Why are we typically so ineffective in performing project risk management? Why, in spite of all of our smart people, great tools and extensive experience are we continually surprised and impacted by things, we realize in retrospect, could have been anticipated and mitigated? These are questions that interest me greatly and have motivated me to learn more, think critically and now blog on this important topic.

There’s been a lot of great work done to help us better understand, and effectively implement risk management into the planning and execution of projects. In particular, Dr. David Hillson, aka “the Risk Doctor” has made huge contributions to our body of knowledge, and methodologies for successfully implementing risk management. His work has been, and continues to be, a source of great insight and inspiration for me and many others. If you’re seeking practical and valuable knowledge, training or advisory services on risk management, I highly recommend that you go to the Risk Doctor web site and check out what he has to offer.

Dr. Hillson talks about “Principles”, “Process” and “People” as the three key elements of risk management. The “Principle”…”Risk is uncertainty that matters” (quote from Dr. Hillson), establishes the foundation for the “Process” which provides an implementation framework, which is executed by “People”. It’s the “People” aspect of risk management implementation that is typically the most variable and problematic on a project, and the area I’d like to explore in this blog.

Dr. Hillson says, and I would certainly agree based on my experience, that the risk management competency of the “People” on a project team is a function of the culture; their understanding of, and effectiveness in, applying the risk management process, and the extent to which they have applied learning from past experience, both good and bad. Where my views and those of Dr Hillson and other risk management experts differ a bit, is in the prominence of the role of knowledge management in project and risk management. Although most experts in this field acknowledge a role for knowledge management within the risk management process, it’s obvious, and I suppose understandable, that they consider it to be supplementary rather than central. I on the other hand believe that project management and risk management are part of a more holistic and central knowledge management process. I also believe, and I’ve stated in past blogs, that thinking of risk in a larger knowledge management context might help project managers and their teams be more effective in handling the “People” element problems that today constrain the effectiveness of project risk management.

My “knowledge centric vs. risk centric” thinking goes like this. If the Project Plan represents the knowledge that must be applied to achieve the project objectives…and if risk is the uncertainty that matters in the knowledge that makes up the Project Plan,…then project and risk management work must be knowledge management activities. I know this is a gross simplification of the overall responsibilities of project and risk management, but I think the fundamental conclusion is valid.

The figure below illustrates my thinking on how project risk management competency and awareness maps across the knowledge domain. A complete project risk management plan must address all of the domain quadrants: Known-Knowns (KK); Known-Unknowns (KU); Unknown-Knowns (UK) and Unkown- Unknowns (UU). For each quadrant I’ve shown a few of the kind of questions that our people should be asking themselves as they build their risk register.