I recently presented a workshop at a conference in Dublin, and when the chairman introduced the topics for the three alternative sessions he said “Anyone wanting to learn about the hard skills of risk management should attend David Hillson’s workshop.” I was initially worried that this might put people off, but over half the conference delegates packed into the room, which was encouraging. As I reflected on my reaction to his words, I realised that I was objecting to the assumption that risk management is a “hard skill”, and that this was for two very different reasons.


Firstly, many people think that risk management is “hard” in the sense of being difficult. Some are afraid of statistics and think that risk management is all about the use of arcane calculations. Perhaps we have painful memories of maths classes at school, or maybe we recall the words of Benjamin Disraeli when he referred to “Lies, damned lies and statistics.”


Others believe that it must be really difficult to imagine all the things that might happen in an uncertain future which might affect us. Still others may have been put off by the fear of unmanageable “unknown unknowns”, or confused by the somewhat garbled statement of Donald Rumsfeld in February 2002 that “…as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”

In fact risk management is not difficult. It simply offers a structured way to think about risk, providing a framework to channel how we deal with risk intuitively. At its foundation, risk management involves asking and answering a few simple questions:

  • What are we trying to achieve and how much risk can we take? (setting objectives and risk thresholds)
  • What risks might affect us, either to help or hinder? (risk identification)
  • Which of these are most important? (qualitative risk assessment)
  • How could these affect our overall outcome? (quantitative risk analysis)
  • What shall we do about it? (risk response development and implementation)
  • Who needs to know about this? (risk reporting)
  • Having taken action, how did our responses change things and where are we now? (risk review)
  • What have we learned? (post-project review)

These questions represent the simplest expression of an intuitive risk management process. They can easily be expanded into a more detailed process which represents a natural and logical approach for managing risk in a project or business, indicating the extent to which risk management is simply structured common sense.

There is a second sense in which some people view risk management as “hard”. This is in contrast to other disciplines which are regarded as “soft” because they are more concerned with people than with techniques. Risk management involves the use of brainstorming, checklists, Risk Registers, probability-impact matrices, Monte Carlo simulation, decision trees etc. All these are hard analytical techniques which require discipline, rigour and structure, based on data and numbers. Other management skills such as team-forming, motivation, leadership, conflict resolution, communication and so on are “soft skills” based not on numbers but on the need to understand how people tick.

But this is also true of risk management. Risk is not managed by machines, computers or robots; it is managed by people. Every step of the risk process involves people: we set objectives and risk thresholds, identify and assess risks, propose and implement responses etc. But each individual has a distinct personality, history, set of motivations and needs, relationships etc. These characteristics influence how people react to risk, both on their own and when in groups, leading them to adopt risk attitudes that vary between situations and with time.


Without taking proper account of the people aspects of managing risk, the risk process will be subject to unseen influences, leading to unreliable results and actions. Conversely, when attitudes and behaviours are fully understood and managed, then the risk process will work as it should. Effective management of risk in projects and business requires both people and process, acting together to allow risk to be managed intelligently and appropriately.

This explains why I wanted to disagree so strongly with the conference chairman who described risk management as a “hard skill”. Risk management isn’t hard, it’s easy, because it embodies an intuitive process for dealing with uncertainty that matters, and most people will find it natural. And risk management isn’t hard, it’s soft as well, because it requires both the use of structured techniques and the ability to understand and manage people.


If we persist in the view that risk management is hard it will encourage people not to do it. But if we recognise that managing risk is basically not difficult and that it needs to take proper account of people, it will be much more effective in helping us to deliver more successful projects and businesses.


  1. Rahime says:

    Very interesting article! I have not thought about the intuition factor in Risk Management before, it is a very important one though. Thank you for this view!