Risk Management is About Playing Both Defense and Offense

Find out how you can use risk management to make better strategic decisions for greater and more sustainable business growth.

Pre-Flighting: Well Worth Repeating

Contributor: Zane Scott, Vice President of Professional Services, ViTech Corporation

Some time ago, Zane wrote this post for us about the weakest point of risk management – the very first step of identifying risks on a project. Read his insights here.

When an aircraft is readied for take-off one of the most important procedures is running the pre-flight checks.
Because small failures can have catastrophic consequences in flight, the plane must be examined in detail with a systematic focus on critical parts and assemblies. It is crucial that every point is covered every time. That demands an orderly and thorough approach. In order to insure that nothing is missed the pilot conducting the checks uses a number of devices to guide him/her through the checks. Whatever the device, the purpose is always the same- to guide the pilot through the pre-flight without leaving out any critical item.

In the world of risk management the focus has been on the management of identified risks. Mitigation plans, tools to track those plans to their completion — all efforts have been directed toward mitigating or eliminating risks. But the success of these efforts rested squarely on the identification of the risks. An unidentified risk is not going to make it into the process for mitigation.

The weak point in the risk management process has been at the beginning — at the point of identifying the risks. Once the risk was identified there were tools and processes to assure its mitigation. But there was nothing to help in assuring that all the risks had been identified.

This is where the aviation example is instructive. The pre-flight checklists are the product of experience with in-flight problems. Points of failure identified as lessons learned from previous problems have become the points on the checklists. The checklists translate the lessons of experience into tangible reminders that form a systematic journey through the critical points. The checklist takes the knowledge about possible problems and instantiates that knowledge into a systematic review process.

What is needed in the Risk Management world is just such a tool. The project risk manager could benefit greatly from a step-by-step tour of potential sources of risk. Ideally, this would be positioned at the beginning of the project allowing the risk manager to consider the potential risks and anticipate their appearance in the project. Just as the airplane pilot can prevent problems by tightening connections or correcting equipment defects, the risk manager can take preventative steps to mitigate or eliminate risks.

In order to use such an approach to best advantage it should be grounded in significant research that is both broad and deep. The risk inventory and checklist should cover the landscape of possible sources of risk. That way the completion of the survey can offer real assurance that the project will proceed with its eyes open and its risks under management.

In addition, the “pre-flight” risk tool should compile that knowledge into a guided tour of project risk formatted in a way that allows the risk manager to move efficiently through the risk landscape catching all those risks that are relevant to the project at hand. This makes the risk research accessible and actionable.

Have You Seen It Yet?

If you haven’t seen it yet, you are in for a treat! The Program Risk ID product, PRID, is a revolutionary addition to the risk manager’s toolkit.

I just sat in on a training session and was blown away. With PRID you will know that you didn’t miss any critical risks for your project and that you have risk management under firm control from all perspectives. PRID is easy to use, scales up or down and integrates with other risk management and reporting tools. Its reports are easy to read, use color well to highlight important information and bring attention to critical risks.


  • Being responsible for an important project, one that you know has risks. However, you are not sure what those are and you don’t want to miss any critical ones.
  • Being able to choose from a set of risks based on your project’s characteristics, risks that have been shown to occur most frequently on your type of project.
  • Characterizing the level of each risk based on your assessment for your project.
  • Being able to see at a glance how many are critical, how well you are mitigating them, and what the trend to lower risk is both for each risk and for your project overall!

When you export your risks to other tools in your toolkit and assign monitors, define mitigation and contingency plans and integrate with other relevant project tools, you can be confident you have left no stone unturned in identifying risks for your project.

PRID makes it easy to report the risks you’ve selected up the management chain. Being able to tell management that your selection criteria has been based on hundreds of similar projects covering years of experience and identified by highly credentialed risk management experts ensures credibility and makes you look smart!

PRID is the missing front-end of the risk management lifecycle and could well be the most valuable addition to your risk management capability ever.

Contributed by Ruth Buys – Program Manager, M.B.A., Ph.D., ESEP, ITIL, Lead Auditor, CPDE®, and author of over 20 presentations at conferences and workshops and other publications.

Proposal Time Again?

Are you rushing to submit proposals for the next contract year or to compete for those year-end funds?

How would you like to alert your client about the level of risk for their program and what you plan to do about it in your proposal?

How would you like to tell them you have an early warning system that shows the steps you plan to take to mitigate those risks before award?

You can if you have Program Risk Identification (PRID)!

I’ve worked on many federal contract proposal teams and know that we are all looking for that unique competitive advantage in our proposals, something that sets us apart from the pack, something that makes us stand out, is credible, and can show a positive impact on a daily basis. Knowing the most likely risks your customer will face on their program would get their attention. How is that for a unique competitive advantage for your next proposal?

PRID is truly an early warning system that provides an automated first step for the risk management life cycle, reduces uncertainty and makes the proposed schedule and cost proposal even more believable.

Imagine the advantage of telling your client that if you are selected, you will begin work with risks for their project prioritized and with risk plans in place.

Imagine being able to say that you will be monitoring critical risks from Date of Award.

Imagine assuring your customer that your risk plans can be updated easily to incorporate new risks and keep the project on schedule and on budget.

What if you included examples of reports on the risks you’ve identified that have been shown to occur on your type of project? Then show them how you can interface with almost any risk tracking tool available and the advantages will be obvious to any proposal evaluation team?

Use PRID to illustrate your proposal with examples, reports, and charts and PRID will give you a competitive advantage, make your proposal stand out before award and allow you to jumpstart the project when you win!

Contributor: Ruth Buys – Program Manager, M.B.A., Ph.D., ESEP, ITIL, Lead Auditor, CPDE®, and author of over 20 presentations at conferences and workshops and other publications.

Guest Blog: Who’s Keeping Score? In Defense of Risk Modeling

By Carl Pritchard *
When my children were little, they both played on the T-ball leagues.  The first game I attended was a revelation, as I arrived late.  “What’s the score,” I asked.

“We don’t keep score,” the coach chuckled.  “It’s just to get them into the game.”

I have been and always will be a big fan of keeping score.  I believe it’s the only way you get a sense where you stand, whether you’re improving, and how you stack up against others.  I’m interested to realize that even in business, keeping score matters.

Every time an organization builds a business case, they’re keeping score.  What’s the potential Return on Investment? What’s the profit?  What’s the margin?  And yet, in one of the largest business considerations—risk—we’re not good at keeping score.

I became a proponent of risk modeling to keep score decades ago, when my primary clients were in the telecom industries.  They used qualitative models to establish scores for the potential threat on a project and the potential opportunity.  The models often bore out what the managers already knew.  Some projects were low threat and high opportunity.  Some projects were high threat and low opportunity.  But the beauty was the organizations’ abilities to evaluate current state in comparison with other projects.

In teaching clients how to keep score, I always finish the first modeling session by asking everyone in the room to plot their current biggest project in the model.  It’s an attempt to learn who has the “riskiest” project.  In one particular class, my student Myra got the worst possible score in the model.  Virtually no opportunity and top of the charts on threat.  When I asked her the name of her project, she shared it with the class.  Every head in the room spun to look at her.  They let out a collective gasp, followed by “I’m so sorry!”  They all knew about the project.  It was new, but already had a reputation.  It already carried the stench of death.

When I asked why her organization was pursuing this piece of work, she explained that they had always done it, and it was an image-maker.  (I seriously questioned whether or not it still had that “image-maker” status).  In any case, her management labeled it as work that had to be done.

Why have a risk model if you’re going to ignore the results?  The company didn’t ignore Myra’s results.  The project was now a known quantity.  Everyone knew it was potentially very, very bad.  And everyone knew it was not a conventional money-maker.  Even when the results of a risk model are negative, they can at least serve to garner acknowledgment that the efforts involved have limited prospects and don’t open the door to great promise.  And if they achieve great promise?  Then these efforts and their managers are to be lauded more greatly than the “easy walk” of some other efforts.

If we don’t keep a risk score, we don’t have the ability to know who the true heroes of the organization may be.  If we don’t keep a risk score, we don’t know when we have accomplished great things.  If we don’t keep a risk score, we know neither triumph nor defeat.  Theodore Roosevelt put it quite eloquently:

“Far better is it to dare mighty things, to win glorious triumphs, even though checkered by failure… than to rank with those poor spirits who neither enjoy nor suffer much, because they live in a gray twilight that knows not victory nor defeat.”

Better for us, as risk managers, to know where we stand on the scale.  And in the long term, organizations that understand their scales for risk afford their managers the ability to work within the system to improve their prospective lot.

We welcome your comments!

*Carl Pritchard, PMP®, PMI-RMP® is a recognized figure in the risk community and the author of Risk Management: Concepts & Guidance, Fifth Edition, as well as The Risk Management Memory Jogger. He leads training sessions and provides keynote addresses around the world, championing the cause of more effective risk management.

Shoot the Messenger Part 2

In our last blog we explored the ‘Shoot the Messenger’ phenomenon – blaming folks that bring bad news as if they were responsible for it.

How do you overcome the ‘Shoot the Messenger’ syndrome?
1. When a problem is brought forward – praise the person! This seems counter-intuitive because, after all, who wants more problems in their life? By praising the person, you are signaling that it is OK to report problems, and it encourages others to do the same. Remember, hidden problems can harm your efforts at the worst time.
2. Focus on solutions.
3. Once the underlying cause(s) are exposed, take steps to ensure that they don’t happen again.

Negative reactions to surfaced risks are usually caused by fear – which drives denial of risks or embarrassment about having program risks. When customers or others in authority have these types of reactions, there are work-arounds. One is to have a discussion with the customer to understand the barriers to reporting risks. Another is to deal with the risk on the program side, with issues raised only if additional resources are needed.

Risks = mines in a minefield. Don’t shoot those that tell you where the mines are!

Shoot the Messenger, Part 1 of 2

What is ‘Shooting the Messenger’? It is treating the bearer of bad news as if they were to blame for it.

We define risks as potential problems that can penalize development programs in terms of cost, schedule, or performance. Risks can cause programs to totally fail, too.

To some organizations, the bad news is that someone sees a program risk and they speak up about it.
Shooting the messenger can take several forms. It can include being told that risks are not discussed, are being ignored, are not being taken seriously, and/or they may be verbally attacked. These behaviors are particularly egregious when they take place in front of colleagues and others.

From what we’ve seen, treating people this way is an effective way to squelch risk reporting and creativity. Here is why you DON’T want to do this: what you don’t know can hurt you, your program and your organization. For example:

* Murphy is alive and well. Risks will occur at the worst possible time and in the worst possible way.

* Pay some now or pay a LOT MORE later. Studies have shown that a problem that costs $1000 to address early in a program may blossom to $500,000-$1,000,000 late in the game.

* Loss of reputation. How many times can you under-deliver, under-perform, or have cost over-runs before your customers or your market doesn’t want to do business with you anymore?

* You could lose a job…Yours and others.

This is why it is imperative to stay well-informed about current and potential program problems. Although problems can be troublesome to deal with, it is far better to be aware of them and involved in solving them than to be surprised by them at the worst possible time.

People who raise concerns are performing a vital program function, a vital program service.

Chack on Thursday for Part 2!

Find Innovation Where You Least Expect It

Risk Management is recognized as a necessary process as well as a best practice by the program management and systems engineering communities, as well as being required by government contracts. The four basic (and repeatable) steps of risk management are:
1.Risk Identification
2.Risk Prioritization (Estimate likelihood and consequences)
3.Risk Mitigation or Elimination (Define, execute steps)
4.Risk Tracking

As challenging as people find risk identification, once identified, further challenges arise as the risks are eliminated or mitigated as much as possible. The steps to resolution, or burn-down steps, are opportunities for creativity and innovation, particularly in budget or schedule constrained environments.

A recent article entitled ”Find Innovation Where You Least Expect It” * explores the cognitive biases that ‘…cause people to overlook elegant solutions hidden in plain sight.’

One of the cognitive biases is Design Fixation. This has to do with being fixated on only the most obvious or well-known aspects of common objects, or in our case, the aspects of your system design.

Back to the identified risks that need to be addressed: suppose you looked beyond the most obvious aspects of the elements of your system to all defining characteristics. Does this provide a different perspective on the problem? Are there new possibilities for solution that come into view?

A good example of utilizing system elements in helpful new ways is regenerative cooling in the context of liquid propellant rocket engine design. Briefly, rocket engines burn an oxidizer and propellant (fuel) to thrust people and payloads off the earth. The earth’s gravity is a strong force, so it takes a great amount of thrust to achieve space. Rocket engines burn prodigious amount of oxidizer and fuel, and both are usually liquefied (which occurs at very low temperatures) for maximum efficiency. Rocket engines reach very high temperatures and require additional cooling so that they don’t melt. The very cold fuel is used to cool the very hot engine combustion chamber, using the fuel as a coolant in addition to its primary function.

Have you encountered situations where you used your system elements in new ways to solve problems? If so, tell us how… contact@sysenex.com

* Mccaffrey, T. And Pearson, J., December, 2015. Find Innovation Where You Least Expect It. Retrieved From Https://Hbr.Org/2015/12/Find-Innovation-Where-You-Least-Expect-It

2016 – Blue Skies Ahead!

New beginnings, fresh starts, reaffirmations — isn’t that what a new year is all about?

Like the picture here, blue skies can stand for a bright, clear, awesome future — the best of everything we love. No matter what opportunities, challenges, and (let’s just say it) problems we’ve faced this last year, 2016 is a new and promising “blank slate.”

We’re hoping 2016 brings you greater heights of success and prosperity, plus health, happiness, and FUN!

Make Your Choice

Frequently, risks are seen as a negative, as a black mark against a program.

Your program is flawed if you have risks – there is something wrong with you and/or your program if you have risks.

This is incorrect…EVERY program has risks.

Anytime a development effort is undertaken, even if you are doing something similar to what you did before, there are risks. It comes with the territory. Risks are to be dealt with and there are ways of identifying them and dealing with them successfully. It’s like walking across a mine field. You can walk along and pray you don’t step on a mine. Or, you can use tools and processes to help you find them.

Which scenario is going to make your day?

So, finding risks is actually a very good thing. The sooner you start identifying and solving program risks, the more money and time you save, and the more stress you avoid. Tackling risks early gives you more time to mitigate or eliminate risks. The earlier you solve risks, the less expensive they are to address — it is far cheaper and quicker to change requirements and drawings than it is to change software and hardware.

A proactive approach to identifying and dealing with risks is the way to go: 1). at the beginning of your program and 2). throughout your program.

Even if you don’t find a risk at the beginning, it’s still better to find it before it blows up in your face. Also, some risks become evident only in the interim stages of a program (e.g.certain design risks), so you need to keep looking for them.

In the systems engineering world, there is a rule of thumb: If a problem costs you $1K to fix during the definition or early design phases and goes undetected or unresolved, it blossoms into a $300K-$500K+ problem in detailed design, test or operation. This means that your upfront risk efforts pay off handsomely.

Now, compare these two scenarios. In the first one, you are asking your management for more budget and schedule because you didn’t find a risk; it found you, and not in a good way. In the second one, you are being congratulated since you came in under budget and ahead of schedule (because you found and solved risks in early stqges).

Which scenario would you rather be in?