Why I’ve Stopped Spending So Much Time on Risk Management

The more I manage projects, the less useful I consider risk management on projects. It gets to the point where I actively minimise my time spent on risk management activities. It’s not because projects have got less risky, but I have noticed a decreasing value return from risk management.

Effort and return on risk management don’t make sense

If there was any operation in a business that spent $1,000 to generate a $10 return, that process would not last long before it was improved or rationalised out of the business. Unfortunately, this is the sort of return that I see on risk management.

The effort involved in risk management is not small. Often there are workshops with the wider project team to brainstorm a set of risks, sometimes repeated at a defined frequency. In the project team there is logging and tracking of the risks and periodic review of the risks. The risks are reported in Steering Groups and Governance Groups.

The return from this effort is low. I see few, if any, active decisions taken by Steering, Governance or Project teams to mitigate risks, or to avoid them by having different courses of action. This isn’t because of a lack of desire to action, this is because the fundamental process of risk management practiced in many project teams, is flawed.

Many of you will disagree.

Many of the risks are not risks

A lot of the risks tracked by project teams are not risks that anyone on the project has the authority or capability of doing anything about. Because of this, the effort is wasted. The largest fundamental way that this materialises is in environmental risks versus project risks. Environmental risks are risks in the environment, not risks because of the project. For example, there is a risk that someone comes to market with a new product before we do; there is a risk that we lose IP if people leave the business; Those risks would exist if we were doing the project, or if we were not doing the project. Therefore, project teams, Governance Groups and Steering Groups do little about these risks. They’re endemic in the environment, not created because of the project. Tracking these risks adds no value, yet they are the most frequent risks I see tracked in risk logs.

When is a risk an issue or an assumption

Most risks can be rewritten as an issue or an assumption, that generates positive actions as a result.

If we have an assumption that the key people on the project are going to remain and we are going to keep their IP, this is similar to tracking it as a risk. Except now, it’s easy to take steps to validate our assumption. Let’s identify those key people. Let’s ask them if they’re enjoying their work. Let’s look at their last employee satisfaction surveys. And if anything looks amiss, this now becomes an issue. Simply by reframing the risk as an assumption, the actions we take increase and the management of the situation is improved.

I challenge you to rewrite your entire risk log as issues or assumptions. It will increase the return in value you get from your effort spent and your project will thank you for it.