You know how the movie Moulin Rouge has this recurring idea (originally coming from Nat King Cole’s Nature Boy) that “the greatest thing you’ll ever learn is just to love and be loved in return”? One of the greatest things I ever learnt, a wisdom that stuck with me for the longest time, came from the loading screen of World of Warcraft, while I was sitting there, impatiently waiting to enter my alternative virtual home. It said unto me:
Remember to take all things in moderation. Even World of Warcraft.
Mind you, I wasn’t happy at the time that Blizzard was trying to emulate my mom, but it’s amazing how right they were generally speaking. And not only will moderation in most cases be the best road to take, but we seem to be primed for making our choices not too hot, but not too cold either. What sells most in a bar that offers beer coming in three sizes: small, medium and large?
Medium! High five to all alcoholic Goldielocks around the world.
But where is this all going? Sit down please, we need to talk. About what?
About your risk appetite.
And that sweet sweet spot you should be aiming for.
Risk appetite refers to how much risk an organization is willing to take in order to achieve its strategic goals. Determining and clearly communicating the operational range of risk is an important consideration before one comes to the actual risk management process.
Risk appetite can vary depending on industry, company culture, competitors, the nature of the objectives pursued, financial strength and capabilities of the organization (having more resources at hand gives a company a greater capacity to accept risks and the associated costs).
Risk appetite is not necessarily a constant, but a variable that we should asses risks against, in a continuous manner, because changing environment, circumstances, available resources, skills or technologies may induce shifts of the optimal operational range.
Along with risk appetite comes risk tolerance. This is how much risk an organization can cope with. Also good to note.
It is important to know your company’s risk taking capacity in advance, because failing to do so will make the company and its projects inflexible. Taking on new risks becomes increasingly problematic as we approach the upper limit of our risk tolerance.
By the way, risk taking preferences in individuals can vary over a vast scale and this seems to have a genetic basis. Namely, different versions of the dopamine receptor gene (DRD4) are correlated with different levels of affinity towards financial risk taking, and particularly so in men . Women are found to be more risk averse than men irrespective of familiarity, framing, costs and ambiguity and tend to perform more conservatively in financial fields .
It is no wonder there is a dopamine receptor involved – you probably know about dopamine, it’s been called the Kim Kardashian of molecules. Dopamine is part of the brain’s reward system, a neurotransmitter that makes us feel good when we eat a satisfying meal, have sex, see our favourite football team win, and it is also responsible for the high we feel when we do something daring.
It also plays a major role in initiating movement, and malfunctioning in the dopaminergic neurons is in the root of Parkinson’s disease. But back to the point: In the risk taker’s brain, there appear to be fewer dopamine-inhibiting receptors — these brains are more saturated, which predisposes them to keep taking risks and chasing the next high .
Know where you stand on the risk seeking – risk averse scale, so you can modify your natural propensities and change your risk taking habits if they lean towards one side. Yes, either side. You don’t want to go to the extreme of taking on too little risk, because risk includes not only threats, but opportunities as well, and balancing this can make or break you.
According to David Hillson, “the risk doctor”:
Risk is an uncertainty which if it occurs will have a positive or negative effect on one or more objectives.
So, assuming you know your risk appetites, let’s go over the five basic steps in the project management process. This is something you can scale from a daily routine that you can wrap into 20 minutes at the start of your day, to a two week-long process where you take your time to discuss and plan all possible aspects with the stakeholders.
Risk is an uncertainty that can reflect negatively on cost, duration, performance or scope of your project. And while all risks are uncertan, not all uncertainties are risks. The goal of this step is to identify what uncertainties matter for your project, and note them down in a risk register.
For consistency and control, it’s convenient to have a risk register template in a tabular format.
Your register could contain colums like:
- Risk ID – Give each identified risk a unique identification number so you can unambiguously track it.
- Risk Category – This is where you categorize your risk. Does it concern scope, time, cost, resources, environment, or something else?
- Risk Description – Describe the potential risk. This could be something like: “There is conflict over resources and team members don’t have enough time due to competing demands.”
What you can describe at the beginning of a project are known unknowns, that is, the things that you know that you do not know enough about. But bear in mind that there are also unknown unknowns, those events that you do not know that you do not know about, and therefore cannot predict their occurrence.
Individual risks combine to make up overall risk, which is what you and your stakeholders might want to know when deciding whether to take on a project or not. You want to make room for unknown unknowns, so leaving a margin below the limit of your upper risk tolerance level would be a good idea.
Once you have all the important uncertainties pinned down, go over each one of them and assess how it affects your objectives. How does it reflect on your scope, resources, cost, duration?
Quantify how big of an impact it would have should it occur.
How likely is it? Assign a probability value.
Does it have a positive or negative effect? Is this a threat or an opportunity?
Estimate the risk’s proximity – how far in the future do you expect the risk might manifest itself?
How urgent is it? How fast do you need to act if it occurs?
How managable is it? Is there much you can do about it?
Assess propinquity. How important is it to you, does it directly affect you and your team?
There are some well established tools to assist you in quantitative risk analysis – such as decision trees, EMV, Monte Carlo simulations…
Key risk indicators (KRIs) are a tool used to enhance the monitoring of risks and facilitate risk reporting.
Once you described and quantified the uncertainties, you would like to order them so you can plan risk responses efficiently. You wouldn’t want to end up wasting time managing risks that are not very likely to happen or have a minor impact on your objectives, while neglecting a potential hazard that could completely derail the project.
But how do you prioritize when there are so many dimensions to take into consideration?
Start with the two most important ones: impact and likelihood. Place all the identified risks in a probability-impact matrix. This is usually a 3×3 or a 5×5 matrix, where one dimension (say rows) corresponds to the level of probability of a risk occuring, and the other one (columns) correspond to the level of impact the risk would have.
Example probability-impact matrix [Taken from JustGetPmp]
The risks that end up on and around the secondary diagonal of the matrix are assigned moderate priority. Those in the upper left corner, meaning low probability and low impact will have low priority, and those in the lower right corner that are very likely to happen and would have a significant impact on the project are of high priority and demand the most elaborate response plans.
The red areas contain the biggest threats and also the biggest opportunities.
When the risks are sorted on these two dimensions, split each one according to the remaining dimensions (proximity, managability, etc.) and sort once again. This will stratify the risks additionally and let the really important ones pop up like bubbles.
Add a priority level to each risk in the register.
So now you can proceed to the actionable items.
4. Response planning
The risk response strategies will depend on whether the risk is positive or negative.
Negative risk strategies include:
- Avoidance: eliminate risk by eliminating its cause, accepting an alternative, changing the design, or changing a requirement.
- Mitigation: reduce expected monetary value of a risk through reduction of probability and/or impact through active measures.
- Transfer: transfer the risk in totality or in part to another party. This approach isn’t used very often and tends to be more common in projects where there are several parties involved. If you are subcontracting, these transferences are typically addressed in the contract.
- Acceptance: Accepting the consequences of the risk, taking action when triggers are met. This is often accomplished by developing a contingency plan to execute should the risk event occur, keeping a stash of extra budget and time in case the risk is selected.
Positive risk strategies come in these flavors:
- Exploit: Do everything in your power to make sure that you take advantage of an opportunity.
- Share: share with another party who can increase the probability and/or impact of opportunities.
- Enhance: Increase the probability of an opportunity by playing on its triggers.
- Accept: Wait and see, adopt a passive attitude and have a plan of action should the opportunity manifest itself.
This may sound basic, but don’t forget to actually implement your risk management strategies. Risk analyses have a tendency to be performed in the initial stages of a project and then end up in a drawer (virtual one probably) that is never opened after the initial risk assessment. And if this is the case, and an uncertainty is suddenly embodied, we no longer talk about risk management but crisis management.
Instead, put your response plans into practice. Be proactive and not reactive. Proper risk management will reduce not only the likelihood of an event occurring, but also the magnitude of its impact.
Apart from these hard strategies, there are soft approaches you can take to improve risk management. Setting a firm value structure within your company and making sure all incentives are aligned can go a long way in preventing some hazards from occuring.
The same goes for possessing a decent level of emotional intelligence and knowing your stakeholders, their risk affinities, their sources or power, so you can better calibrate your risk assessment and tune your responses.
5. Review and update
So you have all your analyses and plans set. Unfortunately that is not where it ends. As the project progresses and circumstances possibly change, the risk manager will need to keep pace and update the risk register. Has a new risk emerged in the meantime?
If an action is taken to mitigate a risk, this will also require an update in the risk analysis. What changed? Use the opportunity to note what has been learnt from the experience. Document the actions taken and results it yielded.
Would you do something differently next time?
- Dreber, A., 2010. Biological Basis of Risk Preferences. Gruter Institute Squaw Valley Conference – Innovation and Economic Growth
- de Goeij, P.C., Gender Differences in Risk Taking: Are Women more Risk Averse? Thesis, Universiteit van Tilburg
- Norbury, A., Manohar, S., Rogers, R.D. and Husain, M., 2013. Dopamine modulates risk-taking as a function of baseline sensation-seeking trait. Journal of Neuroscience, 33(32), pp.12982-12986