Companies that seem to understand the necessity of risk-taking are sometimes prone to the following strange behavior: They try to emphasize positive thinking by ignoring the possible unfortunate consequences of the risk they’re taking. This is an extreme variant of the can-do attitude. After all, risk awareness involves at least a bit of can’t-do thinking, they reason, so it can’t be good. In order to stay positive, they steadfastly refuse to consider much of the downside. If there are things that could go wrong that would make your project a total fiasco, for example, they would just have you not think about those things at all.
Now, nobody is so stupid as to ignore all risk. When people do this dumb thing, ignoring risk, they do it selectively. The way it typically works is, they take elaborate care to list and analyze and monitor all the minor risks (the ones they can hope to counteract through managerial action) and only ignore the really ugly ones.
- As a member of the Airlie Council, a Department of Defense (DoD) advisory group overseeing government software acquisition practices, I sometimes sit in on risk management briefings. I was particularly interested to see how one project that I’d been following from afar would deal with what I viewed as a truly daunting risk. Because it was building software to replace a Y2K non-compliant system, late delivery would be a real disaster. And I had heard that the code to be delivered was nearly six times larger than anything the contractor had ever been able to build in the time allocated for the project. The daunting risk was that the project would be late and leave the organization with no workable alternatives.
- When the project manager produced a list of his key risks, I was surprised to find that not one of them had to do with schedule. In fact, the major risk in his estimate was “PC performance,” the fear that the current configuration would not have enough horsepower. “But hey, don’t worry about that one,” he told us. “We have a plan for that, a beefed-up configuration.” I quickly came to understand that if he didn’t have a plan for how to counteract a risk, then he ignored it.
This is hardly a formula for sensible risk management. If you’re going to run toward risk instead of away from it, you need to keep both eyes open and firmly focused on what’s ahead.