Uncertainty is everywhere - in markets, in budgets, in boardrooms, and in customer requirements. In fact, "uncertainty" has joined "change" as the only constants. Uncertainty means risk, and that means you are surrounded by risk. Fortunately, every project manager, program manager, portfolio manager, engineer, and team lead has an incredibly powerful tool to help them deal with uncertainty. That tool is risk management. Risk management is also known as managing uncertainty, and I'm sure you've heard this before - it is about reducing the probability or the impact of a future crisis. There is a significant difference between risk management (call it being prepared) and management by crisis (call it fighting fires). Risk management is a fundamental element in any project, program, portfolio, or business operation. It requires a 360o view of the project, program, or portfolio from every team member's perspective and thinking through the "What if..." scenarios that make up the program or project's timeline, activities, and constraints. "What if ... our database is hacked?" "What if ... we could use social media to strengthen our brand or be more customer interactive?" The teams think through the risks' root causes, their probabilities, and their impacts. It requires a total team effort because one person's threat could be another person's opportunity. This is especially true at the enterprise or portfolio level. For example, an application development team identifies and analyzes a risk to their project schedule and the application performance. This risk's root cause is a requirement to virtualize the application. However, from the enterprise's perspective, virtualization is an opportunity to reduce the operating costs of a data center. When done well, risk management is more than the identification and analysis of negative and positive risks; it is a means of creating a shared situational awareness of the failure and success factors that keep leaders up at night. Yes, that's right. Failure AND success factors. If you're only managing negative risks, or threats, then you're missing half of the picture. Focusing solely on negative risks is like looking at the proverbial iceberg - you're only seeing a part of what's there. Positive risks, also known as opportunities, need the same types of identification, analysis, response planning, and monitoring as the threats. Consider a well-known law of physics for a moment: every action has an equal and opposite reaction. If we transfer that line of thinking to risk management, we could posit that a potential threat is countered by a potential opportunity. Too often we focus on the threats (that's rational, right?) while neglecting the chances to enhance or exploit opportunities that create more value for our customers and our stakeholders. A client reported that two of the negative risks from his team's risk register had occurred. Those risks had become issues, and he was concerned that he had not managed the risks properly. We reviewed the risk register and other risk documentation and pointed to those risks' response strategies - "Accept the risk(s) - costs to mitigate exceed benefits of mitigation." However, the strategy to accept those risk(s) was not a passive acceptance. Because he and his team had a robust risk management process in place that emphasized proactive risk monitoring and risk communication, the team had developed contingency plans that were to be implemented if the risks did happen. When the risks did occur, the project manager, the team, and the stakeholders were not caught by surprise. The team executed the contingency plans. The fog of uncertainty had been burned away, and the program manager did not need to become a crisis manager. We can often find wisdom in common phrases. One of a risk manager's favorites is: "An ounce of prevention is worth a pound of cure." Risk management is the ounce of prevention. While there are many strategic and operational project management frameworks and processes that support successful project outcomes, risk management is the key process for enabling project teams to adapt to change, to overcome challenges, and/or to exploit a disruptive technology. The bottom line is that disciplined and integrated risk management can:
- Provide a significant return on your time and resources invested through a focus on risk identification, analysis, response planning, and monitoring
- Cut through uncertainty to prevent surprises
- Decrease time spent in reacting to management of crises
- Enable the development of strategies that enhance and exploit your project's and business' opportunities.