Everything I Need To Know About Risk Management I Learned From My Pocket Umbrella

By Gary Nelson, PMP

January 6, 1991: Standing on top of Ayers Rock (Uluru), Northern Territory, Australia. 
45C/113F and a cloudless, brilliant sunny sky. Humidity? near zero.

 

One of the driest, hottest places on earth.


So why am I carrying my pocket umbrella in my backpack?

And what does this have to do with Risk Management?


Interesting question!

To answer that we need to go back a few years earlier - and to a much wetter climate.

A Basic Lesson in Risk Management

Vancouver, BC, Canada - the "Wet Coast". 

Growing up in Vancouver you get used to rain. Lots of it - or at least long periods of drizzle especially in winter. (In Vancouver they can take a good NZ afternoon downpour and spread that out over three weeks of solid gray sky and liquid sunshine. One joke goes like this: "If you can see Mount Baker, it is going to rain. If you can't, it is already raining."  And another one - "They don't tan in Vancouver - they rust.")

Exaggerating a bit of course, but you get the idea. Wet. And not only that - you expect it, and plan for it.

Everyone has an umbrella (or three or four) and a rain jacket. One umbrella for the car, one for the office, one or two for home, and some spares for guests that might come by. Why? Well for the rain, of course - or at least the very high likelihood of rain, especially in the cooler months.

From the time I was in High School and taking the bus (or walking on a fine day), I carried a small umbrella in the bottom of my backpack.

It did not rain every day, of course - but I always carried the umbrella with me. It was perhaps my first practical exposure to Risk Management Planning. Knowing the region and the climate, there was a decent likelikood that on any given day I would need to keep my head - and especially my textbooks - dry from all that liquid sunshine. 

Remember the book "All I Really Need to Know I Learned in Kindergarten" by Robert Fulghum?  

My parallel to this might be called "Everything I Need To Know About Risk Management I Learned From My Pocket Umbrella."

Silliness, you say. How can you learn anything from an umbrella?

Essential Components of Risk

Risk - especially in the context of a project, is sometimes misunderstood, sometimes feared, and sometimes given no more than a sideways glance as everyone just wants to "get on with it" and start working on the project and produce the deliverables everyone is expecting. On the other end of the scale, Risk Management may become an all-consuming task that sucks the life out of your project as everyone is consumed by the worry of what might happen.

So what is a Risk - vs an Issue?

An Issue is a definite item that will pose some challenges or problems for your project. You are going to have to address it, or choose to ignore it - but it is not a "maybe" - the item is there, in your face- either right now, or at a known stage of your project.

Risk relates to an event that might happen at some time on your project. This Risk can be broken down into the following components:

- What may happen (the Risk Event)

- When is it likely to happen (timeframe: during a specific stage of the project, or at any time)

- What is the likelihood (probability) of it happening (High/Medium/Low)

- What is likely to be the outcome (the Impact) of the RIsk Event should it occur (High/Medium/Low)

- What factors might precipitate or contribute to the event

These are just the basic concepts - in your Risk Management Planning you will indeed include all of the above, as well as what you might be able to do about it - to try to prevent it happening (Risk Avoidance/Pre-Event Risk Mitigation), or if it does happen, what you can do to lessen any negative impacts (Post-Event Risk Mitigation/Risk Response).

The trick with Risk Management is doing a thorough enough job to make sure that you are aware of what might happen to impact your project - and to have plans in place to monitor the potential risk conditions and respond in the event it occurs. You don't want to take the "hope and pray" approach, hoping risk will pass you by - but you don't want all of your resources tied up in an exhaustive Risk Management approach that takes on a life of its own and detracts from your project. 

You need to take a practical approach to Risk Management. Look at what is "out there", and do a realistic assessment of what may happen, probabilities and impacts, and then devise an action plan to respond to any events, and look at what practical preventative measures you can afford to take, without going overboard.

When you have your list of Risk Items, you need to categorize them as outlined above, and map them out. You can do a simple 2x2-square grid (High-Low) or 3x3 (High/Medium/Low) if it is helpful to your project, but in my experience, simpler is better. For now let's discuss a simple 2x2 model.

In this model, we want to pay particular attention (and concentrate most of our efforts) on the High Impact/High Probability quadrant items. These could be show-stoppers. Proactive risk mitigation actions might also be advisable for several of these items.

High Impact/Low Probability items need to be monitored and prepared for - but you should not spent a huge amount of effort on prevention - but do have a good post-event mitigation plan.

Low Impact/High Probability items need to noted - but you should not spent a huge amount of effort on prevention or the mitigation plan.

Low Impact/Low Probability items can in many cases be simply noted and little time should be spent on them. Don't lose them though - it might be that their profile will change if conditions on the project change.

Pre-and-Post Event Mitigation

When you develop your Risk Management Plan, you will likely come up with a "what to do IF it happens" set of plans (Post-Event Mitigation) - write them down, and keep them in a drawer somewhere, just in case you might need them later. Update them as necessary.

However, the proactive (Pre-Event Mitigation) side of Risk Management includes taking preventative measures on an active or semi-active basis.

For example, if there is a risk that you might be attacked while staying in a war-torn foreign country, it might be wise to actively station armed security outside your complex. (The best Pre-Event Risk Mitigation strategy is simply not to go there in the first place, but if you are already there...)

But in our example (fortunately) all we have to worry about is rain. Specifially, preventing it from soaking your bag or briefcase.

Preventative Risk Mitigation

 If we took a fully active approach, you might walk around all the time with an umbrella open over your head. Aside from the lack of Vitamin D from sunlight, you would look pretty silly after a while and people will begin to talk about your odd behaviour.

So a semi-active approach might be a bit better. In this scenario, we would be prepared for rain- or at least rain of an average volume. So let's just take an umbrella with us - all the time. (If you only take an umbrella when you know it will very very likely rain - i.e. the weatherman warned you it is going to rain, that is just being prudent. No bonus points for you!)

Which umbrella to choose? (aka Effort)

Those big golf umbrellas provide great coverage, but they are bulky - and just like the guy walking with the open umbrella on a sunny day, walking around with one of those all the time will get people talking. Not ideal. Plus you are quite likely to poke people with it on the bus.

I prefer a more pragmatic semi-active approach - be prepared, but not necessarily for a monsoon. Prepare for a typical or middle of the range event - in this case, a typical Vancouver rain. So I packed a pocket umbrella in my bag. (Not the tiny ones, the ones about 33cm/1 foot long when closed). Suitable for most conditions, but small enough and light enough to carry everywhere, and not be too visible. People will commend you when you bring it out in the rain, but not look at you oddly on sunny days, because they can't see it.

And most of the time - as a Pre-Event Risk Mitigation Plan it was sufficient. Until last year, that is...

Change the Environment, change the Risk

As with everything in your project, things change over time. And sometimes, your Risk profile can change. You need to be aware of the changing conditions and re-assess your risks based on new data. You just might need to update your mitigation planning (post-event and pre-event).

Sometimes what worked before simply won't be enough!

August 30, 2011, Annapolis, MD, USA. 7:45am - I am due to start the training class at 8:00am. I am waiting in my car, outside in the parking lot, along with dozens of other people in their cars. Waiting - because it is not raining. It is drowning outside. Heavy rain bombs hitting the window, and over 1.5cm/half an inch of water pooled everywhere in the flooded parking lot, deeper in many places.

I have my pocket umbrella. Wheelie computer bag is in the trunk. Waiting.

7:59am. Still pounding down outside. I am going to be late for class!

Risk assessment: I have my umbrella. If I grab the bag and pull it, running fast I might be ok. 30 seconds to the front door, give or take. How bad could it be?

8:00 Inside the foyer, absolutely soaked except my head.

8:01 In the classroom, opening my computer bag. Everything is wet.

8:02 My laptop will not turn on.

8:02:01 Risk Event: Computer will not turn on! !@#&*!&#*(&!@#(*&!@*(#& 

Oh dear... I definitely did not make the right call on this one!

8:04 Risk mitigation (post-event): USB thumb drive with the training materials I made as a backup copy seems to be dry. Let's give it a shot, or I will not be earning money today!

8:10 Class starts, up and running with a borrowed laptop and my USB stick - while I completely empty my bag and disassemble the components of my laptop to try to dry them out with the hot air from the LCD projector.

11:55am Wrapping up for lunch. Things seem dry- I reassemble the laptop and power it up. Crossing fingers! 

11:59 Laptop boots up normally. Lucky. Very lucky I don't have to go buy a new laptop.

Lesson #1: Sometimes having a backup to your backup plan is a good thing to have!

Lesson #2: Don't let the heat of the moment let you make bad judgement calls when you have a Risk mitigation plan in place that is likely inadequate. As it turns out, at 8:05am the rain stopped. Haste makes waste, all those sayings...very true. Patience is a virtue...

Lesson #3: Pre-Event Risk Mitigation Plan adjustment: Buy a plastic bag to line the inside of the laptop bag in case of heavy rain.

Back to the Australian Desert

Down from Ayers Rock (Uluru), back in the LandCruiser and on the way back up to Alice Springs.

Still very hot, and dry. No cloud at all.

Feeling a little bit foolish about dragging that little pocket umbrella into the middle of the arid Australian desert. But then - I could not exactly leave it anywhere either - so here it is with me, in the bottom of my bag.

January 10, 1991: Took the train from Alice springs towards Canberra, stopped in Broken Hill NSW. 44C/111F. Dry. Hot. (Note: Home of Silverton Pub, the pub in the original Mad Max movie. If you go there, take "the challenge" and you will get a free beer. Really! I did.) 

January 11, 1991: Broken Hill, New South Wales, Australia. One of the few rainstorms per year hits the town, dumping several inches of rain in the afternoon.

** Guess who has an umbrella? ** :-)

Ironically, as there is so little rain, there are no storm drains in Broken Hill. They just have the street curbs, and some walkways the put out from the curb to the middle of the street so people can walk over the water until it flows back out into the desert. However as the rain was quite heavy, the little bridges only went halfway through the flowing water. 

So - umbrella held high and barefoot I went, walking down the street holding my shoes in my hand.

You can't plan for everything!

Summary

Risk Management is a matter of awareness and balance - and updating your Risk Profiles as time goes by - some risks disappear, new ones may be added, and some may change.

I have continued the habit of carrying a pocket umbrella in my bag - or, I did until my teenage son needed it more than me this year - now that it is his turn for taking the bus to High School. 

Time to buy another umbrella!

Good luck with your projects, and try to stay dry!

Gary Nelson, PMP
Gazza Consulting Services

Originally posted on Gazza's Corner by Gary Nelson, PMP Sunday, 17 June 2012. Reposted with permission. All rights reserved. Click here to see the original post.
Gary Nelson is the current Director of Communications for PMINZ,

Risk Mitigation Through Contracts

By Lars Theil-Lardon (MBA)

In my years as project manager, one thing my clients have valued most is the security of their funds or at least the knowledge of the last final figure.

At university they teach us that through planning 70% of the total expenditure of a project can be predetermined and secured. Life teaches us that clients usually do not want to go the extra mile in the planning process either due to time constrains or overconfidence.

Under these circumstances risk management helps to determine potential risks, which deviate from the desired project goal, and eliminate, isolate or minimize them. In the current market, dealing with risks and their potential influences can’t make up for inefficient planning.

In my personal opinion risks are best managed, some even avoided, through a solid written contract. However, this can only be achieved if the planning phase has been correctly and robustly executed. I have been in the construction sector for the last 6 years and I can recall that the most project issues came through wrong client expectations and sloppy written contracts. Many of my fellow engineers and project managers dealing with Local Government Agencies are using NZS3910 as their contract construct, but forgetting to personalise the contract with the particular project they dealing with. Sometimes recommendations made by the Engineers or Project Managers are rejected by the Clients as they are different to their standard contract conditions.

Now most of the readers will ask themselves, ‘why is this guy talking about contracts and risks avoidance in the same moment?’ The answer is easy. With a good and solid contract the client can avoid additional risks and with a sloppy written contract they will create additional risks. For example, if you predetermine your design in detail, you can anchor all the items in the contract document. As a client you will rely on the knowledge and experience of your consultants to get an understanding of the construction period. Even if the suggested timeframe is longer than your anticipated plans allowed for, try not to restrict the time by specifying the contract period shorter than it actually takes. Most contractors will still sign contracts with overly short contract periods, but they will work on potential extension of time from the early days. One piece of major advice is that a client shouldn’t change any plans or objectives after the contract is signed. A move like this will expose the client to a risk that the price for the variation is no longer the lowest market price and an extension to the contract period will be added.

Another catastrophic risk which can be eliminated with a contract is the reserves for any damages. Every construction contract has retentions placed on the suppliers. The maximum should be within 5% to 10% of the construction sum. This money can be used as funding source for any claimed damages after the project is practically complete and payment has occurred. I remember one of my contracts, where a maximum retention sum of $100K (equal to 1%) was specified. Three payments before the contract finished, potential applied damages were identified as being in the order of $300K to $500K. As you can imagine, the client got very nervous due to the fact that he was exposed to the risk of having to claim the damages from the contractor as invoices. This situation is not a single case - rather a regular thing.

A last but major risk is ambiguity of the contract. Some contracts are rushed and therefore mistakes, minor as well as major ones, slip into the contract. These ambiguities are risks which can cause financial implications to the client and frustrations on all sides of the contract. As a guideline to good management practice, all contract documents should be proof read at least 3 times preferably by 3 different people. At best one of these people should have had no involvement in the design process at all. With the increase in complexity and value the number should be increased too.

In my current project a lot of frustration between the contractor, client and consultant could have been avoided, if the document would have been closer examined before it was released for tender.

But every contract has its limitations and some unforeseen issues, such as unexpected ground conditions, can’t be eliminated. For these events and many others like delivery issues, theft, vandalism and so on, a well prepared risk management plan will govern the way through the risk world.

Lars Thiel-Lardon (MBA)

Professional Management Services 2009 Ltd

Lars studied at the University of Rostock and graduated in 2004 with a MBA. In 2005 he immigrated to New Zealand and works since in the construction sector.

Lars is specialised in civil and building construction projects and managed a number of construction projects in New Zealand. For the last 15 months he is involved with the Morrinsville Wastewater Plant Upgrade on behalf of Matamata Piako District Council.

Lars is also the Bay of Plenty Sub-Branch Coordinator.

Pragmatic Risk Management for Projects

By Grant Goodman

Life is risky and since time immemorial human beings have found a myriad of ways to maim, injure and kill themselves and others. However, the vast majority of us are still alive and well, through risk management practices that we are often unaware of. Driving on the roads is risky but we mitigate the risk by having speed limits and road rules.

Before I got into project management I spent three years as a risk manager in a healthcare setting. Healthcare settings are risky but a good risk practitioner looks for a way to minimise and mitigate risk. It is only in rare circumstances that we can actually eliminate risk. I suppose one could stop treating patients and that would stop the risk of treatment side effects but immediately another and larger risk will present itself – death from the risk of non treatment. The rule of thumb that the organisation I worked for was to identify all the risks and pro-actively manage the top ten on an ongoing basis. This allowed real progress to be made on reducing the risk profile without seeing monsters around every corner.

As we all know one of the cornerstones of effective project management is to keep an active risk register along with an issues register. For those of you who are unaware of the distinction a risk may happen, but an issue has already happened and needs action. The challenge is to manage risk effectively by following a small number of principles:

Risk Identification

At the initiation stage of your project identify all the potential risks with the project board, team and key stakeholders. Be realistic and resist the temptation to go overboard. Reputational risk from a botched project is real, the risk that your whole business will be destroyed by a catastrophic event is not very likely (but does happen as our colleagues in Christchurch can testify).

Risk Review

Review the risk register on a regular basis. Has the risk profile changed? Have new risks appeared? Have old risks been further mitigated? Have some of the risks become issues? All these questions should be asked but this should not take hours to do. Check out the risk controls to ensure that these are still working, if not, rework them.

Risk Reporting

I like to see full risk reporting on a monthly basis with a risk reporting section in all weekly project exception reports. The monthly report lets me track risks across my portfolio and associated programmes and forms the basis of the monthly risk reporting through to the project, programme and executive boards. Of more interest to me are the weekly exception reports. All I want to see in the risk section is new risks or an escalation/or dramatic de-escalation of existing risks. Any risk that is realised as a new issue is also reported. That way I can keep a regular view on the risk profile across the organisation without wasting a day reading full risk reports.

In my experience when risk registers get over-bloated then senior project and business stakeholders lose a sense of the real risk profile, this in itself raises another risk that real risks get obscured by the noise of smaller risks. It is unusual that any project manager is actively managing more than five active risks in any week so I only want to know what is happening to the top five on a weekly basis. Of course I do expect my project managers to escalate any significant risk that is worrying them when it occurs. While I see all the risk reports on a monthly basis only the top ten make it to the executive management for review. Once again this is a pragmatic approach. Senior executives are very busy and your report is usually one of many items on the agenda, so focus what you report to allow them to see the real view.

End of Project Risk and Issue Review

At the project close out a final review of the risk and issue registers needs to be performed. Any risk that has not turned into an issue can be closed. Issues need to be reviewed to see if they are still active or not. If they are active transfer them to someone in the business, if not close them out. This is an important exercise and should feed into the lessons learned section of the project close out. It also provides a reality check as to which risks can be dropped off the next project and which ones can really bite you in the rear.

Effective risk management will help you project manage without tying you up in minutiae.

Grant Goodman

Grant is an experienced programme director who has worked on a large number of programmes and projects nationally and internationally. He has recently returned from a three year consulting stint in the United Kingdom. Grant is also the Waikato Sub-Branch Coordinator.