One of the critical knowledge areas learnt and practiced in project management is Project Risk Management. Lack of such knowledge compromises the probability of project success. Most other research papers will list lack of, or poor, risk management among the litany of reasons for project failure. Project management is a very risky business due to the uncertainty of the next minute, hour, day, week and year. Proactive risk management is crucial, more so these days when the business environment is ominously fluid due to the advent of digital disruption and cyber threats. Project Management Institute’s (PMI) ‘A Guide to Project Management Body of Knowledge’ (PMBOK 5th Edition) defines Project Risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality.”
The Association of Project Managers (APM) states that a risk is “an uncertain event or set of circumstances that, should it occur, will have an effect on achievement of one or more objectives” – APM Body of Knowledge 6th Edition. Add to this the modified Murphy’s Law: “Anything that can go wrong will go wrong, if not managed.” The PMI definition is preferred because it balances both the pessimistic ‘threat’ and the optimistic ‘opportunity’. History is fraught with cases of project failure due to poor risk management. A classic example of a project that poorly managed risk is the oft-mentioned Titanic, which took 4 years in development and only 4 days at sea.
The ‘unsinkable’ Titanic set sail on April 10, 1902 with about 2,229 passengers on its maiden voyage, but sank 4 days later with a loss of over 1,500 lives (68%) who could not be saved because of lack of risk management. Very recently Maersk, the Danish shipping giant, reported in a press release on 16 August 2017 that: “In the last week of the quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco.
Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect the cyber-attack will impact results negatively by USD 200-300m.” This was the ‘NotPetya’ malware, which attacked a number of global giants on 27 June 2017. Maersk did have risk response plans in place, e.g. information security measures, but alas these were not enough. Risk management entails the following 6 processes (PMBOK 5th ed.):
- Plan Risk Management
- Identify Risk
- Perform Qualitative Risk Analysis
- Perform Quantitative Risk Analysis
- Plan Risk Response
- Control risks
These processes involve coming up with a risk breakdown structure (RBS), a tool used to identify risks, which are then assessed and prioritized using the probability/impact matrix. The risks are then detailed in the Risk Register, a document which lists the risks, their probability × impact ranking, potential risk response and responsibility. The result of these processes is the implementation of an elaborate strategy as follows:
- for opportunities (positive risks) – exploit, share, enhance, or accept;
- for threats (negative risks) – avoid, transfer, mitigate, or accept.
Going back to the Maersk example, their response in the A.P. Moller – Maersk Interim Q2 Report, August 2017, was: “Information security has a high business priority at A.P. Moller – Maersk. This cyber-attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and antivirus were not an effective protection in this case. In response to this new type of malware, A.P. Moller – Maersk has put in place different and further protective measures and is continuing to review its systems to defend against attacks.” In other words, their risk response had been inadequate as they were caught unawares.
It cost them $200m-$300m. To conclude, I ask: if international giants, the likes of Maersk, can be exposed to risks, what about local Zimbabwean giants in the telecommunication, banking, insurance, retail, manufacturing, mining and construction sectors, not to mention the public sector? I pose two straightforward questions to the executive reader: “Are you performing Risk Management in your organization?” and “Do your project managers inform you about risk management through a risk register?”
If your answer to either of the two questions is “No,” then the unmodified Murphy’s Law applies. My advice is: train your subject matter experts so that they become ‘au fait’ with project management best practice, and institute an enterprise-wide risk management framework in your organization regardless of its size.
Engineer Tororiro Isaac Chaza, PMP





