INTRODUCTION

Before its launch, the Titanic was touted as being unsinkable. Its tragic maiden voyage in 1912 is a realization of risk, which is the possibility of a hazardous event. Risk has a variety of dimensions that can be broken into two distinct categories: technical and resource. Technical risks are those that threaten the performance of a system. Resource risks are those that present the possibility of cost increases or schedule delays. When technical risks are realized, they result in system impairment or even outright failure. The occurrence of resource risks leads to additional cost and/or longer schedules.

There are some notable examples of technical risks. These include the Space Shuttle disasters in 1986 and 2003; the nuclear disasters of Chernobyl in 1986 and Fukushima in 2011; and the oil spills from the Exxon Valdez oil tanker in 1989 and the Deepwater Horizon drill in 2010. Not all technical failures are catastrophic. For example, the Hubble Space Telescope was put into space with a primary mirror that was polished to the wrong shape. It was a problem that took years for NASA to fix with servicing missions. A recent example of a disastrous system failure is the Boeing 737 MAX aircraft, which experienced fatal crashes in 2018 and 2019. This failure culminated in the indefinite grounding of the plane. While technical failures occur from time to time, resource issues are a far more common occurrence. Most projects do not experience significant technical issues, but the vast majority suffer from cost overruns and schedule delays. In some industries, such as aerospace and defense, more than 80% of projects experience cost overruns, and 90% experience schedule delays. Average cost growth for development projects exceeds 50%, and one in six more than doubles in cost. This imbalance of risk between technical and resources is due to a lack of attention to the issue of resource planning and management. This book has been written to address the issues of risk management of resources—the importance of addressing and planning for risks, the common problems encountered in resource risk management, and ways these can be fixed. Throughout we will also address technical risk, especially its connection with resource risk. The two have a strong connection, as technical problems typically have significant resource impacts. While many of the issues and solutions we discuss also apply to technical risk, the focus of this book remains resource risk.

The most well-known examples of big cost overruns and long schedule delays are for large projects. The absolute dollars and years spent on these complex systems can be enormous. When NASA began planning the successor to the Hubble Space Telescope, which is now called the James Webb Space Telescope (JWST), it convened a meeting of managers, scientists, engineers, cost estimators, and other program professionals to determine how to design a system with a price tag of $1 billion or less. In inflation-adjusted dollars that amounts to approximately $1.5 billion. Despite the initial plans for JWST to cost less than Hubble, JWST is much more complex. It has a bigger mirror that is in a folded-up configuration when launched and then unfolds in space. JWST will be outside of a low Earth orbit after it is launched. Current launch capabilities for astronauts are only to low Earth orbit, so there is no option to repair it once it is launched. The planning for JWST started in 1996 with an expected launch in 2007. There was a significant amount of cost and schedule growth from program initiation. This resulted in a program replan in 2005. In 2010, JWST was called the “Telescope That Ate Astronomy”¹ because it was consuming a large amount of the space science budget. As a result, other astronomy objectives could not be achieved due to lack of available funding. As of March 2020, the planned launch date was in 2021, a 14-year delay and the expected program costs exceed $9.7 billion, a more than sixfold increase from the initial plan.² Programs with this amount of cost growth often get cancelled. However, sometimes even problem programs, when they are high priority, continue onward.

Even though resource risks are most prominent in large projects, significant cost and schedule growth often occur in more mundane endeavors. For example, in 2004, the City of Huntsville, Alabama, signed a contract for construction of a 1,100-bed addition to the local jail for $25 million. The initial schedule was to complete this effort in three years. However, the city called a halt to construction after an inspection discovered cracks in the support beams. Due to these findings, it terminated the contract with the builder. The city then hired another company to finish the project. These actions led to significant delays and cost increases. The addition was eventually finished in May 2010, three years behind schedule.³ Also, the city and the original builder sued each other. This resulted in the City of Huntsville spending another $3 million in legal expenses and paying the original contractor an additional $2 million. The total cost of the project exceeded $80 million,⁴ more than triple the initial contract. Even though it might appear that such a project should be simple, jails require sophisticated components such as electronic locks and security systems with which average building contractors may not have experience. The City of Huntsville did not vet the contractor before awarding the contract but merely went with the lowest bid from an out-of-town company that had never worked with the city. As this example reveals, cost overruns and schedule delays can occur in what may appear to be simple building and infrastructure projects.

Understanding risk is challenging. The second law of thermodynamics states that entropy, which is the level of disorder in the universe, is always increasing, unless there is some intervening action that occurs to stop it. My son once tossed a plate from our dinner table. When it hit the floor, the plate shattered. The plate was in one piece on the table only moments before and was nice and orderly. An intervening action would have been to catch the plate as it fell off the table. There was nothing to be done to make the plate more orderly, but there are plenty of opportunities, especially in the hands of a small boy, to quickly make things messier. Entropy is a complicated process. The famous physicist and mathematician John von Neumann once stated that no one really understands entropy.⁵

Similarly, risk is a difficult concept to grasp. It too always seems to be increasing everywhere. Like a dinner plate on a table, there is little that can change, if anything, to make it better, but many ways things can go wrong. There are many more ways for costs and schedules to increase than to decrease. This includes all kinds of projects—aerospace, defense, infrastructure, construction, and many others. Some projects are inherently riskier than others, but all projects bear some resource and technical risk. A former NASA colleague of mine once wrote, “without some intervening action chaos will eventually rule project management.”⁶ To guard against risk, much more “intervening” action is needed, especially in the measurement and management of risks. This does not mean that we should not take risk. Risk-taking is as American as apple pie. Walter Wriston, the CEO of Citibank/Citicorp from 1967 to 1984, noted in the 1980s that society had become averse to risk to the point it had become another four-letter word. He argued for risk-taking by stating, “The driving force of our society is the conviction that risk-taking and individual responsibility are the ways to advance our mutual fortunes.”⁷ However, that does not mean we should take risks blindly. We need to understand the risks we face and use that information to make rational decisions. Not doing so has led private companies to take too few risks and government organizations to take too many. Private companies, faced with bankruptcy if they take on too much risk, often err on the side of risk avoidance in the absence of proper risk management. By contrast, government organizations, which lack incentives to avoid hazards, often take on too much risk.

The term “black swan” is often used to refer to unpredictable events that have extreme consequences.⁸ Risk management often ignores them. Due to their significant consequences, plans should be made to deal with black swan events. The phenomena that lead to such events have the property that no matter how severe the consequences of such events in the past, it is only a matter of time before an even worse one occurs in the future. Reducing their impact requires careful consideration, fast action, and even overreaction. For example, during the COVID-19 pandemic, Taiwan swiftly acted early in the outbreak in January 2020 to shut its borders and require people to wear face masks.⁹ As a result, by May 2020, the island nation had only 440 confirmed cases of infection and six deaths. Normalizing for population, Taiwan had only 18 cases per million people, tiny compared to the global average of 513, which translates to only 0.3 deaths per million people, compared to 35.3 globally.¹⁰

Current risk management practice is a fantasy conceived of optimism and willful ignorance. I have firsthand experience with this in my profession. I have worked as a consultant with NASA and the Department of Defense and have served as a government employee at a Department of Defense agency. During my time as a civil servant, I worked closely with project managers and senior leaders, including several generals and admirals. I have had an inside view of how decisions are made. Project managers do some things extremely well. They ensure the development, production, and operations of complex systems, and those systems work as designed most of the time. Many projects involve solving hard engineering problems. You know the saying, “It doesn’t take a rocket scientist”? Well, sometimes it does. Government weapon systems and aerospace programs are examples where many rocket scientists are needed. Many other organizations in a variety of fields, such as infrastructure, mining, and chemical processes, also require sophisticated engineering. All these organizations have detailed, sound approaches to the technical planning process. However, most of the time, these same projects lack solid resource planning. Instead, resource risks are routinely ignored and lack proper consideration. Planning for the resources required by a portfolio of systems is poorly done and extremely shortsighted. Alas, to many project managers, risk is often just another four-letter word.

This book is written with the intention to provide information that can help fill the risk management void that exists in project management practices. The common occurrence of large cost overruns and long schedule delays provides overwhelming evidence of significant cost and schedule risk in most projects. It also demonstrates that in general this risk is not being managed well. The case for quantitative analysis of risk for projects is made. There are several problems with the current state of practice because even when risk is quantitatively assessed, it is not done well. Several of these issues are addressed, and ways to fix them are provided. Risk does not need to be just another four-letter word. It is an important part of project management. When managed correctly, it can be used to make smarter decisions and help ensure project success.