"Managing risk in practice" workshop

Rollback to version 52

0:01 - 0:04

Okay, let's have a look at
risk management in practice
0:04 - 0:08

And what I want to do
is to start with some basic concepts
0:08 - 0:14

then focus on TWO difficult areas
in the risk process
0:14 - 0:19

So, I guess if I asked you
to define the word 'risk'
0:19 - 0:23

you would have some idea
of what it meant
0:23 - 0:26

We might not have a formal definition
that we could quote,
0:26 - 0:30

but we all have something in our minds
when we hear the word 'risk'
0:30 - 0:34

This is what we think,
and maybe you think of things like this
0:34 - 0:39

Maybe you feel like this little guy,
facing some big ugly challenge
0:39 - 0:42

that you know is just going to
squash you flat.
0:42 - 0:44

Maybe you feel like this guy.
0:44 - 0:46

This is a real job in North Korea,
0:48 - 0:51

and his job is to hold the target
for other people to shoot at
0:52 - 0:54

Sometimes project managers
have the target here
0:54 - 0:57

We feel like everybody is shooting at us
in our job
0:58 - 1:02

Or maybe you just know there's something
nasty out there, waiting to get you
1:02 - 1:06

And maybe that's what you think of
when you think of the word 'risk'
1:06 - 1:10

Well that's partly true
but it's not the whole truth.
1:10 - 1:14

Risk is not the same
as uncertainty.
1:14 - 1:17

Risk is related to uncertainty
but they're different.
1:18 - 1:24

So all risks are uncertain
but not all uncertainties are risks.
1:25 - 1:28

If you have a risk register
or a risk list,
1:28 - 1:31

you don't have a million items in it,
or you shouldn't.
1:32 - 1:35

You don't even probably have
a thousand items in it,
1:35 - 1:36

you have a smaller number.
1:37 - 1:40

Although there are millions
of uncertainties in the world.
1:40 - 1:44

So how do we decide which uncertainties
we're going to call 'risk'?
1:45 - 1:47

And write them down
and put them in our risk register
1:48 - 1:50

and decide to do something about them.
1:50 - 1:56

Clearly 'risk' is a subset
of uncertainties, but which subset?
1:57 - 1:58

How do you know?
1:59 - 2:03

I think it's very simple to separate
risk and uncertainty.
2:03 - 2:05

And I use 3 English words,
2:05 - 2:10

these words here,
"risk is uncertainty that matters."
2:12 - 2:15

Because most of the
uncertainties in the world don't matter.
2:16 - 2:19

We don't care if it's going to rain
in London tomorrow afternoon.
2:19 - 2:24

It might, it might not.
It's irrelevant, it doesn't matter.
2:24 - 2:27

We don't care what the
exchange rate will be
2:27 - 2:31

if it's between the Russian Ruble
and the Chinese Yen in 2020.
2:31 - 2:32

It doesn't matter to us.
2:33 - 2:35

But there are things on our projects,
2:35 - 2:37

and things in our families,
2:37 - 2:39

and things in our country,
2:39 - 2:41

which are uncertain which do matter to us.
2:42 - 2:45

If it's an uncertainty that matters,
it's a risk.
2:46 - 2:50

So here's another question,
how do you know what matters?
2:51 - 2:53

In your projects,
what are the things that matter?
2:54 - 2:58

The things that matter in our projects
are our objectives.
2:59 - 3:02

So we must always connect uncertainty
with objectives,
3:03 - 3:06

in order to find the risks.
3:06 - 3:08

And if we look at
some definitions of risk,
3:08 - 3:11

this is the ISO standard that I mentioned,
3:11 - 3:14

it connects those words very simply;
3:14 - 3:18

Risk is the effect of uncertainty
on objectives.
3:18 - 3:21

And we might look at another definition
from the UK,
3:21 - 3:24

from our association
for project management,
3:24 - 3:28

it says the same thing that risk
is an uncertain event
3:28 - 3:32

or a set of circumstances,
which is uncertain,
3:32 - 3:35

but it matters because should it occur,
3:35 - 3:39

it will have an effect
on achievement of objectives.
3:39 - 3:41

Uncertainty that matters.
3:41 - 3:44

So we should be looking
in our risk register for two things:
3:45 - 3:49

"Is it uncertain?" We don't want
problems in our risk register.
3:49 - 3:52

We don't want issues in the risk register.
3:52 - 3:55

We don't want constraints or requirements.
3:55 - 4:00

These things are certain,
what we want is uncertainties,
4:00 - 4:02

something that might happen
or might not happen.
4:03 - 4:07

But the other important question for our
risk register is
4:07 - 4:08

"Does it matter?"
4:08 - 4:12

Which objective would be affected
if this thing happened?
4:13 - 4:16

And then when we want to see
how big the risk is,
4:16 - 4:18

we can ask those two questions:
4:18 - 4:20

"How uncertain is it,
4:20 - 4:22

and how much does it matter?"
4:22 - 4:25

And that will tell us how big the risk is.
4:25 - 4:27

So, this idea of uncertainty that matters
4:27 - 4:31

then develops into
something which is useful
4:31 - 4:33

by linking uncertainty to our objectives.
4:35 - 4:37

So, we have two dimensions of ‘risk,’
4:37 - 4:40

we have an uncertainty dimension and we
4:40 - 4:42

have a dimension that
affects our objectives
4:43 - 4:47

In projects, we call
this probability and impact.
4:47 - 4:50

We could call them other things,
4:50 - 4:51

there are other English
4:51 - 4:53

words we could use,
but these
4:53 - 4:55

are the ones,
most often, we use.
4:55 - 4:58

And I would like to ask you with
this picture of the mouse.
5:00 - 5:05

What effect matters to the mouse?
5:06 - 5:09

So first of all, clearly,
he is in an uncertain situation here.
5:10 - 5:12

And he's seen some risks.
5:12 - 5:15

His objective is to get the cheese
and stay alive.
5:16 - 5:19

And so, one of the risks he has
identified is a bad thing
5:19 - 5:21

that might happen:
he might be killed or injured.
5:22 - 5:25

And so, he has been a
good project manager,
5:25 - 5:27

he has put his little helmet on,
and he is preparing
5:27 - 5:32

so that it doesn't happen to him.
So, he doesn't get killed or injured.
5:32 - 5:33

Very good.
5:34 - 5:37

And there are things in our projects,
that if they happened
5:37 - 5:38

would kill or injure us.
5:38 - 5:39

They would waste time,
5:39 - 5:42

waste money, damage reputation,
5:42 - 5:43

destroy performance,
5:43 - 5:46

maybe even injure real people.
5:46 - 5:50

And as project managers we have to
see those things and stop them happening.
5:50 - 5:52

Protect ourselves in advance.
5:52 - 5:53

Avoid them.
5:54 - 5:58

Are there any other uncertainties
that matter for the mouse?
6:00 - 6:01

Well there is...
6:01 - 6:02

the cheese.
6:03 - 6:06

There's an uncertainty here which
matters a great deal.
6:06 - 6:08

"Will I get the cheese out of the trap?"
6:09 - 6:10

He might, or he might not.
6:11 - 6:14

And if he doesn't get the
cheese out of the trap, he's failed
6:15 - 6:17

So he has two uncertainties to manage,
6:17 - 6:20

one of them is bad - he might be killed
or injured -
6:20 - 6:23

the other is good - he might
get the cheese.
6:23 - 6:25

And what he has to do,
6:25 - 6:29

what he has to do is to manage both
of these at the same time.
6:29 - 6:32

And as project managers, we have to
do the same thing.
6:33 - 6:36

And also we have to do it in the
best possible way -
6:36 - 6:41

sometimes there's a better way to get the
cheese without being killed or injured.
6:41 - 6:45

In our projects, we have to stop the
bad things happening,
6:45 - 6:48

but we also have to get the cheese out
of our projects.
6:49 - 6:52

"So what does 'cheese' mean,
in your project?"
6:52 - 6:54

"What is the 'cheese' in your project?"
6:55 - 6:57

'Cheese' means value.
6:57 - 6:58

'Cheese' means benefits.
6:59 - 7:02

'Cheese' means products and
services that people want and need.
7:02 - 7:04

'Cheese' means customer satisfaction.
7:04 - 7:07

'Cheese' is the good stuff
that we're trying to get
7:07 - 7:08

out of our difficult projects.
7:09 - 7:12

And if we don't do anything bad -
7:12 - 7:16

we don't waste time, we don't
waste money, we don't damage reputation -
7:16 - 7:18

but we don't create value,
7:18 - 7:19

we've failed.
7:20 - 7:23

If the mouse didn't die but he didn't
get the cheese, he failed.
7:24 - 7:28

If we create benefits, but we waste time
and waste money and destroy reputation,
7:28 - 7:29

we've failed.
7:30 - 7:33

And if the mouse gets the cheese
and he's killed,
7:33 - 7:34

he's failed.
7:34 - 7:36

So we have to do both of these things.
7:36 - 7:39

And when we think about risk
and think about impact,
7:39 - 7:42

there are two kinds of impact that matter.
7:43 - 7:45

Bad ones, and good ones.
7:45 - 7:48

Uncertainties that could hurt the project,
7:49 - 7:52

and uncertainties that
could help the project.
7:52 - 7:56

Both of these matter
and both of these need to be managed.
7:57 - 7:59

And we have another word for those.
7:59 - 8:04

So, here's the definition of risk from the
Project Management Institute, the PMI,
8:04 - 8:06

from the PMBok Guide.
8:06 - 8:08

It's the same as the others
that we've seen:
8:08 - 8:12

an uncertain event or condition,
that if it occurs, affects an objective.
8:13 - 8:19

But PMI knows about the mouse. PMI knows
about the cheese and the traps,
8:19 - 8:22

and has added three words
to the definition of risk here.
8:23 - 8:26

It's not the words 'cheese' and 'traps'.
8:26 - 8:29

It's the words 'positive or negative'.
8:30 - 8:34

What this tells us is that there
are good risks, as well as bad risks.
8:35 - 8:38

And we heard that in one of our
keynote speeches, earlier this morning.
8:39 - 8:43

In the uncertain situation that this
country faces going forward
8:43 - 8:46

with all the changes that there have been,
there are threats.
8:46 - 8:48

There are things that could go wrong.
8:48 - 8:50

And you need to see those
and address them.
8:50 - 8:53

But there are also opportunities.
8:53 - 8:56

Uncertain things that might happen
that could be good.
8:57 - 8:59

And we also need to see those things,
9:00 - 9:03

and to try and proactively
make them happen.
9:03 - 9:05

And that is equally true in our projects,
9:05 - 9:07

in our personal lives,
9:07 - 9:09

and also at the national level.
9:10 - 9:14

And I'll be talking about some of
those things later on this afternoon
9:15 - 9:19

So, PMI has this definition. The other
standards have something very similar.
9:20 - 9:21

The ISO standard, at the bottom here,
9:21 - 9:26

says 'risk is the effect of
uncertainty on objectives.'
9:27 - 9:29

Note, the effect can be
positive or negative.
9:31 - 9:35

And the APM, Association for Project
Management in the UK says the same thing.
9:35 - 9:40

So we have this new idea,
that risk is a double-sided concept.
9:41 - 9:44

And it's the same impression,
the word you have for risk,
9:44 - 9:48

we mostly think of bad things.
But it could be used for good things,
9:48 - 9:50

as well. Isn't that right?
9:50 - 9:51

It's an uncertain word.
9:52 - 9:55

And there are good risks as well
as bad risks.
9:56 - 9:59

So in our project
risk management process,
10:00 - 10:03

we should be looking out for the traps
and avoiding them
10:03 - 10:06

and protecting ourselves and
preventing them happening.
10:06 - 10:09

But we should also be looking
out for the cheese
10:09 - 10:12

and chasing it, and making it
happen proactively,
10:12 - 10:15

so we get the maximum
benefit for the minimum cost.
10:16 - 10:19

That’s why risk management is so
important to
10:20 - 10:23

project success: because it effects
our objectives.
10:24 - 10:27

It gives us the best possible chance
to achieve our goals.
10:29 - 10:30

So how do we do that?
10:31 - 10:33

If we think about the risk management
process,
10:34 - 10:36

the process has to do a number of things.
10:37 - 10:40

If risk is uncertainty that affects
objectives,
10:40 - 10:42

we have to know what our objectives are.
10:42 - 10:44

Then, we have to identify the
uncertainties.
10:45 - 10:48

The uncertainties that would matter to
those objectives.
10:49 - 10:53

And remember that they could be good
or bad, threats and opportunities.
10:54 - 10:57

That gives us a long list of uncertainties
that matter,
10:57 - 10:58

but they don't all matter the same.
10:59 - 11:04

So the next thing we have to do is
to prioritize, and ask the question
11:04 - 11:07

"How uncertain,
and how much does it matter?"
11:07 - 11:10

Then we get a prioritized list of risks.
11:10 - 11:14

We know which are the worst threats and
the best opportunities,
11:15 - 11:17

so that we do something about it.
11:18 - 11:19

Then we plan how to respond.
11:19 - 11:23

We think about what would be appropriate
to stop the bad thing happening
11:23 - 11:25

and to make the good thing happen.
11:26 - 11:29

And having decided, we do it of course.
11:30 - 11:34

And then risk is constantly changing
so we need to come back and do it again,
11:34 - 11:36

and see what has changed.
11:37 - 11:42

We could express this process as a number
of questions that it's important to ask,
11:42 - 11:46

and keep on asking about our project.
11:46 - 11:50

In fact, you can use these questions for
anything.
11:50 - 11:54

You could use these questions for your
next career move.
11:55 - 11:59

You could use these questions for deciding
about your pension.
11:59 - 12:04

You could use these questions to decide
how to bring up your children
12:04 - 12:09

or to decide on how to invest the nation's
wealth.
12:10 - 12:12

These are the questions:
12:12 - 12:15

"What are we trying to achieve?"
That's setting objectives.
12:16 - 12:18

Then, "what could affect
us in achieving that?"
12:19 - 12:21

That's identifying risks.
12:21 - 12:24

Then, "when we have a list of risks,
which are the most important ones?"
12:25 - 12:27

That's prioritizing at that
assessing the risks.
12:28 - 12:30

Then, "what could we do about it?"
12:30 - 12:34

Planning our responses and doing it,
implementing the responses.
12:35 - 12:39

And then, "did it work and what's changed"
Reviewing the risk.
12:39 - 12:44

So if we look at a risk management
process, we could link each step in the
12:44 - 12:47

process to one of these questions.
12:47 - 12:50

And this is why risk
management is so easy,
12:50 - 12:56

because all we're doing is asking and
answering obvious questions.
12:56 - 13:01

Anybody who's doing anything important
will ask these questions:
13:01 - 13:04

"What am I trying to do?"
"What could affect me?"
13:04 - 13:06

"Which are the big ones?"
"What shall I do about it?"
13:06 - 13:09

"Did that work?"
"Now what?"
13:10 - 13:14

And you could ask those questions every
Monday morning when you drove to work,
13:14 - 13:16

or every Saturday morning.
13:16 - 13:18

You can ask the question, say
13:18 - 13:21

"What am I trying to achieve today?"
"This week?"
13:21 - 13:24

"What could affect me and
which are the big ones?"
13:24 - 13:25

"What shall I do?"
13:25 - 13:30

We can manage risk on a very simple basis,
or we can use this as the structure for
13:30 - 13:35

a risk process which is much more complex,
which involves lots of meetings,
13:35 - 13:39

and lots of stakeholder groups and
lots of analysis and statistics.
13:39 - 13:41

It's the same questions.
13:42 - 13:45

So I would like you to remember
two important things.
13:45 - 13:49

One is, risk is uncertainty that matters.
13:50 - 13:54

And secondly, these questions,
these six questions.
13:55 - 13:58

Because that's the heart,
that's the basis of managing risk,
13:58 - 14:01

and it really is very, very easy.
14:01 - 14:06

Now, in the time that we have, I want to
focus on just two parts of this process,
14:06 - 14:11

and then give us the opportunity
to try out some of these things.
14:11 - 14:14

The identification step, clearly
very, very important
14:14 - 14:18

because if we don't identify the risks,
we can't manage them.
14:19 - 14:22

And then planning responses.
14:22 - 14:26

Understanding how we can deal with
the uncertainties that we've identified.
14:27 - 14:30

So, let's think about these things:
identifying risks.
14:30 - 14:32

How do we find all of the risks?
14:33 - 14:35

Well, you can't.
14:35 - 14:39

You can't find all of the risks because
there are risks that arrive
14:39 - 14:41

that we hadn't seen before.
14:41 - 14:44

There are emergent risks,
new risks, different risks
14:45 - 14:49

and I'll be talking about those
later this afternoon in my speech.
14:49 - 14:55

What we want to find are the knowable
risks: the risks that we could find.
14:55 - 14:59

We don't want somebody
on our project team who knows a risk
14:59 - 15:00

and they're not telling anybody.
15:00 - 15:05

So this process is about exposing the
uncertainties that matter,
15:05 - 15:07

finding them so we can
do something about them.
15:07 - 15:09

And there are lots of techniques,
15:09 - 15:12

brainstorming, workshops, check lists,
15:12 - 15:15

testing our assumptions and so on.
15:15 - 15:18

But I would like to answer a
bigger question,
15:18 - 15:20

a different question from techniques.
15:21 - 15:24

And it's the question, "are we
finding the real risks?"
15:25 - 15:30

When you go to a risk workshop and you
write things in your risk register,
15:30 - 15:34

are they really the uncertainties that
matter for your project?
15:34 - 15:40

Are these really the things that could
drive you off track or really help you?
15:40 - 15:42

Or are they just the obvious things?
15:42 - 15:46

Where all projects have problems with
requirements,
15:46 - 15:50

with resources, with testing.
These are things that
15:50 - 15:53

always come up, and we have processes
to deal with them.
15:54 - 15:56

But are they the real risks?
15:56 - 15:59

I would like to suggest to you that often
in our risk registers
15:59 - 16:02

we confuse real risks with other things.
16:03 - 16:08

Often, we confuse risks with their causes,
where does the risk come from?
16:09 - 16:13

Or we confuse risk with their effects,
what do they do if they happen?
16:14 - 16:17

But risks are uncertainties that matter.
16:18 - 16:20

They are not causes or effects.
16:20 - 16:23

So causes are things that are true.
16:23 - 16:26

This is true that the project
is difficult,
16:26 - 16:29

it is true that we do not have enough
people on the project.
16:30 - 16:33

it is true that the customer hasn't
signed the contract yet.
16:34 - 16:37

These are not risks, they are facts.
16:37 - 16:38

They might be issues.
16:38 - 16:42

They might be problems, but they are
not risks because they are not uncertain.
16:43 - 16:45

And a lot of people write these
things in our risk register.
16:45 - 16:48

"We don't have enough time
for this project."
16:48 - 16:49

"It’s a risk!"
16:49 - 16:51

No, it’s a problem.
16:52 - 16:55

Sometimes we confuse risks
with their effects.
16:55 - 16:59

There could be an accident,
we could be late.
16:59 - 17:02

those are not risks either,
they are the effects of risks,
17:02 - 17:07

how do you manage, we could be late?
If your late, it’s too late.
17:07 - 17:11

What we want to know is,
why might you be late?
17:11 - 17:15

What unplanned thing could happen
that would result in you being late?
17:16 - 17:19

So, risks sit between causes and effects.
17:20 - 17:24

We can’t manage causes because
they're here now, they're facts.
17:24 - 17:27

We don't want to manage effects
because they may never happen.
17:28 - 17:31

What we can manage is risks
that sit in the middle
17:31 - 17:33

because they haven't happened yet.
17:34 - 17:38

So, risk management has
to separate risks from
17:38 - 17:41

their causes and risks from
their effects.
17:42 - 17:46

And I find looking at hundreds of
risk registers all around the world.
17:47 - 17:52

I've worked in 48 different
countries, every continent, every culture.
17:52 - 17:56

Uh, not the Antarctic, it’s too cold.
Um, but nearly every continent.
17:57 - 18:02

And over half of the stuff in risk
registers are causes or effects.
18:03 - 18:04

Over half.
18:04 - 18:07

So the things we are trying to
manage in the risk register
18:07 - 18:10

are not risks and then
people are surprised that it doesn't work.
18:12 - 18:16

So how do we separate cause, risk, and
effect. Here is a little test.
18:17 - 18:20

And these statements are
written in your notes.
18:20 - 18:22

Or you can just think as we go.
18:22 - 18:26

Each of these statements and they are
all very simple is one of these things.
18:26 - 18:28

A cause is something that is true today.
18:29 - 18:32

A risk is an uncertainty that might,
or might not happen.
18:32 - 18:35

The effect is why it matters
to our objective.
18:36 - 18:39

Okay? So you have to
think what these are.
18:39 - 18:42

The project is based in a
third-world country.
18:42 - 18:44

Cause? Risk? Or effect?
What do you think?
18:45 - 18:46

Cause! Very good.
18:46 - 18:50

So, this is a fact, there might be
uncertainties that come out of this fact.
18:50 - 18:55

So we may not get the resources we need,
there may be security concerns.
18:55 - 19:00

We may not get paid. These are
uncertainties that come from this fact.
19:01 - 19:04

Interest rates might go down.
19:04 - 19:05

It's a risk.
19:05 - 19:07

Or they could stay the same or
they could go up.
19:07 - 19:10

And we could go over budget.
19:10 - 19:11

It's an effect.
19:11 - 19:14

So, a million things could
take you over budget,
19:14 - 19:15

maybe interest rates is one of them.
19:15 - 19:17

Okay? They were easy.
How about this?
19:17 - 19:20

The weather might be better than usual.
19:20 - 19:22

So risk could be the same or worse.
19:23 - 19:26

It would be a bad thing if you
were selling umbrellas.
19:27 - 19:30

It would be a good thing if you
were selling ice cream.
19:31 - 19:33

It depends what your project is.
19:34 - 19:36

Um, I'm allergic to prawns.
19:38 - 19:40

It's a cause, it's a fact.
19:40 - 19:44

What is the risk that comes from
this fact, this cause?
19:48 - 19:50

You think maybe I could be sick?
19:50 - 19:53

I could have a reaction.
I could be very ill. I could die.
19:55 - 19:58

All of those things are effects.
Aren’t they?
19:59 - 20:01

But if something happens
that I didn't plan,
20:01 - 20:04

because I am allergic something might
happen that makes me sick.
20:05 - 20:07

What's the something?
20:07 - 20:09

I might eat prawns without knowing.
20:10 - 20:14

So then I check, are there prawns in this?
You know I avoid things with prawn in them
20:15 - 20:18

I manage the risk and not the effect.
And not the cause.
20:18 - 20:22

Okay, we have got to use a new technique,
an unproven technique.
20:23 - 20:26

It's a fact, it's a requirement,
we have to do it.
20:26 - 20:29

we might introduce design errors but it
just is a fact.
20:29 - 20:31

A requirement of our project.
20:31 - 20:33

The contractor may not deliver on
time is a risk.
20:34 - 20:36

Um, this is going too fast.
20:36 - 20:39

It might not work for some reason.
20:39 - 20:41

You saw the color, it's an effect.
20:41 - 20:45

Okay, I will go more slowly. Uh,
we don't have enough people.
20:47 - 20:51

It's a cause, yes. And lastly,
there's a risk that we'll be late.
20:54 - 20:57

Hmm...mm.
It's an effect, is it?
20:58 - 21:01

Because we want to know what is the
risk that we'll be late.
21:02 - 21:03

Being late is an effect.
21:03 - 21:09

So apart from the prawns, all of the blue
and green things we see in risk registers.
21:10 - 21:17

The project environment, new technology,
lack of resources, or going over budget.
21:17 - 21:21

Lack of performance, delivering late.
These are not risks.
21:21 - 21:23

These are causes or effects.
21:24 - 21:28

And if we looked at a real risk register
and this is written in your notes for you
21:28 - 21:31

If you want to do this afterward,
we could do another exercise
21:32 - 21:36

In fact, the next page of the notes,
if you turn over the page
21:36 - 21:39

has these written a bit larger for you
21:39 - 21:40

English only I'm afraid.
21:41 - 21:43

We'll have to do something about that.
21:44 - 21:48

Um. You could just try this little
exercise on a real risk register
21:49 - 21:53

This is one of my clients, I asked
them for their top 10 risks.
21:53 - 21:54

This is what they gave me.
21:54 - 21:57

They're not risks. They're all sorts of
things mixed up.
21:58 - 22:01

Really, you should do this on your
risk register.
22:02 - 22:06

But let me show you what happened
when I did this on their risk register.
22:07 - 22:09

I found there was a whole mixture
of things.
22:10 - 22:14

So, the current hardware is not fast
enough to support testing. That's a fact.
22:15 - 22:16

It's a cause.
22:17 - 22:21

This means that we may be unable
to test performance
22:21 - 22:23

until production hardware is used.
22:24 - 22:25

That's the risk.
22:26 - 22:28

So we have two things in this
statement.
22:29 - 22:31

The next one down is just a fact.
22:31 - 22:35

A number of usability issues have
been identified by the supplier.
22:36 - 22:38

Okay, so what?
22:39 - 22:40

What difference does that make?
22:41 - 22:45

Let me color code this for you.
Just to be slightly friendly.
22:45 - 22:45

Umm.
22:45 - 22:49

But you will have to do it on your own
if you want to try the complete exercise.
22:50 - 22:54

Umm. There is a whole range of different
things in this so-called risk register.
22:55 - 22:57

And I would expect that yours is the same.
22:58 - 23:02

That you'll have things in your risk
register that are just pure facts.
23:02 - 23:06

Or things that are a mixture of risks
and other things
23:07 - 23:11

Now, there are two in this list that I
think are particularly interesting.
23:11 - 23:15

It's this one and this one.
They have all three colors in them.
23:16 - 23:18

Because they have a cause and a risk
and an effect.
23:20 - 23:24

So, let take this one. The team
does not have a documented design.
23:24 - 23:26

For this function. That's a fact.
23:27 - 23:28

So what?
23:28 - 23:31

Well, there's the risk
that the architecture
23:31 - 23:34

may not support
the required functionality.
23:34 - 23:37

That might happen because we don't have
a documented design.
23:38 - 23:40

Why do we care about that?
23:40 - 23:44

If that happens, it results in the
requirements not being met.
23:44 - 23:46

or a higher number of defects.
23:46 - 23:49

That hits our performance objective
and our quality objective.
23:50 - 23:54

So, now we have three things,
we know what the risk is.
23:54 - 23:58

The risk is that the architecture might
not support the functionality.
23:59 - 24:02

We know why that's happening,
because we don't have a documented design.
24:02 - 24:07

And we know how it could affect the
project in not meeting the requirements,
24:07 - 24:09

or delivering defects.
24:10 - 24:12

Those are really useful things to know.
24:13 - 24:18

And it will be helpful if every risk
description had those three things in it.
24:18 - 24:22

And, so what we recommend is
a structured description of risk
24:22 - 24:24

that has three parts to it.
24:25 - 24:31

That says "as a result of" some fact,
a cause. Then, an uncertainty might occur.
24:32 - 24:34

It might not, but it might.
24:34 - 24:36

And if it did, it would be a risk.
24:38 - 24:41

and if that thing actually happened,
it would lead to
24:41 - 24:43

An affect on the objectives
24:43 - 24:49

And we recommend and PMI recommends
and the ISO standard recommends
24:49 - 24:51

and best practice guidelines recommend.
24:51 - 24:54

But you describe your risk in these
three stages.
24:54 - 24:58

What do we know, what uncertainty does
that gives us, and why does it matter?
24:59 - 25:03

And then we can use it to help us
manage the risk.
25:04 - 25:08

In English, we have definite words
to describe facts
25:08 - 25:12

This is true. This has happened.
This does occur.
25:13 - 25:17

We have uncertain words to describe the
risk. It might or it might not
25:17 - 25:19

It's possible.
25:19 - 25:23

And then we have conditional words that
say this would follow
25:23 - 25:25

if the risk occurred.
25:25 - 25:28

Maybe your language is a little different.
25:28 - 25:31

But we can use the language
to help us perhaps.
25:31 - 25:33

So one of the things
I'd like us to try,
25:33 - 25:36

in the short exercise we're
going to do in a moment,
25:37 - 25:41

is to try describing risks
in that three part way.
25:42 - 25:43

What do we know?
25:43 - 25:45

What uncertainty does it give us?
25:45 - 25:48

And why does that matter
to our objectives?
25:48 - 25:51

And I would recommend that you
try that for your own
25:51 - 25:55

real risk register on your project, and
see what difference it makes.
25:56 - 25:58

You might be surprised.
25:58 - 26:03

Now, let's think about the
next question, which is not,
26:03 - 26:04

Well, there is another question.
26:04 - 26:05

"How do we prioritize them?"
26:05 - 26:08

But the one I want to focus on is,
"What could we do
26:08 - 26:10

about the risks that we've identified?'"
26:10 - 26:12

Planning risk responses.
26:13 - 26:15

Here are the questions
we need to ask.
26:15 - 26:18

"What are we going to do based on
the risk?"
26:18 - 26:20

How manageable it is.
26:21 - 26:24

How bad or good it might be
if we left it alone
26:24 - 26:26

impacts the variety.
26:26 - 26:30

Whether we have the people
and the equipment of the skills
26:30 - 26:31

to deal with it.
26:31 - 26:33

A resource availability
26:33 - 26:35

and cost effectiveness.
26:35 - 26:38

Can we spend a small amount
to save a big amount?
26:38 - 26:42

We don't want to spend a big amount
to save a small amount.
26:43 - 26:45

And the next important question
26:45 - 26:46

"who is going to do this?"
26:48 - 26:51

What could we do to deal with risk?
26:52 - 26:54

Often, people think of four things.
26:54 - 26:58

Four different types of things
we could do to address
26:58 - 26:59

uncertainties that matter.
27:00 - 27:02

And each of these has a name.
27:03 - 27:06

It's a strategy. A strategy to focus
our planning.
27:07 - 27:09

To focus our thinking.
27:09 - 27:14

And then, once we've focused our thinking
with a strategy, we can develop tactics
27:14 - 27:16

to address each individual risk.
27:16 - 27:18

So, what are the four things
that most people think of?
27:19 - 27:21

The first is risk avoidance.
27:21 - 27:25

Is there something we can do to
kill the risk, to remove it altogether?
27:26 - 27:29

The second is something we call
risk transfer.
27:30 - 27:32

Can we give it away?
27:32 - 27:34

Can we get somebody else
to take it away for us?
27:36 - 27:38

The third is what we call risk reduction.
27:39 - 27:42

Some people call this risk mitigation.
27:42 - 27:44

And here, we're trying to make
the risk smaller
27:45 - 27:46

so that we could accept it.
27:48 - 27:52

And the fourth response after avoid,
transfer, or reduce
27:53 - 27:55

is the one that everyone forgets.
27:56 - 27:58

They think if we can't do anything
about it
27:58 - 28:01

we just have to hope and pray and wonder
and wait.
28:03 - 28:04

The other response is
28:04 - 28:06

to take the risk.
28:06 - 28:08

We call that risk acceptance.
28:08 - 28:12

To recognize we're taking this risk
and to include it in our baseline
28:12 - 28:15

and to monitor it very carefully.
28:15 - 28:22

So, you might see those four options as
quite a good set of response strategies.
28:23 - 28:24

But there's a problem.
28:25 - 28:29

The problem is all these
things only work for bad risks.
28:30 - 28:32

What about opportunities?
28:32 - 28:36

We don't want to avoid or
give away or make smaller
28:36 - 28:37

opportunities.
28:38 - 28:42

So, how do you respond if you find
a good thing that might happen
28:42 - 28:43

on your project.
28:44 - 28:46

Do you just wait and see and hope?
28:47 - 28:50

Or is there something active that we
could do?
28:51 - 28:55

Fortunately, there are four response
strategies for opportunities
28:55 - 29:00

that match the four response strategies
for threats.
29:00 - 29:02

So, here are the bad ones.
29:02 - 29:03

Avoid a bad thing.
29:04 - 29:05

Give it to someone to take away.
29:05 - 29:07

Make it smaller.
29:07 - 29:08

Or take the risk.
29:09 - 29:12

This is not those things
I'm trying to achieve.
29:12 - 29:14

To remove the uncertainty.
29:14 - 29:16

To get somebody else to help.
29:16 - 29:18

To change the size of the risk.
29:18 - 29:21

Or to include it in our project plan.
29:22 - 29:24

We could do all of those four things,
29:24 - 29:26

for opportunities.
29:26 - 29:28

How do you eliminate uncertainty
29:28 - 29:30

from opportunity?
29:31 - 29:32

You capture it.
29:33 - 29:34

Take up a strategy,
29:34 - 29:36

which makes it definitely happen.
29:37 - 29:40

In English, we call this "Exploit".
29:40 - 29:42

Exploit is the same as avoid.
29:43 - 29:45

For avoid, you make the probability
zero.
29:46 - 29:47

It can't happen.
29:48 - 29:50

For a threat, it's avoid.
29:50 - 29:52

For opportunity, exploit.
29:52 - 29:55

It's to make the probability 100%
29:56 - 29:58

It will happen. It must happen.
29:58 - 30:00

So they're aggressive strategies.
30:00 - 30:03

You kill the threat,
you capture the opportunity
30:04 - 30:05

It's the same kind of thing.
30:06 - 30:10

What could we do, instead of giving away,
transferring a threat?
30:10 - 30:13

We want to involve
somebody else to help us.
30:13 - 30:15

We could share the opportunity.
30:15 - 30:18

We could ask them
to come into our project
30:18 - 30:24

and be involved with us in a
joint venture
Not Synced

or a subcontract, or a partnership.
Not Synced

Where they help us to achieve this
uncertainy that would help us all?
Not Synced

And we give them some part of the benefit
Not Synced

We share the opportunity
Not Synced

How could we change the size
of an opportunity?
Not Synced

We don't want to reduce it,
we want to enhance it.
Not Synced

We want to grow it,
we want to make it more likely.
Not Synced

And bigger impact. It's the same idea but
the other way around for the opportunity.
Not Synced

And the last one, if we can't do these
active things, we could just
Not Synced

Accept an opportunity and wait and see
what happens.
Not Synced

But monitor it very closely if there's
nothing else we could do.
Not Synced

So what this slide tells us is that
there's an equal variety
Not Synced

Of potential response times that we can
choose between for our opportunities
Not Synced

Equal to the number that we have threats.
Not Synced

You see, the secret to thinking
about opportunities...
Not Synced

Is to recognize that an opportunity
is the same as a threat.
Not Synced

The only difference is the sign
of the impact.
Not Synced

So a threat has a negative impact,
an opportunity has a positive impact.
Not Synced

Apart from that, they're the same.
Not Synced

They are both uncertainties that matter.
Not Synced

They are both things that might or might
not happen.
Not Synced

But could affect our objectives.
Not Synced

They can both be managed practically.
Not Synced

They both make a difference to the chances
of succeeding on our project.
Not Synced

And that's why risk management should
manage threats and opportunities together
Not Synced

in a single process.
Not Synced

Because they are the same things.
Not Synced

And that may be new thinking to
some of you.
Not Synced

Those of you who always think of risk
as a big ugly thing waiting to squash me.
Not Synced

Or the unknown thing in the future
that's going to hurt me.
Not Synced

There are some like that, and we need to
stop them happening to protect ourselves.
Not Synced

But there are also some very good things
out that which might happen
Not Synced

Which we need to see, and
we need to chase them.
Not Synced

And make them happen. So that our
projects could be more successful.
Not Synced

There is another response strategy
that we might try.
Not Synced

Which is really not recommended, and
just pretending that there are no risks
Not Synced

and hiding away and saying maybe
it will never happen.

Title:: "Managing risk in practice" workshop
Description:: David Hillson delivered a half-day risk workshop in Tehran in February 2016 for about 200 project management professionals. In this extract from the introduction, he outlines the basic principles of risk and summarises the risk process, before focusing on how to identify real risks and develop effective responses.

more » « less
Video Language:: English
Team:: Captions Requested
Duration:: 35:49

	vjsCM edited English subtitles for "Managing risk in practice" workshop
	vjsCM edited English subtitles for "Managing risk in practice" workshop
	vjsCM edited English subtitles for "Managing risk in practice" workshop
	vjsCM edited English subtitles for "Managing risk in practice" workshop
	vjsCM edited English subtitles for "Managing risk in practice" workshop
	vjsCM edited English subtitles for "Managing risk in practice" workshop
	vjsCM edited English subtitles for "Managing risk in practice" workshop
	vjsCM edited English subtitles for "Managing risk in practice" workshop

Show all

English subtitles

Revisions Compare revisions

Revision 56 Edited

vjsCM
Revision 55 Edited

vjsCM
Revision 54 Edited

vjsCM
Revision 53 Edited

vjsCM
Revision 52 Edited

vjsCM
Revision 51 Edited

vjsCM
Revision 50 Edited

vjsCM
Revision 49 Edited

vjsCM
Revision 48 Edited

Evelyn Pung
Revision 47 Edited

gracieml
Revision 46 Edited

Evelyn Pung
Revision 45 Edited

Evelyn Pung
Revision 44 Edited

Evelyn Pung
Revision 43 Edited

nicolv93
Revision 42 Edited

mgchacon98
Revision 41 Edited

mgchacon98
Revision 40 Edited

mgchacon98
Revision 39 Edited

mgchacon98
Revision 38 Edited

mgchacon98
Revision 37 Edited

mgchacon98
Revision 36 Edited

mgchacon98
Revision 35 Edited

Kaera Mitchen
Revision 34 Edited

Retired user
Revision 33 Edited

mgchacon98
Revision 32 Edited

mgchacon98
Revision 31 Edited

mgchacon98
Revision 30 Edited

mgchacon98
Revision 29 Edited

mgchacon98
Revision 28 Edited

mgchacon98
Revision 27 Edited

mgchacon98
Revision 26 Edited

mgchacon98
Revision 25 Edited

mgchacon98
Revision 24 Edited

mgchacon98
Revision 23 Edited

mgchacon98
Revision 22 Edited

Troian
Revision 21 Edited

nk1717
Revision 20 Edited

mgchacon98
Revision 19 Edited

mgchacon98
Revision 18 Edited

mgchacon98
Revision 17 Edited

mgchacon98
Revision 16 Edited

mgchacon98
Revision 15 Edited

mgchacon98
Revision 14 Edited

mgchacon98
Revision 13 Edited

Rachel Li
Revision 12 Edited

Rachel Li
Revision 11 Edited

wy kenta
Revision 10 Edited

mgchacon98
Revision 9 Edited

mgchacon98
Revision 8 Edited

mgchacon98
Revision 7 Edited

mgchacon98
Revision 6 Edited

wy kenta
Revision 5 Edited

Rachel Li
Revision 4 Edited

Rachel Li
Revision 3 Edited

Rachel Li
Revision 2 Edited

mai5396
Revision 1 Edited

mai5396

	Revision Number	Author	Created
	56	vjsCM
	55	vjsCM
	54	vjsCM
	53	vjsCM
	52	vjsCM
	51	vjsCM
	50	vjsCM
	49	vjsCM
	48	Evelyn Pung
	47	gracieml
	46	Evelyn Pung
	45	Evelyn Pung
	44	Evelyn Pung
	43	nicolv93
	42	mgchacon98
	41	mgchacon98
	40	mgchacon98
	39	mgchacon98
	38	mgchacon98
	37	mgchacon98
	36	mgchacon98
	35	Kaera Mitchen
	34	Retired user
	33	mgchacon98
	32	mgchacon98
	31	mgchacon98
	30	mgchacon98
	29	mgchacon98
	28	mgchacon98
	27	mgchacon98
	26	mgchacon98
	25	mgchacon98
	24	mgchacon98
	23	mgchacon98
	22	Troian
	21	nk1717
	20	mgchacon98
	19	mgchacon98
	18	mgchacon98
	17	mgchacon98
	16	mgchacon98
	15	mgchacon98
	14	mgchacon98
	13	Rachel Li
	12	Rachel Li
	11	wy kenta
	10	mgchacon98
	9	mgchacon98
	8	mgchacon98
	7	mgchacon98
	6	wy kenta
	5	Rachel Li
	4	Rachel Li
	3	Rachel Li
	2	mai5396
	1	mai5396

"Managing risk in practice" workshop

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)