Abstract
Risk management needs constant attention if it is to be fully effective. But many project teams find it hard to maintain the energy levels required by the risk process. This paper introduces the concept of “risk energetics” to explore the reasons for poor risk management performance. It is natural for energy levels to decay with time, and this will affect how the risk process is implemented if there is no active intervention. Risk energetics explains how the natural decay curve can be exacerbated by negative influences, and indicates how to maintain energy levels throughout the risk process with key re-energising factors. It also suggests how to develop renewable and self-sustaining energy from one project to the next to promote risk maturity in the organisation.
Introducing “Risk Energetics”
It is self-evident that projects are risky and that risk should be managed proactively in order to optimise project performance. While it is undoubtedly true that risk management is not complex, there are a number of challenges that those wanting to manage risk in their projects need to address and overcome. Risk management is an essential component of how projects should be managed, but anyone who takes a casual approach to managing project risk is likely to encounter difficulties. One significant barrier to effective risk management is the loss of energy during execution of the risk process, leading to lack of commitment and action by the project team and other stakeholders. Fortunately energy levels throughout the risk process can be actively managed, using the new approach of “risk energetics” (Hillson, 2009), which is described in this paper.
The Natural Decay Curve
The starting point for risk energetics is the natural decay curve, which is experienced by an energy pulse in a free and unconstrained setting, as illustrated by the dashed line in Exhibit 1. A rise in energy follows the initial input, but this quickly starts to decline and ultimately reaches zero.
Exhibit 1: Risk Energetics – Natural Decay and Damped Curves
This decay curve can also be used to illustrate the level of energy that is evident in a group of people who are seeking to manage risk (e.g., a project team), if their situation is unmanaged and without external input. Following a period of initial enthusiasm, their degree of engagement soon peaks and starts to reduce, until they eventually lose interest in the risk management process. This may be due to natural busy-ness and tiredness resulting from the day-to-day work of performing the project, or it may arise from other distractions that prevent the team from applying themselves to the risk process.
The Damped Curve
Some project teams experience active discouragement and barriers to managing risk on their project. This can lead to a damped curve as shown by the solid line in Exhibit 1, with the black arrows indicating the damping points. The result is zero or negative energy and failure to engage with the risk process.
The typical risk management process includes a number of standard steps. Different risk standards and guidelines use different names for the various process steps (Association for Project Management, 2004; Hillson & Simon, 2007; Project Management Institute, 2008, 2009; International Organization for Standardization, 2009), but a typical risk management process includes the following main stages:
- Risk process initiation
- Risk identification
- Risk assessment
- Risk response planning
- Risk response implementation
(Other common steps include risk review and update, risk reporting and post-project risk review. These are excluded from this discussion for simplicity, although the same principles apply across the entire risk process.)
If these main steps are overlaid onto the energy decay curve as shown in Exhibit 1, the natural unmanaged progression of a group of people undertaking risk management can be illustrated. This indicates initial enthusiasm when the risk process is first launched in the risk process initiation step, peaking during the risk identification step. The peak probably occurs because this step is seen as being interesting and engaging, giving the team the chance to raise their concerns about risks on their project, and allowing their worries to be documented as threats that could negatively affect the project, while also capturing good ideas as opportunities that might assist the project. The use of creative techniques such as brainstorming or workshops also generates a sense of excitement, leading to raised energy levels.
From this point on however, the level of energy in the team tends to decrease with time. There is less enthusiasm for the risk assessment task, which can be seen as a chore, having to discuss each of the identified risks and consider their probability of occurrence, degree of impact, ownership, proximity, urgency, etc. The energy level reduces still further when the risk response planning step is reached, leading to a tendency for teams to take the first feasible response instead of taking care to examine alternatives and select the most effective option.
Finally, the unmanaged energy curve gets close to zero in the most important step of the risk process, risk response implementation, when agreed actions are actually performed. At this point the project team is likely to have lost interest in the risk process, perhaps even viewing it as a distraction from their “real project work.” Any risk responses allocated to them may not get the degree of attention they deserve, and implementation may be cursory or superficial.
The Desired Curve
Obviously, this situation is not likely to lead to effective management of risk on projects. As a result, active intervention is required in order to ensure that energy is maintained at a sufficiently high level to promote and support an effective risk process. This intervention can have two aims: to reduce the effect of influences that dampen the energy curve to produce a decay, or to stimulate additional energy and maintain the required high level. The desired energy level is shown in Exhibit 2 (solid line), overlaid above the unmanaged natural decay curve for comparison (dashed line). In this desired curve, interventions are made to keep energy levels up, particularly in the two most creative phases of the risk process, namely risk identification and risk response planning.
Exhibit 2: Risk Energetics – Desired Curve
Understanding Influences
In order to obtain the desired energy curve it is necessary to understand two groups of factors. The first group is those factors that reduce energy in the risk process and thereby create the damped curve, and the second are those factors that promote energy levels and lead to the desired curve. These are outlined in the two following sections.
Energy-Sapping Factors
A number of reasons are commonly given to explain why project teams do not commit the required levels of energy to the risk process. The most frequently expressed ones are listed below (from Hillson & Simon, 2007):
The risk process takes time and money. Risk management is not a passive activity, and there is a cost associated with executing the “up-front” risk process—the cost of assessing risk. Risk management requires involvement of the project sponsor, project manager, members of the project team and other stakeholders over and above what some would consider their normal level of commitment to the project. This causes a double problem: it is hard to find time for the risk process in an already overloaded working environment; and even when time is found, the risk process costs money as effort is spent in risk workshops and review meetings.
Risk responses cost money. A central purpose of the risk process is to identify risks and determine appropriate responses, and this will inevitably result in the need to do new and unplanned things. This introduces a second type of cost to the risk process—the cost of addressing risk. Risk responses are in reality new project activities that were not originally considered to be required. Because they were not included in the original project scope they will add to the resource requirement and budget. As a result, risk management adds to the project workload while at the same time increasing the required budget.
Risk management doesn't work. Although risk management is not difficult, many people have unfortunately experienced it being applied ineffectively. This leads them to believe that, based on their own experience, risk management doesn't work. This situation often arises when risk management has been performed without proper commitment, perhaps by organisations merely wishing to comply with a contractual or procedural requirement. This creates a negative reinforcing “vicious circle”, where a poor previous experience of ineffective risk management leads to lack of commitment to the risk process, which leads to further ineffectiveness.
Risk management is just scare-mongering. It has been common until recently for risk management to be only concerned with threats. As a result the risk process focuses only on the bad things that might occur, examining every possible cause of failure, and listing every potential problem. This can be very de-motivating for a project team, and create a sense of doom, believing that the project cannot possibly succeed given the number of negative risks that have been identified. This can also affect senior management, project sponsors and customers, who might believe that the project team is merely scare-mongering, raising potential problems that might never happen, possibly trying to engender sympathy, or maybe even paving the way for project failure.
I'm too busy dealing with issues. When projects are badly planned in the first place then issues and problems will quickly arise that can dominate the day-to-day management of the project. In these situations it is easy for project managers to become consumed with the “now” problems and find it difficult, if not impossible, to worry about possible future events, even though it would clearly be beneficial to the project if these were identified and managed proactively. The result is often that risk management never even gets started.
Managing issues is more fun and more rewarding. Some believe that it is more interesting and rewarding to spend time dealing with issues, problems or even crises. Individuals might gain considerable satisfaction from solving a problem especially if it is a big one, even if it could have been prevented by proactive risk management. In addition, many organisations reward those macho project managers who successfully resolve a major crisis and then deliver their project in line with its objectives. By contrast, the project manager who has avoided all problems by effectively applying risk management is often ignored, with the implication that “it must have been an easy project as nothing went wrong.”
It's too late to carry out risk management. Some projects simply involve implementing pre-defined solutions, where all key objectives (time, cost, and quality) are pre-agreed and cannot be changed. Where this is true, the project manager might see little point in taking time to identify risks that will require additional work and more money to manage, when neither more resources nor more budget will be made available because the objectives are fixed and agreed in advance. The risk process might even reveal that it is not possible to achieve the agreed project objectives—an “unacceptable” conclusion. Even though many would say that part of the purpose of risk management is to expose unachievable objectives, in reality this could put the project manager in a very difficult position, and could result in statements like “Don't give me problems, just give me solutions” or “Stop complaining, just do it.”
It's just commonsense. Everyone looks both ways when they cross the road, don't they? The majority of people carry out risk management intuitively as part of their daily job; it's just commonsense. If this is true then we should expect that risk management will be applied intuitively to all projects and project managers will always do it, without needing a formal or structured risk process.
We can't prove that risk management works. Sometimes risks that are identified never materialise, and as a result some people think that considering what might not happen is just a waste of time. In addition it is very difficult to prove that risk management is working on a project as there is never an identical project that can be run as a “control” without risk management. And where the risk process only addresses threats, successful risk management means nothing happens! Because it is impossible to prove a negative, the absence of unusual problems cannot be firmly linked with the use of risk management—the project might just have been lucky and no problems occurred.
Where these and other negative factors are present, the energy levels in the risk process will be actively dampened, leading to lack of commitment from the project team and other stakeholders. Fortunately, it is quite simple to counter each of these excuses for not doing risk management properly, through use of a small number of powerful energy-promoting factors.
Energy-Promoting Factors: Internal Factors
A number of active inputs can be used to prevent decay and maintain energy during the risk process. Some of the more significant ones are described below, divided into two groups. The first group is internal factors that are within the scope of the project itself, and which can probably be implemented directly by the project team. The second group is external to the project, and is the responsibility of the wider organisation.
Three groups of important and effective internal energy-promoting factors are outlined here, namely:
- Process design
- Facilitation
- Resources
Process design. One of the dampening influences over the risk process which can quickly sap energy and enthusiasm from the team is the design of the risk process itself (Hillson, 2002a). Where the process is bureaucratic or complex, people will soon disengage from it. This barrier can be overcome by thoughtful process design, seeking to maximise efficiency and reduce the overhead associated with running the risk process, while not cutting any essential corners. Use of templates can also assist in reducing the burden of data capture and recording.
An important element of risk process design is to ensure scalability. Not all projects are equally risky, and the risk process used for a particular project should reflect the degree of risk challenge faced by that project (Hillson & Simon, 2007). So a low-risk project should only employ a simple risk process, with less formality and fewer resources. By contrast a high-risk project will require a more robust risk process using a range of risk techniques and a correspondingly higher level of effort. In all cases the same process steps are followed but at a differing degree of detail. So risk identification in a simple risk process may be covered as an agenda item at a weekly project team meeting, where a more detailed risk process may use a range of formal risk identification techniques. Scaling the risk process level to the risk challenge of the project ensures that energy is only expended where it is most needed.
It can also be very helpful when implementing risk management to introduce a process break to reduce energy loss. For example, it is common to use a risk workshop setting for the identification and assessment stages, and sometimes these workshops are extended to include preliminary risk response planning (Hillson & Simon, 2007). Because both risk identification and risk response planning require use of creativity and original thinking, it is asking a lot of project teams to expect them to maintain a high level of engagement and interest for a long time in a workshop. Instead, the workshop could be split into two or three elements, covering risk identification in the first, followed by a break, then going on to assessment and possibly also response planning at a second session. Sometimes it is enough simply to take a lunch break in the workshop, identifying risks in the morning and assessing them in the afternoon. Alternatively a two-day workshop can be arranged, ensuring that participants have the chance to recharge their batteries and come fresh to the second installment.
Facilitation. A proven contributor to maximising risk process efficiency is the use of a skilled and experienced facilitator (Pullan & Murray-Webster, 2011). This person can have various titles, such as Risk Champion, Risk Coordinator, Risk Process Facilitator, or Risk Manager. More important than their job title however are their personal characteristics. A good Risk Champion will have a combination of technical skills (including both the domain of the project as well as technical risk competences) and people skills (including the ability to understand and manage different types of individuals and groups). These latter soft skills are very useful for keeping energy levels high during the risk process, and a high degree of emotional literacy can be particularly helpful.
Where a Risk Champion is used to facilitate the risk process for a particular project, they should take responsibility for its effective and efficient operation. This is likely to include briefing the team on the purpose of risk management, leading workshops, recording outputs, drafting reports, and chasing progress on actions. The ability to encourage and motivate people in these settings is key to a successful risk process, and will ensure that project team members stay engaged and enthusiastic about managing risk on their project.
It should be noted that “Risk Champion” is a role and may not necessarily equate to a single individual on every project. Some organisations may indeed allocate a dedicated Risk Champion to each project, at least for major or large projects. Others may provide part-time Risk Champions from a central pool outside the projects, perhaps via a Project Management Office or Risk Competence Centre. Another alternative is for the Risk Champion's duties to be undertaken part-time by another team member, perhaps even the project manager. It is more important that someone facilitates the risk process than where they come from in the organisation.
Resources. It is evident that risk management is not a cost-free activity, and the project needs to provide the necessary level of resources if the risk process is to function properly. These resources include people, time, and money. Of these three, people are undoubtedly the most important, and the project should ensure that the team includes members with the necessary experience and skills to undertake effective risk management (some organisations use the acronym SQEP to indicate the need for Suitably Qualified and Experienced Personnel). However, the risk process cannot succeed if it is not allocated adequate time, and the project schedule should explicitly include risk-related tasks such as risk workshops, risk reviews etc., as well as including agreed risk responses in the project schedule as planned tasks. Similarly, an amount must be included in the project budget for both the risk process and for the cost of implementing agreed risk responses.
Energy-Promoting Factors: External Factors
In addition to factors under the control of the project itself, there are a range of external energy-promoting factors that contribute to the overall effectiveness of the project risk management process. These are summarised under three headings:
- Infrastructure
- Organisational risk culture
- Management support
Infrastructure. The organisation is responsible for ensuring that each project has the necessary infrastructure to support the various activities and processes of the project. This is usually provided as a generic organisational capability into which each individual project taps.
We have already seen that although there is a core risk process to be followed, the level of detail required can vary from one project to another. Low-risk projects may only need a simple risk process, whereas more challenging projects might require a more in-depth approach. In the same way, different organisations may choose to implement risk management in varying levels of detail, depending on the type of risk challenge they face. The decision over implementation level may also be driven by organisational risk appetite, and by the availability of funds, resources and expertise to invest in risk management. Each organisation must determine a level of risk management implementation which is appropriate, acceptable and affordable. Having chosen this level, the organisation then needs to provide the necessary infrastructure to support it.
At its most simple, risk management can be implemented as an informal process in which all the phases are undertaken with a very light touch. At the other extreme is a fully-detailed risk process that uses a wide range of tools and techniques to support the various phases. The typical organisation will probably implement a level of risk management somewhere in between these two.
Having selected the level of implementation, the organisation must then provide the required level of infrastructure to support the risk process. This might include choosing techniques, buying or developing software tools, allocating resources, providing training in both knowledge and skills, developing procedures which integrate with other business and project processes, producing templates for various elements of the risk process, and considering the need for support from external specialists. The decision on the required level for each of these factors will be different depending on the chosen implementation level.
Failure to provide an appropriate level of infrastructure can cripple risk management in an organisation (Hillson, 2002b). Too little support makes it difficult to implement the risk process efficiently, while too much infrastructure adds to the cost overhead and presents bureaucratic barriers. Getting the support infrastructure right is therefore a critical success factor for effective risk management, enabling the chosen level of risk process to deliver the expected benefits to the organisation and its projects.
Organisational risk culture. Culture can be defined as “the shared beliefs, values and knowledge of a group of people with a common purpose.” Risk culture is a subset of this more general phenomenon, describing how a group of people views risk (Hillson & Murray-Webster, 2007; Murray-Webster & Hillson, 2008). This culture is driven by underlying attitudes towards risk, as well as the resultant outward and observed behaviour when risk is either encountered or perceived. Risk culture is exhibited by groups at different levels, including project teams, management review boards, and the wider organisation within which the project is being performed.
Organisational risk culture is a major topic that presents a multi-dimensional challenge to the business that is serious about managing risk effectively (Hillson, 2002c). Here we will concentrate on those elements of organisational risk culture that act as factors for effective risk management. Perhaps the most important of these is a culture which is risk-aware, recognising the existence of risk both within the business and in the external environment, as well as intrinsically present in the projects being undertaken by the organisation. Denial of risk is fatal to the ability of an organisation or its projects to manage risk properly, and conversely acceptance of its existence is a prerequisite to its management.
A second characteristic of appropriate organisational risk culture is to be risk-mature. This describes a culture that has a well-developed approach to risk at all levels, which is not surprised when risk is encountered, and which is able to take risk in its stride. A risk-mature organisation takes a proactive approach to risk management in all aspects of the business, makes active use of risk information to improve business processes and gain competitive advantage, and learns from its experience (Hillson, 1997; Hopkinson, 2011).
A last element of risk culture that has a significant influence on whether the project risk process is effective or not is the way risk-taking is regarded. The organisation (and particularly its senior management) should encourage and reward appropriate risk-taking, and will celebrate successes when projects and their teams demonstrate an effective approach to managing risk. Where the converse occurs and people are punished or discouraged from taking any level of risk, this will result in a lack of commitment and enthusiasm for the risk process and reduced effectiveness.
Management support. The role of management in encouraging and rewarding appropriate risk-taking has already been mentioned, but there are other things that senior managers can do to maximise the effectiveness of the risk process on their projects. These revolve around demonstrating a visible and consistent commitment to risk management, with two particular aspects.
The first way senior management can show their commitment to the risk process is to appoint a senior manager (who may be called the Corporate Risk Sponsor or similar) who will promote the cause of risk management at the highest levels of the organisation. This role is ideally filled by a Board member, responsible to the CEO and the Board for setting risk policy for the entire organisation, creating a “pull” for risk management from the lower levels of the business. The Corporate Risk Sponsor is also responsible for receiving risk reports from within the organisation on behalf of the Board, and ensuring that their content is complete and correct. The Corporate Risk Sponsor is effectively the “end-user” or “customer” for risk information produced by the business, and acts on behalf of the CEO and Board.
The Corporate Risk Sponsor may be supported by another senior role, perhaps called the Corporate Risk Champion, who has a central coordinating role within the business, acting as a focal point for implementation of all types of risk management activities at all levels across the organisation. The Corporate Risk Champion acts as the “sponsor” of risk management activities, and is responsible to the Corporate Risk Sponsor for setting performance criteria for risk management implementation, providing expert guidance at all levels, and supplying assurance to the business that lower-level risk processes are functioning effectively in compliance with the overall risk policy set by the Corporate Risk Sponsor.
The second major way in which the senior management of the organisation can demonstrate their commitment to effective risk management across their projects is to use the results of the risk process to support risk-informed decision-making. When project teams can see that their risk information is actually being used to assist senior managers in running the wider business, they will be motivated to provide the best possible outputs from the project risk process. Conversely, if the risk process is confined to the project level and its results are never seen by senior management, or worse, they are seen but ignored, project teams will quickly learn that there is no point in them investing energy in managing project risk.
Renewable and Sustainable Energy Across the Project Lifecycle and Beyond
Exhibit 3: Risk Energetics – Updates and Reviews
Exhibit 1 suggests that project teams engaged in an unmanaged risk process will inevitably lose energy and enthusiasm as the risk process progresses, and active discouragement will hasten and deepen the rate of decay.
There are however a wide range of factors that can be deployed to counter the natural loss of energy, leading to a consistently higher level of energy throughout the risk process (Exhibit 2). These two figures illustrate the position across a single iteration of the risk process from risk process initiation to risk response implementation. However, risk management is not a single-shot process, but it should continue during the project with a series of risk reviews, to ensure that the project remains aware of its current risk exposure and responds appropriately. This is reflected in Exhibit 3, where the risk energetics cycle is extended into a series of risk reviews and subsequent implementation of newly-identified risk responses. The figure shows that renewed input of energy is required at the start of each update cycle in order to maintain the effectiveness of the risk process throughout the project lifecycle.
Of course Exhibit 3 only describes the position for a single project, and one would naturally expect the level of energy applied to the risk process to fall to zero when the project completes. But a business does not usually perform just one project, and the same risk energetics cycle can be expected to occur on each project in the organisational portfolio. However if the business is truly a learning organisation, one would expect to see a rising trend of energy and enthusiasm for risk management as one project gives way to the next, driven by the demonstrable success and value of managed risk on completed projects. Indeed the presence of the factors described above should have a beneficial effect wider than just in each single project. If each project is exhibiting the internal factors of appropriate process, skilled facilitation and adequate resourcing, and if the wider organisation is providing the right level of supporting infrastructure, and developing a risk-aware and risk-mature culture with visible senior management support, then the organisation should experience a growing maturity and effectiveness of risk management over time as it continues to learn (Hillson, 1997; Hopkinson, 2011). This will produce positive reinforcement and lead to increasing levels of attention, energy and enthusiasm for risk management. Exhibit 4 shows this trend, leading to a self-sustaining risk culture where the value of project risk management is recognised and expected.
Exhibit 4: Risk Energetics – Rising Trend
Conclusions
Despite general agreement that the ability to manage risk effectively is an important contributor to business and project success (Hillson, 2010), common experience indicates that project teams still find it hard to maintain the necessary levels of energy and commitment throughout the risk process. As a result, the process becomes less effective in its later stages, and fails to deliver the expected and required benefits. Project team members and other stakeholders become disillusioned with the risk process, and ultimately may even abandon attempts to manage risk as “too hard.” This in turn will inevitably lead to reduced project performance, as more unmanaged threats turn into problems that should have been avoided, and possible opportunities to enhance project performance are missed.
It is entirely natural that projects teams should experience a loss of energy as the risk process progresses. The risk energetics “natural decay curve” (Exhibit 1) illustrates what to expect if there is no active management of team energy, with a gradual reduction in the application of effort throughout the risk process. The presence of energy-sapping factors can make the situation worse, leading to a “damped curve” (Exhibit 1) where energy is lost through the risk process more quickly.
Risk energetics provides a framework to understand this phenomenon, providing insights into how energy loss can be prevented, and how active interventions can result in increased and sustained energy levels. A range of internal and external energy-promoting factors can be deployed both within the project and more widely in the broader organisation in order to counter the effect of energy-sapping factors and produce the “desired curve” where high levels of energy are applied at all stages of the risk process (Exhibit 2). The risk energetics approach can be applied to the risk process of a single project to ensure that the required level of commitment and effort is maintained throughout the project (Exhibit 3). It also provides a way to transfer energy between projects, offering a renewable and self-sustaining path to increased risk maturity and risk management effectiveness (Exhibit 4).