David Hillson has a wonderful knack for making the complicated and complex easily understandable. In this post from GpmFirst, he explains simply and clearly why risk management needs to be an iterative process and what happens if you rely on static risk registers.
Why Risks Turn into Surprises
The risk process aims to expose areas of particular uncertainty and indicate the best path to follow, yet the future still brings surprises, both good and bad. David Hillson describes four reasons why it is not possible to identify all risks in advance.
It is often said that successful risk management should lead to fewer surprises. Risk management acts as a ‘forward-looking radar’, scanning the uncertain future to identify things which might pose a significant threat to be avoided or an important opportunity to be explored. Even though it may not be possible to discern every last detail of the uncertain future, the risk process aims to expose areas of particular uncertainty and indicate the best path to follow.
Despite this aim, the future does still contain surprises, both good and bad. Some future uncertainties seem to be unforeseeable. There are four reasons why it is not possible to identify all risks in advance.
- Some risks are inherently unknowable. These are the true unknowns, where uncertainty lurks hidden in the future, unperceived by everyone until it strikes and delivers its surprise impact. In fact it might be true to say that these ‘unknown unknowns’ are not actually risks, since they are essentially invisible to the risk process. It is as if they don’t exist until or unless they happen, when they are no longer risks but they are either unexpected problems or unplanned benefits.
- Other risks are time-dependent, and only emerge with the passage of time. The ‘risk radar’ can only see a limited way into the future, and some risks exist below the time horizon. It may not be possible to identify such risks until later on, when they are closer in time. Until they rise above the time horizon they will remain hidden and unidentifiable.
- Some emergent risks are unforeseeable because they are progress-dependent. They cannot be identified until progress has been made. If a risk exists at the back of a building, I cannot discover it until I walk round the building and gain a new perspective. While I am standing in my current position at the front of the building the risk is invisible. Similarly, some integration risks may not be visible until coding and testing is complete.
- The last group of risks which can remain hidden from the ‘risk radar’ are response-dependent, also known as secondary risks, which only appear when action is taken to respond to an existing risk. Until action is taken these risks do not exist, so of course they cannot be seen before the response is identified.
With so many ways in which risks can be hidden from our forward-looking radar, it seems that risk identification is doomed to failure, since we are unable to identify unknowable risks, emergent risks or secondary risks. This is why risk management is not a single-shot process, but must be repeated on a regular basis. Risk identification should aim to identify all knowable risks at this point in time, recognising that some risks are currently hidden from sight. Identifiable risks should be assessed and appropriate actions should be developed. But the risk process must be iterative, coming back to identify risks which have become visible since the last time. This will include risks which have emerged with the passage of time and as a result of progress made, as well as secondary risks arising from implemented responses.
Unfortunately, risks which are inherently unknowable will always be able to surprise even the most expert user of the ‘risk radar’. But routine updates will minimise additional surprises from risks which are unforeseeable today but which become visible later.
First published by David Hillson at www.risk-doctor.com 2005.
Read David’s published books on GpmFirst and share your techniques and stories for effectively managing risk.