Risk Management Archives - The Project Foundry

24 August 2016

Risk Management – Always bet on black

ProjectFoundry
AtoZ
Governance, Risk Management
0

It’s Vegas Baby!

In this article I’ll pose the question whether the problem is that people (or executives or both) don’t know what risk is or choose to ignore it. We will see what the implications of either and/or both are.

“The streets at Edwards Air Force Base, where the majority of both the Air Force and NASA aeronautical flight testing and research takes place, are not named for generals. They’re named for pilots killed on test flights. It’s a reminder to all who work there that the junction between technology and nature can be a dangerous place.”
(Lane Wallace, Why We’re So Bad at Managing Risk, 2010).

“The streets at Edwards Air Force Base, where the majority of both the Air Force and NASA aeronautical flight testing and research takes place, are not named for generals. They’re named for pilots killed on test flights. It’s a reminder to all who work there that the junction between technology and nature can be a dangerous place.”
(Lane Wallace, Why We’re So Bad at Managing Risk, 2010).

In the same article Lane goes on to talk about the catastrophic oil spill in the gulf. She points out that BP is not new to offshore operations or the risks inherent in drilling into the earth. Lane asks the question “how did the company misjudge the dangers, risk and consequences of an accident so badly?” Herein lies the crux of it. Financial return will trump any and every other concern.

Leaving the stark reality of the Deepwater Horizon oil spill, the Challenger space shuttle accident and the emotive discussion on where the blame lies. Let’s have a conversation about the industry we all work in, an industry where technology and people co-exist and collaborate for commercial reasons.

Substituting risk management failures for NASA and BP disasters I want to know how we keep getting it so wrong… so often? My assertion is that Lane Wallace thinks the easy answer is, there’s a financial incentive for going forward, and a financial disincentive for holding back. Is that it? Does it all come down to money at the end of the day, no matter what the consequences? Or is it more nuanced?

Richard Leblanc wrote an article 25 Reasons for Risk Management Failure (2015). Having spoken to directors and officers about risk management he presented 25 reasons for risk management failure. The link to Richard’s article will be included at the end of this post. For now I want to include a subset from Richard’s list to see do they all, some or any of them resonate with you:

Lack of enterprise risk management expertise on the board.
Governance gaps over a material risk(s) within the board or across committees.
Directors incapable of identifying and fully understanding the risks, or worse yet, don’t want to understand. Committees show no interest when they should be shocked.
Internal oversight functions reporting to management instead of the board. A complacent board does not correct.
Directors do not insist on a real-time line of sight over material risks and their mitigation/treatment.

I like that Richard lets the voice of those he interviewed do the talking for him instead of sermonising. Richard does conclude (in his introduction) that “based on my experience assisting boards, including boards that have failed and boards that cannot afford to fail… I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.”

Lane Wallace points out that “risk is an elusive, and ultimately unconquerable, opponent.” That said Lane advises to “expect the unexpected. And plan accordingly.” Expect the unexpected. And plan accordingly. We don’t. Why? Richard Leblanc presents the reasons. “I have never encountered a risk management failure where the board was not at fault, based on what the board said or did, or failed to say or do.” The three wise monkeys strain of the C-ostrich, Do-ostrich disease has reached epidemic proportions. Is it, like risk, an ultimately unconquerable opponent?

I’ll leave you with this question? When is the next Deepwater Horizon oil spill or the Challenger space shuttle accident going to happen? Place your chips. Roll the dice. It’s Vegas baby!

Please read Richard’s article (http://corporatecomplianceinsights.com/25-reasons-for-risk-management-failure/) to see the full list. It’s insightful and frighteningly familiar.

For an even more frightening example of risk management failing please read Lane’s article: http://www.theatlantic.com/technology/archive/2010/06/why-were-so-bad-at-managing-risk/57522/

24 February 2016

Project Governance… works except when it doesn’t

ProjectFoundry
AtoZ
Governance Communication, Measurable success criteria, Risk Management
0

An exceptional certainty if you will.

In last week’s blog we identified why IT projects fail and included such reasons as lack of user involvement, scope creep, communication, controlling budget and time. We also included poor governance as a reason.

“For how could you establish even the most obvious fact when there existed no record outside your own memory?” (1984 by George Orwell).

“For how could you establish even the most obvious fact when there existed no record outside your own memory?” (1984 by George Orwell).

Despite all the literature and evidence, the one thing that is clear is that organisations are not learning from previous lessons. When it comes to learning lessons is it better to learn from why projects fail or why projects succeed? The answer is from both.

When you analyse the reasons why projects fail and there are many (those identified in last week’s blog are by no means all of them), it is difficult (maybe impossible) to pinpoint one overriding factor that causes project failure. The issues (reasons) mentioned above (and in last week’s blog) are interlinked and are not really ‘technical’ issues, but rather ‘human’ issues that relate to management and training.

When it comes to fixing the issues (reasons project fail) where do you start? There are a number of formal models available for assessing organisational maturity in project management, each with its own set of advantages and limitations. Personally I am an advocate of the P3M3 maturity framework used for portfolio, programme and project management but canvasing support for it is thought food for another day. For now let’s say we have five seconds to choose an issue to tackle? Clock ticking. I choose poor governance and my weapon of choice to fix it (poor governance) is risk management. It is my view that an effective risk management approach to project governance can be used to ensure the maximum benefit and potential.

A survey conducted by the UK Government in 2013 listed “decision making failures” as one of the top five reasons for project failure. Although the discipline of risk management has matured, we continue to see projects failing to deliver successfully and by this we mean failing to deliver the expected outcomes as per their business cases.

The same study listed governance and stakeholder management as the second and third most common drivers of project failure.

What does good (effective) governance look like?

Informed decision-making.
Ability (and authority) to provide appropriate
Appropriate (“custom-fit”) and understood project management methodology or framework.
Skills and capability (knowledge and experience) of those governing.
True
Transparent (not “lip service” or token) information exchange and communication.
Common, clear outcomes universally understood and
Invested

So risk management? Risk management, along with other knowledge areas of project management, contribute to a decision maker’s ability to make decisions.

My recommendation is that you develop and implement a risk management framework (driven by metrics) that examines risks in light of potential threats’ potential to effect the strategic goals of the project. Note: early posts on Benefits Realisation, Change Management and Delivery Maturity Assessment where I ask the C-suite executives (those cured of the dreaded C-ostrich, Do-ostrich affliction) to align all projects’ outcomes to their organisations’ strategic goals, otherwise why… why… why do the project?

The risk management framework will help organisations better identify, assess and respond to business threats in alignment with overall business goals. The method consists of three steps: identify, assess and action. This method is based on the fundamental principles of The Project Foundry’s 3As Maturity Model (read more here!):

Step one: establish goals for the risk management framework
Step two: align risk management framework with key business objectives and operations in order to develop key risk indicators.
Step three: design/define the risk management framework rules, principles and guidelines including when to involve the various levels of the organisation including C-suite executives, lines of business and IT.

In summary I am a dummy so I always like to follow a dummy’s guide. If you follow this dummy’s guide I think you will have more successes than failures:

Align projects to organisation’s strategy.
Define measurable success criteria for your projects.
Develop a risk management plan based on these metrics.
Align your governance plan to the triggers defined in your risk management plan.
Don’t forget to talk! It makes things so much easier.

“And if all others accepted the lie which the Party imposed – if all records told the same tale – then the lie passed into history and became truth. “Who controls the past,” ran the Party slogan, “controls the future: who controls the present controls the past.” And yet the past, though of its nature alterable, never had been altered. Whatever was true now was true from everlasting to everlasting. It was quite simple. All that was needed was an unending series of victories over your own memory. “Reality control,” they called it: in Newspeak, “doublethink.” (1.3.18)” (1984 by George Orwell).

Finally for this week, if it’s worth doing, it’s worth doing right. If it’s not being done right, change it or leave!

“And if all others accepted the lie which the Party imposed – if all records told the same tale – then the lie passed into history and became truth. “Who controls the past,” ran the Party slogan, “controls the future: who controls the present controls the past.” And yet the past, though of its nature alterable, never had been altered. Whatever was true now was true from everlasting to everlasting. It was quite simple. All that was needed was an unending series of victories over your own memory. “Reality control,” they called it: in Newspeak, “doublethink.” (1.3.18)”

(1984 by George Orwell).

See you next week! If you have liked what you have read please like and remember to share.