Risk management has an interesting relationship with complexity. Established approaches to project risk management are based on a classical linear project execution model. The rise in truly complex projects represents both an opportunity and a need for fresh thinking.
Complexity is sometimes seen as a source of risk in itself, one of the factors to be considered during a risk assessment. At the same time, emergent behaviour presents interesting challenges for the risk management process, the way we understand and seek to modify risk to help us achieve beneficial outcomes.
Risk management has been plagued by attempts to embellish the important principles distilled into the standard ISO 31000. These elaborations generally do little more than divert resources into unproductive effort. It would be a mistake to respond to complexity in projects with a new flight of risk management fancy. The core of sound risk management is not affected by the nature of the system to which it is applied. The effect of uncertainty on objectives, the standard’s definition of risk, is a valuable concept no matter what our objectives or how we pursue them.
In the previous ICCPM opinion column, Terry Williams set out a pragmatic and useful way to view project complexity. He said:
“A project becomes particularly complex when it combines three effects: it is very complicated (lots of parts and lots of interconnections), it is highly uncertain (so there are likely to be many changes or disruptions) and it is heavily time-constrained (so there is no time to sit back and re-plan sensibly – disruptions need working-around immediately)”.
In the face of real complexity and emergent behaviour, we need to relax our insistence on using detailed plans and forecasts as the baseline for understanding risk, yet we must know what success means. Our attention has to shift to definitions of success that can survive mid-course adjustments as we respond to evolving circumstances. This will be challenging for those drilled in the idea that success means being on time, on budget and within specification.
Other developments are likely to involve shorter monitoring and review cycles based on large amounts of small observations, closer integration of risk management with change management, and greater autonomy to act on uncertainty at lower levels in the management team guided by light constraints rather than rigid centralised controls. Weak signal detection will be increasingly valuable to make emergent behaviour visible while there is time to react.
This means drawing on the observations of people involved in executing work, rather than only involving management and supervisory personnel. Information gathering has to be open to important matters arising that have not been contemplated in the design of the reporting process. This is a role for which narrative capture techniques may be useful.
Discovering how to manage risk in complex projects is itself an exercise in managing complexity. We need to experiment and test ideas on several fronts so that we can identify what works and build on it.