An Evolutionary Approach to Risk Management
Risk management is the process of identifying, analyzing, mitigating, and monitoring risks to a project. Humans do this all the time with varying levels of effectiveness, but some aspects are easier to rally around than others because of our instincts.
There are parts of risk management that come naturally to us. When mammals experience a threat, their brains become hyper-vigilant to record aspects of the event for future learning and survival. If you get mugged by someone wearing a red sweater, you might be more anxious around the next stranger you see in a red sweater. That’s an evolutionary response: Your brain remembers so you can avoid situations in the future that resemble the traumatic one from your past.
Team experience is good input to the process of risk identification. A team will often have lots of risk ideas, if you give them a chance to share. A risk you experienced of the vendor failing to deliver promised hardware reminds me of the time the telecom provider failed to deliver the fiber circuit, and soon we have a raw list of risks that we can refine for our project. Risks identified this way are credible to the team because we know someone who has experienced them.
Slightly more challenging is engaging with risks no one on the team has encountered personally. They may be legitimate, but they can seem less likely to occur. That’s why it’s hard for some people to use a generic list of risks as a starter; they just don’t seem real.
Here we get to the boundary of our innate risk ability. Some people are better at recognizing the real threat of risks that they have never personally experienced. Some of this is about creativity and visualization, and some of it is about knowledge and expertise. If you study epidemiology and understand the exponential spread of a virus, then the risk is less abstract than it might be to a random person.
When it’s time to identify risk remedies, we have biases as well. We can do a better job of risk management on our projects if we recognize our natural strengths and weaknesses.
Here are some questions to aid that process.
During risk identification:
- What risks have you experienced on projects that might threaten this project? How were those projects similar? How were they different?
- Review this generic list of risks. Which of these can you imagine coming up in our project? What would that look like?
During risk remediation planning:
- What could we do to decrease the likelihood of this risk occurring on this project?
- What might we do to reduce the harm to the project if this risk were to occur?
- How would we know if this risk were imminent? Are there any early warning signs we should be looking for?
- Are there alternative approaches that might eliminate our exposure to this risk?
Projects are rarely successful because they don’t experience any risk events. Effective risk management involves responding effectively to risks that occur, and, perhaps more importantly, reducing the number and severity of risks by implementing preventive and mitigating measures.
Some risk management comes naturally, and some requires training and forethought. Plan accordingly.