Risk Management - Delusion, Illusion and Reality

Can we really manage risk, or do we delude ourselves by going through the

prescribed activities of 'risk management' giving the illusion that it's happening? Is
risk management merely a hypocritical ritual and applying some science to fate
through statistical mumbo-jumbo, decision trees, and quantitative analyses?
Let's consider the abandonment of NASA's space shuttle program caused by two
catastrophic crashes as a consequence of 'O' rings, insulating foam coupled with
complacency and poor decisions. Complacency was evident when NASA stated,
“nothing bad has happened yet” and "NASA came to accept that" indicating a 'wait
and see approach' rather than proactive intervention.
Closer to Earth we had the Deepwater Horizon explosion in 2010 that resulted in
multiple fatalities, an environmental disaster and a bill to British Petroleum in 2018 of
over US$65 billion. At the time ‘it’ was attributed to a "series of complex events,
rather than a single mistake or failure." The sad truth is that the events did happen
and recognised risks became ruthless reality.
If major organisations fail in their management of risk how can risk management live
up to its allusion of offsetting project failure, can risk really be managed?
Delusion
Risk management is addressed in Project Management bodies of knowledge,
international codes of practice and sometimes national standards. Some of the latter
advocate caution in a world of optimism bias. Some Clients demand that risk
registers are produced and risks are tracked and reported against. The 'top ten' risks
are then discussed sagely and opinions are shared and recorded. And if things do
go wrong the latter-day soothsayer can always say, retrospectively, "I told you
so"...which is far from being proactive.
Going through the motions of risk management gives a veneer of compliance and
'ticks the boxes'. Management audits will then show that processes are in place
giving an impression that 'risk management' is being carried out.
Risks will be identified, quantified, classified and regularised and a project team may
start to believe their own bull. Such belief breeds complacency and self satisfying
behaviour which results in an internal belief that risk has been contained under a self-
induced veil of delusion.
Illusion
Risk management would have us believe that risks may be transferred, treated,
terminated or taken. But taking on any venture we are 'taking' on risks, including the
risk that we believe others are taking risks for us. "It's a risk to try and be a success'
said Somerset Maugham. If we believe that it's only our risks that are important we
create a false impression of security that somebody else will be diligent with theirs.
‘Risk owners' will be assigned but this doesn't necessarily mean that ‘their’ risk will be
managed. Magicians use smoke and mirrors, and sleight of hand but in projects we
are exposed to puffery and overconfidence giving the illusion that such-and-such is
best suited to control our risk through a false sense of security possibly created by a
delusion on their side that they can manage risk.
If these “Others” then realise their risks then they will need to communicate the
problem. However, and all too often, they will initially declare that everything is under
control and, infamously, “nothing can go wrong”. The project team, under an illusion
that risks have been transferred, can then say with naive impunity, "It's your problem
and not mine". Illusion may well fuel delusion.
Reality
NASA and BP along with many other organisations such as Bearings Bank and
Union Carbide have experienced spectacular and catastrophic failures despite their
risk management systems in which they believed. Their approach to risk
management did not work and identified risks were ignored. Organisations must take
risk if they want succeed or possibly just survive, and risk, just like change, is
inevitable. But why are risks repeatedly ignored knowing that failure is highly likely?
A case in point was development of the multi-billion-pound T5 Terminal for London's
Heathrow Airport. The Owner of the project adopted a unique and, to date, a never
repeated procurement model with a total approach to risk management. A
collaborative culture in a partnering environment was created obviating many
construction disputes and reducing costs. This proved to be hugely successful
during the construction phase. Unfortunately, the opening day was disastrous as
'known risks' associated with baggage handling were allowed to 'happen'. This cost
GBP16 million in five days causing a "national embarrassment" and a parliamentary
enquiry.
Colin Powell said, "Don't let adverse facts stand in the way of a good decision" but
‘adverse’ and ‘good’ are matters of individual opinion. No matter what any risk
management process tells us or what a Monte Carlo simulation indicates it is the gut-
feel and opinion of the frail human that drives decisions. The 'reality' of a risk is in
the eye of the decision maker rather than the position of a risk within a risk register.
Conclusion
Humans are the decision makers and regularly override the 'facts' that risk
management identifies or forecasts. These decision makers may well be deluded
into thinking risk will not affect them or be under an illusion that somebody else will
be responsible and accountable.
Unfortunately, when a risk does happen there will be a realisation that something
went wrong and, inevitably, discovery that somebody related to Mr Murphy had
recognised that it could have happened. As NASA's chairman said regarding after a
space shuttle tragedy, "Obviously, it was wrong, but that is hindsight"; as we should
all know, hindsight is 20-20 vision.
"One man's risk is another man's opportunity" goes the saying and somebody
somewhere will take a chance on that risk, even if they know the consequences and
probability. But the question still remains, "Can we really manage risk?" or is it just a
sad fact that people can’t be managed!