Risk Mitigation - What's Your Score?
Curtin Institute of Radio Astronomy, Curtin University, Perth, Western Australia, Australia
Submission: January 23, 2018; Published: February 05, 2018
*Corresponding author: Philip Crosby, Curtin Institute of Radio Astronomy, Curtin University, Perth, Western Australia, Australia, Email: Philip.Crosby@curtin.edu.au
How to cite this article: Philip Crosby. Risk Mitigation - What's Your Score?. Eng Technol Open Acc. 2018; 1(1): 555551. 10.19080/ETOAJ.2018.01.555551
This article examines conventional methods for risk identification and risk scoring using 'look-up' tables, and concludes that such methods are inherently flawed and offer false confidence in project management. The author suggests a series of searching questions to test the efficacy of traditional risk assessment in order to better prepare the project for review. Important further considerations are posed in relation to nonspecific, irrational risk exposure (i.e. Black Swans), and the author presents two approaches for improved preparedness against undefined risk.
Keywords: Risk; Score; Likelihood; Consequences; Mitigation; Project management; Assessment; Task force; Preparedness; Black swan
Abbreviations: PMBOK - Project Management Book of Knowledge
Ask about risk management in almost any complex project, and you're likely to be presented with some form of table listing various risks, often ranked by severity, with many of the highest risk exposures "mitigated" by control measures and demoted to safer (non-red!) scores. These conventional-style risk plans, underpinned by likelihood and consequence ratings derived from coloured look-up tables, certainly give the impression of a scientific treatment of project risk. But if you then ask more searching questions around the
(i) relative meaning of the derived risk score,
(ii) frequency of updates and reviews of risk tables, or
(iii) verification of the effectiveness of mitigation plans,
don't be surprised to see 'cracks' appearing. (For example, how much 'riskier' is a score of five than a score of four?)
However, perhaps such lack of ongoing attention matters little, since a growing number of researchers suggest serious flaws in this standard method of risk management. Awati sums up these concerns, drawing on work by both Hubbard and Cox, each theorising that such arbitrarily chosen (and likely biased) risk ratings are mostly worthless.
From my direct involvement in several large-scale, high-technology projects, and several years of in-depth research into the topic, I conclude that these 'standard' methods of risk identification and assessment are irrevocably ingrained in project management practice. Project management courses and "PMBOK" style guidebooks mean that risks of all kinds (including those for which there is no statistical probability distribution) will likely continue to be assessed and managed by traditional means, and to be fair, the process does at least portray a view of known risk exposure at a point in time. But how good is the method in practice? I suggest that an investment of a couple of hours can pay handsome dividends as a self-test and learning exercise, for both the practitioner and the organisation.
Here’s a Suggested Approach
1. Set aside a time (ideally just ahead of a project gate review), when you and at least some other project leads can focus on the project risk table and control plan(s).
2. Examine a few examples of the assessed risks with the highest impacts, and their controls and/or mitigation plans.
3. Now ask these questions:
a. In retrospect, were these actually among the highest impact risks?
b. Did they materialise (impact or threaten the project) in the predicted way?
c. Were the mitigation measures or controls effective in reducing impact?
d. In the light of the above, can we do better at ranking our exposure profile?
e. Do we need to change, or implement new, controls?
4. Allocate a time to update the risk plans to capture and embed the new view of project risk, and do it.
The above task will freshen up the risk register and better prepare the project, and its people, for periodic review. However, there is one other important aspect that is likely to 'fall out' of the exercise.
Working through (or brainstorming) potential project risk can only help reveal and rate the set of known exposures and cannot cope with non-specific, or intangible, risk in complex projects. As humans, we are optimists. We extrapolate poorly from past events, and we are generally reluctant to plan for non-rational, unexpected negative impacts. This idea is most highly developed by Taleb, who classifies such events as 'Black Swans'. Green adds the crucial point that project planners should not be fooled by the statistically insignificant frequency of Black Swans, but instead should pay close attention to the potential catastrophic consequences. This is something we are much better at when dealing with risk where we have a personal stake, e.g. investing our own money or caring for our family.
So, how might complex projects be better shaped in terms of risk? First, since the unknown cannot be planned in detail, I suggest investing in preparedness, not prediction. Green promotes 'uncertainty spotting' skills: the early seeking out and challenging of threats and assumptions through active awareness, especially of geopolitical and economic developments at the project boundary. The trick here is to develop an atmosphere of vigilance and preparedness, especially among project team leaders.
The second approach to building defences against Black Swans in complex projects is two-pronged:
(i) Establish a contingency reserve against estimated risk cost, combined with
(ii) The early appointment of a 'proto' task force panel(s) kept in dormant readiness to offer expert advice against unanticipated events.
Cost estimation of risk, which is admittedly a highly speculative process, is well covered in Baccarini's catalogue of formal risk-pricing processes and worth reviewing. Promptly deployable task forces, coupled with access to project contingency reserves, provide fast and practical resilience measures for troubled projects.
To summarise, if your engineering project organisation has adopted the traditional risk rating approach, then work through it non-mechanistically and frequently, and lift your success through application of learning and experience to implement defences against unexpected trouble. And finally, actively open your mind to the potential negative consequences of a Black Swan event.
- Awati K (2014) On the limitations of scoring methods for risk analysis.
- Taleb NN (2010) The black swan: the impact of the highly improbable. (2nd edn), Random House, USA.
- Green N (2012) Keys to success in managing a black swan event. Aon Risk Solutions White Paper.
- Baccarini D (2006) The maturing concept of estimating project cost contingency - a review. Department of Construction Management, Curtin University of Technology, Perth, Western Australia.
- Crosby P (2013) Success in large high-technology projects: what really works, ICCPM, Australia.