Project Management Institute

The risk stops here

Project Management in Action


Forrest C. Six

The expression “the buck stops here” is frequently heard in the executive suite. Within organizations that are responsible for executing projects or bringing new products to market, that expression should be paraphrased to say “the risk stops here.”

Too often we rationalize our lack of informed project risk planning with statements like: “Risk management is inherently part of the intuitive management skills we have learned through years of experience; we will react as best we can when a particular risk pops up.” The frequent consequence of this out-of-sight, out-of-mind rationale is an artificial comfort level, vulnerable to those surprises that tell us a project or program is in trouble. The surprise becomes a management disaster when the risk consequences are not acknowledged until after the damage has been done! Far too much executive energy is expended on damage control, which could otherwise be applied to organization building and expanding markets.


An acquaintance of mine, a CEO of a major engineering and construction firm, caused some ripples in his organization when he asked if a risk assessment had been performed on a major project proposal that had been submitted to him for approval.


Forrest C. Six is a management consultant providing project management, marketing, and planning assistance to the engineering, construction and transportation industries. He resides and maintains his office on Bainbridge Island, Washington, near Seattle. Previously he was president of Holmes & Narver, Inc. in Orange, California, and prior to that held executive and management positions with The Ralph M. Parsons Co. in Pasadena, California, and its affiliate, Saudi Arabian Parsons, Ltd. He has been project manager or executive sponsor for many large transportation, communications-electronics, defense and infrastructure projects, several in the mega-project category. He is an advisory director to PLAN Systems International, which provides project risk management software for engineering, construction and product development applications. Forrest is currently associated with Martin-Simonds Associates in Seattle, Washington, providing management consulting services to the architectural, engineering, environmental, planning and construction industry. He has a bachelor's degree in electrical engineering from Oregon State University, is a Fellow in the Institute for the Advancement of Engineering, and has been active in many technical societies, community organizations and boards of directors.

Catching the proponents of the proposal off guard, he received only qualitative answers like these:

  • “We always consider the risks inherent in what we do.”
  • “We have been able to make money on projects similar to this in the past, so if we put the right team together to manage this project, we will be all right.”

When the project proponents were unable to provide the CEO with an effective risk assessment, they passed the buck to the CEO by default. The CEO had no one to pass the risk decision on to. The board of directors could not make the decision for him and in his own conscience he could not pass the risk, as he perceived it, on to the shareholders. His intuitive judgment told him to kill the proposal.

There were those in the organization who believed the CEO had made a wrong call and that he could not have possibly had either the project-specific experience or the knowledge to make such a decision. The proponents had worked hard for many days to analyze the project, assess the competition, and put the proposal together. In their own minds they had adequately considered the risks associated with the proposed work. Where they failed was in their ability to communicate their analysis and their proposed risk mitigation strategy to the boss.

In this example, my CEO friend was correct in expecting more quantitative data upon which to base his required decision to proceed or not to proceed with this major program that could have put the firm considerably at risk. He was also aware that his organization had neither the tools, the training, nor the interactive risk management culture necessary to provide him with the kinds of analysis he wanted.


Under similar circumstances, I would use such an incident to send a clear message to my organization about my expectations for risk assessment. I would want:

  • Project managers to be knowledgeable of the risks inherent in their proposed or ongoing operations
  • Each major project or proposal to be carefully and systematically analyzed to identify high-risk activities
  • The project team to have a well-thought-out plan for executing the project in a way that will reduce our exposure to those risks
  • What-if analyses to be performed to identify contingent plans if the project does not go as planned
  • The consequences of potential high-risk activities to be quantified in terms of probable financial exposure

I can anticipate arguments against my risk assessment expectations such as these:

  • “There is never time to do such a detailed analysis under the pressures of responding to proposal deadlines,” or
  • “The project budget will not support a rigorous risk management program in addition to all the other reporting and controls we must exercise to satisfy our clients' needs.”

These are tough arguments, particularly if my expectations for more rigorous risk assessments are imposed after a request for proposal is received or a project is under way but before risk management proficiency has been achieved in the organization.

As a CEO or COO, I am responsible for running my operation in the most risk-free manner possible. Through leadership, I need to motivate a risk management culture throughout the organization to manage each element of project risk in a way that will maximize our financial success. That culture needs to include excellent communications, teamwork, and the acceptance of accountability for risk management at the project level.


Too frequently, I have heard these arguments from those associated with a project already in trouble:

  • Project management. “The marketing people simply didn't understand the amount of work necessary to do this job right and consequently took the contract for too little money.”
  • Marketing. “We sold the project for as much as the competition would allow with the expectation that the project would be managed effectively and resources would be applied efficiently.”
  • Both. “Management will just have to deal with it since they approved our taking on the work in the first place. They can surely figure out how to squeeze some extra profits out of other projects to make up for our unavoidable losses on this one.”

Observe how smoothly accountability for the assumption of risk consequences has been transferred to the executive suite. This example again illustrates the fundamental gap in understanding of risk and risk consequences within organizations. Earlier, I referred to the out-of-sight, out-of-mind syndrome that I believe inhibits effective communication about risk within our project-oriented enterprises. If an effective basis for identification and communication of risk factors is not present, then the organization's ability to manage risk will be dangerously limited and individuals cannot be held accountable.



Coupled with the CEO's responsibility to motivate a risk management culture throughout the organization is his obligation to enable the skills training and analytical tools necessary to support that culture. Any top-down driven risk management program should be closely aligned to the organization's existing project control and cost management system. Marketing, financial management, engineering and other project support functions must also buy into the concept of dynamic, on-line risk management if it is to become an effective management tool. Fortunately, improved risk analysis software and proven methodologies are now available to firms that wish to maintain their competitiveness in an increasingly risky marketplace.

I would get the process started by forming a dedicated task force, assisted as necessary by an outside consultant, to identify the risk management procedures and tools that would allow project management to identify and quantify high-risk activities and to make risk planning a complementary part of project planning and control. I would authorize a budget, a work scope and a challenging schedule. If one major project disaster can be avoided down the road as a result of having a dynamic, interactive risk management program in place, the cost of developing that program and training project and support staff in its use will most likely be returned to the organization several times over.

I would also require the task force to select risk management computer software to supplement our existing project management software. I would insist that the techniques employed …

  • Be fast and readily accessible by project management to support our real-time decisions and what-if evaluations.
  • Require no more computer and mathematical skills than the project management system we now use.
  • Communicate with project management personnel in their language.


The transient nature of risk encourages us to rationalize potential risks away (out-of-sight) and to submerge risk management within our old reliable intuitive management processes (out-of-mind). Don't let these attitudes persist in your organization. The challenges inherent in executing projects in today's highly competitive, efficiency-driven environment demand the best trained people and most effective tools to make the tough decisions that are necessary for enterprises to survive and projects to succeed. These decisions will be most effective within the organizations that encourage identification and mitigation of potential high-risk project activities before they occur. The executive suite can then spend less time on damage control and more time planning a profitable future.

Editor's Note: Managing risk in a rational manner, as urged by Mr. Six, requires new approaches to analyzing projects. The sixth in John R. Schuyler's series of tutorials on decision theory, Decision Analysis In Projects: Other Probabilistic Techniques, appears in this issue (see page 20). Readers are urged to review the previous articles in this series and to read those yet to come to develop a basic understanding of analysis of risk.

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI.

PMNETwork • April 1994


