Is risk quantification distracting us?
Written by Infrastructure SIG Committee member Chantelle Morrisette
Quantifying risk on projects has increased certainty of cost and schedule, providing a tangible outcome of the risk management process. Though, could it be at the detriment of performing other key risk management activities, distracting us from possibly influencing the project achieving its objectives?
The distraction is potentially more significant on projects where quantification is mandatory for all risks, regardless of their importance, and where risk quantification is updated too frequently (when it doesn’t significantly impact previous results), leaving few resources to dedicate towards other, arguably more important risk management activities.
The challenge increases when there is intense pressure on the project to deliver with a lean project team, which increases the importance of developing a strategy to efficiently allocate available project resources. Risk assessment (including quantification) prioritizes risks, helping us take informed decisions, and calculating an adequate contingency and management reserve, but it doesn’t reduce the project’s risk exposure. Activities related to identification, treatment and management of risks needs a strong emphasis at all times.
The temptation to over-emphasise risk quantification is understandable: Risk quantification can be seen to provide a clear outcome, and potential cost and schedule impacts of risks materializing can be communicated to senior decision makers (though we must remember that they are not predictions of the future). Risk metrics typically include target risk levels and can demonstrate a month-by-month project cost progression, positive or negative. Though, as we know, target risk is an estimate and uncertain; therefore, it should be taken as a reference only. However, this is often not the case.
Risk quantification is not all-encompassing focusing solely on cost and schedule impacts. Project risks concerning safety, environmental, and societal outcomes are of course very real and relevant. The ISO 31000 definition on risk – the effect of uncertainty on objectives – acknowledges the importance of such consequences.
For quantification purposes, risk consequences are typically translated into cost and schedule impact values, but by doing so, are we potentially misunderstanding their relevance?
For example, a risk that impacts societal outcomes might be perceived as non-significant because of its limited cost or schedule impact, though it could impact core project areas and have important / significant knock-on effects. Reputation risk is another complex consequence: in most cases it has a strong ripple effect, which affects the project, the parent company, and the many organizations involved, for a period potentially longer than the life of the project itself. In practice, it is difficult to accurately translate reputation impacts into cost and schedule terms.
And, we should always bear in mind that risk can be positive (an opportunity) as well as negative (a threat).
What about historical data?
At times when we are navigating uncharted waters, historical data is often unavailable. For example: How likely is that a genetically engineered organism will damage the current ecosystem? or how likely is it and what would be the impact of having Artificial Intelligence procuring goods for the project?
When historical data is available, it doesn’t mean that the data will continue to behave as it did in the past. We should ask ourselves: Has something changed that makes us believe the trend could be disrupted / changed? To illustrate this point, in the previous century it was said that investing in real estate was safe, and the likelihood of it depreciating very slim. However, as we all know that was dramatically turned on its head in 2008 in much of the world, with massive consequences, even for organizations that had a strong risk management program that included risk quantification methods. Whilst historical data can and should be consulted, it should not dictate our understanding of a risk. Reflection and context of the current situation is key - we must look beyond the numbers.
In my opinion, the answer lies in finding a balance. Get the most out of the “calories” invested in your risk management program. Risk quantification is a valuable tool; however, it should not be the protagonist or raison d’être of risk management. It is effective under certain conditions but could be a distraction if our risk management team is too lean or if we do not fully understand the limitations of its outputs – or, if we do not understand how to use it properly.
In conclusion, the most important area of focus is to successfully identify risks that matter and implement meaningful and effective treatment and management plans in a timely manner. Balance could be found by exploring the possibility of including semi-quantitative methods for some risks, adjusting the frequency at which we update the risk quantification models in accordance with the project and team characteristics, or making sure the allocation of resources allows time and energy for all the risk management process steps.