RISK MANAGEMENT IN ACTION?

R.Murray-Webster1, P.W.Simon1
1
Managing Partner, Lucidus Consulting Limited, United Kingdom

Short Abstract
If risk management is good for us, why don’t we do it? This question is at the heart of the
paper. The paper looks at the experience of a number of leading companies who have
invested heavily in risk management processes and tools, and in training for their people; but
yet they fail to reap the benefits of a risk management approach because these knowledgeable
people, equipped with appropriate processes and tools, do not actually commit to action.
The paper outlines a range of causes of the problem, and a number of solutions ranging from
the behaviours of project managers and sponsors (business leaders) to the nature of the
procedural documentation that is in place. All of our observations are firmly grounded in our
practical experience when working with major companies, as well as building on leading edge
theoretical approaches.
Key words: risk, application, culture, attitude
Paper
Starting Premises
We have two starting premises. The first starting premise is that risk management is
important and that:

• Proactive consideration of what might happen in the future is worth the investment in
training and in the development of specific processes;

• Modelling of potential future states is worth the investment in tools designed for the
process;

• Contingency plans and funding are most usefully based on a good understanding of the
inherent uncertainty in any particular plan of action, rather than applying generic guesses
(such as +20%) that add nothing to the management of the situation.
The benefits of risk management have already been established and widely published, for
example, the set of benefits developed by the UK Association for Project Management in
1996 and published in a variety of places since1. This work lists a range of ‘hard’ benefits
associated with project and business success, for example risk management “discourages the
acceptance of financially unsound projects” and a range of ‘soft’ benefits associated with the
human impact of working in uncertain situations, for example, risk management “leads to
common understanding and improved team spirit”. Our experience leads us to specifically
claim that an additional key benefit of risk management relates to the topic most commonly
labelled stakeholder management. Any project, programme or change initiative needs
sustained buy-in from investors, decision-makers and other parties with a vested interest
throughout its life cycle.
Securing this commitment requires the uncertainty in the situation to be considered, to reduce
the chance that the venture fails to deliver the desired return on investment. Effective risk
management enables such commitment.
Assuming therefore that risk management is important, it is necessary to identify what
effective risk management looks like; the elements that together enable the desired benefits.
Figure 1 depicts the elements that enable project success, adapting a diagram originally used
in the Total Quality Management discipline2. This diagram indicates that to achieve success
(however that is defined for a particular initiative), the work to be done and the tools and
processes used to do the work will only “hold together” if they are join ed by the right
behaviours as depicted by the terms communication, commitment and culture.

Work
Hard
elements

Co
mm
re

Behaviour

un
ltu

Project

ica
Cu

Success

tio
Criteria

ns
Context

Processes Tools
Commitment

Figure 1: Success combining hard and soft elements

Our second starting premise, therefore, is that effective risk management requires an
investment in processes and tools and also in the development of an organisational culture,
shared and meaningful within the group concerned, that demonstrates through actions and
behaviour that risk management works and is worth the investment.
Case Studies
The experience of four companies, in 2005, is discussed in this section. All the companies are
major international players in their sector (financial services, defence systems, drug
development and professional services). All the companies have invested heavily in risk
management processes and tools and in training for their people; but felt the need to
commission our company to provide additional support to them because, despite their
investment, they fail to reap the benefits of a risk management approach. They have
knowledgeable people who are equipped with appropriate processes and tools ; yet risk
management is not perceived to be effective in practice .
Table 1 contains a selection of comments given to us by key personnel within these
companies. The comments summarise what we found during our work with them.
“Although our risk management processes are good, we don’t really insist they are used. We
expect project managers to manage risk, but good ones do this intuitively and without the
process.”

“We have processes that represent best practice” (and they have). “Our difficulty is in getting
people from the business to engage with the process. As a result the only people committed
to risk management are the risk managers.”

“Our risk management processes are boring; we don’t really see how they add anything to our
work.”

“It is difficult to get excited about risk management when the effects of a risk occurring don’t
really affect us.”

“It seems much more relevant to put effort into sorting out those problems that do occur,
rather than trying to anticipate what might happen.”

“By the time we are filling in our risk log, most of the meaningful risks on the project have
already been taken. Our job is to solve problems when they happen.”

Table 1: Risk Management in Action? 2005

Assuming these comments are indicative of wider experience, it seems that some of the
causes of ineffective risk management are:

• A belief that a formal approach is not needed for competent people, only to support people
who are less experienced and/or skilled or one might to protect the innocent.
• An inability to persuade stakeholders that there is benefit from a formal approach.

• A desire for work to be exciting (not boring). “Fighting fires” tends to be seen as more
exciting than work to prevent them in the first place.
• A difficulty in engaging with situations where there is little perceived personal relevance.
• A belief that risk management processes deliver too little, too late.
This suggests that work remains to be done on both the “hard elements” of risk management,
for example ensuring processes are relevant and deliver timely results without excessive
bureaucracy and on the “soft” or behavioural elements, for example ensuring that people
understand and are committed to making the processes work. Alternatively, perhaps the
reality of risk management in action as described in Table 1 points only to a need to improve
the culture for risk management in these organisations on the basis that if people are really
committed, they will make the processes work, or change them into something they will use.
Risk Management Culture
Culture has been described in various ways in a number of seminal texts. Writing in 1985,
Schein 3 describes culture as “the way in which a group of people solves problems and
reconciles dilemmas”.
Using this definition therefore, a culture that supports risk management would be one where
groups of people see the benefit of risk management in solving problems and reconciling
dilemmas. Adopting a proactive risk management approach of course is perfectly possible for
an individual to do, intuitively and without the aid of formal processes. However, the very
nature of managing change within organisations demands for groups of people to take this
approach, and this is difficult to do without some degree of formality.
So the challenge for organisations is to find a way of engaging groups of people with risk
management as a central part of how that group solves problems and reconciles dilemmas.
Developing more and/or better processes is unlikely to be the answer. The answer is more
likely to lie at the heart of attitudes that are held towards risk taking itself, and that are held
towards risk management as an effective way of dealing with those uncertainties.
In their book, Understanding and Managing Risk Attitude, David Hillson and Ruth Murray-
Webster4 examined the notion of risk attitude for individuals and groups. They explored a
range of factors that bias attitudes and the choices that people make, and suggested ways in
which individuals could change their attitudes if so desired. The authors were clear in
defining risk attitude as a chosen response to risk (a specific risk-event or risk in general) with
the choice influenced by perception of the situation in question. The notion of choice is
central. People may not feel they overtly choose an attitude, resorting to habit or some other
sub-conscious response, but they are nevertheless making an implicit choice.
Using this definition, individuals or groups could choose to hold a p ositive attitude to a
certain risk, for example, choose to support a risky course of action that would lead to a
desired outcome, and at the same time hold a negative attitude to a different situation, for
example, choose to avoid a risky course of action where the pay-off of taking the chance was
not perceived as good enough. The fact that everyone holds a range of different risk attitudes
at any one time suggests that risk attitudes are not right or wrong in absolute terms, but are
situational responses that may be appropriate, but may also be inappropriate in the
circumstances.
In the case studies cited , the chosen responses to risk are, in the main, to do nothing, i.e. to
choose to take the chance that the uncertainty will occur and deal with it then rather than try
to proactively manage them. This would typically be described as a risk seeking attitude to
threats, and a risk-averse attitude to opportunities. From our work within these organisations
we understand that although the action (to do something or nothing about risk management) is
taken by individuals, the risk attitude seems to be held by groups of individuals who appear to
share, or be comfortable with the same response to the risk in their situation. This may be
because the organisational culture supports reactive issue resolution (sometimes referred to as
“hero management”) rather than proactive risk management; or perhaps because the
perception of whether a situation is risky or not is biased by a lack of understanding of the
potential outcome should the risk occur, or some other source of personal or group bias.
Understanding risk attitude is a many-faceted challenge. It is understandable for individuals,
but group risk attitude is more difficult.
Our company, in collaboration with Risk Doctor & Partners are in the early stages of some
formal research into group risk attitude designed to provide more in-depth insight into
collective risk taking. Our research is designed to test the influence of a range of factors on
group risk attitude within decision-making groups. Until that is available however, we are left
with trying to find a way of moving organisations that appear serious about risk management
to a position where they put their investment into action.
Committing to Action
When something is part of a culture, deeply ingrained and sub-conscious, it is no longer an
option, but part of “the way things are done around here”. Modifications to already robust,
nearing ‘best-practice’ processes and tools, or to providing additional education and
development for people cannot be the answer. The challenge is to develop behaviours that
demonstrate that risk management is central to the way the organisation works without it
being seen as mechanistic and boring.
What behaviours do people need to demonstrate to build a culture for risk management?
Some suggestions are shown below:
Project Sponsors /Business Leaders
• Talk to stakeholders about their perception of the project, the things they are assuming will
happen, the things that may have a negative effect on objectives and the things that could
make the project even better.

• Document these risks in a risk register during the preparation of the business case, and as a
result show it is important to the project manager and project team by being a positive role
model.

• Expect many threats to exist so support the identification of these. It isn’t negative, it’s
sensible.

• Never “shoot the messenger”. If a member of your team identifies risks (threats) that they
cannot resolve then thank them and don’t make them feel foolish or else they will be afraid
to do the same in the future.

• Encourage people to identify opportunities and add these to the risk register too. Actively
doing this will show that effective risk management is not just about avoiding bad things,
but enabling good things.

• In support, do not reward the “heroes”, the people who refuse to plan and rely on super-
human efforts to resolve problems when they occur.
• Demand an understanding of why problems that must be resolved (project issues) and
change requests have occurred. Could the issue or change have been avoided?

• Measure the cost of issue resolution. It may be that with a little effort you can demonstrate
the financial benefit of proactive risk management?

• Through review, try to find examples of where there has been a positive benefit from
proactive risk management. Celebrate the success of proactive management.
Project Managers/Team Leaders
• Make risk management a “daily exercise”. Use the language of risk management in your
every day communications with stakeholders and your project team. Don’t confine risk
identification to formal workshops, talk to people about their views and how these might
affect objectives. Add these uncertainties to the risk register as soon as they are raised.

• Hold a continual, up to date view of the top five threats and top five opportunities for your
project. What circumstances might help you deliver a quality product earlier or cheaper?
What circumstances are the show-stoppers in terms of threats to the stated success criteria?
Make it your business to be able to give a succinct overview of these at any time to anyone
who asks.

• Monitor progress with risk response strategies with the risk owners on a regular basis.
Show it matters by your words and your actions.

• Ensure that the time and effort to complete risk responses are built into your project
schedule and budget. Failing to do this will almost certainly mean that the work will not be
done.
Summary
Major companies who have invested heavily in developing risk management capability still
fail to reap the benefits they desire from the investment. Although there is a widespread
perception that risk management is good for business in general and for managing the
uncertainty inherent in change initiatives in particular; there remains a disconnect between the
intention to put risk management into action and practice on the ground.
This paper has looked at real examples from companies in 2005 and has suggested that the
focus for attention in future should be to develop an organisational culture for risk
management that appreciates, at its heart, that risk management is essential for solving
problems and reconciling dilemmas in an effective way.
Currently, there is something about the attitudes that individuals and groups hold regarding
risk that is leading them to take unmanaged chances, preferring to deal with resolving those
issues that do happen, rather than avoiding situations that might happen. Some clues to
understand this type of risk attitude are availa ble, but there is more work to do to shed light on
the phenomenon.
 Whilst this research is ongoing, however, there are many practical things that leaders can do
to be positive role models for risk management, to “walk the talk” and turn the investment of
their company into a tangible benefit. These simple but effective changes to behaviour may
be all that is needed, and hold the key to putting risk management into real action?

REFERENCES
1. Association for Project Management Risk Specific Interest Group (SIG) (2004): Project Risk
Analysis and Management Guide, APM Publishing Limited, High Wycombe, UK.
2. Oakland, J, S. (1993): Total Quality Management; the route to improving performance, Nichols
Publishing Company, New Jersey, USA.
3. Schein, E. (1985): Organisational Culture and Leadership, Jossey Bass, San Fransisco, USA.
4. Hillson, D, A. and Murray-Webster, R. (2005): Understanding and Managing Risk Attitude, Gower
Publications, Aldershot, UK.