Establishing the right risk culture

August 02, 2022
James Arrow


The only thing that is certain is change!

The ancient Greek philosopher Heraclitus is credited with the saying that “life is flux” or, to paraphrase, the only thing that is certain is change. Despite that being ancient wisdom, good memes are clearly not embraced by everyone!

How many of your project teams develop cost or schedule estimates using only certain, deterministic, single-point values? Working like that today is much like trying to erect steelwork without a safety harness. It is not best practice or well respected by your industry peers – in fact it is outdated and reckless. Alternatively, are your project professionals comfortable discussing funding requirements in more meaningful, probabilistic and uncertain terms? Are your project managers comfortable reporting the key risk drivers that influence the chance of their project’s success? Doing so, during an imminent period of tumultuous change, could make the difference between project success and business failure. Budgeting in uncertain terms is not only wise: private companies and public organizations recognize it as a fiduciary responsibility, to shareholders and taxpayers respectively.

The evolution of risk culture

Culturally, over the past century, we can see that the construction industry has evolved. For a moment, consider the iconic photo, taken in 1932, of construction workers pausing for lunch as they erect the steel frame of the Rockefeller Plaza in New York City. Modern-day construction workers are distinguishable from those of old: they are formally obliged to wear safety hats, safety shoes, safety harnesses and high-visibility clothing. Policies and site safety culture have changed for the better.

At a broader, societal level, attitudes to risk have evolved too. Over recent decades, social norms have evolved so that drink-driving is not acceptable. You may hear that distracted driving is the new drink-driving, or that sitting is the new smoking. The message here is that, like genes, memes, ideas, attitudes, and culture all evolve. When it comes to project management though, do your colleagues have the mindset to recognize that cost and schedule risk is as much their responsibility as health and safety is?  


Risk management is everyone’s business

A wise person once said, risk management is too important to be left to risk managers alone. Risk management, no matter the type of risk, is everyone’s business. To be clear, it is in the best interests of everyone on your team to do all they can to manage cost or schedule risk within their sphere of influence. Do you have the risk management culture or tools to support that approach?

With the wrong risk culture, risk management can become a checkbox exercise. Similarly, when there are low levels of risk management capability, teams often confuse risk analysis with risk management. In their 2021 book, “Risk: A User’s Guide”, authors Stanley McChrystal and Anna Butrico neatly sum up this common pitfall with the phrase, “The greatest risk to us is us”. Stan and Anna clarify by explaining that, too often, project teams fixate on the probability of risk rather than the nature of our vulnerability. While effective risk analysis is a critical first step, a more effective risk culture is one where team members take follow-up action to proactively manage risk.

Identifying ownership of and accountability for risk management

Within highly capable or effective teams, all people possess common awareness of their shared exposure, and are able to report who is best placed to take action, and by which date or moment in time. Any issues concerning ownership, engagement and accountability are transparent and traceable.

In this context, it can be appreciated that risk culture and attitudes are the foundation from which all team actions are formed. Establishing and maintaining an effective risk culture provides the groundwork for performance capability multipliers, which we describe in our Improving Project Performance blog post. However, while this is a critical first step, establishing the conditions for team members to do the right thing is notoriously difficult, as I set out in part two of this series: Promoting a Discovery and Growth Mindset.

This issue was laid bare in the aftermath of the financial crisis in 2008. At that time, there was an enlightening piece written in The Economist titled “Confessions of a Risk Manager”. The article highlighted the fact that the organizations which survived that period of disruption were those that saw value in risk controls that provided good governance. In contrast, where there were pervasive risk control failures, “Psychology played a big part”. Within banking, “Traders saw [risk managers] as obstructive and a hindrance to their ability to earn higher bonuses.” This drove bias and deeply ingrained flaws in decision-making processes. Risk management responses were half-hearted. In contrast to the law, where two parties have equal ability to make an argument that is fairly judged, banks have shown bias towards the business line, with a focus on getting transactions approved rather than identifying and managing risk. Risks were a small part of the assurance process and reported as “always ‘mitigated’”. “Risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers” and “Collective common sense suffered as a result.” These cultural or psychological hurdles remain for many and are best tackled by employing risk processes, systems and tools that facilitate good governance.

Risk management as part of the fabric of every organization

In my Improving Project Performance blog post, I described hearing Dr David Hillson rally our project risk management community at the 2008 PMI conference. He was calling for us to get behind a universal risk standard (which became ISO 31000). He also said one other thing that stuck with me over the years: “Risk management is not a bolt-on solution. It must be built-in to all that you do.” This profoundly wonderful insight can be employed to your benefit, and is discussed further in my blog post entitled Stakeholder and Change Management. For now though, I shall close by restating that project risk management is much more than HSE (health, safety and environment). Project risk management should be employed to treat any uncertainty that may impact project objectives or business goals, at any lifecycle stage.  

In a world that is increasingly volatile, uncertain, complex, and ambiguous (VUCA), all risk analysis and project risk management processes have to be tightly and inseparably interwoven. Over the years, project personnel have demonstrated that they are capable of better managing HSE risk, but not everyone is incentivized to go the extra mile. Are you a senior leader in the construction and engineering industry? Have you equipped your project management delivery teams with best-in-class tools? Empowering your teams to effectively manage cost and schedule risks within their sphere of influence offers you the opportunity to improve the chances of project delivery success and give your organization a risk-based competitive advantage. Reach out and contact us if you need a trusted advisor to help you explore these ideas further.
