Effective Risk Management: Some Keys to Success
Edmund H. Conrow
A book review by R. Max Wideman
Introduction
This book is about Project Risk Management, a point that should be emphasized as this discipline is not the same as business or financial risk management. The author, Edmund Conrow, has over twenty five years of experience in this field, a substantial part of it in, or associated with, US government departments or agencies such as Air Force, Army and Navy, Department of Defense and NASA. Edmund adopts the writing style of these people so it will appeal particularly to the US federal government market, the source of the many examples and recommendations contained in the book.
According to Edmund, "The purpose of this book is two fold: first to provide key lessons learned that I have documented from performing risk management on a wide variety of programs, and second, to assist you, the reader, in developing and implementing an effective risk management process on your program."i "In effect, this book discusses how to implement sound risk management on a wide variety of defense, commercial, and other programs."ii
A point should be emphasized here. Edmund writes this book from the perspective of a government department or large corporation conducting project risk management in the course of acquiring the necessary services for undertaking a significant program or project. As we shall see, this leads to a somewhat different project risk management process model compared to the popular North American project model.
The author claims that the text describes practices that can be used by both project management and technical practitioners including those who are unfamiliar with [project] risk management.iii However, in reading the book we found it highly sophisticated and felt that the reader does need a good knowledge, or at least considerable experience with significant projects, to appreciate its value. If that is true, then we would be surprised if such a person did not have some familiarity with project risk management. Indeed, although chapter 2 provides an introduction and overview, the author states "This is not an introductory text on risk management – the book assumes a working knowledge of the subject."iv
Since the book is about project risk management, whenever "risk" is mentioned in the book, "project risk" is implied. So, we will do the same.
Book Structure
The book consists of eight chapters, each with a number of subsections, followed by eleven appendices. To provide a sense of content, the chapter headings are listed as follows:
Of these, chapters three and six are by far the largest, together occupying 75% of the chapter space indicating that the content of the book is concentrated on implementation and analysis considerations.
The Appendices are identified as follows:
While the chapters occupy 77% of the book, the above appendices occupy a hefty 23%. Interestingly, we found the appendices most captivating, perhaps because they provide more detailed explanations, discussion and practical recommendations.
Risk management is for adults
Right off the bat, Edmund states
" I've included a new appendix (Appendix E), written by a highly respected risk management consultant and author Dr. Robert N. Charette, on the definition of risk. This appendix includes a thought-provoking discussion on differences between risk and opportunity. This discussion is particularly important and timely because many in the project management community blindly believe that opportunity should be included in the definition of risk – something that does not withstand close scrutiny."v
Turning to Appendix E, we find a most interesting discussion of no less than seventeen pages. Robert Charette starts out by observing
" Traditionally, risk has been defined as the likelihood of an event occurring coupled with a negative consequence of the event occurring. In other words, a risk is a potential problem – something to be avoided if possible, or its likelihood and/or consequences reduced if not."vi
Later, he crystallizes this into "the potential for the realization of unwanted, negative consequences of an event."vii From this definition, Edmund develops the corollary for opportunity as "the potential for the realization of wanted, positive consequences of an event."viii
A quick look at the definition of risk in our Comparative Glossary of Project Management Terms will show that few people would disagree with these definitions.
Having recognized the difference between risk and opportunity, Robert then makes the point that
" Informally, we can say that the project [itself] represents the enterprise's attempt to realize an 'opportunity'. In other words, a project is an 'enterprise event' that has the potential for some desired positive outcome."ix And "A project risk, then, is always defined in relation to our project expectation."x
All well and good. But then Robert asserts that "The primary purpose of risk management is to ensure that situations do not get worse (i.e. we meet our minimum expectations), instead of better."xi It is here that we part company. If the organization chooses to define project risk management in this limited way, so be it, but we think that the organization is then missing an opportunity for expanding the role of project risk management. That is to encompass the positive rather than dwelling entirely in the negative. We, ourselves have had several experiences where the potentially disastrous, with a little care and thought has been turned into a very profitable opportunity. Remember, we are speaking of project "uncertainty" which is the parent of both risk and opportunity and not the peer or child of risk. A point that seems to have been overlooked by both authors.
In a subsection titled "Risk Management is for Adults", Robert asserts "Moreover, the arguments that risk management will be used more because, through a definitional change [i.e. of 'risk'] project management will perceive the management of risk as more 'positive' in outlook is curious."xii We truly believe that this assertion is misdirected. The issue for most project managers is not whether they themselves will use project risk management but whether their organization's culture embraces it and allows them to do so. To corporate management all project management is an overhead, and if a clearly positive slant is what it takes to get project risk management accepted at that level, then why not? Indeed, many of Edmund's own examples, and comments as we note in our first quote below, suggest that this is exactly what is needed.
Of course, there is more to this discussion than we have been able to tackle in this limited space.
Notable quotes
Some of the quotable quotes that demonstrate the authors experience and orientation include:
" One of the key implementation issues that must be addressed is how to overcome a corporate culture that is lacking or even negative toward risk management."xiii
" I would also be remiss if I did not say that risk management can be very political in some programs."xiv
" I have also found that the overall effectiveness of a risk management process is primarily determined by two factors, namely, technical sophistication and implementation efficiency."xv
" Although risk avoidance may sometimes be the best risk handling approach, program managers should not expect miracles to occur on demand to resolve risk-related issues that should have been properly dealt with much earlier."xvi
Edmund also takes issue with the Project Management Institute ("PMI") over its definitions of "project" and "program" and the use if the word "temporary". He states:
" I do not disagree with these definitions, but in risk management there can be a blurring between the terms project and program that makes the distinction in definitions difficult and somewhat artificial. For example, large-scale development activities often have a time horizon (e.g., many years) and may be single items (e.g., line item) from a funding perspective. Hence, they may not be a temporary endeavor depending on one's definition of temporary (thus leaning toward the term program). In other instances they may be viewed as a collection of items from a funding perspective (thus leaning toward the term program), yet may result in a single product (thus leaning toward the term project)."xvii
We agree that the term "temporary" is inappropriate in the PMI definition, although we are not sure that multiple funding sources necessarily converts a project into a program. We have our won views on the desirability of multiple funding sources, but that is different matter. In the book, Edmund uses project and program interchangeably, perhaps because of the variety of organizational cultures and their predispositions that he has dealt with, rather than any specific definition.
What we liked
Chapter 2, Risk Management Overview, lays important groundwork for the whole book. In particular it presents a process diagram xviii which is virtually identical to the Risk Management Structure displayed in the Risk Management Guide for DOD Acquisition. Perhaps this is not surprising as Edmund's work played a significant role in developing the content of the DOD's Guide.
It must be remembered that Edmund's book is written from the perspective of acquisition of project management services, whether as owner-buyer or prime contractor-buyer who buys subcontract services to sell to the owner, although most of his experience is from the seller's perspective. The inference is that detailed project risk management activities take place within the seller organizations although both buyer and seller have responsibilities. Still, it is worth pausing for a moment to compare this figure with the Project Management Institute's view.
Differences worth noting between the two are that the PMI model is a linear progression, even with two types of analyses. In contrast, the DOD model (Figure 1) groups risk identification and analysis under the single heading of risk assessment. This is followed by risk handling which covers both planning, i.e. selecting options, and taking action. This is then followed by risk monitoring which is actually the monitoring of performance risk handling rather than the monitoring of the incidence of risk events themselves. Finally, the DOD model contemplates feedback from the last activity of risk monitoring back into each of the earlier activities as shown by the return arrows.
Edmund claims the following advantages of his approach:
Another feature of the book is that risk handling options are reduced to four major headings namely: assumption, avoidance, control, and transfer.xxi However, under the control option, also named "mitigation" in a narrower definition, a total of nineteen interesting possible approaches are offered.xxii Under the heading of "Some Contractual Considerations", one particular risk caught our eye. Edmund states, no doubt with some feeling:
" However, just because risk management is required in the proposal, evaluated in source selection, and put on contract, there is no guarantee that it will be successfully implemented after the program phase is initiated. For example, many proposal writers are not involved with the project after the next program phase begins."xxiii
The many "considerations" described in the book are taken from the copious experience of Edmund and those around him. Since it is natural for "experiences" to dwell on what went wrong, these considerations tend to describe what not to do. However, for those who want to know what to do, there is the Risk Management Guide for DOD Acquisition referenced above. At the time of this writing (March 2004), this document is a free download from: http://www.dau.mil/pubs/gdbks/risk_management.asp. In fact, reading this document is almost a prerequisite if you want to get the full benefit from reading Edmund's book
Downside
This book is not an easy read. In the classic style of government writings, policies and procedures, the whole text is heavy with acronyms. Worse, there is no reference glossary for all these terms, so if you miss a definition with which you are not familiar, you have to go back and search for it. We found ourselves having to make copious marginal notes to keep track, some we suspect because they have been invented especially for this treatise.
Another pointer high-lighting the need for a glossary is that we encountered a number of terms with which were not familiar such as "rate production"xxiv, "Cost-Performance Slice"xxv and "technical possibility surface".xxvi Or what precisely are "programmatic schedule decisions" and "inherent errors"xxvii, or "single process initiatives"?xxviii
The text generally is poorly laid out. The language is ponderous in style, with many sentences unnecessarily long. For example we found schedule monitoring described as "the use of program schedule data to evaluate how well the program is progressing to completion vs the baseline schedule"xxix, (20 words). Doesn't this simply mean "the tracking of actual progress against planned" (7 words)? Moreover, far too many paragraphs contain far too many sentences for comfortable reading and easy comprehension. For example, in one sentence we counted 57 wordsxxx and in one paragraph of 38 lines we found no less than 18 sentences.xxxi The net effect is that there is little white space to rest the eye and little time for the mind to grasp the far-reaching issues.
A feature of the book is that many chapters display certain paragraphs in bold. These paragraphs are in the nature of sidebars but appear as continuity of the normal text. You can read these bolded text paragraphs, jumping from one to the next, to get a quick impression of the content of the section. Most of these paragraphs-in-bold repeat parts of the plain text word-for-word and appear at the end of the corresponding paragraph or discussion. It is true that repetition helps to drive home the message, but we found this constant "recycling" most distracting and eventually very irritating.
The central focus of Edmund's book is on project cost, performance, and schedule, or "C,P,S" as it is referred to.xxxii Apparently, this is the major concern of US federal acquisition. From a risk management perspective, however, this seems to overlook the type of plausible risk events categorized as non-recurring, discrete one-time events such as fire, theft, suit or even bankruptcy, to say nothing of the risks arising from the vicissitudes of the corporate culture following a change in top management or the political environment. These types of non-recurring risks require subjective analysis, rather than the objective analysis possible in examining the recurring conditions of C,P,S.
Summary
Edmund Conrow's book, Effective Risk Management is a tour de force of project risk management in the field of government and large corporate project acquisitions. Although chapter 2 provides a summary, to obtain full benefit from the content we recommend first reading the US DOD Risk Management Guide for DOD Acquisition, in which Edmund had a significant hand.
For the majority of us involved in less sizeable projects, we found the aspirations of the book somewhat idealistic. Perhaps this is not surprising from the perspective of a project risk manager, but we could sympathize with project managers who feel that some of the recommendations are over kill or at least not cost-effective. If the decision to skip some recommendations is a conscious one, that's fine. If, however, it is by default, then as the author is at pains to make clear, such overkill would not be conducive to final project success. Clearly, "The material contained in this book must be tailored to your program . . ."xxxiii
This book is not for the feint of heart. Indeed, we think that considerable experience in the acquisition of services for large projects is required in order to benefit from the wisdom offered. In reading the book we found that many of the "considerations" presented were negative critiques of past programs or instances representing things that should not be done. Of course, that is valuable information for those in similar environments.
However, on many occasions other than to consult expert advice, we were left wondering what should have been done instead in the particular instances described. We hope that perhaps a third edition of the book will correct the shortcomings that we have identified. Together with occupying about 30% less space, the book could then be of interest to a much wider audience.
R. Max Wideman
Fellow, PMI