Right-sizing risk management

Between the knife and the sledgehammer.

Estimating the scale of a change or project is notoriously hard, and yet, it's important to 'right-size' your approach.

When considering this, a number of key questions need to be answered: how flexible are aspects like timeframes, budgets, and outcome requirements or specifications? How comprehensively planned, documented, resourced, managed, and governed should it be? How important is the project to us? 

How risky is it?

All of these questions are important and set projects up for success … or failure. 

But it’s that last one, and the implications for risk management and mitigation, that I want to focus on. Both small businesses - which tend to have an elevated appetite for risk, and corporates - who tend to be the opposite, should be able to see how this focus supports finding an approach which is the right-size for your business.

As we explore this, there are a couple of quotes which come to mind:

“Never bring a knife to a gunfight”, and
“Don’t use a sledgehammer to crack a nut.”

We want to find the sweet spot between the knife and the sledgehammer.

‍Risk: mitigation vs management 

What you invest in a project or change is often proportional to the risks you can accept. When this plays out in businesses, the terms “risk mitigation” and “risk management” are often used interchangeably.

But they are very different.  

Risk mitigation describes efforts to remove or at least reduce an identified risk either in terms of its likelihood of occurring and/or the severity of its impact should it occur.

Risk management on the other hand is all about identifying and understanding the landscape of risks present in an endeavour, defining an appetite for these risks, and then managing our responses to fit that appetite.

Regardless of whether you’re mitigating, minimising, or simply tolerating risk, the key is to understand and agree your appetite for that risk.  This is crucially important because managing risk is always a game governed by the law of diminishing returns - the more you want to control risk the more you need to invest.  As we try to bring risk closer to zero the investment required tends to increase exponentially.

As important as it is, defining the appetite for risk is often overlooked or not made explicit.
Let’s change that.

‍Over-mitigating project risk

When we undertake a business project we’re seeking a set of outcomes from an investment of time and money.  The more we try to de-risk a project, the less we have to invest in pursuing the desired oucomes of the project itself.

Over-mitigation (the sledgehammer approach) is essentially failing to manage risk to an agreed appetite.  This may be because there is no agreed appetite or because the project team isn't working properly to it.  This may include behaviours like:

• Over-documenting / too much project administration.
• Difficulty making decisions - too much passing up the chain of command or creating too many governance-gates (with all the time-consuming writing of briefing papers this involves…).
• Limited ability to incorporate or react well to changes in the project landscape.

As business owners, senior leaders, project or programme sponsors, members of steering groups, etc., it is tempting to rigorously mitigate risk and leave as little room as possible for things to go wrong.  To be sure, this approach, often favoured by large advisory organisations and corporate entities, almost always delivers a strong outcome in terms of mitigating risk…but at what cost?

The consequences of over-mitigation can be many and varied but a few themes are easily identified:

• The project is expensive and may, sometimes significantly, exceed its budget.
• The project duration can stretch out considerably (this tends to put further pressure on the budget) - in some cases this can lead to projects being cancelled as not enough is actually delivered, within an expected timeframe and budget, leading the sponsor to withdraw their support.
• Opportunities to adapt the project can be missed - a good example of this is when we’re dogmatically specifying system requirements to fit an existing process we may miss the opportunity to actually improve the process by taking advantage of better system functionality.
• Accountability for making risk-related decisions is avoided - the "not on my watch" effect. Decisions are passed up the chain with all the attendant time and cost this involves.

‍How can we do this better?

The key here is to right-size our approach.  This means clearly understanding what we are trying to do and the various ways this might be achieved, the risks associated with our chosen approach, and maintaining a focus on keeping the cost - benefit calculation in our favour.

In more practical terms: 

• Start the project with a risk workshop where the actual appetite for risk is considered and agreed as well as the more usual focus on identifying risks and mitigants. To ensure this workshop serves its purpose it is essential for appropriate decision makers to be involved and to define and agree where the buck stops and ensure they are actively involved in the ongoing task of managing risk.
• Consider dispensing with a layer of governance - as a business owner or senior manager this might mean participating in the regular project meetings - rather than needing a steering group or project manager to spend a lot of time writing reports and waiting for decisions to be made.
• It may mean less rigorous documentation where the need to “dot every i and cross every t” is replaced with a more minimum viable solution type approach.  
• Being comfortable relying more heavily on the experience of the team involved to make good decisions “on the fly”.  Similar to a delegated financial authority structure most businesses will be familiar with - this requires clarity for all involved, a sense of empowerment and a tolerance for people making decisions that may not align perfectly with what we may have done ourselves.
• Having an expectation that by allowing for more risk, more things will go wrong - this is unavoidable. This is offset however by an increase in project efficiency and supporting an environment that fosters more creativity and innovation - often leading to better project outcomes. By paying close and ongoing attention to the likelihood and severity of risks we can control the likely consequences and ensure that these fit within our appetite.

The key here is in finding the right balance between the knife and the sledgehammer.  Like most questions of balance it tends to be found through a combination of experience and intuition.

At Redvespa we’re adept at right-sizing our approach to match the outcomes our clients desire, the resources they wish to commit, and their appetite for risk.  If you’re keen to make a change in your business but are concerned that the cost of doing so might outweigh the benefit, have a chat with us and let's talk through what the options might look like and how we can keep that all important cost - benefit calculation well in the positive.