critical process areas, like IT, staff, communications, data and core operations.

Step 4: Action

Put your plan into action on four fronts:

  • manage threat levels and risk likelihoods downwards
  • prepare for adverse contingencies
  • Rehearse continuity and recovery plans
  • Communicate roles and responsibilities robustly

Step 5: Monitor and Control

Exercise your continuity plans and review outcomes.  Assess the impact of threat reduction measures. Continually scan for new risks. The diligent process of plan-do-review is your best defence against complacency. By introducing new people to the process regularly, you can get independent views on your work so far and fresh eyes on the threats you face.

Expect the Unexpected

Nassim Nicholas Taleb coined the term Black Swan events to represent events that are beyond our normal expectations, that have significant disruptive impact and for which convincing post hoc explanations are always available: that is, Black Swans are always predictable in hindsight; but never with in advance.  Yet we know Black Swans exist, so what can you do?

Black Swan seen on family outing

Prepare for the Unexpected

You don’t know what black swan events to expect in your project, programme or organisation, but you can be sure it is worth preparing for them. So instead of worrying about what; focus on how. Look at how an unexpected incident could affect you, rather than what that disruption might be. How robust is your project or organisation to a set of simultaneous disruptions? And what can you do, to strengthen it?

Risk Happens! Manage Risk and Avoid Failure in Business Projects, by Mike Clayton

Risk Happens!

Risk Happens! is perhaps the most comprehensive introduction to project risk management available. It follows a simple process, offers a wealth of practical tools and techniques and fully embraces Mike’s trademark pragmatic style for getting things done rigorously and simply. It contains 57 figures and diagrams and 60 tables and checklists that you will want by your side, day-to-day.
Risk Happens! is available in paperback and all eBook formats, including Kindle.

Risk Happens! Website


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s