Carl is a recognized lecturer, author, researcher, and instructor. He is considered a leading authority on risk and communication management and he presents on a variety of management topics ranging from project essentials to the complexities of network diagramming and team motivation.
Subscribe to Project Management Paradise via one of the links above or on the right and you’ll automatically receive new episodes directly to your device.
Excerpts from Episode 95: “Risk Management” with Carl Pritchard
Can you tell me how you initially got into the area of project management?
I got in to project management, as so many project managers do, completely by accident, it was not the plan. I was doing some Moonlighting work for my job in radio, I had a full-time job, I was the news director of WASH radio in Washington DC. My Moonlighting job actually had me write a white paper for an executive on issues and concerns in project management.
The funny thing is that the guy called me back after and said “We would like to talk to you about doing some consulting work for us in project management. I said “I’m a writer, I just wrote what your people told me” and he said “That’s okay, you have got a much better understanding of project management than we do and we would like you to come in” and that was 30 years ago.
Can you maybe just give us a little summary of some of the books that you’ve published?
My big, fat book is “Risk management-Concepts and Guidance” and the fifth edition is published by Taylor and Francis and it is basically, it is my tome on risk management. I have written a lot of shorter stuff, as well, but that’s the one that really is the most in-depth, most researched, most, I hate to use the word, but, academic of the stuff that I have written.
Can you maybe just give us some of your take on the concept and how you guide people through appropriate risk management?
I think it all starts with and I think the important thing to remember is, it’s not some giant fat administrative layer. In fact, my book, reading my book would take you longer than to actually implement good risk management on a project.
The kicker is that the people need to basically lay down the rules of how are going to handle risk, the limits of what risks they are willing to accept and then go about actually trying to identify “Okay, what are we willing to put up with and what are we not willing to put up with and when am I going to as a manager freak out?”. Because too often people, people don’t know “Should I be freaking out?” and it’s like “Yes, you should be completely freaked out right now”. And we should be identifying all way ahead of time so that it’s not a surprise. The risk is, the whole idea of risk management is to take that surprise out of all this.
Could you talk a little bit about the rules and the limits organizations may not have a kind of formal risk assessment, adherence guide or whatever they like to call it in the organization, is this what you refer to when we talked about the language regarding risk management like what is the surprise you don’t want, what is a high risk to me could be a low risk to you, is that to do with perception?
Exactly and it goes to the whole notion of risk governance, risk governance, the whole idea behind good, effective risk governance is that you actually layout for people and say this is what we expect you to do and if you get anywhere near this particular line in the sand, it’s time to go ahead and call somebody. It’s time to actually address and it’s time to make sure that we are all on the same page, that we all agree, that we all have clarity and we all have an understanding of “This is what we’re genuinely going to worry about” and make sure that information is well shared.
Tragically, that information doesn’t get out to people, some people freak out way too often, and some people don’t freak out at all, and some people think we should mitigate everything and other people think we should mitigate nothing. The true risk and this is the operative word here, the manager actually manages by virtue of laying very clear guidelines, “This is what I expect you to notify me about, this is what I don’t expect you to notify me about”.
And most organizations never go that far because they don’t understand their tolerances, the point beyond which they will not go. One client that I had years ago and I’ve never seen it before, I’ve never seen it since, they actually did this by virtue of how they wrote their project charters. I thought it was genius and it breaks my heart that nobody else has adopted this along the way. Their project charters look like everybody else’s project charters, but at the very bottom of the charter there was a separate box and that separate box said: “kill criteria”.
Under the following conditions this project will be sent to management for review, for termination and I always thought it was genius in terms of tolerances because it communicates to anyone who looks at the charter “By the way, if it ever goes this far along, we’re done, we are really, really done”. Tragically, most organizations never get to that “really, really done” piece, they never know and instead, they crawl their way through bad times and more bad times and die the death of a thousand paper cuts and that’s not the way to go.
If a project ever, ever gets the five million dollars in spending, we are done, if that’s what it says in your kill criteria and you are a third of the way through the project and you spent 3 and a half million dollars, Houston, you have a problem. At that point, you should be able to go to the management and say that they should be aware that it’s got to the point that it’s this dark and it’s bad. If the management is now aware of that, they can now act proactively instead of waiting until you’re whacked into the wall of five million dollars, you’re able to stop and say you know what we should probably reassess this or shut it down now and that’s a much better place to be.
In your opinion, what are the three most important elements of Risk Management?
The first one is, knowing your tolerances, knowing the points beyond which you will not go. That would be one. The second most important thing is to get everybody on the same page, as to what we will avoid and what we will accept. In a lot of organization and what I mean by that is in a lot of organizations, avoidance is something that we don’t even talk about, it’s assumed everybody knows.
One of the big foods manufacturers that put breakfast cereal on everybody’s table every morning, their number one article of faith is to do nothing to damage their public image. If there is anything that’s going to do any harm to their public image, everybody stops, they don’t move forward, they shut it down. In fact, about 10 years ago, there was a pesticide scare, they were the only manufacturer that actually pulled every last box of cereal off the shelves in every grocery store around the world.
You couldn’t buy their products anywhere on the planet. There was somebody who understood the avoidance really, really well. Now, contrast that with acceptance. There are certain things your organization will universally accept. If your people are working more than 40 hours a week without paying them over time, a lot of the organizations just willingly accept that, they assume that people are going to be able to live with that.
And yet, there will always be people who complain “I have put in 45 hours a week” and it’s like “Whiner, that’s enough” but we need to be the one to say “No, no, no, that’s universally accepted, so all the whining in the world isn’t going to change it”. One of the beauties of the effectively implemented risk management is that it minimizes the whining, it stops these people. The third thing everybody needs to do universally in risk management is to have an open line of communication.
I’m flying out to Detroit next week for a training and kind of interesting I asked this in class “What’s the big risk I face flying out to Detroit?” and somebody finally after waiting the longest time, somebody in the class will go “Your plane could crash and you could die” and everybody in the room invariably gasps.
They go “I can’t believe you said”. Just because they said, it doesn’t mean I’m going to die in a plane crash. The reality is we need to be able to say those things, we need to be able to see them without fear, we need to be able to share information openly and freely. And tragically a lot of people are just ill-equipped to actually accomplish, that they just can’t do it and they can’t do it well. So, that’s the other big consideration.
If I identify risk on my project or my program and if I have difficulty not necessarily in me escalating the risk to a more senior level, how could one deal with actually following throughout the escalation of a risk if the senior team isn’t willing to accept that risk or responsibility for that risk, have you any advice on that front?
A lot of times senior management would be the ones going “I think you’re just worrying, I think you’re just worrying, I don’t think that’s a big concern” and you will be like “No, no, the building is going to collapse” and they are like “Well, but it has never collapsed before”. And you want to shake them about the head and shoulders but they seriously don’t listen.
If you’re in that kind of environment, the best things that I can suggest are, and it’s not just CYA, it’s a matter of ensuring that we have a common understanding and a common acceptance of “Okay you are not willing to identify this as a risk, you take this on this as a risk, you are not even willing to acknowledge this as a risk so what I’m going to do is I’m going to document it and I’m going to capture my risk plan, that we actually look at mitigation strategies and we are going to let this run”, But, what I would also do on the side, because I am a paranoid soul, I will try and find a way to mitigate it under the guise of mitigating some other risk.
I will desperately try to find some way to actually get them to buy “Okay, this doesn’t mitigate this risk but it does mitigate the risk of something else”. A good example of this is a firm from Sweden I was working with, where they actually had an interesting experience back in the 1980s. In the 1980s, they were doing a transmission distribution line project in Ghana and what made it interesting was that they were doing this project and the project manager has identified as one of the key risks – there may be rebel attacks.
In the 1980s, Ghana was the Wild West, it was kind of a crazy place. And he said he said “This is a big concern for me, that our people might get attacked by rebels” and management said, “No, no, no, we’ve been assured by the government that this is under control”. Interestingly enough, what his strategy was to deal with that were helicopters. He thought if they had a small fleet of helicopters on site, that would mitigate that, that they can get out.
He suggested that the management they initially no. Then he pointed out the supply chain risks that they had, all of the illness risks that they have, all the other risks that they had trying to put the transmission distribution line project across Ghana. And they bought in and said “Yeah, you can have helicopters for that” and beautifully he was able to mitigate a larger risk he was really afraid, by virtue of finding a solution for something else.
How can we maintain consistency between action and reaction?
I think it is the function of, and the only way you are going to sell it to the senior management is to be able to sell the cost benefits associated with it. If you have not taken the time to actually figure out what are the costs and what are the benefits, both tangible and intangible, that’s where some of the lines get drawn.
We have seen it recently with the whole Takata airbag disaster, bag the largest automotive recall in the history, where they recalled 35 million vehicles by virtue of the fact that the airbag detonators were actually turning them into dangerous bombs with shrapnel. You need to have the model of consistency and you also need to know where the lines are drawn. The risk is a lot like quality in that regard, it’s the costs of conformance vs. the costs of non-conformance and we need to be able to sell the notion that if we don’t have a risk plan if we don’t have a risk strategy, we don’t implement mitigation ahead of time, here are the implications if we have to deal with the real risk.
If it’s done well and done long enough over time, it becomes not just the strategy for a problem, it becomes inculcated into the organization’s natural day-to-day practices. Just a project example of this. The Japanese get credit for something that they created that I didn’t even know that they had created it. It is a lifesaver on a lot of roads. They are responsible for creating the rumble strip, a little strip on the side of some highways that actually give you that alert when you are tired and make sounds.
Originally, the rumble strips were only for the high-risk roads and high-risk environments and now they are the norm rather than the exception. And it’s that risk mitigation strategy that worked so brilliantly that everybody was like “We should just do this” and that’s when you’ve really arrived as a risk manager.