Introduction
“I cannot conceive of any vital disaster happening to this vessel. Modern shipbuilding has gone beyond that.”
—RMS Titanic Captain Edward J. Smith, 1907
“We are ready for any unforeseen event that may or may not occur.”
—Dan Quayle, quoted in Cleveland Plain Dealer, 27 September 1990
Things don’t always go according to plan. That’s why we have risk management.
In the case of RMS Titanic, both management and operations thought the risk of catastrophe was low, and indeed—measured objectively—it was. The Titanic was, in many respects, a marvel of safety engineering, with watertight compartments designed to keep it buoyant even in case of collision. It traveled in shipping lanes filled with other ships, so that even in case of disaster, help would arrive quickly. All of these steps reduced the risk, but as we all know, did not eliminate it altogether.
A report on the late-2000 financial crisis by the leaders of the Group of Twenty (G20) nations focused on the failure of risk management as one of the root causes. They wrote, “During a period of strong global growth, growing capital flows, and prolonged stability earlier this decade, market participants sought higher yields without an adequate appreciation of the risks and failed to exercise proper due diligence. At the same time, weak underwriting standards, unsound risk management practices, increasingly complex and opaque financial products, and consequent excessive leverage combined to create vulnerabilities in the system. Policy-makers, regulators and supervisors, in some advanced countries, did not adequately appreciate and address the risks building up in financial markets, keep pace with financial innovation, or take into account the systemic ramifications of domestic regulatory actions.” When risk management fails, the damage can be incalculable.
Risk, fundamentally, is the measurement of uncertainty about the future as it applies to us—our project objectives, corporate goals, or personal goals. How long will the project take? How much will the project cost? Will the project be successful? The answer is, of course, that even when probability is firmly on our side, certainty is elusive. We can make educated guesses; we can analyze probability; we can identify potential scenarios. But we don’t—we can’t—know, at least not until an event happens, or until we pass the point when the event could happen.
Lack of knowledge, however, does not equal helplessness. Risk management and cost analysis provide tools to help us measure the limits of our knowledge, estimate the range of potential futures, and empower us to take action.
The discipline of risk and cost analysis helps managers—project and others—integrate risk into cost proposals and estimates, to determine the likelihood of achieving cost objectives, to determine appropriate levels of reserve, and to establish a common vocabulary to enable project teams to manage risks effectively.
Managers and leaders are often asked to provide cost estimates under conditions of uncertainty, and then to manage according to those estimates regardless of subsequent events or issues. To do that, the estimates have to take into account uncertainty: they must measure—and act upon—risk.
Risk management as a formal discipline is a relatively recent idea. Before the development of statistics beginning in the 17th century, the modern word “risk” didn’t even appear in the English language! Uncertainty, of course, was well known. The ancients sacrificed animals to the local gods as insurance against risk, and prayer is still a well-known and well-respected response to life’s many dangers: “From lightning and tempest; from earthquake, fire, and flood; from plague, pestilence, and famine/Good Lord, deliver us.” (Book of Common Prayer, 148)
The root of the word “risk” goes back to Homer’s Odyssey: when the crew of Odysseus’ ship are devoured by the monster Scylla, Odysseus survives by clinging to the roots (rhiza) of a fig tree high atop a cliff face. This became a metaphor for any difficulty or danger at sea, evolving into the Latin risicum and the Spanish risico. As the first use of what we think of as modern risk management involved sea trade, it was altogether natural that the word, stripped now of its naval heritage, became a stand-in for all sorts of danger.
In common language, risk is often used as a synonym for bad potential events, but risks can be positive as well. A stock market investment can gain as well as lose in value; a technology business started in a garage can turn into Hewlett-Packard—or end up in an even smaller garage.
Nobel physicist Niels Bohr and baseball malapropist Yogi Berra are both credited as having said, “Prediction is hard—especially when it’s about the future.” The future is, indeed, uncertain. How long will it take? How much will it cost? The answer to those questions often depends on events that haven’t happened yet. What if something goes wrong? Alternatively, what if we get lucky?
Risk management doesn’t (and can’t) predict the future. It is instead an attempt to measure the uncertainty of the future as it applies to the objectives of the project, no matter whether those events are negative (downside risks) or positive (upside risks). We identify risks, we analyze risks, we develop potential responses to risks, we execute our response plans—and we adjust as necessary.
Good luck!