Proposing more effective risk management is essentially suggesting a change to the way people do things. People resist change for a variety of reasons. One constructive form of resistance is the use of honest inquiry, in which one seeks to understand why a change should be made. This is a good thing because if you can show why a change might be an improvement over the status quo, the people you are asking to change might be more likely to consider what is proposed. Some forms of resistance are less constructive, and they can lead colleagues to dismiss your proposal without consideration.
What follows are seven dismissive remarks you might encounter if you propose increased risk-management rigor, as well as some thoughtful responses to consider.
1. Stop sniveling: High risk equals high reward.
This is really a fallacy. While it is true that team members taking on valuable projects often must deal with higher levels of risk, that doesn’t mean risk implies value. For example, while you could juggle chainsaws in your front yard—certainly a risky activity—doing so is of questionable value. A way to turn the discussion in a more productive direction is to observe that there are certain choices that could be made to reduce risk without reducing value. The question for the team is, “Is the analysis to identify and address those risks cost effective?” Only time will tell, but you must begin more effective risk management to gather data on the merits of that approach.
2. You can’t be sure X is going to happen.
The best definition of risk I’ve encountered was from risk management expert David Hillson, who described risk as “uncertainty that matters.” If we are sure that a risk is going to occur, it wouldn’t be a risk; it would be a fact of life that must be addressed. The purpose of risk management is to identify uncertain events that matter and look for cost-effective ways to reduce the likelihood of their occurrences or decrease their impact on the project. Risk management is like a life-insurance policy; we buy it not betting we are going to die, but rather because the cost of the premium is seen as a reasonable expense to offset harm.
3. We can’t eliminate all risks, so why bother?
While it’s true that the only way to eliminate all project risk is to cancel a project, we can make informed decisions about the identified risks that we believe can be addressed in a cost-effective manner. By identifying and discussing the risks we can reduce the threats to the project; these include our conscious choices about risks that have been identified as well as the effects of risks that have not been identified. A reduced threat means a higher chances of success.
4. I’m tired of that theoretical Project Management Body of Knowledge (PMBOK) garbage!
It’s common that people who have never been exposed to risk management or have only been exposed to theoretical (or overdone) risk processes might be skeptical of the value of formal risk management. Despite the snotty presentation of this fourth remark, this comment can represent a valid concern. Rather than fight, I might be inclined to agree that risk management, time management, and software quality can all be taken to extremes of questionable value; that doesn’t mean they must. When it comes to dealing with skeptical people, you should ease them into risk management gently and monitor whether they see the value in a discussion of risk. On Agile Connection, you can read an example of a risk management process that might not be overwhelming or too theoretical. A description of risk management that might help sway executives who aren’t sure risk management is a good investment can be found on StickyMinds.