Managing risks in complex projects


Dealing effectively with risks in complex projects is difficult and requires management interventions that go beyond simple analytical approaches. This is one finding of a four-year recently concluded field study into risk management practices of 35 large projects in 17 high-technology companies. Almost one-half of the contingencies that occur are not being detected before they impact project performance. Yet, the risk-impact model presented here shows that risk does not affect all projects equally, but depends on the effectiveness of collective managerial actions dealing with specific contingencies. Some of the best success scenarios point at the critical importance of recognizing and dealing with risks early in the project life cycle and decupling them from work processes before they impact project performance. This requires broad involvement and collaboration across all segments of the project team and its environment, plus sophisticated methods for assessing feasibilities and usability early and frequently during the project life cycle. Specific managerial actions and organizational conditions are suggested for early risk detection and effective risk management in complex project situations.


Uncertainty is both a reality and great challenge for most projects (Hillson, 2010, ¶2). The presence of risk creates surprises throughout the project life cycle, affecting everything from technical feasibility to cost, market timing, financial performance, and strategic objectives (Loch, Solt, & Bailey, 2008, p. 28; Thieme, Song, & Shin, 2003, p. 104). Yet, to succeed in today's ultracompetitive environment, management must deal with these risks effectively despite these difficulties (Buchanan, & O‘Connell, 2006, pp. 34–35; Patil, Grantham, & Steel, 2012, pp. 35–40; Shenhar, 2001, pp. 394–410; Srivannaboon & Milosevic, 2006, pp. 185–190). This concerns executives, and it is not surprising that leaders in virtually all organizations, from commerce to government, spend much of their time and effort to deal with risks-related issues. Examples trace back to ancient times that include huge infrastructure projects and military campaigns. Writings by Sun Tzu articulated specific risks and suggested mitigation methods 2,500 years ago (Hanzhang & Wilkinson, 1998). Risk management is not a new idea. However, in today's globally connected, fast-changing business world with broad access to resources anywhere, and pressures for quicker, cheaper, and smarter solutions, projects have become highly complex and intricate. Many companies try to leverage their resources and accelerate their schedules by forming alliances, consortia, and partnerships with other firms, universities, and government agencies that range from simple cooperative agreements to “open innovation,” a concept of scouting for new product and service ideas anywhere in the world. In such an increasingly complex and dynamic business environment, risks lurk in many areas, not only associated with the technical part of the work but also include social, cultural, organizational, and technological dimensions. In fact, research studies have suggested that much of the root cause of project-related risks can be traced to the organizational dynamics and multidisciplinary nature that characterizes today's business environment, especially for technology-based developments (Torok, Nordman, & Lin, 2011). The involvement of many people, processes, and technologies spanning different organizations, support groups, subcontractors, vendors, government agencies, and customer communities compounds the level of uncertainty and distributes risk over a wide area of the enterprise and its partners, often creating surprises with potentially devastating consequences. This paradigm shift leads to changing criteria for risk management. To be effective, project leaders must go beyond the mechanics of analyzing the work and its contractual components of the “triple constraint,” such as cost, schedules, and deliverables, but also understand the sources of uncertainty before attempting to manage them. This requires a comprehensive approach with sophisticated leadership, integrating resources and a shared vision of risk management across organizational borders, time, and space. Currently, we are good at identifying and analyzing known risks, but weak in dealing with the hidden, less-obvious aspects of uncertainty (Thamhain & Skelton, 2007, pp. 37–40). Yet, some organizations seem to be more successful than others in dealing with the uncertainties and ambiguities of our business environment, an observation that is being explored further in this field study.

What We Know About Risk Management

We Are Efficient in Identifying and Analyzing Known Risk Factors. With the help of sophisticated computers and information technology, we have become effective in dealing with risks that can be identified and described analytically. Examples range from statistical methods and simulations, to business case scenarios and user centered design. Each category includes hundreds of specialized applications that help in dealing with project risk issues, often focusing on schedule, budget, or technical areas. Risk management tools and techniques have been discussed extensively in the literature (Bstieler, 2005, pp. 267–280; Cooper, Grey, Raymond, & Walker, 2005; Hillson, 2010, ¶2; Jaofari, 2003, pp. 47–52; Kallman, 2006, p. 46). Examples include critical path analysis, budget tracking, earned value analysis, configuration control, risk-impact matrices, priority charts, brainstorming, focus groups, online databases for categorizing and sorting risks, and sophisticated Monte Carlo analysis, all designed to make project-based results more predictable. In addition, many companies have developed their own policies, procedures, and management tools for dealing with risks, focusing on their specific needs and unique situations. Especially in the area of new product development, contemporary tools such as phase-gate processes, concurrent engineering, rapid prototyping, early testing, design-build simulation, CAD/CAE/CAM, spiral developments, voice-of-the-customer, user centered design (UCD), agile concepts and scrum have been credited for reducing project uncertainties. Furthermore, industry-specific guidelines (i.e., DOD Directive 5000.1, 2007), national and international standards (i.e., ANSI, CSA, ISO and National Institute of Standards and Technology, 2000), and guidelines developed by professional organizations (i.e., A Guide to the Project Management Body of Knowledge (PMBOK® Guide)—Fifth Edition [Project Management Institute, 2013]), all have contributed to the knowledge base and broad spectrum of risk management tools available today.

We Are Weak in Dealing with Unknown Risks. These are uncertainties, ambiguities, and arrays of risk factors that are often intricately connected. They most likely follow non-linear processes, which develop into issues that ultimately affect project performance. A typical example is the 2010 Deepwater Horizon accident in the Gulf of Mexico. In hindsight, the catastrophe should have been predictable and preventable. In reality, the loss of 11 workers and an environmental disaster of devastating proportion came as a “surprise.” While the individual pieces of this risk scenario appeared to be manageable, the cumulative effects leading to the explosion were not. They involved multiple interconnected processes of technical, organizational, and human factors, all associated with some imperfection and risk. Even afterward, tracing the causes and culprits was difficult. Predicting and controlling such risks appears impossible with the existing organizational systems and management processes in place.

We Are Getting Better Integrating Experience and Judgment with Analytical Models. With the increasing complexity of projects and business processes, managers are more keenly aware of the intricate connections of risk variables among organizational systems and processes, which limit the effectiveness of analytical methods. Managers often argue that no single person or group within the enterprise has the knowledge and insight for assessing these multi-variable risks and their cascading effects. Further, no analytical model seems sophisticated enough to represent the complexities and dynamics of all risk scenarios that might affect a major project. These managers realize that, while analytical methods provide a critically important toolset for risk management, it also takes the collective thinking and collaboration of all stakeholders and key personnel of the enterprise and its partners to identify and deal with the complexity of risks in today's business environment. As a result, an increasing number of organizations are complementing their analytical methods with managerial judgment and collective stakeholder experience, moving beyond a narrow dependence on just analytical models. In addition, many companies have developed their own “systems,” uniquely designed for dealing with uncertainties in their specific projects and enterprise environment. These systems emphasize the integration of various tools, often combining quantitative and qualitative methods to cast a wider net for capturing and assessing risk factors beyond the boundaries of conventional methods. Examples are well-known management tools, such as review meetings, Delphi processes, brainstorming, and focus groups, which have been skillfully integrated with analytical methods to leverage their effectiveness and improve their reliability. In addition, a broad spectrum of new and sophisticated tools and techniques, such as user centered design (UCD), voice of the customer (VoC), and phase-gate processes evolved, which rely mostly on organizational collaboration and collective judgment processes to manage the broad spectrum of risk variables that are dynamically distributed throughout the enterprise and its external environment.

Research Questions and Method

Despite extensive studies on project risks and its management practices (Wideman, 1992; Jaofari, 2003, pp. 47–57; Kallman, 2006, p. 46), relatively little has been published on the role of collaboration across the total enterprise for managing risk. That is, we know little about organizational processes that involve the broader project community in a collective cross-functional way for dealing with risks identification and mitigation. Moreover, there is no framework currently available for handling risks that are either unknown or too dynamic to fit conventional management models. The missing link is the people side as a trans-functional, collective risk management tool, an area that is being investigated in this article with focus on two research questions, which provide a framework for this exploratory field study:

RQ1: How do contingencies impact project performance, and why does the impact vary across different projects?

RQ2: What conditions in the project environment are most conducive to dealing effectively with complex risks?

In addition, I state four important observations made during discussions with project leaders and senior managers at an earlier exploratory phase of this study. These observations provide a small window into current managerial thought and practice. They underscore the importance of investigating the two research questions and providing ideas for future research and hypotheses testing.

Observation #1: Contingencies in the project environment do not impact the performance of all projects equally.
Observation #2: Early detection of contingencies is critically important for managing and minimizing any negative impact on project performance.
Observation #3: Performance problems caused by contingencies (risks) are likely to cascade, compound, and become intricately linked.
Observation #4: Contingencies in the project environment affect project performance more severely with increasing complexity and high-tech content of the undertaking.

While specific hypotheses testing appears premature at this early stage of the research, the research questions together with the field observations provide focus for the current investigation, including designing questionnaires, conducting interviews, guiding data collection, and discussing results. Furthermore, the field observations could provide the basis for the development of formal propositions, hypothesis testing, and future research.

Objective and Significance. Taken together, the objective of this study is to investigate the dynamics and cascading effects of risk scenarios in complex projects, and the management practices of handling these risks. Specifically, the study aims to improve the understanding of (1) the dynamics of risk impacting project performance, and (2) the human side of dealing with risks in complex project situations. Part of the objective is to look beyond the analytical aspects of risk management, examining the interactions among people and organizations, trying to identify the conditions most conducive to detecting risk factors early in the project life cycle and to handle them effectively. The significance of this study is in the area of project management performance and leadership style. The findings provide team leaders and senior manager with an insight into the dynamic nature of risk and its situational impact on project performance. The results also suggest specific conditions that leaders can foster in the team environment conducive to effective risk management, especially in complex project scenarios.

Key Variables Affecting Risk Management

By definition, risk is a condition that occurs when uncertainties emerge with the potential of adversely affecting one or more of the project objectives and its performance within the enterprise system (ISO, 2009; PMI, 2013). Risk can occur in many different forms, such as known or unknown, quantitative or qualitative, and even real or imaginary. Risk is derived from uncertainty. It is composed of a complex array of variables, parameters, and conditions that have the potential of adversely impacting a particular activity or event, such as a project. At the minimum, three interrelated sets of variables affect the cost and overall ability of dealing with risk, as graphically shown in Exhibit 1:

  1. Degree of uncertainty (variables, set #1)
  2. Project Complexity (variables, set #2)
  3. Impact (variables, set #3)

Understanding these variables is important for selecting an appropriate method of risk management, and for involving the right people and organizations necessary for effectively dealing with a specific risk situation.

Dimensions of risk management

Exhibit 1 - Dimensions of risk management

Data Collection Method

The work reported here is the continuation of ongoing research into risk management practices and team leadership in complex project situations(Skelton & Thamhain, 2007, pp. 36–47; Thamhain, 2011, pp. 40–45). This article summarizes four years (2008–2011) of this investigation, focusing on the risk management practices of 35 major product developments in 17 high-technology, multinational enterprises with a sample characteristics as summarized in Table 1.

Total sample population 560  
Companies 17  
Product development projects 35  
Project teams 35  
Team members* 489  
Product managers 9  
R&D managers 6  
Senior managers & directors 21  
Average project budget $4.6M  
Average project life cycle 18  
* Total team = Total team sample – project managers – product managers – R&D managers – senior managers  

Table 1: Summary of sample statistics

The current research uses an exploratory field study format with focus on four interrelated sets of variables: (1) risk, (2) team, (3) team leader, and (4) project environment. All these variables, plus the components of risk management, product development, team work, technology, and project management are intricately connected, representing highly complex sets of variables with multiple causalities. Researchers have consistently pointed at the nonlinear, often random nature of these processes (Bstieler, 2005, pp 267–284; Danneels & Kleinschmidt, 2001, pp 358–370; MacCormack, 2001, pp. 22–35; Thamhain, 2009, pp. 20–30; Verganti & Buganza, 2005, pp. 225–235). Simple research models, such as mail surveys, are unlikely to produce significant results. Instead, one has to use exploratory methods, casting a wide net for data collection, to look beyond the obvious aspects of established theory and management practice. I used my ongoing work as consultant and trainer with 17 companies to conduct discussions, interviews and some surveys, together with extensive observations, all helping to gain insight into the work processes, management systems, decision making, and organizational dynamics associated with project risk management. This method, referred to as action research, includes two qualitative methods: participant observation and in-depth retrospective interviewing. This combined method is particularly useful for exploratory investigations, such as the study reported here, which is considerably outside the framework of established theories and constructs (Eisenhardt, 1989, pp. 535–545).

The Questionnaire was designed to measure (1) risk factors, (2) frequency of risk occurrences, (3) impact on project performance, and (4) managerial actions taken to deal with contingencies (risks). To minimize potential misinterpretations or biases from the use of social science jargon, each of the 14 risk classes (e.g., summarized in Exhibit 3) was defined specifically at the beginning of the questionnaire.

Data Analysis. The data collected via questionnaires were evaluated and summarized via standard statistical methods, while content analysis was used to evaluate the predominately qualitative data collected via work process observation, participant observation and in-depth retrospective interviewing.


The findings of this field study are organized into three sections: First, a simple risk assessment model for tracking the effects of risk on project performance is presented. Second, the type of contingencies that typically emerge during project execution are identified and examined regarding their impact on project performance. Third, the managerial implications and lessons learned from the broader context of the quantitative and qualitative part of this study are summarized in two separate sections of this article.

A Simple Model for Risk Assessment

“Risks do not impact all projects equally.” This observation from earlier phases of this research is strongly supported by the formal results of this field study. The managerial actions of dealing with the event, such as eliminating or working around the contingency, greatly influence the ability of minimizing the magnitude of problems caused and the cascading effects that propagate through the organization. The dynamics of these processes is being illustrated with the risk impact model in Exhibit 3, showing the influences of the external and internal business environment. The Model suggests that contingencies affecting one part of a project, have the tendency to cascade throughout the project organization, with increasingly unfavorable impact on project performance, and eventually affecting the whole enterprise.

Risk-impact-performance model

Exhibit 2 - Risk-impact-performance model

Based on the performance impact, the model identifies four distinct risk categories:

Category-I Risks No impact on project performance. Two types of risks fall into this category. First, events that might occur in the external or internal project environment with potentially harmful impact on project performance in the future. These contingencies, such as a delayed contract delivery, labor dispute, technical issue, or priority change, are lurking in the environment, whether they are anticipated or not. But, they have not yet occurred, and therefore have not yet impacted project performance. By anticipating these contingencies, management can take preventive actions to mitigate the resulting impact if the event occurs. Second, events that actually occurred were identified and dealt with before they affected project time, cost, or other performance parameters.
Category-II Risks Impact on task or project sub-systems only. The risk events have occurred in the external or internal project environment with potentially harmful impact on project performance. However, by definition, these risk issues occurred at a lower level of project activity, such as a task or sub-system, and have not yet affected overall project performance. Examples are delayed contract deliveries, labor disputes, technical issues, or priority changes that can be solved “locally.” Although the resolution might require extra time, it is not part of a critical path, and therefore the performance impact is limited to a sub-set of the project. A similar situation exists for issues that affect cost, quality, or other performance parameters at the local level only. Thus, while these risks are expected to impact the whole project, they have not yet affected overall project performance. Therefore, timely managerial actions could minimize or even avoid such performance impact.
Category-III Risks Impact on project performance. Events that occurred in the external or internal project environment did impact project performance, such as schedules, budgets, customer relations or technical issues. The impact on project performance could have been a direct result of a contingency, such as a failure to obtain a permit, or resulting from an issue at a lower level, but propagating to a point that affects total project performance. Examples are test failure on a critical activity path, or problems caused at a lower level propagate to a point where they affect total project performance. However, by definition, the impact is still contained “within the project,” without affecting enterprise performance. Proper timely management actions can lessen the impact on overall project performance, and possibly minimize or avoid any harmful impacts on the enterprise.
Category-IV Risks Impact on project and enterprise performance. Events have occurred and have already significantly impacted overall project performance and the performance of the entire enterprise. Similar to Category-III, the effects could be immediate or cascading (i.e., Toyota's “accidental acceleration”). Proper management actions can lessen the final impact on both project and enterprise performance, but by definition, a certain degree of irreversible harm has been done to the project and the enterprise.

Contingencies versus Project Performance Impact

Using content analysis of the survey data from interviews and questionnaires, managers in this study identified more than 1,000 unique contingencies or risk factors, which have the potential of unfavorably impacting project performance. These contingencies were grouped into 14 sets, or classes of risks, based on their root-cause similarities. A graphical summary shows the 13 classes in Exhibit 3, ranked by average frequency as observed over a project life cycle. Typical project performance impact includes schedule slippage, cost overruns, and customer dissatisfaction. In addition, risks also affected broader enterprise performance, such as market share, profitability and long-range growth. On average, project leaders identified six to seven contingencies that occurred at least once over the project life cycle. However, it should be noted that not every contingency or risk event seems to impact project performance, as discussed in the previous section. As a most striking example, project managers reported “the loss or change of team members” (cf Exhibit 3, set #6) to occur in 38 percent of their projects, an event described as a major risk factor with potentially “significant negative implications to project performance.” Yet, only 13 percent of these projects actually faced “considerable” or “major” performance issues, while 22 percent experienced even less of an issue, described as “little” or “no” impact on project performance. Hence, 60 percent of projects with lost or changed team members experienced little or no impact on project performance. For most of the other 13 sets of contingencies, the statistics is leaning more toward a “negative performance impact.” On average, 61 percent of the contingencies observed in the sample of 35 projects caused considerable or major impact on project performance. The most frequently reported contingencies or risks fall into three groups: #1 changing project requirements (78 percent), #2 changing markets or customer needs (76 percent), and #3 communications issues (72 percent). These are also risk areas that experience the highest negative impact on project performance. They include approximately 80 percent of all projects with “considerable” or “major” performance issues. The specific statistics observed across all contingencies or risks recognized by project leaders in all 35 projects, is as follow: (1) 9 percent of the contingencies had no impact on project performance [Category-I Risks]; (2) 16 percent of the contingencies had some manageable impact on project performance [mostly Risk Category-II plus some Category-III]; (3) 14 percent of the contingencies had substantial, but still manageable impact on project performance [Category-III Risks]; (4) 49 percent of the contingencies had a strong, irreversible impact on project and enterprise performance [Category-IV Risks]; and (5) 12 percent of the contingencies resulted in project failure [mostly Category-IV Risks].

Mixed Performance Impact. Although the number of risk occurrences (frequency) was approximately equally observed by all 35 project leaders, the reported impact distribution was more skewed, with 20 percent of the project leaders reporting 71 percent of all considerable and major performance problems. This again provides strong support for Observation #1 stated earlier that “contingencies in the project environment do not impact the performance of all projects equally.” It is interesting to note that although all projects (and their leaders) reported approximately the same number of contingencies with normal distribution across the 14 categories, some projects were hit much harder on their performance (i.e., those 12 percent project that failed). This suggests differences in organizational environment, project leadership, support systems, and possibly other factors, which influence the ability to manage risks.

Senior Management Perception. When analyzing the survey responses from senior managers separately, we find that senior managers rate the performance impact on average 30 percent lower than project managers. That is, senior management perceives less of a correlation between contingencies and project performance. Additional interviews with senior managers and root-cause analysis of project failures strongly confirms this finding. While senior managers and project leaders exhibit about the same statistics regarding (1) the number of contingencies and risks occurring in projects and (2) the distribution of risks across the 14 categories (as tested by Kruskal-Wallis analysis of variance by rank), senior managers perceive less performance issues directly associated with these risks. That is, they are less likely to blame poor performance on changes or unforeseeable events (risks), but more likely are holding project leaders accountable for agreed-on results, regardless of risks and contingencies. The comment made by one of the marketing directors might be typical for this prevailing perspective: “Our customer environment is quite dynamic. No product was ever rolled out without major changes. Our best project leaders anticipate changing requirements. They set up work processes that can deal with the market dynamics. Budget and schedule problems are usually related to more conventional project management issues, but are often blamed on external factors, such as changing customer requirement.” This has significance in three areas: (1) perceived effectiveness of project management performance; (2) conditioning of the organizational environment; and (3) enterprise leadership. First, project leaders should realize that their performance is being assessed largely because of project outcome, not the number and magnitude of contingencies that they had to deal with. Although overall complexity and challenges of the project are part of the performance scorecard, they are also part of the conditions accepted by the project leader at the beginning of the project, and therefore not a “retrospective” performance measure. Second, less management attention and resources might be directed toward conditioning the organizational environment to deal with risks that specifically affect projects, because senior managers perceive less of a linkage between risk and project performance. This connects to the third area, the overall direction and leadership of the enterprise that affects policies, procedures, organizational design, work processes, and the overall organizational ambience for project execution and control, an area that probably receives less attention from the top, but could potentially influence project performance significantly, and an area that should be investigated further in future research studies.

Risk classes, frequency and impact on project performance

Exhibit 3. Risk classes, frequency and impact on project performance

Discussion and Implications

Seasoned project leaders understand the importance of dealing with project risks and take their responsibility very serious. However, foreseeing contingencies and effectively managing the associated risks is difficult and challenging. It is both an art and a science to bring the effects of uncertainty under control before they impact the project, its deliverables, and objectives. Given the time and budget pressures of today's business environment, it is not surprising that the field observations show project managers focusing most of their efforts on fixing problems after they have impacted performance. That is, while most project leaders understand the sources of risks well, they focus their primary attention on monitoring and managing the domino effects of the contingency rather than dealing with its root causes. It is common for these managers to deal with problems and contingencies only after they have impacted project performance, noticed in schedules, budgets, or deliverables, and therefore have become Category-II or III Risks. Only 25 percent of these managers felt they could have foreseen or influenced the events that eventually impacted project performance adversely. It is further interesting to note that many of the organizational tools and techniques that support early risk detection and management—such as spiral processes, performance monitoring, early warning systems, contingency planning, rapid prototyping, and CAD/CAM-based simulations—readily exist in many organizations as part of the product development process or embedded in the project planning, tracking, and reporting system. It is interesting to note however, that project managers, while actually using these project management tools and techniques extensively in their administrative processes, do not give much credit to these operational systems for helping to deal with risks. Although this is an interesting observation, it is also counterintuitive and needs further investigation.

Decoupling Risks from Projects: Cause-Effect Dynamics

The field study provides an interesting insight into the cause and effect of contingencies on project performance, including their dynamics and psychology. Whether a risk factor actually impacts project performance depends on the reaction of the project team to the event, as graphically shown in Exhibit 2. It also seems to depend on the judgment of the manager whether or not a particular contingency is blamed for subsequent performance problems. Undesirable events (contingencies) are often caused by a multitude of problems that were not predictable or could not be dealt with earlier in the project life cycle. During a typical project execution, these problems often cascade, compound, and become intricately linked. It is also noticeable that the impact of risk on project performance seems to increase with project complexity, especially technology content of the undertakings. From the interviews and field observations, clearly even small and anticipated contingencies, such as additional design rework or the resignation of a key project team member, can lead to issues with other groups, confusion, organizational conflict, sinking team spirit, and fading commitment. All these factors potentially contribute to schedule delays, budget issues, and system integration problems that may cause time-to-market delays and customer relation issues, which ultimately affect project performance. Realizing the cascading and compounding effects of contingencies on project performance, the research emphasizes the importance of identifying and dealing with risk early in the project life cycle to avoid problems at more mature stages. The study also acknowledges the enormous difficulties of actually predicting specific risk situations, their timing, root-cause, and dysfunctional consequences, and to act appropriately before they impact project performance.


Differences in Assessing Performance Issues between Project and Senior Managers

Project leaders and senior managers differ in their “true cause” assessment of performance problems, as was shown in the statistical analysis of Exhibit 3. Yet, there are additional implications to the perception of what causes performance issues. These perceptions affect the managerial approaches of dealing with risk. Specifically, we learn from the discussions and field interviews that project leaders blame project performance problems and failures predominately on contingencies (risk situations) that originate outside their sphere of control, such as scope changes, market shifts, and project support problems, while senior management points directly at project leaders for not managing effectively. That is, senior management blames project managers for insufficient planning, tracking and control, poor communications, and weak leadership. Additional field investigations show an even more subtle picture. Many of the project performance problems and failures could be root-caused to the broader issues and difficulties of understanding and communicating the complexities of the project, its applications, and support environment, including unrealistic expectations for scope, schedule, and budget, under funding, unclear requirements, and weak sponsor commitment.

The significance of these findings is in several areas. First, the polarized perspective between project leaders and senior managers creates a potential for organizational tension and conflict. It also provides an insight into the mutual expectations. Senior management is expected to provide effective project support and a reasonably stable work environment, while project leaders are expected to “manage” their projects toward agreed-on results. The reality is, however, that project leaders are often stretched too thin and placed in a tough situation by challenging requirements, weak project support, and changing organizational conditions. Moreover, many of the risk factors have their roots outside the project organization, and are controlled by senior management. Examples are contingencies that originate with the strategic planning process. Management, by setting guidelines for target markets, timing, ROI, and product features, often creates conflicting target parameters that are also subject to change due to the dynamic nature of the business environment. In turn, these “external changes” create contingencies and risks at the project level. Existing business models do not connect well between the strategic and operational subsystems of the firm, and tend to constrain the degree to which risk can be foreseen and managed proactively at the project level. It is therefore important for management to recognize these variables and their potential impact on the work environment. Organizational stability, availability of resources, management involvement and support, personal rewards, stability of organizational goals, objectives, and priorities are all derived from enterprise systems that are controlled by general management. It is further crucial for project leaders to work with senior management, and vice versa, to ensure an organizational ambience conducive to cross-functional collaboration.

Lessons for Effective Risk Management

Despite the challenges and the inevitable uncertainties associated with complex projects, success is not random. One of the strong conclusions from this empirical study is risks can be managed. However, to be effective, especially in complex project environments, risk management must go beyond analytical methods. Although analytical methods provide the backbone for most risk management approaches, and have the benefit of producing relatively quickly an assessment of a known risk situation, including economic measures of gains or losses, they also have many limitations. The most obvious limitations are in identifying potential, unknown risk situations, and reducing risk impact by engaging people throughout the enterprise. Because of these limitations and the mounting pressures on managers to reduce risk, many companies have shifted their focus from “investigating the impact of known risk factors” to “managing risk scenarios” with the objective to eliminate potential risks before they impact organizational activities. As a result, these companies have augmented conventional analytical methods with more adaptive, team-based methods that rely to a large degree on (1) broad data gathering across a wide spectrum of factors and (2) judgmental decision making. In this field study, I observed many approaches that aimed effectively at the reduction or even elimination of risks, such as simplifying work processes, reducing development cycles, and testing product feasibility early in the development cycle. Often, companies combine, fine-tune, and integrate these approaches to fit specific project situations, their people and cultures, to manage risks as part of the total enterprise system. An attempt is being made to integrate the lessons learned from both the quantitative and qualitative part of this study. Especially helpful in gaining additional perspective and insight into the processes and challenges of risk management, and in augmenting the quantitative data toward the big picture of project risk management was the information obtained while working with companies on specific assignments (action research). This includes discussions and interviews with project leaders and senior managers and the observations of project management practices. Therefore, within the broader context of this study, several lessons emerged that should stimulate thoughts for contemporary risk management practices, new tool developments, and future research.

Lesson 1.     Early recognition of undesirable events is a critical precondition for managing risk. In addition, project leaders must not only recognize potential risk factors in general, but also know when they will most likely occur in the project life cycle. Recognizing specific issues and contingencies before they occur or early in their development is critical to the ability of taking preventive actions and decoupling the contingencies from the work process before they impact any project performance factors. Examples include the anticipation of changing requirements, market conditions, or technology. If the possibility of these changes is recognized, their probability and impact can be assessed, additional resources for mitigation can be allocated, and plans for dealing with the probable situation can be devised. This is similar to a fire drill or hurricane defense exercise. When specific risk scenarios are known, preventive measures, such as early warning systems, evacuation procedures, tool acquisitions and skill developments, can be put in place. This readiness will minimize the impact, if the risk situation actually occurs. While the field study clearly shows the difficulties of recognizing risk factors ahead of time, it is fundamental to any risk management approach. It is also a measure of team maturity and competency and gives support to the observation made during this field study that “contingencies do not impact performance of all projects equally.”

Lesson 2.     Unrecognized risk factors are common in complex project environments. Contingencies (even after affecting project performance) often go unrecognized. In our field study, more than half of the contingencies that occurred were not anticipated before causing significant performance issues (Category-III Risks or higher). Most commonly, the impact is on cost, schedule, and risk escalation. To minimize these problems, collective, team-centered approaches of monitoring the project environment are needed. This includes, effective project reviews, design reviews, focus groups, action teams, gate reviews, and “management by wandering around (MBWA).”

Lesson 3.     Unchecked contingencies tend to cascade and penetrate wider project areas. Contingencies occurring anywhere in a project have the tendency to penetrate into multiple subsystems (domino effect) and eventually affect overall project performance. Many of the contingencies observed in this field study, such as design rework of a component, a minor requirements change, or the resignation of a team member, may initially affect the project only at the subsystem level. These situations might even be ignored or dismissed as issues of no significance to the project as a whole. However, all these contingencies can trigger issues elsewhere, causing work flow or integration problems, and eventually resulting in time-to-market delays, missed sales opportunities, and unsatisfactory project performance.

Lesson 4.     Cross-functional collaboration is an effective catalyst for collectively dealing with threats to the project environment. The project planning phase appears to be an effective vehicle for building such a collaborative culture early in the project life cycle. The active involvement of all stakeholders—including team members, support functions, outside contractors, customers, and other partners—in the project planning process leads to a better, more detailed understanding of the project objectives and interfaces, and a better collective sensitivity where risks lurk and how to deal with the issues effectively. Collaboration is especially essential for complex and geographically dispersed projects with limited central authority, and limited ability for centrally orchestrated control.

Lesson 5.     Senior management has a critical role in conditioning the organizational environment for effective risk management. Many risk factors have their roots outside the project organization, residing in the domain of the broader enterprise system and its environment. Examples are functional support systems, joint reviews, resource allocations, facility, and skill developments, as well as other organizational components that relate to business strategy, work process, team structure, managerial command and control, technical direction, and overall leadership. Senior management—by their involvement and actions—can develop personal relations, mutual trust, respect, and credibility among the various project groups, its support functions and stakeholders, a critical condition for fosterong an ambiance supportive to collective initiatives and outreach, conducive to early risk detection and management.

Lesson 6.     People are one of the greatest sources of uncertainty and risk in any project undertaking, but also one of the most important resources for reducing risk. The quality of communications, trust, respect, credibility, minimum conflict, job security, and skill sets, all these factors influence cooperation and the collective ability of identifying, processing, and dealing with risk factors. This field study found that many of the conditions that stimulate favorably risk management behavior are enhanced by a professionally stimulating work environment, including strong personal interest in the project, pride, and satisfaction with the work, professional work challenge, accomplishments, and recognition. Other important influences include effective communications among team members and support units across organizational lines; good team spirit, mutual trust, respect, low interpersonal conflict, plus opportunities for career development and advancement; and, to some degree, job security. All these factors seem to help in building a unified project team that focuses on desired results. Such a mission-oriented environment is more transparent to emerging risk factors and more likely to have an action-oriented, collaborative nature that can identify and deal with emerging issues early in their development.

Lesson 7.     Project leaders should have the authority to adapt their plans to changing conditions. Projects are conducted in a changing environment of uncertainty and risk. No matter how careful and detailed the project plan is laid out, contingencies will surface during its execution that require adjustment.

Lesson 8.     Testing Project Feasibility Early and Frequently During Execution Reduces Overall Project Risk. Advances in technology provide opportunities for accelerating feasibility testing to the early stages of a project life cycle. Examples are system integration, market acceptance, flight tests, and automobile crash tests that traditionally were performed only at the end of a project sub-phase or at a major integration point. However, with the help of modern computers and information technology we can reduce risks considerably by advancing these tests to the front-end of the project or to the early stages of a product or service development.

Lesson 9.     Reducing work complexity and simplifying work processes will most likely reduce risk. Uncertainties originate within the work itself. The observations from this field study show that the project work together with its complexities and processes contributes especially heavily to the uncertainties and risks affecting project success. Whatever can be done to simplify the project, its scope, deliverables, and work process will minimize the potential for problems and contingencies, make the project more manageable, and increase its probability of success. Work simplification comes in many forms, ranging from the use of pre-fabricated components to subcontracting, snap-on assembly techniques, material choices, and high-level programming languages.


Risks do not affect all projects equally is one strong conclusion from this field study. Actual risk impact does not only depend on the risk event, but also on the managerial actions of dealing with the contingency and its timing, which influence the magnitude of problems caused by the event and the cascading effects within the project organization. The risk-impact-on-performance model developed in this article contributes to the body of knowledge by providing a framework for describing the dynamics and cumulative nature of contingencies affecting project performance. The empirical results show that effective project risk management involves a complex set of variables, related to task, management tools, people, and organizational environment. Simple analytical approaches are unlikely to produce desired results, but need to be augmented with more adaptive methods that rely on broad data gathering across a wide spectrum of the enterprise and its environment. The methods also have to connect effectively with the organizational process and the people-side of project management. Some of the strongest influences on risk management seem to emerge from three enterprise areas: (1) work process; (2) organizational environment; and (3) people. I observed many approaches that effectively reduced risks by simplifying the work and its transfer processes, shortening development cycles, and testing project feasibility early. The best success stories of this field study point at the critical importance of identifying and dealing with risks early in the development cycle. This requires broad scanning across all segments of the project team and its environment and creative methods for assessing feasibilities early in the project life cycle. Many risk factors originate outside the project organization, residing in the broader enterprise and its environment. Therefore, it is important for management to foster an organizational environment conducive to effective cross-functional communications and collaboration among all stakeholders, a condition especially important to early risk detection and risk management.

Although no single set of broad guidelines exists that guarantees project success, the process is not random! A better understanding of the organizational dynamics that affect project performance, and the issues that cause risks in complex projects, is an important prerequisite and catalyst to building a strong cross-functional team that can collectively deal with risk before it impacts project performance.

Bstieler, L. (2005). The moderating effects of environmental uncertainty on new product development and time efficiency. Journal of Product Innovation Management, 22(3), 267–284.

Buchanan, L., & O'Connell, A. (2006). Chances are. Harvard Business Review, 84(1), 34–35.

Cooper, D., Grey, S., Raymond, G., & Walker, P. (2005). Project risk management guidelines: Managing risk in large projects and complex procurements. Hoboken, NJ: Wiley.

Danneels, E., & Kleinschmidt, E. J. (2001). Product innovativeness from the firm's perspective. Journal of Product Innovation Management, 18(6), 357–374.

Eisenhardt, K. M. (1989). Building theories from case study research. Academy of Management Review, 14(4), 532–550.

Hanzhang, T., & Wilkinson, R. (1998). The art of war. Hertfordshire, UK: Wordsworth Editions.

Hillson, D. (2010, February). Managing risk in projects: What's new? PMWorld Today (Project Management eJournal) 12(2), Column #2.

International Organization for Standardization. (2009). ISO 31000, Risk management: Principles and guidelines. Geneva, Switzerland: International Organization for Standardization (ISO).

Jaofari, A. (2003). Project management in the age of change. Project Management Journal, 34(4), 47–57.

Kallman, J. (2006). Managing risk. Risk Management, 52(12), 46.

Loch, C. H., Solt, M. E., & Bailey, E. M. (2008). Diagnosing unforeseeable uncertainty in a new venture. Journal of Product Innovation Management, 25(1), 28–46.

MacCormack, A. (2001). Developing products on internet time. Management Science, 47(1), 22–35.

National Institute of Standards and Technology. (2000). Managing technical risk: Understanding private sector decision making on early stage, technology-based projects (NIST Publication No. GCR 00-787). Washington, DC: US Government Printing Office.

Patil, R., Grantham, K., & Steele, D. (2012). Business risk in early design: A business risk assessment approach. Engineering Management Journal, 24(1), 35–46.

Project Management Institute. (2013). A guide to the project management body of knowledge (PMBOK guide) (5th ed.). Newtown Square, PA: Project Management Institute.

Shenhar, A. J. (2001). One size does not fit all projects: Exploring classical contingency domains. Management Science, 47(3), 394–414.

Skelton, T., & Thamhain, H. (2007). Success factors for effective R&D risk management. International Journal of Technology Intelligence and Planning (IJTIP), 3(4), 376–386.

Srivannaboon, S., & Milosevic, D. Z. (2006). A two-way influence between business strategy and project management. International Journal of Project Management, 24(2), 184–197.

Thamhain, H. (2009). Leadership lessons from managing technology-intensive teams. International Journal of Innovation and Technology Management, 6(2), 117–133.

Thamhain, H. (2011). Critical success factors for managing technology-intensive teams the global enterprise. Engineering Management Journal, 23(3), 40–45.

Thamhain, H., & Skelton, T. (2007). Managing globally dispersed R&D teams. International Journal of Information Technology and Management (IJITM), 7(2), 36–47.

Thieme R., Song, M., & Shin, G. (2003). Project management characteristics and new product survival. Journal of Product Innovation Management, 20(2), 104–111.

Torok, R., Nordman, C., & Lin, S. (2011). Clearing the clouds: Shining a light on successful enterprise risk management. Executive Report, IBM Institute for Business Value, Somers, NY: IBM Global Services.

Verganti, R., & Buganza, T. (2005). Design inertia: Designing for life-cycle flexibility in Internet-based services. Journal of Product Innovation Management, 22(3), 223–237.

Wideman, R. M. (1992). Project and program risk management: A guide to managing project risks and opportunities. Newtown Square, PA: Project Management Institute.

© Hans Thamhain
Originally published as part of 2013 Global Congress Proceedings – New Orleans, Louisiana



Related Content