A large national Police program engaged one of the big four consulting firms to help manage their program risk. I was asked by one of the partner agencies involved in the program to review their approach to risk management
The big four consulting firms employ an army of intelligent, skilled and hardworking people. And they are guided and led by highly accomplished partners who bring a wealth of experience and demand high standards. I've worked with many of them and almost all have been excellent.
Unfortunately, that excellence was not apparent in the approach to risk management that they recommended to the program. The approach they recommended showed that they were project generalists, not project risk specialists. There were a number of issues with their approach that ran counter to industry best practices.
First, they consistently referred to “high impact” risks. Given the context, it was clear that they meant “risks with a high risk score”. This reflected a dangerous misunderstanding of the concept of a Risk Scores.
It is industry best practice to use Risk Scores to allow us to compare risks with a high probability but a low impact against risks with a low probability but a high impact.
A high impact risk with the lowest possible probability doesn’t get a very high risk score because they usually don’t deserve as much attention as other risk. This is a subtle but important distinction between a High Impact and a High Risk Score. The big four consultancy did not bring an understanding of this fundamental concept to their client engagement.
Second, the approach that these consultants brought encouraged narrowing focus on identifying a few top priority risks. This is dangerous and counter to industry best practice. In any project, there will be a handful of obvious risks that everyone is likely already aware of. These types of risks are likely to be identified and addressed in the normal course of a project. The real danger lies in the less obvious risks.
It is better to cast the net wide when identifying risks. The aim of risk identification should be to identify as many conceivable sources of uncertainty. Only after you have established a long list of risks should you start to analyse them and prioritise them. The risk identification approach that the big four consultancy advocated was fundamentally flawed and produced little of value.
Third, the big four consultancy only had one risk response plan to recommend. The Project Management Institute's Project Management Body of Knowledge (PMBOK) advocates five risk responses for negative risks, five risk responses for positive risks and five risk responses for overall project risks. In total, it recommends 8 distinct risk response plans.
All industry best practice advocates multiple options for risk response plans to treat the identified risks. Projects need options so that they can manage the balance between risk and reward and manage risks in the most cost effective manor. The big four consultancy did the program a disservice by only providing one risk response plan. As Abraham Maslow observed "I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail". Such was the approach those consultants advocated to the program.
These were just three issues with the risk management approach that the big four consultancy advocated but they clearly indicated that their "risk managers" were project generalists, not project risk specialists. And, the approach that they put forward indicated that they did not have a common risk management framework for programs & projects.
The national Police program is still in the process of delivery, but many new risks have emerged since that first risk workshop failed to identify them. Scope has been greatly reduced, all the contingency reserves have been used and the schedule has been extended. The program staff are working frantically in the hope of delivering the reduced scope to the extended deadline.
If the program had engaged specialists who could have helped them manage risks better, they would not ended up in such a predicament.
At ALB Consulting, we specialise in project risk management. We spent thousands of hours upfront developing the Bullet Dodging Risk Management Framework so that we consistently bring industry best practice to our engagements. You can see the Bullet Dodging Risk Management Framework outlined in detail in our best selling book, Bullet Dodging; A Risk Management Handbook for ICT Projects.