Project Management Institute

Beware risk number 11


Too much risk planning can lead to complacency.


Q When it comes to identifying risks, my organization seems to learn more slowly than most, and we are constantly surprised. Any thoughts on why, and what we might do about it?

A My friend Richard is a project manager of vast experience, gained in tough and risk-filled environments over three decades. He's a consultant now but for years he led organizations employing thousands of project managers. When he talks, I pay attention.

“The best thing for a project manager to have is a detailed risk-management plan,” Richard intoned at a recent dinner party. Everyone at the table nodded in agreement, but then he continued. “And the worst thing for a project manager to have is a detailed risk-management plan.”

Now that was a surprise.

Time invested in risk planning, he explained, however necessary and desirable, can also lead to complacency, even hubris, within a project team. When a team believes it has identified all the major risks with appropriate risk-response plans in place, it can become too proud of its work.

Examples abound. To focus our efforts, we commonly build top-10 lists, and use them as templates for project reports and reviews. We dutifully trudge through the status of those risk items once a week or once a month, and in so doing we convince ourselves that things are under control. Then we get blindsided by something out of the blue. Sometimes it's “risk number 11,” a threat we considered but didn't rank quite highly enough. Often the disaster stems from something we simply hadn't considered.

Of Frogs and Aircraft

The “boiled frog” concept is based on the claim that a frog tossed into boiling water will leap out immediately, but one in lukewarm water will allow itself to be boiled to death if the temperature is raised slowly. (Please don't try this at home.)

The idea is that even a mortal risk, rising gradually enough, can fail to penetrate our perceptual defenses and is thus recognized too late—if at all.

True story: Some years ago, a revolutionary stealth aircraft underwent flight-testing. Things were going rather well, until one day a reporter asked about the strange business jet that was always tagging along about 10 miles (16 kilometers) behind the new aircraft. No one in the project office knew anything about this alleged snooper, but clearly if some stranger was tailing an allegedly invisible secret aircraft, just maybe there was some new risk involved that the project team hadn't foreseen.

The story checked out: There was indeed an unmarked jet that mysteriously arose from a nearby airport whenever the new stealth aircraft flew. But the real shock came when the facts were presented to the project's robustly manned security office, which promptly declared this troubling development to be no threat at all. Why? Well, the security gurus declared that nowhere in their plan—developed at great cost, mind you—was this particular scenario identified as a potential risk. Ergo, it was, by definition, not a real threat.

Wiser heads prevailed, fortunately. An investigation revealed that the tailgater belonged to a defense contractor developing a new radar. (And what better test—and what better marketing ploy—than to be able to show that they could track an aircraft known the world over for its stealthiness?)

If, as some claim, the essence of project management is risk management, it all begins with risk identification. That's never a simple task, and it can be made immeasurably more difficult by the perceptual barriers within our organizations and ourselves. PM

Bud Baker, PhD, is a professor of management at Wright State University, Dayton, Ohio, USA. Please send questions for Ask PM Network to [email protected].

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI.



