A Conversation With:
Head of Data Informed Transformation at Chaucer
Risk information is essential for successful project management, and the quality of its communication can mean the difference between a project being delivered on time and within budget and failing to do so. But traditional risk management has commonly fallen into the trap of compartmentalizing different areas of the organization and separating risk from project management or other business activities.
At worst this can lead to miniature, self-sustaining cultures of risk practice all working independently of each other.
Communication of risk is vital, especially when a business is working in silos, but all too often risk messages are not given the priority they merit or are simply not properly expressed – exposing the business to levels of risk that could have been easily lowered, or even entirely mitigated.
We got together with Thomas Fletcher, The Chaucer Group’s Partner, Head of Data Informed Transformation, to discuss where businesses are going wrong with risk communication and how they can improve.
His experience includes Oil & Gas, Telecommunications, Public Sector, and the B2B Services Sector.
Thomas spent a year as the Head of Programme Risk Management for the development stages of the UK’s largest infrastructure investment in transportation.
Their team are all specialists in their fields and approach every engagement from the client’s perspective and as part of the client team. It’s a formula that’s been working since 1987.
TF "Whether it’s 8 by 8 matrices, the standard 3 by 3 ‘High Medium Low’, or systems with operational and business risk compartmentalized, most clients already have lots of different ways of capturing data in relation to risks.
But they tend to lack a way of actually communicating their findings, so generally, any data will just go into a standard report that never really gets changed and may not even be looked at.
You can have the most robust of risk frameworks but still be operating in silos."
TF "When a risk event occurs, because something adverse has happened, I tend to find that many clients end up going back and conducting a review of why it happened, and what they will do differently in the future.
But how many of those lessons actually translate into carrying out preventative measures for the future and revised ways of working?
Businesses will sometimes start a project with a risk assessment, but it doesn’t necessarily get refreshed and updated during the lifespan of the project. Or they can get the scale wrong at the beginning – for instance, they might dive into unnecessary detail when taking a strategic view or go strategic when a more detailed approach would be more appropriate.
It’s about getting the right balance of approach, during those initial risk assessments, especially for more complex or longer-term projects. Infrastructure projects are a classic example.
All too often, you’re at the beginning of, say, a five- or ten-year infrastructure program and an engineering consultancy has already generated 150 risks; however, the design maturity is not there, or the project still requires strategic buy-in & commitment to inform the decision.
The rough idea will be there, but it’s often not pertinent to make decisions at that time.
You might be able to collect lots of data from a risk assessment – and there can be something quite comforting about collecting volumes of data. But it’s the wrong kind of comfort; merely having a good deal of data doesn’t mean you know what’s truly going on or necessarily give you the insight you need to make the right decision.
Sometimes businesses expend a lot of energy on building a strong strategic view, but they don’t consider how they are actually going to manage this strategy or engage the supply chain in it.
So it tends to be that the biggest problem is choosing the right approach for the risk assessments and pitching them at the right level for the point that the project or program is at in the business life cycle."
TF "Too many approach it from a ‘bad things are going to happen’ perspective.
In any project, things can, and will, go wrong and cause an adverse risk event to occur. Knowing this creates a danger of focusing on what you will do if that happens, rather than on the activities that need to be completed and timely decision-making to ensure the best possible outcome of the event you are managing.
The influence of risk management on delivering successful project outcomes hasn’t changed as the well-publicized project success rate hasn’t changed in years.
With the industry debating among itself what we have to do to move forward. Risk functions haven’t had great success with clients in gaining senior-level commitment to actually take action off the back of what they are presenting from a risk perspective.
Everyone knows they’ve got to have, as part of good governance, a risk and audit committee, risk data collection, and group-level and divisional risk registers.
But why, if it is not changing the decisions that are made?"
TF "Many businesses feel that they have to ‘do’ risk, including collecting data, but it’s motivated by a sense of obligation, and therefore rarely impacts business and project performance and outcomes.
So you’ve got 100 items on your risk register – so what? The important thing is to understand what you are actually aiming for. What’s the event you’re trying to deliver successfully or prevent from going badly?
If you can articulate that, suddenly risk becomes real. People will understand it as part of their day-to-day job. And it is. Project and program management is risk management. The two are separated in terms of capabilities and professions, but they’re actually aiming to deliver the same outcomes and benefits."
TF "Once you strip away this idea that project management and risk management are two separate things, it becomes far easier for those outside the risk “sphere” to recognize it and incorporate it into their worldview.
Again, this can come down to taking a step back and revising the way you look at risk.
Taking the view of “what is it we’re trying to do, and how do we successfully achieve it, maximize the opportunities to deliver the project outcomes and benefits.”
It also starts to prevent, or minimize, the things that could go wrong and allows risk to become part and parcel of the way everyone works."
TF "People tend to deal with risk well when they have the authority and knowledge – and almost comfort – to feel assured that, if something does happen, they can deal with it and don’t have to look elsewhere for help.
It’s when risks span the organization or an individual’s sphere of control that problems usually arise. The person who identifies a risk or issue may not want to share the burden or lose autonomy, or, worse, they may be unaware that something they’ve recognized within their function or area is having a downstream or upstream impact.
And when they do realize, they don’t know how to communicate that effectively."
TF "There can be a mentality of “Oh no, we can’t give this a risk score of 20 – that requires escalation. Can we make it 18 so the level stays on ‘Amber’, and we don’t have to escalate?”
This is often driven by the rigid structure and scoring employed by many organisations, which dictates that anything over a certain risk exposure score must be reported.
These reports often go ‘all the way up’ as a rule, heightening the pressure to ensure these risks are ‘really’ urgent or under evaluated."
TF "A risk can have a high score in the context of a project but may not really be relevant to a wider program. It’s a good example of why it’s important to get the balance right when communicating risk.
In this case, escalating the risk would be pointless; those working above the project level will not be interested in project risks and will expect you to just deal with it.
If you don’t need somebody to do anything about it, why are you communicating it? You should be informing people of the potential requirement to act in the future, so there are no surprises.
However, you also need to give them confidence that you are managing everything and understand the necessary triggers for them to take a more active role in managing the risk.
These sorts of issues can contribute to the culture of fear around risk reporting. You get burnt because you report something but nothing happens or your report creates unnecessary fuss or irritation.
But this can lead to reluctance to flag or escalate issues that really do need further attention.
Personal bias is another unfortunate but natural reality. Risk reporting is very much driven by personal bias – removing some of that bias and moving towards a more objective approach should be an occupational goal for everyone.
But it can be difficult because you’re always looking from your personal perspective. When it comes to risk communication, that tends to mean that everyone’s behavior is always at least a bit colored by thoughts such as, “if this gets communicated how does that make me look?” or, perhaps the belief that you can manage certain risks alone, so you allocate quite low scores, when really you should be evaluating at a higher level.
Scoring is really there as a guide and to flag things up, but, in practice, it can actually make things more difficult. Really the focus should be on the decisions that you make after scoring and the actions you take as a result."
TF "Often I see issues, not with the level of priority clients put on the communication but with the way that they are choosing to communicate.
Sometimes you’ll see it given the appropriate priority, at least in theory, such as ensuring that the employees dealing with risk give a monthly update, but the tools to get the most out of the opportunity are missing and the employee can’t properly articulate their update.
Issues can arise from the context of the messaging and the story that it’s trying to tell, or from failing to understand and address the impacts on all the environments the business is operating in.
Often, the intentions are right, but, if the method of communication is wrong, people switch off and the message is missed. Risk communication can just become a tick in the box, and even the most well-planned processes add no value to the business."
TF "Unless they’ve got a natural interest, it tends to be something that people just ignore, but, in reality, everyone is actually managing risk – those at the upper levels of business more than most – they just don’t understand it as such.
Risk management actually happens every day, quite naturally.
It can be something as simple as deciding whether to take the stairs or the lift when carrying a heavy load. Everyone in an organization is likely to be carrying out some degree of risk management and communication but many will be working without the frame of reference to understand how their own work pertains to Enterprise Risk Management (ERM).
Most people will have a very personal view of risk and so manage it in a very personal way – based on their own career aspirations and personal drivers as opposed to organizational drivers; the two might be aligned but often aren’t.
But if you can make your organizational risk communication relevant to your audience, including the upper echelons of the business, they will see the value in it and be able to understand it."
TF "We thought we’d utilize the bowtie framework because such a large proportion of the Operations community was involved in the SAP deployment program.
But when it came to beginning to implement the bowtie approach, it emerged that people were struggling to apply the model in the business environment, due to the complexity of the relationships between threats, controls, mitigations, and consequences."
TF "It’s a good example of risk management and communication executed poorly – the client had a great methodology for managing risk but just didn’t actually apply it or understand how to put it into the right context.
But once we’d done that, suddenly, not only did the senior leadership take notice, but everyone who was involved.
In the programme we had participants from four major functions – procurement, ops, finance, IT. To put software live, or make a business go live on that software, we had to get at least twelve groups working together to manage the risks of doing so.
We found that once we tied risk management and communication back to the business’s ability to get oil out of the ground, they started to become engaged.
Once the understanding of what the risk was really about and how the ‘bowtie’ works was instilled, the project became simple.
We only ever managed two risk events – we didn’t worry about communicating traditional programme risks and risk registers, because ultimately what would cause success or failure of the programme was managing these two events on an ongoing basis.
The first was bringing a whole new business unit live onto the solution; the second was upgrading – every time the solution was upgraded, you posed a risk to everyone already using the system and of creating an impact on the business’s ability to operate safely and effectively.
As long as those two events were managed, with nothing adverse happening, the programme was viewed as a success and you started to realise benefits a lot faster because of the adoption of this way of working.
With that client: once we’d got it hooked into the mainstream of the business and articulated the programme risks in a way that not just the programme team understood and had a vested interest in avoiding, but also the people on the other side, the recipients of this way of working, also had a vested interest in making it work.
As soon as you get that, it becomes less about risk management than about everybody working together to deliver the right outcome. But it was all based on that risk model and driving that change in attitudes – once it got traction it became the standard way of working."
For risk communication to succeed it needs to be understood as a different angle of project and program management.
Thomas has found that, in practice, you don’t necessarily have to have been trained or qualified in risk; you just need the right approach and understanding of how to manage it. How you access the data and present that back is key.
When a risk is communicated well, that’s usually because it is articulated in business terms, rather than risk terms. Even with the best data and expertise, if you present your findings poorly the audience will find it dry and boring, or even fail to understand, and the reaction will be “done, move on”.
If you can create a culture in which risk and project management are understood as two sides of the same coin and present your risk communication in a clear and engaging manner, then the battle is halfway won.