You cannot not manage risk

There is an entire risk management world out there that no one calls risk management. Master that and become the Yoda of risk management (the big one, not the baby).

Me, trying to manage some risk (photo (c) by Mikal Schlosser)


When you look at organizations and how they deal with risks, a strange paradox starts bugging you: People may hate the idea of a risk management process, but they are very keen on managing risks.

Let me give you an example: A project manager for a major CAPEX project had just gone to great lengths telling me about their cost focus and the hands-on management style they use to deal with it. When I politely inquired about their risk management practices, the answer was: 'We tried that. It didn't work.' Or, alternatively: 'We do not have that kind of culture.' Or: 'We do not have the time.' Or: 'Our data quality does not allow for it.' Or: 'We do it, but the guy who does it is only allowed out of the basement for Steering Committee meetings.'

So the same (very) smart guy who is kept up by the thought of cost risk at night tells you two things: a) they do a lot about it (somehow), and b) it ain't risk management.

So, what is the secret of managing risks without risk management?

For starters, let's take a moment to let one thought sink in a little:

You cannot not manage risk.

The risks are there, like it or not (or maybe better: see it or not). They could not care less about you or your organization's opinion on their existence or relevance.

Why can't we just ignore them and NOT do risk management? As a quick look into the Big Book of Risk Management Strategies reveals, that is actually a risk management approach: acceptance of residual risks. And it is a perfectly reasonable response, if done knowingly. The stick-your-head-into-the-sand variety is, at best, irresponsible. But it is risk acceptance nevertheless. You cannot not manage risk, try as hard as you may.

On the other hand, every manager and engineer with half a neuron dedicated to self-preservation in such an organization does quite a bit of risk management focused on mitigating reputation, financial and legal risks to their person. The academic term for that risk management strategy is CYB (Cover Your Butt).

It pains me to say, but one of the best ways of managing risks I saw was not risk management

There are happier examples as well, though: I was visiting a very successful (small-ish) contractor in the aerospace and defense sector. I paraphrase my conversation with their Chief Engineer:

  • Do you manage risks? - "Yes!"

  • Do you do risk management? - "No!"

  • Then what on earth is going on here? - "Well, look at our requirements management process for example. Every time we write down a requirement, we ask ourselves four questions: 1) How sure are we that we understood the customer right? 2) How sure are we that the customer knows what they want? 3) How sure are we that they are not going to change their mind? 4) And how sure are we that it is physically possible to build this?"

We kept talking for quite some time. It gave me a bit of a headache when I had to acknowledge that I had just stumbled on one of the best working risk management systems I had seen in the industry in a while, and there was no ISO 31000 to be seen for miles.

So what is that strange risk management universe beyond risk management?

That got us thinking: Obviously there is a whole world of risk management out there that exists outside what I, or any other self-respecting risk manager, would call risk management. A risk management beyond formalized processes that are called risk management. What could that possibly be?

As your typical professor, when I come up against a particularly intriguing problem that also promises to be hard and require a lot of work, I go and hire a PhD student to do the heavy lifting (it is a bit more complicated than that, but pretty close).

Here is what we found:

How formal and how explicit is your risk management? (Source: Willumsen 2020)


There are two dimensions in which the way we go about risk management differs: It is either formal or informal, and it is either explicit or implicit.

ISO 31000-type risk management - formal and explicit - adds a fraction of the risk management value in most organizations we saw

After wading through towering piles of interview transcripts, it emerged that it is useful to think about risk management activities in four categories. Conveniently, they fall into a 2x2 matrix, so are also accessible for senior management (did I really just write that?):

  1. Formal and explicit risk management: We love to focus on the formal, explicit quadrant: Processes that are defined as processes, that deal with risk management, and that even say risk management on the sticker. Think of this as everything your average guy considers risk management. Fun fact: This is also the most hated part, and the part that is arguably perceived to add the least amount of value to a project or organization.

  2. Formal and implicit risk management: This is a large category of formally defined processes (not risk management, but the 'real work' we do around here). They do not say 'risk management' on the sticker, but in well-run organizations they do address risks, aka the real-life uncertainties and their consequences. The requirements management approach mentioned above is a good example. So are cost management, scheduling or any other planning process in what would intuitively feel to you like a "well-run organization": They all aggressively deal with what you do not know (yet), and with what to do about it.

  3. Informal and explicit risk management: Although upper management keeps telling you they hate this, they will rapidly promote you if you are good at it, and thus make sure the organization keeps doing it: Crisis management and firefighting. There is a whole range of informal (i.e. not written down as processes), but explicit (i.e. officially designated to deal with risk) activities along the risk management life cycle. This ranges from us 'suddenly' realizing that we do not understand our regulatory landscape, to some of our products catching fire in the field. This is very costly, very dumb, but unfortunately, also very very exciting.

  4. Informal and implicit risk management: This is the killer category. What could possibly not even be a process, not be called risk management, and yet arguably play the most important role in successfully managing risks? We discovered that the foundation, and indeed the one element you cannot do without, consists of factors such as water cooler conversations, friends from college who now work for your client, and you just showing the right amount of restraint and judgement at the office Christmas party to keep your colleagues' trust. I would venture so far as to say that the best risk management is trust and communication.

That is it for today.

Just for fun, the next time you discuss risk management at your organization, print out the 2x2. Put it on the wall, and talk about what you currently do, what you should do more of, and how you will get there.

If you do not make it to Risk Management Yoda right away, you should at least be at Luke-on-Dagobah level.

Acknowledgements and Resources

The ideas discussed in this article were borrowed from Pelle Willumsen's PhD work. You find his publications, including his PhD thesis, here. Thank you Pelle.

I work at DTU's Engineering Systems Design Group, and run the DTU RiskLab.

For my fellow academics: The theoretical lens we used in this research was that of Actuality in project management. If you have not heard about it, check it out, it is pretty neat. My claims of importance and value of one approach over another are my personal opinion, based on the interviews. We have not coded (or in fact: set up the research) for any normative claims.
