Thamhein emphasized the importance of dealing with these risks early in
the project life cycle; however, he also
acknowledged the “enormous difficulties” of actually predicting the risk situations and understanding their systemic
complexity. He also noted that senior
managers rated the performance impact
of risks, on average, to be 30% lower
than project managers did—possibly
showing the higher expectations of the
project manager to manage perturbations and perhaps also revealing less
understanding of the cascading nature
of project risks.
Current Risk Management
Thinking and Practice
In this environment of complex proj-
ects, how are risks identified and man-
aged in practice? We use the term “risk”
here in the typical sense as relating to
any uncertainty that has an effect on
a project. We are not trying to look for
definitional distinctions, but recognize
two essential points. First, uncertain-
ties are a collection of both aleatoric
(i.e., those to which probabilities can
be objectively related) and epistemic
(i.e., those stemming from a lack of sufficient knowledge) with many combining
both aspects (Williams & Samset, 2010).
Second, risks might include “good”
opportunities as well as downside risks.
Risk management has become a core
part of project initiation and execution
since its formal recognition in projects
in the 1980s. However, the methods used
in practice still reflect the early reliance
on lists (or “risk registers”) of individual
risk items (Williams, 1994). The Project
Management Institute’s A Guide to the
Project Management Body of Knowledge
(PMBOK® Guide) – Fifth Edition (2013)
(which is an ANSI standard) in its lat-
est version makes brief mentions of the
existence of methods to deal with inter-
relatedness. In the United Kingdom, the
Association for Project Management’s
Project Risk Analysis and Management
Guide (2004) has an appendix on the
issue but later publications, including
their guide on Prioritising Project Risks]
(Association for Project Management,
2008), are clearly geared toward under-
standing and prioritizing individual
risks. Leitch (2011) points out that ISO
31000 offers no recommendations on
aggregating, splitting, or combining
risks. Indeed, an influential review risk
management standard in 2005 made no
mention of risk combinations (Raz &
Hillson, 2005). These standards do not
actually prohibit more systemic think-
ing. However, Hodgson’s (2002) Fou-
cauldian analysis shows how, although
More
rework
Tight
timescale
More
parallelism
Activities more
co-related
Activities
take longer
Design
change
More work on
unfrozen items
Delayed
system freeze
Figure 1: Generic delays in the Shuttle project.