Managing Risk in Projects

On 9 July 2024, Routledge published the second edition of Managing Risk in Projects, written by our friend and business collaborator Dr David Hillson, also known as The Risk Doctor.

You can find the publisher's information about the book, and how to order it, here.

Dr Dale Cooper, Director of Broadleaf, was pleased to write the Foreward for the new edition. It is reproduced below.

Foreword

The international standard IEC 62198 Managing risk in projects – Application guidelines sets out principles for effective, efficient and consistent project risk management. The first of these principles is ‘Risk management creates and protects value’. The standard expands on this principle:

Risk management contributes to demonstrable progress towards organizational objectives and improvement of performance and quality in projects and the assets, products and services they create. The objectives shall be understood clearly by all parties.

This first principle is related directly to David Hillson’s pragmatic definition of risk as ‘uncertainty that matters’. Risk is characterised by uncertainty – if there is no uncertainty there can be no risk – and the effects of that uncertainty on the objectives, outcomes and value that an organization derives from undertaking a project.

The second principle in IEC 62198 is ‘Risk management is part of decision-making’, with the further commentary that:

Risk management helps decision makers make informed choices about the project, within each stage of its life, prioritize actions and distinguish among alternative courses of action. This implies that all decisions should consider risk.

This new edition of David’s book provides a concise view of current ‘good practice’ in project risk management, with a consistent focus on making sound and justifiable decisions that add value and generate better outcomes. He takes a high-level view, suitable for all project risk practitioners, that allows many general and wide-ranging aspects of project risk management to be discussed, including topics that are often omitted or treated only in a limited way in other books.

Three aspects are of particular interest: how projects fit in with an organization’s purpose and objectives, how complexity affects project risk management, and the importance of people in making project risk management work well. These topics and their implications are discussed throughout the book.

Projects are not isolated, independent pursuits. They are often part of programmes or portfolios of organizational endeavour, usually developed and implemented as vehicles for achieving strategic and business outcomes. When viewed in this way, project risk management has many features in common with enterprise risk management. Similar processes and tools can (and should) be applied, so uncertainty is addressed in a consistent way across the organization.

Setting projects into their organizational context has several implications.

• Projects start as soon as a business need is identified. Project management begins well before the delivery phase, and so must project risk management.
• The objectives for a project are rarely as simple as good delivery: completing the project on time, within budget and to an acceptable standard of quality. They usually include much wider requirements that reflect the business need.
• The effects of uncertainty on objectives can be positive, negative or both. Project risk management must focus on capturing opportunities as well as reducing threats.
• It is important to distinguish between individual risks, usually of interest within a project, and the overall risk of a project, usually of interest at an organizational level. This requires processes that facilitate allocating priorities to risks, so project managers can make better decisions, and that also support a sensible integrated view of project risk for executive decision makers.

The complexity of an organization’s environment and the projects in which it engages influences how its projects are implemented. Increasing complexity has encouraged a move from linear and waterfall methods towards agile approaches to project management. David includes a chapter in which he discusses volatility, uncertainty, complexity and ambiguity, the way organizations adjust what they do to remain resilient in these circumstances, and the implications for how they manage risks.

This is an important discussion because there is little consensus about the best way to address risks in complex projects. Traditional, common-practice risk management processes alone are rarely sufficient. They must be adjusted and augmented, initially with techniques from other forward-looking disciplines such as horizon scanning, scenario planning and futures planning that support better risk identification, and then with approaches directed towards improving continuity, adaptability and resilience. Comprehensive monitoring and review processes are likely to be needed too, to support proactive identification of trends and changes that indicate when new threats and opportunities may be emerging, in a project environment that is evolving in unanticipated ways.

A strength of this book is the recognition throughout that project risk management is not a theoretical process. It must be implemented by people, and people are central to its success in practice. Start with the notion of risk as ‘uncertainty that matters’: while business objectives provide the main guide to what is important, it is people, with their individual attitudes to risk and their personal risk appetites, who determine how much a source of uncertainty matters and the priority it should be allocated when making decisions.

Attitudes to risk are intertwined with and influence many aspects of projects and the organizations that undertake them. The attitudes to risk of executives and project managers, and the leadership these people provide, create and shape a culture that is appropriate for the risks the project faces. This in turn drives the enthusiasm and energy project teams devote to understanding uncertainty and managing risk in their roles, and the way they integrate risk-related thinking into their day-to-day project activities.

This reinforces IEC 62198’s third principle: ‘Risk management is an integral part of all organizational processes associated with a project’.

Risk management is not a stand-alone activity that is separate from the main activities and processes of the project or the organization. Risk management is part of the responsibilities of project managers and of staff at all levels. It is an integral part of all the organizational processes associated with a project, including strategic project and investment planning, project management and management of project change.

This second edition of David’s book includes useful new material that addresses a wide range of recent changes in the evolving landscape of risk and projects. It is a succinct book that belies the breadth of topics it covers. While the focus is generally high-level, it contains a wealth of detail that will allow executives and project managers to tailor their risk management activities to the particular circumstances of their projects and the kinds of uncertainties they face.

This book is written in David’s typically clear language that is easy to read and understand. I strongly recommend it.

Dr Dale Cooper, Broadleaf Capital International

Cammeray, New South Wales

November 2023