Almost everybody I’ve ever worked with thought of me as being a bit paranoid. I kept telling them that I’m just really good at and focused on risk management. So, what is the difference between being paranoid and risk management?
Being paranoid means you approach everything you do, all the projects, with the same level of paranoia. Basically, you’re scared of everything. Working on risk management means you can adjust how paranoid you are, based on the situation or on the project you undertake.
Some projects required very paranoid people while others need people who are more optimistic. With a little bit of practice and understanding of risk management, we can develop these skills about being more flexible (call it agile!) about our risk management.
Risk management, by the book
Every book on risk management will tell you that before you start any project you have to decide on how you’re going to approach risk management. For example, you don’t want a paranoid person to run an innovation project, do you? They may be unwilling to try anything new. Most projects deal with uncertainty, uncovering needs and building products incrementally and iteratively. You’ll have to be a bit more permissive with the threats and more open to identifying and enhancing opportunities. If your project is very sensitive and there might be severe consequences, then yes you can be very tough on threats that you’ll want to mitigate or even eliminate. But then, if you look around today, the need for innovation (at all levels, products and processes) makes it very hard for those who don’t want to adjust their risk profile. As the saying goes, playing it safe is the riskiest thing to do.
Opportunities are positive risks
Opportunities are also considered as risks because they do the same thing: create variance to the plan. And we want to minimize that variance, and respect the plan, don’t we? In reality, opportunities are very different from threats. They create positive variances: finish earlier, save money, improve the quality of the product, etc. How do you achieve that? Just by being lucky? Maybe! But we need to work to create our own luck.
There are two key benefits to an opportunity strategy. First, obviously you’ll have more opportunities that will create a positive effect on the overall project. Secondly, opportunities tend to balance out the threats. Not to mention that today we have more opportunities than ever. For instance, we likely can agree that constantly evolving technology is characterized more as an opportunity and not a threat?
This is an ongoing activity. There should be a formal repetitive activity – almost like a dedicated process – where people should be thinking about what could go wrong but also what are the positive things, we can take advantage from. Again do both: threats and opportunities. The other dimension is macro and micro. What are the big risks but also zoom in and look at small, apparently insignificant risks. Any small opportunity with a little bit of enhancement could turn to be a big advantage. Having some recurrent sessions dedicated to identifying risks can only help.
When you say high probability and high impact, do you really have a baseline for that judgement or is it just a feeling. Leave the emotions out and create a scale for assessing what low and high mean. With an objective and scientific scale, no matter who’s looking at a risk, they’ll come up with the same assessment. In other words, when assessing a risk, use numbers not feelings.
Something that is normally reserved for risk management professionals, I’m not going to go into details about what-if analysis. But from time to time it would be good to take a few steps back and think of different possible scenarios. What would really happen if some of the threats or opportunities would actually occur? You don’t need fancy tools for this, but merely running this exercise could generate some interesting insights.
Improvements are achieved by implementing changes. And nobody likes changes because inherently they will associate them with threats. But, if we want to improve, and the need is bigger than ever, we should look into how can we control or mitigate the threats and look more into opportunities. It is virtually impossible to improve something without taking a few risks. Your risk management will undoubtedly drive your improvements.
It does sound bad and nobody wants to fail. And because we’re so scared of failing, we don’t take any risks. However, it is almost impossible not to fail.
Complexity, changes, dynamics, crisis, make it impossible to have all the answers. We need to rethink failing and even try to blame it less. Consider it as tool, a necessity for a modern organization. Cultivate a culture of experimentation, failing fast and blameless collaboration. And more importantly, a climate of trust and safety.
As strange as it may sound, it could be that the way we manage risk is the main success driver of an organization today. It is not about how smart their employees are, how many resources they have available but more about how they keep threats under control while making the most of the increasing number of opportunities.