
    Risk Management – A Boon or a Drain on Resources?

    On the one hand, systematic risk management can help identify potential problems early on and develop contingency strategies. On the other hand, it can also lead to negative effects such as a false sense of security and excessive bureaucracy. We have addressed the three most common misconceptions surrounding risk management.

    Risk management is now an integral part of project implementation. Its acceptance is based not least on requirements from various standards such as CMMI, PMBOK, Automotive SPICE, or INCOSE Systems Engineering, as well as the DIN ISO 31000 standard, which enshrines the principles of risk management.

    Risk management is intended to ensure the achievement of project and business objectives—in terms of project duration, costs, and qualitative factors. To this end, potential risks are typically identified in advance and assessed based on their probability of occurrence and the severity of their impacts. Suitable strategies are then sought to avoid the risks, reduce the probability of occurrence, and/or mitigate the impact.

    These may include adjustments to workflows and deliverables, or the development of contingency plans and alternative solutions.

    Light and Shadow

    Risk management is designed as a beneficial strategy intended to contribute to business and project success. In practice, however, the picture is not always so rosy. Risk management ties up personnel resources and increases the complexity of processes within the project because it requires additional activities.

    It is not uncommon for risk management to become a burdensome formality in the project, serving merely to meet current standards and norms on paper. The reason need not lie in personal sensitivities or approaches. Perhaps tendencies toward excessive bureaucratization have indeed crept into the methods, hindering a faster pace of innovation (“China Speed”).

    But even where the benefits of risk management are basically recognized, this topic is often viewed merely as a “side issue” that must take a back seat to other challenges.

    Therefore, it is definitely worthwhile to critically examine the approach to risk management: first, to what extent the intended positive effects can be achieved at all; second, how efficiently risk management can be integrated into the various project processes. In this way, potential for optimization in internal processes can be identified.

    The following section outlines three typical mistakes and their causes.

    Misconception 1: Adding Risks

    To be clear: Determining a project’s risk value based on the risk values of individual risks is not a valid, practical simplification—it is incorrect. Individual risks cannot be added together, as risks are subject to probability distributions that can vary significantly depending on the specific context.

    A one-week delivery delay has a different probability than a one-month delay (see Figure 1). Risks can follow different statistical distribution patterns (e.g., uniform, normal, triangular, or Weibull distributions), but they may also not correspond to any of these standard distributions.

    Figure 1: Relationship between probability of occurrence and impact, using the example of “late delivery of a component,” idealized representation; Source: EDAG

    Numerical approximation methods for risk aggregation, such as Monte Carlo simulation, require known probability distributions. Unlike in insurance, betting, or medical research, statistical data is generally not available in project work. Data from previous projects or studies, if available, is hardly transferable—the boundary conditions are too different, and technologies, data structures, tools, and working methods change too rapidly.
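
To make the point about adding risks concrete, the following added example (not from the original article) compares the summed "probability × impact" value of a small risk list with a Monte Carlo aggregation of the same risks. The register entries, probabilities, and impact distributions are constructed assumptions; as noted above, such distributions are rarely known in real projects.

```python
import random

# Constructed register (not from the article): name, probability of occurrence,
# "typical" impact in days as written in a risk list, and an ASSUMED impact
# distribution. The article notes such distributions are rarely known in projects.
RISKS = [
    ("late delivery of a component", 0.25, 10, lambda r: r.triangular(5, 30, 10)),
    ("test bench unavailable",       0.20,  5, lambda r: r.uniform(2, 8)),
    ("key engineer absent",          0.10, 15, lambda r: r.weibullvariate(15, 1.5)),
]


def added_risk_value(risks):
    """The risk-list shortcut: sum of probability x typical impact."""
    return sum(p * typical for _, p, typical, _ in risks)


def simulate_totals(risks, runs=20_000, seed=1):
    """Monte Carlo aggregation: per run, each risk occurs or not, then draws an impact."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        total = 0.0
        for _, p, _, draw in risks:
            if rng.random() < p:
                total += draw(rng)
        totals.append(total)
    return sorted(totals)


def percentile(sorted_values, q):
    """Value below which a fraction q of the runs fall (nearest-rank style)."""
    return sorted_values[int(q * (len(sorted_values) - 1))]


def summary(risks):
    """Compare the added risk value with the simulated distribution of total delay."""
    totals = simulate_totals(risks)
    added = added_risk_value(risks)
    return {
        "added": added,
        "mean": sum(totals) / len(totals),
        "p50": percentile(totals, 0.50),
        "p90": percentile(totals, 0.90),
        "share_above_added": sum(t > added for t in totals) / len(totals),
    }


if __name__ == "__main__":
    for key, value in summary(RISKS).items():
        print(f"{key:>18}: {value:.2f}")
```

Under these assumptions, more than half of the simulated runs show no delay at all, while the 90th percentile lies at several times the added value, so the single summed number describes neither the typical nor the bad case.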

    Furthermore, this type of risk assessment is based on the assumption that all (or at least the majority of) risks have been identified. It is a misconception that one can identify all risks in larger projects simply by proceeding systematically and applying the right method. Let’s not kid ourselves: when dealing with complex issues—which are the norm in product development with a high degree of innovation—our vision of the future does not extend very far.

    Complexity arises from many interconnected elements and their interdependencies (structural complexity). Similarly, uncertainty regarding the desired outcome and the approach contributes to complexity (see Figure 2). Projects are basically complex because stakeholders, team members, work packages, requirements, and external constraints interact with one another, and both the goals and the approach are fraught with uncertainty. In projects, one must therefore always expect a “blind spot” whose extent cannot be quantified with . This uncertainty actually means “not knowing”—and a lack of knowledge cannot be replaced by methods.

     

    Figure 2: Factors of project complexity, based on Williams (2002), cited in Alter (2018); Source: EDAG

    Further evidence of why risks cannot be added together is provided in the following section.

    Misconception 2: Risks are isolated elements

    Entries in risk lists give the impression that risks are distinct elements or building blocks that together form a complete picture. In reality, however, every potential event is part of a continuous, complex chain of cause and effect. The very wording used determines what is considered a “risk.” Consider the example of staff availability: Are we analysing the entire team or individual people? An absence of one day, two days, or a week? Over what time period? Due to illness, resignation, or a transfer to another project? Are we assessing the impact on deadlines, costs, or performance?

    A risk put into words is always a selected snapshot—but which one do you choose? This is precisely the problem employees often face in risk workshops, making it difficult to formulate a risk description.

    Difficult Distinctions

    Another hurdle: risks are always intertwined. They cannot be broken down into individual linear causal chains. There is no one-to-one relationship between effects, underlying causes, and possible countermeasures. Different risks can have similar effects or stem from the same cause. A single measure can prevent a multitude of risks.

    Distinguishing between “schedule,” “cost,” and “quality” risks also does not seem productive and is, at best, an artificial distinction, as every risk can encompass multiple aspects.

    Furthermore, risk lists often mix global and specific risks, such as “staff shortage” versus “insufficient measurement range of sensor X.” Identified risks can relate to a sub-result, project goals, business goals, or global goals.

    Misconception 3: Risk management is a separate process

    In many companies, risk management is viewed as a standalone process or subprocess. Its activities run parallel to other processes, such as management, core, and support processes. One possible reason for this lies in the direct adoption of structures from standards such as CMMI, PMBOK, Automotive SPICE, INCOSE Systems Engineering, or the ISO 31000 standard for risk management.

    In technical literature, norms, and standards, structuring is often conveniently organized by knowledge areas or subject fields. However, different criteria apply to the design of company-specific processes. While the former primarily involves the collection and sorting of knowledge (or requirements), company processes focus on the chronological description of workflows and personnel assignments.

    Activities that are closely related in terms of personnel, content, and timing are grouped into processes. According to this logic, risk management as a separate process with its own activities, deliverables, and roles makes no sense. Identifying, assessing, or mitigating risks are the most important risk management activities. They are never detached from other project activities: they take place during the same time period, relate to the same deliverables, and are typically carried out by the same group of people.

    The strategy of establishing a separate risk management process inevitably leads to redundancies and inconsistencies in project management.

    Ways out of the dilemma

    As shown, the risk management process presents a number of pitfalls and stumbling blocks. Thus, when considering individual risks, one must not lose sight of the big picture. Strategic decisions such as “bid/no-bid” decisions or the calculation of contingencies and risk premiums require a holistic view of the project.

    A proven approach is demonstrated by the Canadian government’s “Project Complexity and Risk Assessment Tool” (Treasury Board of Canada Secretariat, 2017). Using a comprehensive set of criteria, projects are evaluated for their complexity and scope and assigned to one of four categories: Sustaining, Tactical, Evolutionary, and Transformational. The criteria provide a comprehensive overview of project characteristics as well as risks related to management, procurement, human resources, business, project management integration, and requirements.

    It is significantly more difficult to avoid parallel processes and unclear responsibilities. Here, an embedded risk management approach is recommended, in which the analysis and treatment of risks are integrated into existing core, management, and support processes. Risk assessment and treatment thus become part of every work step. This also aligns with the principles of the risk management standard DIN ISO 31000 (2018, 4 principles). According to this standard, effective risk management means that it is an “integral part of all an organization’s activities.”

    If you, too, want to optimize your processes and projects and increase the efficiency of your risk management, speak with Alin Javorsky, Project Management & Process Consulting at EDAG Engineering. Or download our white paper “Risk Management Reimagined” right here, which explains the concept of the embedded risk management approach in detail.
