The Influence of Risk Tolerance on Risk Response Strategies

In a prior post on selecting means of communication, I quoted Master Kan, from the pilot to the early 1970s television series, Kung Fu:

Avoid, rather than check. Check, rather than hurt. Hurt, rather than maim. Maim, rather than kill. For all life is precious, nor can any be replaced.

We should adopt a similar rubric for selecting risk response strategies:

Avoid, rather than transfer. Transfer, rather than mitigate. Mitigate, rather than accept. For all risk response strategies have both a cost and a residual risk.

Selecting Risk Response Strategies

I bring this up because I see so many organizations and managers choose to mitigate or accept risks that they could otherwise avoid or transfer. Avoiding a risk usually results in an opportunity cost, or at least deferring the benefit, but it tends to result in the least residual risk. For example: responding to a schedule risk by removing some element from scope avoids the risk, at the opportunity cost of not having the capability provided by that element. Transfer and Mitigate responses usually have at least somewhat predictable direct costs while retaining some residual risk. Accepting a risk means it’s all residual, and acceptance can have a complex mix of direct and opportunity costs.

In some cases, it’s about the perceived cost of the safer responses. But I see it happen most often in organizations following a merger or acquisition, where they haven’t reached an end state in their evolving culture. Perhaps one of the predecessor firms had a greater appetite for risk; perhaps middle management has internalized the acquisition itself as a willingness to take on significant risk. Or maybe their appetite for certain types of risks is higher than that of their new colleagues.

A few years ago, I worked with a customer that was being acquired by a much larger firm. They had initiated a project for the express purpose of reducing the chance of being found in non-compliance with a legal requirement, although they had relatively little exposure. The cost of the project far outweighed the potential cost of being found in non-compliance, or of making improvements to their existing manual process. But the decision-maker felt that the non-compliance risk absolutely had to be mitigated. That said, the project itself was very risky, in terms of schedule and quality. It was kicked off late, the vendor provided a relatively inexperienced team member in a key role, and there was no internal consensus on what business rules should be embedded in the process. In the end, a senior manager in the acquiring firm killed the project. Their view of the bundle of risks was quite different, and they decided to accept what they viewed as a relatively low-cost, low-impact risk, rather than take on all of that residual risk.

Gauging Appetite for Risk

It is extremely difficult to measure risk tolerance, or even to describe it in meaningful terms. In an interview, I once asked a PMO director about their organizational risk tolerance. He admitted that the question had never been asked before, and struggled to answer in a way that would be actionable for a contract project manager. Plainly, no organization is willing to admit that they have little appetite for risk, although few can express what level of risk they find acceptable. But in order to suggest risk response strategies, the team will benefit from an understanding of how the organization views their choices. So, let me propose a few interview questions that might start the process of gauging appetite for risk:

  • Are you willing to replace an established vendor with an acceptable level of performance in order to reduce costs? While the new vendor might have a lower price, any transition will have a learning curve and lower quality. If this is an acceptable trade-off, then they should be seen as having a somewhat higher appetite for risk.
  • Are you willing to accept higher retention risk after an implementation project is completed, in order to avoid the costs of augmenting your staff with temporary workers? Most projects that replace a legacy system provide a platform for team members to gain new skills and experience, and it is common for some folks to seek out greener pastures. If cost avoidance matters more than staff retention, then that tells you a bit about what risks they are willing to accept.
  • Are you willing to accept higher quality risk, in order to finish on schedule? If the project does not have an immovable finish-by date, follow up with questions on what drives this response.
  • Are you willing to defer some deliverables in order to reduce schedule risk? The answer can lead to some interesting discussions on perceived benefits of the project deliverables.
  • Are you willing to add administrative complexity, in order to reduce implementation risk? Again, this speaks to the trade-off between quality and cost.

While this list is not particularly comprehensive, I think it will provide some insight into the organization’s appetite for risk. Or at the very least, their tolerance as it applies to the proposed project. If you have some additional interview questions you’d like to add to this short list, please leave a comment.

Risk Response Strategies: Transfer and Avoid

As I’ve noted in other posts, a risk is an uncertainty that matters. Some event has a significant probability of occurring, and there will be a significant consequence if it does. A risk represents a threat, and a wise project team endeavors to identify project threats and analyze them so that the probability of occurrence can be reduced or the cost of the consequences reduced. Or both.

Consider the following proverb:

“The early bird gets the worm, but the second mouse gets the cheese.” — David Jakovac

Mr. Jakovac is correct only if the cheese is in a trap; otherwise, the Second Mouse goes hungry while the First Mouse eats his dinner. Thus, the Wise Mouse looks at the context, seeking potential threats and assessing her exposure to them. If the cheese is indeed in a trap, waiting to be triggered, then she has four potential risk management strategies to consider:

  • Mitigate – try to either trigger the trap from a safe distance or find a way to survive the snap
  • Accept – in effect, volunteer to be the First Mouse
  • Transfer – recruit a First Mouse (or possibly a whole tribe of mice)
  • Avoid – look for another food source

After considering the technical limits of the alternatives available for mitigation (little chance of reducing the probability of occurrence) and the fatal consequences of triggering the snap (little ability to reduce the cost of the event), the Wise Mouse will abandon the first two strategies as unworkable. At this point, Ms. Mouse needs to consider the economics of the Transfer and Avoid strategies.

Transfer

Generally, a risk is transferred using one of two mechanisms: pooling and delegating. In pooling, a number of parties at risk contribute funds to finance recovery from an event experienced by a member of the pool. If that sounds like an insurance policy, it is. Surety bonds are also a form of risk transfer, commonly used to absorb the impact of non-performance. Currency exchange rates can be a risk, and appropriate financial derivatives are used to partially absorb a loss. In most cases, pooling is about reducing the financial impact of an event, at some initial fixed cost.

The Wise Mouse is considering a delegation strategy. Delegation can take many forms—from sub-contracting to an experienced performing agency to engaging a contingent worker. Crowd-sourcing is a delegation strategy, as is the use of open-source software. Delegation to someone with more expertise is intended to reduce the likelihood of the event, again at some cost. Other times, as in the case of the recruited First Mouse, delegation is about transferring the consequences. Note that some residual risk will usually be present; in other words, some of the consequences will be borne by the Wise Mouse, possibly at the hands of the First Mouse’s mourners.

Avoid

We avoid a risk by accepting the opportunity cost of not doing something. In projects, this can range from taking something out of scope to making adjustments to the project delivery schedule. Depending on the goals of the project and the nature of the risk, we may determine that the remaining value of all-but-this-one-thing still exceeds the adjusted cost, and we may proceed without it.

Of course, if the value no longer exceeds the cost, it may be better to abandon the project. The Wise Mouse is considering exactly that approach.

Certainty is for People With No Imagination

Leadership requires a willingness to make decisions under conditions of uncertainty. To be certain, you must believe that you have perfect knowledge of the circumstances and absolute control over the outcome. It also requires you to have absolutely no imagination; “Nothing will go wrong.” These people often go on to win Darwin Awards. The rest of us acknowledge the limits of our understanding and control. We have horrible dreams, and yell at the heroine in the horror film to turn on the damned lights when she enters the room! We often live long enough to reproduce, or at least have roles in the sequel.

Risk management is about improving the quality of decisions made under conditions of uncertainty. It is unrealistic to demand certainty before taking action and foolish to assume that all will go well, simply because you need it to. Identifying and analyzing risks may help reduce uncertainty to acceptable levels, or it may lead to cancellation of a doomed project. In either case, the analysis of the risk and alternative strategies allows a rational basis for decision making.

Final Roundup: PM Articles for the Week of March 23 – 29

This is the 500th and final roundup of new project management articles published on the web during the week of March 23 – 29. Thanks for sticking with me all these years! Over the next few weeks, I’ll publish a few articles that I wrote for other venues but never got around to posting here, and in November I’ll publish my annual list of public holidays for 2021.

And this week’s video: Cameroonian musician and composer Emmanuel N’Djoké “Manu” Dibango passed away on March 24th due to complications from COVID-19. He was 86. His 1972 hit, “Soul Makossa (I will dance),” was widely sampled and influenced generations of composers and performers around the world. 6 minutes, safe for work. “A true musician never dies; he just stops performing live.”

Ethics, Business Acumen and Strategy

  • Fred Schmalz interviews Sunil Chopra on how companies can prepare their supply chain for the next disruption by balancing efficiency with resilience. 5 minutes to read.
  • Thomas Choi and colleagues say that the COVID-19 global pandemic proves the value of supply chain mapping as a disruption response tool. 5 minutes to read.
  • Greg Satell argues that we need to prepare for future crises—from artificial intelligence to climate change to the ballooning debt—like we would prepare for a war. 5 minutes to read.
  • Randall McAdory analyzes Tesla’s diverse collection of core technical competencies, and asserts that their market advantage is essentially insurmountable. 9 minutes to read.

Managing Projects

  • Cornelius Fichtner talks with Karthik Ramamurthy on seven techniques for effective project scope management. Podcast, 30 minutes, safe for work. Plus an article, 3 minutes to read.
  • Elizabeth Harrin announces the creation of a new professional community for project managers: #ThePMTribe. 5 minutes to read.
  • Glen Alleman argues for capabilities-based planning—providing an outcome or effect without an a priori specification. 2 minutes to read.
  • Mike Clayton tells us what to put in a project risk register, and how to maintain and use it. Video, 11 minutes, safe for work.
  • Praveen Malik explains how to save a baseline in MS Project, and how to use it once you have. 5 minutes to read.
  • The nice folks at ActiTIME suggest six ways to think of (and track) project costs. 6 minutes to read.

Managing Software Development

  • Stefan Wolpers curates his weekly list of Agile content, from the new future of remote work to the latest Cynefin iteration to enterprise agility. 7 outbound links, 3 minutes to read.
  • Cesar Abeid interviews Johanna Rothman and Mark Kilby on their new book, remote project management, and distributed agile teams. Podcast, 48 minutes, safe for work.
  • Nicole Segerer suggests that evolving software business models require new approaches to establishing and maintaining customer relationships. 4 minutes to read.
  • Kristin Jackvony reviews Enterprise Continuous Testing, by Wolfgang Platz and Cynthia Dunlop. 4 minutes to read.
  • Gojko Adzic did a comprehensive survey to see what’s changed since his classic book, Specification by Example, was published ten years ago. 22 minutes to read, but worth the time.
  • Henny Portman recaps the 3rd edition of Agile NXT, a downloadable magazine from Xebia. 3 minutes to read.

Applied Leadership

  • Karolina Toth interviews Steven McCord, SVP of Technology at WhyHotel, on how to succeed in your first 100 days as a tech leader at a new company. Podcast, 30 minutes, safe for work, or read the notes in 11 minutes.
  • Tom Cagley begins a series on toxic meeting cultures with diagnostics: how to recognize them. 3 minutes to read.
  • Lisette Sutherland interviews Danny Page on socially responsible outsourcing and the finer points of working as a distributed team. Podcast or video, each about 40 minutes, safe for work.

Cybersecurity and Data Protection

  • Das Rush interviews Joel de la Garza on the transformations of information security practices and capacity as more of the workforce goes remote. Podcast, 22 minutes, safe for work.
  • Erich Kron and James McQuiggan advise us what to do if we discover that someone is impersonating our company in a phishing campaign. 2 minutes to read.
  • Ben Dickson shares some additional security precautions to take when connecting remotely to the company network. 4 minutes to read.

Pot Pourri

  • Pascal Papathemelis recaps his webinar on active listening. Great content, too bad I missed it, but this is almost as good. 7 minutes to read, plus a video, 52 minutes, safe for work.
  • Francesco Marcatto makes the case for dot voting as a way for a team to converge on a limited set of alternatives. 4 minutes to read.
  • Esther Derby gives us a cheat sheet for helping those who are new to remote work to conduct better meetings. 2 minutes to read.

Peace be with you!