Guest Post by Malcolm Peart (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Can we really manage risk, or do we delude ourselves by going through the prescribed activities of ‘risk management’ giving the illusion that it’s happening? Is risk management merely a hypocritical ritual and applying some science to fate through statistical mumbo-jumbo, decision trees, and quantitative analyses?
Let’s consider the abandonment of NASA’s space shuttle program caused by two catastrophic crashes as a consequence of ‘O’ rings and insulating foam coupled with complacency and poor decisions. Complacency was evident when NASA stated, “nothing bad has happened yet” and “NASA came to accept that” indicating a ‘wait and see approach’ rather than proactive intervention.
Closer to Earth we had the Deepwater Horizon explosion in 2010 that resulted in multiple fatalities, an environmental disaster and a cost to British Petroleum in 2018 of over US$65 billion. At the time ‘it’ was attributed to a “series of complex events, rather than a single mistake or failure.” The sad truth is that the events did happen…and recognised risks became ruthless reality.
If major organisations fail in their management of risk how can risk management live up to its allusion of offsetting project failure. Again, can risk really be managed?
Risk management is addressed in Project Management bodies of knowledge, international codes of practice and sometimes national standards. Some of the latter advocate caution in a world of optimism bias. Some Clients demand that risk registers are produced and risks are tracked and reported against. The ‘top ten’ risks are then discussed sagely and opinions are shared and recorded. And if things do go wrong the latter-day soothsayer can always say, retrospectively, “I told you so“…which is far from being proactive.
Going through the motions of risk management gives a veneer of compliance and ‘ticks the boxes’. Management audits will then show that processes are in place giving an impression that ‘risk management’ is being carried out.
Risks will be identified, quantified, classified and regularised and a project team may start to believe their own bull. Such belief breeds complacency and self satisfying behaviour which results in an internal belief that risk has been contained under a self-induced veil of delusion.
Risk management would have us believe that risks may be transferred, treated, terminated or taken. But taking on any venture we are ‘taking’ on risks, including the risk that we believe others are taking risks for us. “It’s a risk to try and be a success‘ said Somerset Maugham. If we believe that it’s only our risks that are important we create a false impression of security that somebody else will be diligent with theirs.
‘Risk owners’ will be assigned but this doesn’t necessarily mean that ‘their’ risk will be managed. Magicians use smoke and mirrors, and sleight of hand but in projects we are exposed to puffery and overconfidence giving the illusion that such-and-such is best suited to control our risk through a false sense of security possibly created by a delusion on their side that they can manage risk.
If these “Others” then realise their risks then they will need to communicate the problem. However, and all too often, they will initially declare that everything is under control and, infamously, “nothing can go wrong”. The project team, under an illusion that risks have been transferred, can then say with naive impunity, “It’s your problem and not mine“. Illusion may well fuel delusion.
NASA and BP along with many other organisations such as Bearings Bank and Union Carbide have experienced spectacular and catastrophic failures despite their risk management systems in which they believed. Their approach to risk management did not work and identified risks were ignored. Organisations must take risk if they want succeed or possibly just survive, and risk, just like change, is inevitable. But why are risks repeatedly ignored knowing that failure is highly likely?
A case in point was development of the multi-billion-pound T5 Terminal for London’s Heathrow Airport. The Owner of the project adopted a unique and, to date, a never repeated procurement model with a total approach to risk management. A collaborative culture in a partnering environment was created obviating many construction disputes and reducing costs. This proved to be hugely successful during the construction phase. Unfortunately, the opening day was disastrous as ‘known risks’ associated with baggage handling were allowed to ‘happen’. This cost GBP16 million in five days causing a “national embarrassment” and a parliamentary enquiry.
Colin Powell said, “Don’t let adverse facts stand in the way of a good decision” but ‘adverse’ and ‘good’ are matters of individual opinion. No matter what any risk management process tells us or what a Monte Carlo simulation indicates it is the gut-feel and opinion of the frail human that drives decisions. The ‘reality’ of a risk is in the eye of the decision maker rather than the position of a risk within a risk register.
Humans are the decision makers and regularly override the ‘facts’ that risk management identifies or forecasts. These decision makers may well be deluded into thinking risk will not affect them or be under an illusion that somebody else will be responsible and accountable.
Unfortunately, when a risk does happen there will be a realisation that something went wrong and, inevitably, discovery that somebody related to Mr Murphy had recognised that it could have happened. As a NASA chairman said after a space shuttle tragedy, “Obviously, it was wrong, but that is hindsight“; and as we should all know, hindsight is 20-20 vision.
“One man’s risk is another man’s opportunity” goes the saying and somebody somewhere will take a chance on that risk, even if they know the consequences and probability. But the question remains…”Can we really manage risk?” or is it just a sad fact that it is people that can’t be managed!
UK Chartered Engineer & Chartered Geologist with over thirty-five years’ international experience in multicultural environments on large multidisciplinary infrastructure projects including rail, metro, hydro, airports, tunnels, roads and bridges. Skills include project management, contract administration & procurement, and design & construction management skills as Client, Consultant, and Contractor.
Provision of incisive, focused and effective technical and managerial solutions for all project phases; identifying and dealing with troubled projects.
Tyler Johnson says
That’s a good idea to make sure that you don’t; rely one hundred percent on the risk management data. I could see how it would be useful to use a combination of b both data and gut feeling to make decisions. I’ll have to consider getting someone to help me learn about the risks if I decide to start a business so I can make an informed decision.
Gregory B says
Risk based, decision is still an emerging discipline. It’s based on a combination of heart, head, and gut. The interesting thing that we’ve recently learned and got confirmed: we now live in COVID time and all decisions are going to be made through the risk lens.
Yes, you’re right. if you’re thinking of starting a business especially in COVID time, please do an informed risk assessment. There are simply too many risks.