In a previous post on selecting means of communication, I quoted Master Kan, from the pilot to the early 70s television series Kung Fu:
Avoid, rather than check. Check, rather than hurt. Hurt, rather than maim. Maim, rather than kill. For all life is precious, nor can any be replaced.
We should adopt a similar rubric for selecting risk response strategies:
Avoid, rather than transfer. Transfer, rather than mitigate. Mitigate, rather than accept. For all risk response strategies have both a cost and a residual risk.
Avoiding a risk usually results in an opportunity cost, or at least deferring the benefit, but it tends to result in the least residual risk. For example: responding to a schedule risk by removing some element from scope avoids the risk, at the opportunity cost of not having the capability provided by that element.
Choosing Risk Response Strategies
I bring this up because I see so many organizations and managers choose to mitigate or accept risks that they could otherwise avoid or transfer. In some cases, it’s about the perceived cost of the safer responses. But I see it happen most often in organizations following a merger or acquisition, where they haven’t reached an end state in their evolving culture. Perhaps one of the predecessor firms had a greater appetite for risk; perhaps middle management has internalized the acquisition itself as a willingness to take on significant risk. Or maybe their appetite for certain types of risks is higher than that of their new colleagues.
Last year, I worked with a customer that was being acquired by a much larger firm. They had initiated a project for the express purpose of reducing the chance of being found in non-compliance with a legal requirement, although they had relatively little exposure. The cost of the project far outweighed the potential cost of being found in non-compliance, or of making improvements to their existing manual process. But the decision-maker felt that the non-compliance risk absolutely had to be mitigated. That said, the project itself was very risky, in terms of schedule and quality. It was kicked off late, the vendor provided a relatively inexperienced team member in a key role, and there was no internal consensus on what business rules should be embedded in the process. In the end, a senior manager in the acquiring firm killed the project. Their view of the bundle of risks was quite different, and they decided to accept what they viewed as a relatively low-cost, low-impact risk, rather than take on all of that residual risk.
Gauging Appetite for Risk
It is extremely difficult to measure risk tolerance, or even to describe it in meaningful terms. In an interview, I once asked a PMO director about their organizational risk tolerance. He admitted that the question had never been asked before, and struggled to answer in a way that would be actionable for a contract project manager. Plainly, no organization is willing to admit that they have little appetite for risk, although few can express what level of risk they find acceptable. But the ability to optimize the cost of a bundle of risks depends on an understanding of how the organization views the alternatives. So, let me propose a few interview questions that might start the process of gauging appetite for risk:
- Are you willing to contract with a new vendor, in order to reduce costs? If yes, then they should be seen as having a somewhat higher appetite for risk.
- Are you willing to accept higher retention risk, in order to avoid the costs of augmenting your staff with temporary workers? If so, then they are more willing to accept risk.
- Are you willing to accept higher quality risk, in order to finish on schedule? If the project does not have a fixed finish-by date, this indicates higher tolerance for risk.
- Are you willing to tolerate higher capital costs, in order to keep operating expenses low? If so, this might be seen as a willingness to transfer risk.
- Are you willing to defer some deliverables, in order to reduce schedule risk? If so, this might be seen as a willingness to avoid risk.
- Are you willing to add administrative complexity, in order to reduce implementation risk? Again, this speaks to transferring risk.
While this list is not particularly comprehensive, I think it will provide some insight into the organization’s appetite for risk. Or at the very least, their appetite as it applies to the proposed project. If you have some questions you’d like to add to this small list, please leave a comment.
For more brilliant insights, check out Dave’s blog: The Practicing IT Project Manager