Risk Management Versus Prudence

Risk Management Versus Prudence
3 mn read Risk registries confound me almost as much as heat maps. Brainstorming everything that could go wrong on a project or within a program could result in quite a laundry list of everything from the absurd (what if an asteroid hits the earth in the middle of construction) to the mundane (what if I get sick and cannot make the next stakeholder meeting), the latter being things that Dr. David Hillson (the Risk Doctor) refers to as business-as-usual risks, which I believe require nothing more than prudence. In my organization, program managers must maintain a risk registry as part of compliance with our certified ISO 9001 quality management systems policies, processes, and procedures, since ISO 9001:2015 introduced the concept of risk-based thinking (whatever that means). I was disappointed to find these risk registries full of business-as-usual risks that have little impact on the programs themselves. As Doug Hubbard points out in his book How to Measure Anything, “In a decision model with a large number of uncertain variables [like risk analysis], the economic value of measuring a variable is usually inversely proportional to how much measurement attention it typically gets.” I recently had the opportunity to ask a friend who runs a successful construction company in Virginia how he manages risk on his construction projects. He seemed perplexed by the question. Clearly, risk management is not something at the forefront of his mind when it comes to managing his business. After thinking for a few moments, he declared, “The only risk that concerns me is whether or not we will make money on a project. That is how we decide which jobs to accept.” I did not have the opportunity to dig further, but I am sure my friend was not being cavalier towards the concept of risk. What about the risk that someone will get hurt on the construction site? you ask. As I pointed out above, identification of these types of risks could go on ad nauseum. I am sure this businessman has taken these probabilities under consideration as much as possible. He provides safety training to his employees and provides the appropriate safety equipment to mitigate the probability that an accident will happen (prudence), and he has purchased liability insurance to cover the residual risk if an accident does occur (risk transfer).  (Even if he does not believe purchasing this insurance is prudent, state law requires it.) To many, these factors are second nature to the point they are not even associated with risk management. They certainly would not appear in a managed risk registry. What if materials arrive late? you askRealization of this type of risk would extend the duration of the construction project and cause additional costs, so why does my friend not consider this in his simple risk analysis process? Again, there are an infinite number of individual threats that could delay the project and risk the probability that the project loses the company’s money. I do not doubt that there are activities this businessman and his company take into account before accepting a job. Think of bow-tie analysis where multiple threats, or triggers, are visually displayed leading to an event that results in consequences. Again, these activities are most likely second nature to my friend. He probably has his procurement specialist check on the availability of critical and long-lead construction materials, has the squad leaders confirm the availability of workers to complete the project on time, and consults with his chief financial officer to ensure there is adequate cash flow or credit to see the job through. Such safeguards are only prudent. Since risks are often well known within specific construction project types — and I get the feeling my friend’s company does the same type of work year after year — risk analysis is most likely done unconsciously in the minds of all the stakeholders who have a responsibility within the company to ensure each job is completed within scope, on schedule, and within budget. I assume that, if a job ends up costing the company more than the revenue earned, there follows a scramble to find out why. Again, whether documented in some bureaucratic report or ingrained in the minds of all involved, lessons would be undoubtedly learned and would be considered before accepting the next job. In summary, many items that wind up on risk registries are merely business-as-usual risks that can be handled through prudence without being actively managed. Furthermore, most business-as-usual risks are already being mitigated, avoided, or transferred through other means above the level of a project or program. I refer to these means as inherited risk controls, and I will discuss them more in next week’s blog.   Recommend0 recommendationsPublished in Technology & Innovation

Related Articles

Responses