no matter how you look at it, business is filled with risk. The only question is whether that risk is always a threat. Michael Hatfield, PMP, an author, instructor and PM Network columnist, answers with a resounding “yes.” David Hillson, Ph.D., PMP, of Risk Doctor & Partners, begs to differ.
Why is risk management important to project management?
Dr. Hillson: Projects are all about uncertainty. They're complex. They include interfaces and dependencies, and they are also based on assumptions, and we don't know how those are going to turn out. Sometimes we might have even made false assumptions. Projects are also done by people, and that brings added uncertainty. So risk management has to be at the center of the way that we manage projects.
RISK ANALYSIS says, “What have we got?” and risk management says, “What are we going to do about it?”
–DAVID HILLSON, Ph.D., PMP
Mr. Hatfield: David is right that projects are inherently risky, and there is a legitimate place for quantifying that risk and thereby managing it. But I would go so far as to say that once a project has kicked off—once the scope has been laid out and the cost and schedule baselines have been set—the information that risk analysis can provide a project manager in day-to-day decisions starts to fall off.
There's a prevailing theory that if anything goes wrong in a project, the proximate cause was a lack of planning or even poor planning. That's an unfortunate assumption, but because it's there, a lot of effort goes into trying to quantify future occurrences that will impact project performance.
Dr. Hillson: I think there's a distinction, Michael, between risk analysis and risk management. I agree with what you started to say. The role of risk analysis is in setting baselines and getting the original estimates as robust and realistic as possible. After that, as you get into the project, the value of risk analysis may diminish.
But risk analysis is not the same as risk management. Risk analysis says, “What are we going to do about it?” It's important that we don't just do the analysis and stop. Risk management is something we need to do constantly. That might be the distinction between us.
Mr. Hatfield: Under the threat of turning this into a semantics discussion, what you described as “risk management,” I would describe as management. It's how you deal with the bad stuff that comes up.
Is risk an opportunity or a threat— or both?
Dr. Hillson: It depends on who's asking the question. If you look into your standard dictionaries, then risk is only a bad thing. If you look in A Guide to the Project Management Body of Knowledge (PMBOK® Guide), then risk is both a good and bad thing. PMI and the PMBOK® Guide have an absolutely explicit and unequivocal position that risk is an uncertain event or condition that—if it occurs—has a positive or negative effect on achievement of one or more project objectives.
Mr. Hatfield: Thank you, David, for the concession that common dictionaries have not just a negative connotation associated with risk, but a negative denotation, as well. On the flip side, when you look up opportunity, the reference is always positive.
The PMBOK® Guide can redefine those commonly held terms to its heart's content. But that doesn't mean that they change in common usage.
The debate then moves on to, when we're in risk-analysis and riskmanagement space, are we also talking about opportunity analysis and opportunity management? I would argue absolutely not. When looking at traditional risk-analysis techniques, they're almost always oriented toward identifying hazards or dangers—avoiding them, absorbing them and mitigating them.
Dr. Hillson: Actually, that's really not true, Michael. For example, if you look at a Monte Carlo analysis, we often use a three-point estimate, which defines minimum, most likely and maximum—or optimistic, realistic and pessimistic—values. The question becomes, where does the optimistic or the minimum come from? That means you have to assume somehow you can beat the plan. You can only do that if there's an opportunity to work faster, smarter, cheaper than you actually thought you would.
Mr. Hatfield: Those opportunities, or what you call upside risks, exist only in the respect that they offset a larger body of potential negatives. If your company were called in to do a risk analysis of a baseline and you came back and said, “Well, we don't need any contingency because we, in fact, have identified enough upside risk so that it comes out balanced,” that would be a very rare project, indeed.
Dr. Hillson: As project managers it's important for us to manage all potential variability from the plan, to look at the things that might happen and to manage those proactively, wherever possible. Things could happen to make us late or cost us more money and so on. Equally, it's true that project managers need to manage potential upsides where we might save time or money.
I sometimes use a simple “predefinition” for risk which is just three words: Uncertainty that matters. This covers the possibilities of both negative variations and positive upsides. There are some uncertainties that could hurt you and delay you and hinder you from achieving your objectives. We might call those “threats.” And there are some uncertainties that matter because they could help you to achieve your objectives more efficiently and more effectively. We can call those “opportunities.” Both threats and opportunities are “uncertainties that matter,” so both are types of risk.
The reason PMI and others have brought opportunity within the risk management process is largely a practical one. We already have a process that works for managing uncertainty that matters. Up until now, we've only used it for managing negative uncertainties.
Mr. Hatfield: David, you redefined risk as uncertainty that matters. If the PMI Risk Specific Interest Group or special experts such as yourself have that latitude to redefine those terms in that fashion, then essentially, there's no aspect of project management that could be fairly said to lie outside the purview of risk management.
DAVID HILLSON, Ph.D., PMP is an international risk consultant and director of Hampshire, England-based consultancy Risk Doctor & Partners. Dr. Hillson is also technical director of PMI's Risk Management Specific Interest Group. He has written five books on risk, most recently Practical Project Risk Management: The ATOM Methodology [Management Concepts, 2007].
MICHAEL HATFIELD, PMP, is the New Mexico, USA-based author of upcoming Things Your PMO Is Doing Wrong [Project Management Institute, 2008] and a PM Network columnist.
Are senior-level practitioners and CEOs paying enough attention to risk management?
Mr. Hatfield: It depends on your industry. Pharmaceutical companies, for example, live and die by the expertise involved in their risk management. Other companies, such as those in construction that do firm, fixed-price contracts on buildings they've built 100 times all over the country, clearly don't need as much risk management as some others.
IF YOUR COMPANY WERE CALLED IN to do a risk analysis of a baseline and you came back and said, “Well, we don't need any contingency because we, in fact, have identified enough upside risk so that it comes out balanced,” that would be a very rare project, indeed. —MICHAEL HATFIELD, PMP
Are CEOs paying enough attention to project management? The short answer is probably not. But they're going to have some kind of project disaster. One of their high-priority projects will leave the rails. And then they'll get a sharp lesson in how much attention they should pay to risk management.
Dr. Hillson: A lot of what you said there, Michael, is limited to risk in projects. I take a broader view. I'd say that successful senior managers and CEOs always focus on risk and risk management, but not at the level of project risk. Project managers have to manage project risk. Program managers manage program risk. And CEOs and senior managers manage strategic risk.
They're thinking about their profitability, reputation and market position. So they're constantly looking ahead, trying to predict the unpredictable. The ones who succeed are the ones who manage their strategic risks most effectively. That's not, of course, saying I need my project manager on the board. It's saying I, as a senior manager, need to manage the risks to my objectives.
If an organization has its objectives properly specified, then senior managers set strategic objectives and flow them down through the organization. The senior level shouldn't be worrying about some project's technical or tactical risks—unless something comes up on a project that has such a big impact that it affects the organization strategically.
Mr. Hatfield: David, you said you take a broader view. We're broadening the view to the point where we're trying to stipulate that risk analysis and risk management contain more than what legitimately belongs under that purview. I'd like to narrow those borderlines when we're talking about risk management. I understand you believe it should include opportunity management and strategic risk and so forth. I'm not as comfortable making it that broad of an umbrella.
Dr. Hillson: And that's where we agree to disagree, isn't it? PM