New World, New Ways of Managing Risk

Transcript

STEVE HENDERSHOT

What makes the difference between a team that exceeds all expectations and one that flames out? Innovation? Sure. Collaboration? Absolutely. But it also comes down to risk resilience. That means being able to mitigate and manage the threats you’ve identified but also conquering the ones you never saw coming.

MICHAEL O’CONNOR

I think risk is so important now because change is happening so fast. It’s hard to stay up on things. It’s hard to keep track of things. And if you don’t have a risk plan and risk mitigation, you’re going to be behind. 

NARRATOR

The world is changing fast. And every day, project professionals are turning ideas into reality—delivering value to their organizations and society as a whole. On Projectified®, we’ll help you stay on top of the trends and see what’s ahead for The Project Economy—and your career.

STEVE HENDERSHOT

This is Projectified®. I’m Steve Hendershot.

Extreme weather, geopolitical crises, cybersecurity failures. Business leaders knew there would be risks, yet somehow no one saw the massive toll the coronavirus would take on the world. That points to a new mindset required to identify, manage and mitigate risk throughout the project life cycle.

When PwC surveyed risk management leaders in particular, they predicted a year fraught with risk, seeing increased threats in categories such as digital transformation and cybersecurity, as well as the environmental, social and governance criteria increasingly used to signal good corporate citizenship. That’s a lot to plan against.

On the show today, we talk with two project leaders about how they’re navigating the new risk landscape. First up is Michael O’Connor, director of strategy and project management at Medtronic. 

MUSICAL TRANSITION
STEVE HENDERSHOT 

The pandemic obviously shifted the conversation around risk. So you’re more aware of infectious diseases now, but you’re also dealing with other big-picture threats like extreme weather and cybersecurity. How has all of that changed how you approach risk?

MICHAEL O’CONNOR

If I kick off here with weather, so for Medtronic, we experienced fires out in the West Coast, in California. We experienced earthquakes in Mexico and hurricanes in Puerto Rico. We had to deal with all those things prior to the pandemic. So weather has been making a bigger mark on Medtronic’s global footprint, and those are things that we’ve had to mitigate and put risk mitigation and people into those areas to make sure that we address them correctly and that we’re ready for them in the future. Now, I’m happy to say all those three areas—fires, earthquakes and hurricanes—we managed to do quite well, but that was only due to the fact that there was good leadership in place. There was [a] plan in place. We reacted very quickly. But that’s our reality, and I think even with the pandemic, hurricane season upon us again for Puerto Rico, we’re seeing those things and that’s a real risk to a global company like ourselves. 

Moving over to the pandemic, that of course has been a big issue for everyone. And of course, it has been for us. From a Medtronic standpoint and a risk management standpoint, leadership stepped up. When I say leadership, I say at the highest level, the CEO and the executive leaders, they stepped up and they started putting plans into place well before it hit here in the U.S. 

And then, of course, cybersecurity. Yeah, we’ve seen that a lot in the news lately, but that’s been something that’s been a big focus area for Medtronic, being a large medical device company and dealing with devices that are implanted, that have connectivity with Bluetooth or with 4G, 5G. Every day we have to be thinking about how do we mitigate risks there, and how do we have risk management plans for the cybersecurity piece, which is growing by leaps and bounds as we’re speaking right now, right, with the latest things in the news. 

STEVE HENDERSHOT

With cyber, it’s an interesting point. This is obviously something we hear more about with cars these days. Everything is network connected, which is great in terms of firmware updates and dangerous in terms of vulnerability. So, obviously you’ve got devices located inside people’s bodies; it’s maybe low likelihood but extremely high impact were something to go wrong. So how have you devised a plan against that? And obviously this is a few years running now. So how has that evolved over time, and how do you think about reading this forward decades

MICHAEL O’CONNOR

I think it’s very product dependent. People have started, like you said, years ago, based on their product and based on what technology they’re using. But in recent time, we’ve formed a product security group that reports to a high-level leader. So that group has expanded, and they’re looking at a lot of different things. They’re looking at consortiums; they’re looking at partnering with internal, external folks and looking at getting some type of governance and systematic systems in place to mitigate risk as much as possible. Because a lot of times, people are doing great things in pockets, but a big company like Medtronic, we’re not always maybe talking to each other as much as we could be. So we’ve made efforts to try to holistically put something in place that people could go to and get the latest information, the latest tech that they would need. 

But again, I think as in light of recent events, this is an area that I wouldn’t say worries us, but it’s an event that we’re keeping a close eye on, right? There’s a lot of things happening. How does that impact what we do? We have our devices connected by Bluetooth, by 4G, 5G, and you’ve got Internet of Things. You’ve got a lot of different things happening, connectivity and software and hardware. It’s getting more prevalent in all the things that we make, all the things that we do. Again, it’s that whole risk management process of how do we mitigate that risk, and how do we do that in a way that is across the enterprise, not just in certain pockets. That takes some time and some effort and people at the right level, just like how we addressed the pandemic. It takes leadership. It takes enough volume of people to make a difference versus just pockets doing some great work. 

STEVE HENDERSHOT

Why is it so important for companies to look at risk management right now? And what role does organizational culture play? At your company, for example, you have the Medtronic Mindset—how do those kinds of enterprise ideas influence how teams approach risk?  

MICHAEL O’CONNOR

A lot of people, at least in my early years, will think you do a failure mode effect analysis, or you do some kind of risk mitigation. You put it on paper or put it up in the share site and it’s good, but that’s not the case, right? You need to constantly be looking at it, adapting it, mitigating the risks, changing the scores, reviewing it with the teams, reviewing it with your stakeholders, your sponsors. I think that puts things a little bit more out there, meaning projects and products, software, hardware aren’t just underneath something. They’re out in the open, and they need to be looked at, and leadership wants to know and leadership wants to see.

I think that the mentality and the culture is something that’s also changing. We have something called the Medtronic Mindset. We’re changing how we’re looking at things, too. It’s not just good enough to say we’re going to change the structure. We’re actually going to change our mindset, our cultural norms. I think that says a lot about what they’re expecting from people and how we go about our day-to-day job and how we take risks. One of them I remember is to act boldly. So it’s not okay just to sit back and don’t do anything, like even the risk register or risk management. You need to get in there, and you need to actually do this work and bring things up and raise your hand. Being passive isn’t good enough anymore. You need to act in a way that you’re going to keep the company on the cutting edge and keep our products out there. 

STEVE HENDERSHOT

There’s a corollary to the idea that you brought up at the beginning of that answer—the danger with a risk assessment is that it gets tucked away in a file somewhere and forgotten about. The other idea is that legal and compliance knows what’s in that document, but it doesn’t get shared throughout the organization. So is that something that you’ve either become more attuned to over time? Or just, how do you go about making sure that that document becomes a part of every team’s way of doing business?

MICHAEL O’CONNOR

You can’t just hide these things and not bring them up. When I run projects, I have the risk piece of it baked in there, and we review those things. Have they changed? Do we have new mitigations? Do we have positive risks, negative risks? Are there other risks? So we talk about that in a more day-to-day fashion. I think people need to be aware, and I think mainly project leaders or leaders need to be aware of that. And they’re the ones that really need to bring that up and keep that in front. 

But with our new Medtronic Mindset, we’re saying that’s everyone’s job. Everyone should be reviewing that, should be looking at that and bringing up risks or ideas or mitigation ideas to those risks and updating those as needed. And so I think it’s getting more internalized that risk is just a part of the day-to-day job as far as managing it and updating it and mitigating it. But I think the nature of our business, it’s in the milestones, it’s in the reviews. We call them PRC reviews, product review committees. Those things just happen, but I like to see it more on a daily basis and keep it in front of people because they change so much, and they change so often. 

STEVE HENDERSHOT

What’s some advice you’d offer to project leaders on how they can better manage risk in their projects? 

MICHAEL O’CONNOR

If you don’t communicate this stuff and you just keep it to a few on the project team, like my teams aren’t that big, that’s not going to be good. So how do you communicate to leadership in a way that you show these risks with enough teeth without exciting them. That’s another area that you have to tease out and be a little savvy with. 

The days of doing a risk management plan and, like I said, put it in a drawer or put it on a shelf, those are done. Risk has to be in front of us all the time. There’s new risk coming up, there’s risks that are being mitigated. There’s risks happening all the time that maybe we haven’t even thought of. That’s the reason we need to communicate. We need to keep talking about it because risk is always going to be there, and having a plan is better than not having any plan.

MUSICAL TRANSITION
STEVE HENDERSHOT

That kind of always-on mindset is playing a key role in how companies are reimagining risk management.

Ernest Seto is a project manager at Linde Engineering in Munich, with the PMI-RMP certification. He spoke with Projectified®’s Hannah Schmidt about the renewed spotlight on risk with COVID and how organizations caught off guard by COVID can create a culture of risk resilience. 

MUSICAL TRANSITION
HANNAH SCHMIDT

Teams might not have considered a pandemic before COVID-19. What should they take away from that, and what are some of the emerging risks to consider now?

ERNEST SETO

I think, Hannah, you are right. Few teams might have considered pandemics in the risk identification processes. However, we have had pandemics all over the history. So, this is something that it could have been, let’s say, somehow identified and have some policy what to do in case of a pandemic. Of course, but as you said, I think very few companies have managed to do that.

In terms of what is one of the most important risks, I think in the future, and in general, I would say disruption. Not only for the pandemic, but I think we see disruption more and more. I mean, we have the pandemic, but we also have a lot of disruption in the technological aspects, in the political, social, economical. So, in general, I see disruption as one of the most important risks. And not only risks, but also opportunities.

What is difficult is these emerging risks normally are unknown risks, so they are very difficult to identify, or basically you cannot identify them. But what you can do—organizations, what they can do—is to get ready. So my advice would be really to develop a culture of resilience that allows your organization to adapt and to change and to react quickly when those emerging risks materialize. I think in future also organizations would have to seek for risk to survive, because we are a more and more competitive world and full of disruptions. Organizations will need to increase the risk appetite, and then risk management will become more and more important.

HANNAH SCHMIDT

When it comes to organizations, why is it important to instill this and create risk management processes for their projects?

ERNEST SETO

I believe traditional risk management was like having a table—identify the risks, put probability, impact—and let’s say have the teams meeting in a periodical basis, maybe a monthly basis, and basically fulfill the procedure. And then you can say I have taken the risk management procedure. But I think this is not valid anymore. I think now organizations, what they have to do is to create a culture and a mindset. That means people, doesn’t matter if they are managers, leaders, engineers. They don’t have to be all risk managers, but they all need to understand the risks on their tasks. And they need to understand which impacts can have, not only for them, but also for the organization or for all the teams in the project. I think if the companies can foster this mindset in the teams, then it will really bring the value.

HANNAH SCHMIDT

So obviously it’s this active and ongoing mindset. So how can organizations implement this across teams?

ERNEST SETO

First of all, organizations need to foster open, honest communication within the teams. That everybody can say whatever they think, and people can talk about risks not being scared, or people can talk about risk from other departments without having the feeling that someone will do some finger-pointing. So for me, the best and the most important is communication. And then for sure, there are many, many things you can do from training to have people know at least the basics, which tools they can use to identify risks, to manage risks, and especially also to define risk responses. So everybody has to feel like he’s accountable to manage the responses for risk, if it happens. So on this, I think everybody working for a project, they should have this mindset.

HANNAH SCHMIDT

Right now, you’re leading two projects in Russia. And when COVID-19 hit, I’m sure there were some changes to your risk register. How did teams adapt, and how have you worked to mitigate new risks it created?

ERNEST SETO

In many occasions, we were not really able to manage the risk because the issue was there. So we had to manage the issues outside of the risk management. I would say this was maybe 50 percent of the cases. But, of course, we also had some risk responses, and we did some changes just to avoid future risk. For instance, for construction, we just change our strategy. And instead of planning to send some supervisors from Germany, we just change it to local supervisors supported by expert teams in Germany remotely. Or we have used also our LindeGO. These local supervisors, they have some glasses, and we can see in real time all what they see on-site, and then we can make decisions here from the office.

In terms of equipment inspections, the same. We have done remote inspections to ship equipment. But of course, this also bring some risks. And also, we have to make sure that we update our contracts and agreements to include all necessary clauses to cover the COVID risks.

HANNAH SCHMIDT

What are a couple of specific strategies for making teams more resilient to risk?

ERNEST SETO

I would say to implement risk processes, but very important to be tailored to your organization. You cannot apply risk management in all the organization in the same way. So, it depends which type of projects you do, what size of the organization you have. Organization needs to have some people who understand the risk processes and who also understand the organization, and then they can tailor the risk processes to the organization. 

To have implemented governance across the programs and portfolio and projects so that in case of conflicts, everything can be resolved very quickly. Sometimes a risk for a project, it can be an opportunity maybe for the portfolio or for the strategy of a company. And this shall not just be, let’s say, analyzed from a project perspective but also to be analyzed from a higher level.

MUSICAL TRANSITION
STEVE HENDERSHOT

We went through a lot in 2020—and we learned a lot. Now it’s up to project leaders to take that knowledge and build a new risk resilient mindset. And it’s on companies to build the kind of culture that makes that happen.

NARRATOR

Thanks for listening to Projectified®. If you like what you heard, please subscribe to the show. And leave a rating or review—we’d love your feedback. To hear more episodes of Projectified®, visit Apple Podcasts, Google Play Music, Stitcher, Spotify or SoundCloud. Or head to PMI.org/podcast.