Three Immutable Laws of Risk Management

As many of my long time newsletter readers know, CompanySmith started five years ago with a premise of working with business leaders to identify and mitigate project risks. As those readers also know, that focus was short-lived even though our current work of improving results and predictability of projects is closely related.

As we look back on that first year – and even more prompted by the Katrina tragedy – we find that there are three immutable laws of risk management. Unfortunately almost every business and government seems to abide by these laws.

1.         We won’t pay to find out we have a problem

Sometimes ignorance is bliss. Paying good money for a program that might tell you that you have a problem in your business will be one of the first things to drop from a budget. Especially when prioritized against projects that might actually make money.

Examples abound. Most businesses won’t pay to test their indoor air quality. If they found a problem the costs to remediate are high, and hey, not that many folks seem sick anyway, right?

And how about testing new drugs. I had a near-death experience from a medicine that millions of people were taking. Six months and many deaths after my incident, the drug was taken off the market 

Or simply implementing a real and complete risk management process. A risk management process can be both expensive to conscientiously implement and it raises those pesky issues that no one would really like to talk about. A great deal of organizational maturity is required to talk openly about high-stakes risks.

And worse yet, a risk management plan documents a potential liability for a hostile lawyer to find in discovery.

2.         We won’t invest in a maybe

Here Katrina and the breached levees come to mind. It was known that the levees would breach with a hurricane over category 3, and a hurricane over category three was an inevitable occurrence. But for this generation of taxpayers, this set of government officials, this constituency, this term in office, it was a maybe.

More investment in this ‘maybe’ is required for adequate disaster planning and the mock disaster drills that prove that the contingency plans work or don’t work. More investment in a maybe.

It can be expensive to talk about risks. Short term, it raises project costs, impacts schedules, and means that the team has to share risks with management that may be catastrophic to the project, for which there is simply no good answer, or that may show their leadership capabilities in a less-favorable light.

The other and more disconcerting class of ‘maybes’ is the risks for which science has not found an answer. This category includes nuclear waste management, international social injustice, global warming, and the ozone layer. In these cases the consequences are potentially beyond imagination and our collective wisdom can’t seem to provide a straight answer. Science for all its truths is still susceptible to politics and the agenda of the for-profit (or not-for-profit) corporation.

3.         If it kind-of works, then it’s not broken

I hear project leaders say that they’ve never used risk management processes before and ‘look how well we’ve done’. They never invested in risk mitigation and still get projects out the door. This is fine until the risks come home to roost and projects are cancelled, teams are ‘reassigned’ and people’s careers or lives are ruined.

This is not just about projects and natural disasters; it’s also about leadership styles. I was on a panel a while ago where someone related a common defense of command and control managers with the thought that at least how they ‘lead’ “works a little bit”. That was the justification for not changing.

In Closing

I hope that at least a few readers will start a risk management process. Start small and grow risk management into something meaningful that will make your projects and our lives better and avoid some project disasters for which the stage has already been set.

Home | Privacy