There's a conversation (of sorts) on Linked-In about Risk Management.
Several topics are going on in parallel
- For risks, created by reducible uncertainty, direct corrective or preventive actions can be taken to reduce the probability that the risk will occur and/or "reduce" the probability of the undesirable consequences.
- For risk created by irreducible uncertainty, the only "handling" strategy is "margin" (padding if you like) to protect from the undesirable outcomes. How much margin can be determined in several ways? Monte Carlo Simulation is one, but there are others.
- There is a process that is missing from standard risk management and that is the determination of the "cause" of those uncertainties. Root Cause Analysis goes hand in glove with Risk Management "Why" are we seeking these uncertainties that create risk? Take action to find the "condition" and the "action" that create the risk (the root causes) and prevent or correct these.
With that, the probability of the risk occurring for reducible risks and the sources of the irreducible can be handled. Here's one summary of this approach Increasing the Probability of Success with Continuous Risk Management (which turned into two chapters in The Practitioners Guide of Project Performance) the approach we use for SW Intensive System of Systems (which can be tailored for other domains). This presentation comes from a larger briefing on managing SW Intensive System of Systems in the presence of uncertainty using Earned Value Management) 18.0 Root Cause Analysis
The standard PMI risk management process of determining the probability of occurrence and the probability of impacts and putting those two numbers in the matrix (five by five) is a poor way to do risk management.
- First, those numbers come from probability distributions and you can't do arithmetic with probability distributions. See Tony Cox's assessment:
- What’s Wrong with Risk Matrices? Decoding a Louis Anthony Cox paper
- What's Wrong with Risk Matrices
- And many other sources if you Google "Anthony Cox" and "Risk Matrix"
- Next, for any non-de-minimis system, there are interactions between many, if not all, the components of the system. Be it a Space Craft or a Road Construction project. These interactions create loops - forward loops and backward loops- that themselves create risk. In Increasing the Probability of Project Success paper above shows how the Design Structure Matrix is used to model the interactions of risk on a project. A good place to start for DSM and the resulting Risk Structure Matrix and the ARENA tool (mentioned in the paper) is Tyson Browning work and his book Design Structure Methods and Applications which should be on every Project Manager and Risk Manager's desk.
- Finally, the notion of Hazard needs to be included in Risk Management. I'll write a Blog on the connection of Hazard and Risk Management, or better yet, get my colleague Ray Laqua, who's contributing to our upcoming book on Risk Management to write that, since he's an expert on Process Safety Management and hazards.