In a prior post on selecting means of communication, I quoted Master Kan, from the pilot to the early 1970’s television series, Kung Fu:
Avoid, rather than check. Check, rather than hurt. Hurt, rather than maim. Maim, rather than kill. For all life is precious, nor can any be replaced.
We should adopt a similar rubric for selecting risk response strategies:
Avoid, rather than transfer. Transfer, rather than mitigate. Mitigate, rather than accept. For all risk response strategies have both a cost and a residual risk.
Selecting Risk Response Strategies
I bring this up because I see so many organizations and managers choose to mitigate or accept risks that they could otherwise avoid or transfer. Avoiding a risk usually results in an opportunity cost, or at least deferring the benefit, but it tends to result in the least residual risk. For example: responding to a schedule risk by removing some element from scope avoids the risk, at the opportunity cost of not having the capability provided by that element. Transfer and Mitigate responses usually have at least somewhat predictable direct costs while retaining some residual risk. Accepting a risk means it’s all residual, and acceptance can have a complex mix of direct and opportunity costs.
In some cases, it’s about the perceived cost of the safer responses. But I see it happen most often in organizations following a merger or acquisition, where they haven’t reached an end state in their evolving culture. Perhaps one of the predecessor firms had a greater appetite for risk; perhaps middle management has internalized the acquisition itself as a willingness to take on significant risk. Or maybe their appetite for certain types of risks is higher than that of their new colleagues.
A few years ago, I worked with a customer that was being acquired by a much larger firm. They had initiated a project for the express purpose of reducing the chance of being found in non-compliance with a legal requirement, although they had relatively little exposure. The cost of the project far outweighed the potential cost of being found in non-compliance, or of making improvements to their existing manual process. But the decision-maker felt that the non-compliance risk absolutely had to be mitigated. That said, the project itself was very risky, in terms of schedule and quality. It was kicked off late, the vendor provided a relatively inexperienced team member in a key role, and there was no internal consensus on what business rules should be embedded in the process. In the end, a senior manager in the acquiring firm killed the project. Their view of the bundle of risks was quite different, and they decided to accept what they viewed as a relatively low-cost, low-impact risk, rather than take on all of that residual risk.
Gauging Appetite for Risk
It is extremely difficult to measure risk tolerance, or even to describe it in meaningful terms. In an interview, I once asked a PMO director about their organizational risk tolerance. He admitted that the question had never been asked before, and struggled to answer in a way that would be actionable for a contract project manager. Plainly, no organization is willing to admit that they have little appetite for risk, although few can express what level of risk they find acceptable. But in order to suggest risk response strategies, the team will benefit from an understanding of how the organization views their choices. So, let me propose a few interview questions that might start the process of gauging appetite for risk:
- Are you willing to replace an established vendor with an acceptable level of performance in order to reduce costs? While the new vendor might have a lower price, any transition will have a learning curve and lower quality. If this is an acceptable trade-off, then they should be seen as having a somewhat higher appetite for risk.
- Are you willing to accept higher retention risk after an implementation project is completed, in order to avoid the costs of augmenting your staff with temporary workers? Most projects that replace a legacy system provide a platform for team members to gain new skills and experience, and it is common for some folks to seek out greener pastures. If cost avoidance matters more than staff retention, then that tells you a bit about what risks they are willing to accept.
- Are you willing to accept higher quality risk, in order to finish on schedule? If the project does not have an immovable finish-by date, follow up with questions on what drives this response.
- Are you willing to defer some deliverables in order to reduce schedule risk? The answer can lead to some interesting discussions on perceived benefits of the project deliverables.
- Are you willing to add administrative complexity, in order to reduce implementation risk? Again, this speaks to the trade-off between quality and cost.
While this list is not particularly comprehensive, I think it will provide some insight into the organization’s appetite for risk. Or at the very least, their tolerance as it applies to the proposed project. If you have some additional interview questions you’d like to add to this short list, please leave a comment.