Weight loss for risky projects
Dr. David Hillson, PMP, PMI Fellow
The Risk Doctor Partnership
Risk obesity happens when we take on too much risk as a result of uncontrolled risk appetite. We need to take the right amount of risk in our projects—the amount that we can digest and deal with effectively. Risk obesity can make us inflexible and slow to react to risk, and it can lead to multiple problems with delivering the intended benefits of our project. This paper describes how to tackle risk obesity by controlling risk appetite, reducing risk exposure, and changing our risk-taking habits, so that we can reach an acceptable target level of risk exposure.
Introducing Risk Obesity
Obesity: A Global Epidemic
Physical obesity is a medical condition in which excess body fat has accumulated to the extent that it may have an adverse effect on health, possibly leading to reduced life expectancy (World Health Organization, 2015). Obesity increases the likelihood of various diseases, particularly heart disease, type 2 diabetes, obstructive sleep apnea, certain types of cancer, and osteoarthritis. Obesity is most commonly caused by a combination of excessive food intake, lack of physical activity, and genetic susceptibility.
The 2014 Future Diets report from the Overseas Development Institute (Keats & Wiggins, 2014) notes over one-third of all adults across the world—1.46 billion people—are obese or overweight. Between 1980 and 2008, the number of people affected in the developing world more than tripled, from 250 million to 904 million. In high-income countries, the numbers increased by 1.7 times over the same period.
The World Health Organization website provides similar statistics (World Health Organization, 2015), reporting that in 2014, more than 1.9 billion adults were overweight and of these more than 600 million were obese. Overall, about 13% of the world's adult population (11% of men and 15% of women) was obese in 2014. The worldwide prevalence of obesity more than doubled between 1980 and 2014.
Obesity is one of the leading preventable causes of death worldwide, and we all know we should watch our physical weight, eat and exercise sensibly, and develop a healthy lifestyle. In 2001, the U.S. Department of Health and Human Services suggested that obesity caused about 300,000 deaths per year in the United States and more than 2.5 million deaths worldwide (U.S. Department of Health and Human Services, 2001).
Defining Risk Obesity for Projects
Physical obesity has a parallel in the world of projects. “Risk obesity” occurs when there is too much risk in the system, resulting from uncontrolled risk appetite (Hillson, 2014). This can affect the business as a whole if strategic risk-taking decisions by the senior management team lead to risk exposure that is greater than the organization can manage. But risk obesity can also occur at the project level, when a particular project is carrying levels of risk that are too high, posing a significant threat to the project's success.
Each of the characteristics of physical obesity has parallels in risk obesity, where we accumulate excessive risk exposure that threatens the ongoing health of our project, and that may ultimately be terminal. Risk obesity also makes other risk ailments more likely, as high levels of risk exposure challenge the ability of our risk management processes to cope.
The main cause of risk obesity is an uncontrolled or inappropriate risk appetite (Hillson & Murray-Webster, 2012), leading us to take on too much risk without the ability to digest it and deal with it effectively. It is also possible in some cases that there is a built-in tendency to risk obesity arising from the “organizational DNA,” with a corporate ethos and culture that lead to excessive risk-taking.
The good news for projects suffering from risk obesity is that it is both treatable and preventable. This paper provides clear diagnostic symptoms to determine whether a project is risk obese, as well as proven treatment options.
Diagnosis: Symptoms of Risk Obesity
Just as physical obesity seems to be easy to identify by outward appearances, it might seem that risk obesity would be simple to spot. Surely the presence of high levels of risk exposure is a clear indicator of the influence of risk obesity in a project?
The reality is not so clear-cut. How much risk exposure is too much for a project? There seems to be an easy answer to this question. We have too much risk exposure if the amount of risk taken exceeds the capacity of the project to deal with it effectively. But we can only know if this is happening if we have a clear understanding both of our risk capacity (how much risk we can cope with) and our risk appetite (how much risk we want to take), as well as a reliable way of measuring our risk exposure (how much risk we are actually taking).
Risk appetite is expressed by defining a series of tolerances (risk thresholds) against each of the key project objectives (Hillson & Murray-Webster, 2012). These are then used to determine how much risk the organization is prepared to take in this particular project.
At the project level, risk exposure is high if there are many risks with both high probability of occurrence and high impact. These are often called “red risks” because they plot in the high-priority area of a probability-impact matrix in which priority zones are indicated using a red-yellow-green traffic-light system, as illustrated in Exhibit 1 (Hillson, 2009; Project Management Institute, 2013).
One of the problems in deciding whether we have too much risk is not knowing how to define what is “red” in the probability-impact matrix. We can see from Exhibit 1 that “red” corresponds to various combinations of probability and impact. So for each risk we just need to assess how likely it is to occur, picking one of the scale values for probability (VHI, HI, MED, LO, and VLO), then assess the potential impact it would have if it did occur, again picking one of the impact values. Plotting the risk on the grid then shows whether it rates as “red” (high priority), “yellow” (medium priority), or “green” (low priority).
However, to make informed assessments of probability and impact, we need to know what the scale points mean for this particular risky situation or project; this is usually documented in the project's risk management plan. Exhibit 2 presents an example set of definitions (Hillson, 2004, 2009; Hillson & Simon, 2012).
Once we have an agreed-upon way to decide if a risk is rated red, yellow, or green, how can we tell if a project has too many red risks, indicating risk obesity? Is it a subjective judgment to say that when we look at the probability-impact matrix it seems that there are “a lot” of red risks? That is like trying to decide whether someone is physically obese simply by looking at them. One possibility is simply to set a threshold for the number of red risks considered to be too many. But it would be better to have a more refined way of determining whether a project is risk obese.
In the case of physical obesity, there is a precisely quantified definition, based on the calculation of body mass index (BMI); obesity is defined as BMI ≥ 30 (World Health Organization, 2015). Is there a similarly quantified measure for risk obesity? Do we know what our level of risk exposure is—and what it should be? When we try to answer the question “How much risk is too much risk?” what units of measurement do we use?
Some suggest monetizing the impact of all risks and then calculating the expected monetary value (EMV) for each risk by multiplying probability and impact. So, for a risk with a 10% probability and a US$100,000 impact, the EMV is US$10,000. The overall amount of risk in the project is then equal to the total EMV for all risks. If this level exceeds a predetermined threshold, then the project is defined as “too risky.”
One problem with this approach is that not all risks have financial impacts, and not all nonfinancial impacts can be easily translated into dollars. Moreover, the “probability times impact” EMV calculation is fundamentally flawed because the importance of very-low-probability/very-high-impact risks is unduly undervalued. Also, there is a danger that EMV could be viewed as a monetary amount, representing the risk exposure of the project in actual dollars, when in fact EMV is measured in an imaginary pseudo-currency of “probability dollars.”
A better approach is to use a probability-impact score (P-I score) to reflect the “size” of each risk. The P-I score is based on multiplying numerical values that represent probability and impact (see Exhibit 3) (Hillson, 2004, 2009). This can be calculated for different impact types (such as schedule or reputation), normalizing all impacts in a common nondenominational score. Unlike EMV, there is no danger of confusing P-I score with “real money.” It is then possible to set a risk threshold defining “too much risk” in terms of the total P-I score for a given project, and then to monitor whether the actual risk exposure exceeds this value.
Prognosis: Effects of Risk Obesity
Similar to the ways that physical obesity affects individuals, risk obesity has obvious effects on current project performance, as well as a hidden impact on the ongoing health of the project.
Inability to Handle Additional Risk Exposure
If a project is suffering from excessive risk exposure, having taken on more risk than it can handle, this is likely to have a significant effect on its ability to address additional risk effectively. The project will be inflexible and slow to react when new risks arise, leading to more unmanaged risks; avoidable threats will become problems and potentially advantageous opportunities will be missed. The project team will probably be in crisis mode, fully engaged in firefighting the existing risks and unable to spend time identifying or managing any other risks that might arise. The risk management system is already overloaded with too many risks, so any new risks inevitably will get little attention or action.
Increased Susceptibility to Other Risk Ailments
In addition to this day-to-day effect on performance, risk obesity has a more insidious impact on the wider health of project. Just as physical obesity leads to a range of other health problems, the presence of high levels of risk exposure can increase the likelihood of other risk ailments occurring. (Hillson  has described 10 of the most common risk ailments, together with recommended treatment options.)
Stressed Project Team
People managing high levels of risk become stressed, leading to preventable mistakes and accidents, and degrading their ability to make good decisions. Corners may be cut to save time, producing a higher number of undetected defects. Relational issues become more acute, affecting staff morale, motivation, and productivity. Systemic failure is possible in areas such as monitoring and control, auditing, and reporting. In the worst case, complete shutdown of a project is possible as the amount of risk becomes unmanageable and overwhelming.
Case Studies: Risk Obesity In Action
A number of examples from history illustrate the effects of risk obesity on businesses, projects, and society at large. When the early signs of excessive risk-taking are ignored and preventive actions are not taken, full-blown risk obesity may result.
Risk obesity has been evident for many years in the financial markets when investors lose sight of reality and take on levels of risk that ultimately prove fatal (Beattie, 2015). Such so-called “speculative bubbles” occur when markets trade assets in high volumes at prices that are considerably at variance with intrinsic values, pricing assets based on unrealistic views about the future (Levine & Zajac, 2007). These bubbles are examples of risk obesity resulting from excessive risk-taking driven by uncontrolled risk appetite. They are not just a recent phenomenon: The first speculative bubble occurred in 1637 with the Dutch Tulip Mania, followed in 1711–1720 by the South Sea investment bubble in England.
A more recent example of risk obesity in action is the dot-com boom (sometimes called the Internet bubble), which was a speculative bubble lasting from 1997 until 2000. Newly launched Internet-based companies saw share prices rise wildly in the early years, based on confidence that future profits would be very high, encouraging many investors to overlook traditional performance metrics such as price/earnings ratios in favor of technological advancements. Venture capitalists saw record-setting growth as dot-com companies experienced meteoric rises in their stock prices. They moved faster and with less caution than usual, choosing to mitigate the risk by investing in many contenders and letting the market decide which would succeed. Low interest rates in 1998–1999 helped increase the start-up capital amounts. The bubble collapsed in 2000–2001, with many Internet-based companies going out of business. Others saw heavy reductions in their share value but survived, and some of these went on to build successful profitable businesses in the longer term.
The history of project management is littered with examples of major projects that have failed to meet their objectives (Williams, 2012), and data from the Standish Group CHAOS Report since 1994 continue to confirm that a majority of projects either fail outright or miss one or more important targets (Standish Group, 2015). Studies of failed projects frequently cite an inability to manage risk exposure as a key cause of project failure, usually promoted by taking on more risk than could be handled by the organization or its project team. Well-known examples include the Sydney Opera House (1,400% over budget), U.S. Army 101 Helicopter (+330%), or the Guangzhou City Transport Project (+335%).
In 2005 the UK government's Office of Government Commerce (OGC) and National Audit Office (NAO) identified eight common causes of project failure in UK government projects (Office of Government Commerce, 2005, p. 5), which included “Lack of skills and proven approach to project management and risk management.” The NAO regularly reports that major projects fail due to a failure to understand and manage risk effectively, and this is confirmed in their 2013 report Over-optimism in Government Projects (National Audit Office, 2013), as well as their most recent Major Projects Report (National Audit Office, 2015), which states that “Project teams have varying skill levels in cost forecasting and risk management” (p. 9).
Flyvbjerg et al. (2003) drew similar conclusions in their seminal analysis of infrastructure projects, which demonstrated that major projects fail because high levels of risk are taken on without proper transparency, scrutiny, or accountability.
Treatment Options: Addressing Risk Obesity
Once we recognize that our project is carrying too much risk, we can proceed to treat risk obesity. We know that a project is risk obese if it consistently breaches its risk thresholds, or if it is carrying a large number of “red” risks with an overall high total P-I score. These conditions can be addressed through both short-term and long-term actions. Short-term treatment for risk obesity involves de-risking the project until we reach a “target level” of acceptable risk exposure. In the longer term, we need to change our risk-taking habits, with a more balanced risk diet, supported by a clear understanding of our risk appetite. By regulating risk intake and carefully managing risk-taking behavior, it is possible to reach and maintain a target level of healthy risk exposure.
Short Term: Reduce Current Risk Exposure
When a project recognizes that it is suffering from risk obesity because it has taken on too much risk, the immediate response is to reduce risk exposure in a controlled manner. A specific level of acceptable risk exposure should be set so that progress toward the goal can be measured, and so we will know when to stop reducing. Just as each individual has a different ideal weight, the appropriate target level of risk exposure will vary between projects. This “target risk weight” is defined through risk thresholds, which state how much variation is acceptable against each objective.
Short-term treatment of risk obesity at the project level involves de-risking the project, which can be achieved through two distinct mechanisms. One is the routine risk management process (Hillson & Simon, 2012; Project Management Institute, 2013), which proactively targets the highest individual risks and seeks to develop effective risk responses to minimize threats and maximize opportunities. A second complementary way to deal with excessively high risk exposure on a project is to make controlled changes to the project scope (Project Management Institute, 2009). This can involve removing scope elements that are particularly risky, splitting the project into a series of subprojects with incremental development and deliveries, or subcontracting some parts of the project to other parties who are better able to manage the risk.
Decisions on changes to project scope should be made by the project sponsor or business owner, taking advice from the project manager. The combination of explicit management of individual high risks through the routine risk management process plus implicit management of overall project risk through controlled scope change offers a powerful and effective way to address risk obesity in the short term (Hillson, 2008; Hillson & Simon, 2012).
Of course, instant results should not be expected; moving from risk obesity to a proper degree of risk will take time. In seeking physical weight loss, general health must be maintained during the dieting period, giving attention to the usual processes of life such as exercise, work, rest, and relationships. Similarly, project teams seeking to reduce their risk exposure should not ignore other aspects of the project in the drive to shed risk, but must continue to pay attention to the other routine aspects of project management while they act to reduce risk exposure, as well as managing client relationships, staff morale, marketing, communication, etc.
Long Term: Change Risk-Taking Habits
The short-term treatment for risk obesity involves the risk equivalent of “losing weight” by reducing overall risk exposure to a level that can be managed within the risk capacity of the project. Long-term treatment requires a change in risk-taking behavior to ensure a more balanced risk diet, so that a healthier level of risk exposure can be maintained. This means developing new risk-taking habits when the target level of risk exposure is reached, through our risk culture and risk management approach.
The details of a balanced risk diet will be different for each project, and the degree of risk exposure will need to be monitored carefully to ensure that it remains within acceptable bounds. We need to be aware of our risk appetite and manage it proactively on a daily basis (Hillson & Murray-Webster, 2012). This involves answering questions such as: Do we feel hungry to take on more risk? Is that appropriate now, or should we resist the risk-seeking urge? Are we getting a balanced risk diet, including the right range of opportunities that will promote healthy growth? Or is there an area where taking on more risk or a different type of risk would bring useful rewards?
We have seen that the acceptable level of risk is defined by setting risk thresholds against each objective; these thresholds need to reflect the organizational risk appetite. We need to ensure that we review each decision that involves taking on additional risk, whether it is changing the strategic direction of the project or determining new tactics for project development and execution. In each case, we need to ask whether the amount of risk we are taking on will cause us to exceed the risk threshold. If it does, we must have effective measures in place to absorb that risk without disrupting the overall health of our project.
By clearly understanding our risk appetite at project level, expressing that risk appetite through quantified risk thresholds for each objective, and monitoring risk exposure to ensure that we stay within these thresholds, we can develop new and healthier risk-taking habits that prevent a return to risk obesity.
Staying Risk Healthy
This paper uses the metaphor of physical obesity as a way to explore a common problem with managing risk in projects. Risk obesity occurs frequently across the world in a variety of industry sectors, but effective treatments are available to enable sufferers to recover to a place where they are symptom-free.
Being free of the symptoms is not enough, however. In the same way that peace is not the absence of war, and happiness is not the absence of sadness, it is also true that positive well-being is not gained simply by ensuring the absence of illness or ailments. This was recognized as long ago as 1946 in the preamble to the constitution of the World Health Organization, which defines health as “a state of complete physical, mental and social wellbeing and not merely the absence of disease or infirmity” (World Health Organization, 1946, p. 1).
So in the physical realm, health is not merely the absence of disease. It is also true in the area of business, projects, and risk. It is not enough simply to diagnose and treat any shortcomings in the way we manage risk in our projects and businesses. We also need to actively promote health and well-being in risk management.
Risk health is more than the absence of risk ailments. It is a positive state of well-being in which risk management capability and competence are effective, robust, well established, and growing. There are five strategies that can help a project-based organization gain risk health and stay healthy (Hillson, 2014):
- Develop a mature organizational risk culture
- Demonstrate clear risk leadership
- Regularly enhance risk management capability
- Ensure intentional learning
- Maintain momentum
No single strategy will ensure the risk health of a particular project, but together these five offer a powerful way of keeping the risk management approach strong and healthy. This is especially true if they are built into the overall “risk lifestyle,” becoming part of everyday practice in the way risk is approached in projects (Hillson, 2009).
Risk management is one of the most important things we can do, in our personal and private lives, in our careers and professions, and in our projects and businesses. It is too important to leave to chance, and we need to do it better. By diagnosing and treating any unhealthy aspects of our approach to risk management, and by discovering new habits that we can build into our risk lifestyle, we can all stay risk healthy and thrive. In the particular case of risk obesity in projects, we need to understand how much risk is too much, then compare the actual risk exposure of our project with current risk capacity. Where we discover that we are carrying too much risk, we can implement short-term actions to reduce risk exposure to manageable levels, as well as taking longer-term measures to prevent a recurrence of the situation.
Metaphors can be helpful to explain difficult issues, using a familiar situation to shed light on something that might otherwise be hard to understand. The use of physical obesity as a metaphor in this paper is intended to be illustrative only, and is in no way meant to deny the reality of the genuine condition or to belittle or undermine the challenges faced by those who suffer from it. The medical imagery and language is merely intended to serve as a useful entry point for discussing approaches to effective risk management.
Beattie, A. (2015). The greatest market crashes. Retrieved from http://www.investopedia.com/features/crashes/
Flyvbjerg, B., Bruzelius, N., & Rothengatter, W. (2003). Megaprojects and risk: An anatomy of ambition. Cambridge, UK: Cambridge University Press.
Hillson, D. A. (2004). Effective opportunity management for projects: Exploiting positive risk. Boca Raton, FL: Taylor & Francis.
Hillson, D. A. (2008, October). Towards programme risk management. Presented at PMI Global Congress North America 2008, Denver, CO, USA.
Hillson, D. A. (2009). Managing risk in projects. Farnham, UK: Gower.
Hillson, D. A. (2014). The risk doctor's cures for common risk ailments. Vienna, VA: Management Concepts.
Hillson, D. A., & Murray-Webster, R. (2012). A short guide to risk appetite. Aldershot, UK: Gower.
Hillson, D. A., & Simon, P. W. (2012). Practical project risk management: The ATOM methodology (2nd ed.). Vienna, VA: Management Concepts.
Keats, S., & Wiggins, S. (2014). Future diets: Implications for agriculture and food prices. London, UK: Overseas Development Institute.
Levine, S. S., & Zajac, E. J. (2007, January). The social life of financial bubbles. Presented at American Economic Association Annual Meeting 2007, Chicago, IL, USA.
National Audit Office. (2013). Over-optimism in government projects. London, UK: National Audit
Office.National Audit Office. (2015). Major projects report 2014. London, UK: National Audit Office.
Office of Government Commerce. (2005). Common causes of project failure. London, UK: Office of Government Commerce.
Project Management Institute. (2009). Practice standard for project risk management. Newtown Square, PA: Author.
Project Management Institute. (2013). A guide to the project management body of knowledge (PMBOK® guide) – Fifth edition. Newtown Square, PA: Author.
Standish Group. (2015). 2015 CHAOS report. Retrieved from http://www.standishgroup.com/Reports2015
U.S. Department of Health and Human Services. (2001). Overweight and obesity: A major public health issue. Prevention Report, 16(1).
Williams, T. (2012, November). Overdue and overspent—Why do our projects go so badly wrong? Inaugural lecture, presented at Hull University, Hull, UK.
World Health Organization. (1946). Constitution of the World Health Organization. Off. Rec. Wld Hlth Org., (2), 100.
World Health Organization. (2015). Obesity and overweight. Fact Sheet 311. Retrieved from http://www.who.int/mediacentre/factsheets/fs311/en/
© 2015, David Hillson
Originally published as a part of the 2015 PMI Global Congress Proceedings – Orlando, Florida, USA