Episode 274: Risk Responses? You’ll Forget to Implement them. I Guarantee it! (Free)
This episode is sponsored by The PM PrepCast for The PMP Exam:
We are once again on a call with Dr David Hillson (http://www.risk-doctor.com) to discuss project risk management.
David is well-known internationally as a leading thinker and expert practitioner in risk management, and he consults, writes and speaks widely on the topic. He specializes in both strategic and tactical risk, with a particular interest in opportunities and risk psychology.
In this interview, we look at project risk responses. Or to be precise… we look at them to find out why people seem to forget about them.
The issue at hand is the fact that the typical project risk management process doesn’t include a step to "Implement Risk Responses". So it is common for people to identify and assess their risks, develop responses, record these responses in the risk register, and then… do nothing! We forget. We simply forget.
To help us get around this, David is campaigning for not just one, but two additional steps to be included into the project risk management processes. So that we don’t forget.
Below are the first few pages of the transcript. The complete transcript is available to Premium subscribers only.
Cornelius Fichtner: Hello and welcome to Episode # 274. This is the Project Management Podcast™ at www.pm-podcast.com and I am Cornelius Fichtner. Thank you for joining us today.
We are once again on a call with Dr. David Hillson to discuss project risk management. David is a well-known international leading thinker and expert practitioner in risk management and he consults, writes and speaks widely on the topic. He specializes in both strategic and tactical risk with a particular interest in opportunities and risk psychology.
In the following interview, we looked at project risk responses or to be precise, we looked at them to find out why people seem to forget about them. The issue at hand is the fact that the typical project risk management process doesn’t include a step to implement risk responses. So it is common for people to identify and assess their risks, develop responses, record these responses in the risk register and then do nothing. We forget. We simply forget.
To help us get around this, David is campaigning for not just one but two additional steps to be included into the project risk management processes so that we don't forget.
And now, just enjoy the interview.
Female voice: The Project Management Podcast’s feature Interview: Today with Dr. David Hillson, the risk doctor.
Cornelius Fichtner:Good morning, David and once again, welcome back to The Project Management Podcast™!
Dr. David Hillson: Thank you, Cornelius. I very much enjoyed our other two conversations. I'm looking forward to this one as well.
Cornelius Fichtner: So am I and so am I. So when we look through the literature then risk management is quite methodical and it follows a process. Can you summarize for us what steps a generic risk management process usually includes?
Dr. David Hillson: Right. Now, here is the key question usually and I think we're going to be talking about this a little bit later because in my view, the typical risk management process is missing some really important steps.
So let’s just talk about what it usually includes and we might include the PMI PMBOK process in this or even the ISO-31000 standard which is the international risk management standard 31000.
So I mentioned in one of our other conversations about risk management asking and answering some key questions and these are the key questions that a generic risk process usually covers. First of all, what are we trying to do? Secondly, what might affect us? Thirdly, what are the big ones? And fourthly, what could we do about it? And last, what's changed? And so, those five questions, the answer to the question is a process.
So we ask the question, what am I trying to achieve? The answer is objective setting and risk management planning. We ask the question, what might affect me as I try to achieve those things and the answer is risk identification. Then we say, which are the big ones and the answer is risk analysis or risk evaluation or assessment. And then we say: "Well what could we do about it?" And that's risk response planning or risk treatment. And then lastly, we say: What's changed? And that's our risk review or update or risk monitoring step. So those are the five typical steps in a generic risk management process.
The PMBOK® Guide has six steps because it divides the analysis into two. So it talks about qualitative analysis looking at the qualities of a risk in our discussion of what goes in the risk register, probability and impact and so on. And then we have quantitative analysis looking at quantities, numbers, things like Monte Carlo simulation or decision trees. But still it's basically those five steps ---the risk management planning, identify risks, analyze risks, response planning and review.
Cornelius Fichtner: But you've already said it, something's missing. Can you please elaborate?
Dr. David Hillson: Yes, I think there are two things missing in this process. As you probably know, I'm a fellow of PMI and I'm totally committed PMI. It's a great organization. I was a founder member of the risk management sig and then the risk management community of practice, I'm one of the authors of the PMI practice standard but PMI's got it wrong in my view in the PMI PMBOK® Guide risk Chapter 11. There are two processes missing.
So let's just say those words again and see if you can spot one of them. We plan the risk management process, identify risks, analyze the risks and plan our responses, then we review. Where do we do anything? So here's a big gap in the process. We plan responses and then we hold risk reviews. And actually, the truth is, that’s what most people do in the risk management process on their projects. They do their workshop and they look at what the risks are and how big they are and they develop some responses and write it in the risk register, then they file the risk register. Get on with the project for a month and then come back for a review meeting. And surprise, surprise, nobody has done anything. So I think there's a big gap between risk response planning and monitor and review.
And then there's another question. If you look at the typical risk management process for example in PMBOK Chapter 11, it's a cyclic process. So we have one kind of kickoff risk management planning, then we go identify, analyze, plan responses, review, then we identify, analyze, plan responses and review. And round and round we go.
The question is, where do you stop? It's a never-ending cyclic process. But it's a project process and projects have an end. Projects have a duration. So the project management process has got to finish and in the PMBOK, we have closing processes but the risk process never ends. So clearly, there is something missing in that cyclic process. It has to have a finish point.
The last part of our project management closing processes is a post-project review. And we need to have some kind of closing process for the risk management approach as well where we learn risk-related lessons. Now, they could be part of the post-project review but I'm afraid that quite often, we don’t learn any lessons about risk. We rush on to the next project and then we find the same threats occur and turn into problems and the same opportunities are missed and we don’t learn from them. So the two bits of the process that I think are missing are implement risk responses between plan responses and review and at the end of the project, learn risk-related lessons when we finally finish the project.
Cornelius Fichtner: Alright! Let's take a look at these two a little bit more in detail and talk about them separately. I'd like to start obviously with implementing our risk responses. What exactly has to happen for me to take action and implement something? Isn't this a risk response is here for when a risk actually gets activated, when a risk is appearing?
Above are the first few pages of the transcript. The complete PDF transcript is available to Premium subscribers only.