Extreme Risk Taking is Genetic……

A recent 2014 scientific study, Going to Extremes – The Darwin Awards: sex differences in idiotic behaviour  highlights the need for gender diversity.  The class of risk studied in this report is the idiotic risk, one that is defined as senseless risks, where the apparent payoff is negligible or non-existent, and the outcome is often extremely negative and often final. The results suggest that having an ‘all male’ or male dominated decision making group may be a source of risk in itself.

Sex differences in risk seeking behaviour, emergency hospital admissions, and mortality are well documented and confirm that males are more at risk than females. Whilst some of these differences may be attributable to cultural and socioeconomic factors (eg, males may be more likely to engage in contact and high risk sports, and are more likely to be employed in higher risk occupations), sex differences in risk seeking behaviour have been reported from an early age, raising questions about the extent to which these behaviours can be attributed purely to social and cultural differences. This study extends on these studies to look at ‘male idiot theory’ (MIT) based on the archives of the ‘Darwin Awards’. Its hypothesis derived from Women are from Venus, men are idiots (Andrews McMeel, 2011) is that many of the differences in risk seeking behaviour may be explained by the observation that men are idiots and idiots do stupid things…… but little is known about sex differences in idiotic risk taking behaviour.

The Darwin Awards are named in honour of Charles Darwin, and commemorate those who have improved the human gene pool by removing themselves from it in an idiotic way (note the photographs are both of unsuccessful attempts to win an award).  Whilst usually awarded posthumously, (the idiot normally has to kill themselves) the 2014 The Thing Ring award shows there are other options.  Based on this invaluable record of idiotic human behaviour, the study considered the gender of the award recipients over a 20 year period (1995-2014) and found a marked sex difference in Darwin Award winners: males are significantly more likely to receive the award than females.

Of the 413 Darwin Award nominations in the study period, 332 were independently verified and confirmed by the Darwin Awards Committee. Of these, 14 were shared by male and female nominees (usually overly adventurous couples in compromising positions – see: La Petite Mort) leaving 318 valid cases for statistical testing. Of these 318 cases, 282 Darwin Awards were awarded to males and just 36 awards given to females. Meaning 88.7% of the idiots accepted as Darwin Award winners were male!

Gender diversity on decision making bodies may help to reduce this potential risk factor in two ways.  First, by reducing the percentage of people potentially susceptible to MIT. Second, by modifying the social and cultural environment within decision making body, reducing the body’s tendency to take ‘extreme risk decisions’.

One well documented example is the current Federal Government. Given the extremely limited representation of women in the make-up of the current Abbott government, and some of the self-destructive decisions they have made, I’m wondering if there is a correlation. A softer, less aggressive, lower risk approach to implementing many of the policies they have failed to enact may have resulted in a very different outcome for the government.

Stakeholders and Risk

Probably the biggest single challenge in stakeholder communication is dealing with risk – I have touched on this subject a few times recently because it is so important at all levels of communication.

Projects are by definition uncertain – you are trying to predict a future outcome and as the failure of economic forecasts and doomsday prophets routinely demonstrate (and bookmakers have always known), making predictions is easy; getting the prediction correct is very difficult.

Most future outcomes will become a definite fact; only one horse wins a race, the activity will only take one precise duration to complete. What is uncertain is what we know about the ‘winner’ or the duration in advance of the event. The future once it happens will be a precise set of historical facts, until that point there is always a degree of uncertainty, and this is where the communication challenge starts to get interesting……

The major anomaly is the way people deal with uncertainty. As Douglas Hubbard points out in his book the Failure of Risk Management: “He saw no fundamental irony in his position: Because he believed he did not have enough data to estimate a range, he had to estimate a point”. If someone asks you what a meal costs in your favourite restaurant, do you answer precisely $83.56 or do you say something like “usually between $70 and $100 depending on what you select”? An alternative answer would be ‘around $85’ but this is less useful than the range answer because your friend still needs to understand how much cash to take for the meal and this requires an appreciation of the range of uncertainties.

In social conversations most people are happy to provide useful information with range estimates and uncertainty included to make the conversation helpful to the person needing to plan their actions. In business the tendency is to expect the precisely wrong single value. Your estimate of $83.56 has a 1 in 3000 chance of actually occurring (assuming a uniform distribution of outcomes in a $30 range). The problem of precisely wrong data is discussed in ‘Is what you heard what I meant?’.

The next problem is in understanding how much you can reasonably expect to know about the future.

• Some future outcomes such as the roll of a ‘true dice’ have a defined range ( 1 to 6) but previous rolls have absolutely no influence on subsequent rolls, any number can occur on any roll.
• Some future outcomes can be understood better if you invest in appropriate research, the uncertainty cannot be removed, but the ‘range’ can be refined.

This ‘know-ability’ interacts with the type of uncertainty. Some future events (risks) simply will or won’t happen (eg, when you drop your china coffee mug onto the floor it will either break or not break – if it’s broken you bin the rubbish, if it’s not broken you wash the mug and in both situations you clean up the mess). Other uncertainties have a range of potential outcomes and the range may be capable of being influenced if you take appropriate measures.

The interaction of these two factors is demonstrated in the chart below, although it is important to recognise there are not absolute values most uncertainties tend towards one option or the other but apart from artificial events such as the roll of a dice, most natural uncertainties occur within the overall continuum.

Putting the two together, to communicate risk effectively to stakeholders (typically clients or senior managers) your first challenge is to allow uncertainty into the discussion – this may require a significant effort if your manager wants the illusion of certainty so he/she can pretend the future is completely controllable and defined. This type of self-delusion is dangerous and it’s you who will be blamed when the illusion unravels so its worth making the effort to open up the discussion around uncertainty.

Then the second challenge is to recognise the type of uncertainty you are dealing with based on the matrix above and focus your efforts to reduce uncertainty on the factors where you can learn more and can have a beneficial effect on future outcomes. The options for managing the four quadrants above are quite different:

• Aleatoric Incidents have to be avoided (ie, don’t drop the mug!)
• Epistemic Incidents need allowances in your planning – you cannot control the weather but you can make appropriate allowances – determining what’s appropriate needs research.
• Aleatoric Variables are best avoided but the cost of avoidance needs to be balanced against the cost of the event, the range of outcomes and your ability to vary the severity. You can avoid a car accident by not driving; most people accept the risk and buy insurance.
• Epistemic Variables are usually the best options for understanding and improvement. Tools such as Monte Carlo analysis can help focus your efforts on the items within the overall project where you can get the best returns on your investments in improvement.

Based on this framework your communication with management can be used to help focus your efforts to reduce uncertainty within the project appropriately. You do not need to waste time studying the breakability of mugs when dropped; you need to focus on avoiding the accident in the first place. Conversely, understanding the interaction of variability and criticality on schedule activities to proactively managing those with the highest risk is likely to be valuable.

Now all you have to do is convince your senior stakeholders that this is a good idea; always assuming you have any stakeholders after the 21st December!*

____________________

*The current ‘doomsday’ prophecy is based on the Mayan Calendar ending on 21st December 2012 but there may be other reasons for this:

Averaging the Power of Portfolios

The interaction between dependent or connected risk and independent risk is interesting and will significantly change the overall probability of success or failure of an endeavour or organisation.

As discussed in my last post on ‘The Flaw of Averages’ using a single average value for an uncertainty is a recipe for disaster. But there is a difference between averaging, connecting and combining uncertainties (or risk).

Adding risk

Where risk events are connected, the ability to model and appreciate the effect of the risk events interacting with each other is difficult. In ‘The Flaw of Averages’ Sam Shaw uses the simile of wobbling a step ladder to determine the uncertainty of how safe the ladder is to climb. You can test the stability of one ladder by giving it a good ‘wobble’. However, if you are trying to determine the stability of a plank between two stepladders doubling the information from wobbling just one is not a lot of help. Far more sophisticated modelling is needed and even then you cannot be certain the full set of potential interactions is correctly combined in the model. The more complex the interactions between uncertainties, the less accurate the predictive model.

However, when the risks or uncertainties are independent, combining the risks through the creation of a portfolio of uncertainties reduces the overall uncertainty quite dramatically.

The effect of portfolios

Consider a totally unbiased dice, any one throw can end up anywhere and every value between 1 & 6 has an equal probability of being achieved. The more throws, the more even the results for each possibility and consequently there is no possibility of determining the outcome!

The distribution after 10, 100 and 1000 throws.

As the number of throws increase, the early distortions apparent after 10 throws smooth out and after 1000 throws the probabilities are almost equal.

However, combine two dice and total the score results in a very different outcome. Whilst it is possible to throw any value between 2 & 12, the probability of achieving a number nearer the middle of the range is much higher than the probability of achieving a 2 or a 12. The potential range of outcomes starts to approximate a ‘normal distribution curve’ (or a bell curve). The reason for this is there is only one combination of numbers that will produce a 2 or a 12; there are significantly more combinations that can make 7.

The more dice you add to the ‘throw’, the closer the curve becomes to a ‘normal distribution’ (or bell curve), which is normally what you expect/get, which is the origin of the name!

The consequence of this phenomenon is to demonstrate that the creation of a portfolio of projects will have the effect of generating a normal distribution curve for the outcome of the overall portfolio, which makes the process of portfolio management a more certain undertaking than the management of the individual projects within the portfolio. The overall uncertainty is less than the individual uncertainties……

Each project carries its level of uncertainty and has a probability of succeeding off-set by a probability of failing (see Stakeholder Risk Tolerance) but as more projects are added the probability of the overall portfolio performing more or less as expected increases, provided each of the uncertainties are independent! This effect is known as the Central Limit Theorem.

One important effect of the Central Limit Theorem is the size if the contingency needed to achieve a desired level of safety for a portfolio of projects is much smaller than the sum of the contingencies needed to achieve the same level of ‘safety’ in each of the individual projects. Risk management is a project centric process; contingency management is better managed at the portfolio level. Not only is the overall uncertainty reduced, but the portfolio manager can offset losses in one project against gains in another.

Whist this theorem is statistically valuable, the nature of most organisations constrain the potential benefits. From a statistical perspective diversity is the key; this is why most conservative investment portfolios are diversified. However, project portfolios tend to be concentrated in the area of expertise of the organisation which removes some of the randomness needed for the Central Limit Theorem to have its full effect.

It is also important to remember that whilst creating a portfolio will reduce uncertainty, no portfolio can remove all uncertainty.

In addition to the residual risk of failure inherent in every project, there is always the possibility of a ‘black swan’ lurking in the future. Originally conceptualized by philosopher Karl Popper and refined by N. N. Taleb, a ‘black swan’ is a risk event that has never occurred before, if it did occur would have and extreme impact and is easy to explain after the event, but is culturally impossible to predict in advance (ie, the event could be foreseen if someone is asked to think about it but it is nearly impossible to think the thought for a compelling reason). For more on black swans see: http://mosaicprojects.wordpress.com/2011/02/11/black-swan-risks/ 

The Law of Averages

The Central Limit Theorem is closely aligned to The Law of Averages. The Law of Averages states that if you repeatedly take the average of the same type of uncertain number the average of the samples will converge to a single result, the true average of the uncertain number. However, as the ‘flaw of averages’ has demonstrated, this does not mean you can replace every uncertainty with an average and some uncertain numbers never converge.

Summary

Both the Law of Averages and Central Limit Theorem are useful concepts; they are the statistical equivalent of the adage “don’t put all your eggs in one basket”. When you create a portfolio of projects, the average probability of any one project succeeding or failing remains the same as if the project was excluded from the portfolio, but the risk of portfolio suffering an overall failure becomes less as the number of projects included in the portfolio increases.

However, unlike physical laws such as gravity, these laws are not immutable – drop an apple within the earths gravitational pull and it will fall; create a portfolio and there is always a low probability that the results will not conform to normal expectations!

Certainly the probability of a portfolio of projects ‘failing’ is lower then the average probability of each project failing but a reduced level of risk still leaves a residual level of risk.

Managing risk

One of the most overlooked processes for effectively managing the day-to-day uncertainty that is the reality for every single project, everywhere, all of the time, is an effective performance surveillance process. This involves more than simply reporting progress on a weekly or monthly basis.

An effective surveillance system includes regular in-depth reviews by an independent team focused on supporting and helping the project team identify and resolve emerging problems. Our latest White Paper, Proactive Project Surveillance defines this valuable concept that is central to providing effective assurance to the organisation’s key stakeholders in management, the executive and the governance bodies that the project’s likely outcomes are optimised to the needs of the organisation.

Stakeholder Risk Tolerance

Managing the inherent risk associated with undertaking any project, anywhere, in any industry is a critical organisational capability. Within the organisations overall Project Delivery Capability (PDC) the maturity of its risk management approaches is central to the organisation’s ability to generate value (see more on PDC Maturity).

Only very immature or deluded organisations seek or expect to run ‘risk free’ projects. To quote Suzanne Finnamore: “Delusion detests focus and romance provides the veil.” Any sensible analysis of any business activity will indicate levels of risk; effective organisations understand and manage those risks better then ineffective organisation.

The skills that a mature organisation brings to the art of ‘risk management’ is to focus effort on managing risks that can be managed, providing adequate contingencies for those risks that cannot be controlled and deciding how much residual risk is sensible. The balance that has to be struck is between the cost and time needed to reduce the risk exposure further (the pay-back diminishes rapidly), the impact of the risk if it occurs and the profit to be made or value created as a result of the total expenditure on a project.

The sums are superficially simple; adding another $100,000 to the cost of a project to reduce its risk exposure by $10,000 reduces the value of the project by $90,000. In competitive bids, increase your bid price too much and the value drops to $Zero because the organisation fails to win the work! However, the situation is more complex; the nature of the risk may require the expenditure regardless of the potential saving (particularly in areas of safety and quality) and whilst expenditures are reasonably quantifiable, the actual cost of a risk event and the probability of it occurring are variable and cannot be precisely defined for a unique project. Our paper The Meaning of Risk in an Uncertain World discusses these issues in more depth.

To develop a mature approach to risk management, each layer of management has a role to play:

• The organisation’s governing body (typically a Board of Directors) is responsible for developing an appropriate risk taking policy and defining the organisations ‘risk appetite’.
   
• The Executive are responsible for creating the culture and framework that approached the management of risk within the parameters set by the Board in a capable and effective way.
   
• Senior management are responsible for implementing the risk management system.

The mark of a mature organisation is the recognition at all levels of management that having implemented these systems, the organisation still has to expect failure! Every single project has an associated risk and properly managed, these risks are at an acceptable level for the organisation. But if there is a probability for success, there has to be a corresponding probability of failure!

Assuming the organisation is very conservative and requires budgets to be set with appropriate contingencies to offer a 90% certainty of being achieved, and this setting is applied to all projects consistently, the direct consequence is an expectation that 1 in 10 projects will overrun cost. Certainly 9 out of 10 projects will equal or underrun cost but there is always the remaining 10%. Mature organisations expect the profits and un-spent contingencies on the ‘9 underruns’ to more then offset the ‘1 overrun’. However, these ‘expected failures’ tend to be totally ignored by immature executives who want to pretend there is ‘no risk’ and then blame the PM for the failure.

There are two aspects of dealing with the ‘expected failures’ implicit in any realistic risk assessment. The first is setting the boundaries of accepted risk at an appropriate level of the organisation. Aggressive ‘risk seeking’ organisations will set a lower threshold for acceptability and experience more failures that conservative organisations. But the conservative organisations will achieve far less.

Source: Full Monte Risk Analysis

Looking at the cost aspect of risk for the project above, the most likely cost for this project is $17,500 but this is optimistic with a less then 50% chance of being achieved. The range of sensible options are to set the budget at:

• The Mean (50% probability of being achieved) is $17,770.
   
• Add one standard deviation to the Mean increases the probability of achieving the project to 84%, but the budget is now $18,520.
   
• Add two standard deviations to the Mean and the probability of achieving the budget increases to 97% but the budget is now up to $19,270.

From this point, the pay-back diminishes rapidly, to move from 97% to 99.99% (six sigma), an additional $3,000 would be required in contingencies making a total contingency of $4,770 to effectively guaranteed there will be no cost overruns. Because of this very high cost for a very limited change in the probability of achieving the objective most projects focus on either the 80% or the 90% probabilities.

However, even within these relatively sensible ranges, making a sensible allowance for risk has consequences. Assuming all projects have a similar cost distribution and the organisations total budget for all projects is $10 million the consequences are:

• To achieve a 50%/50% probability of projects achieving budget, approximately 1.6% of the budget will need to be allocated to contingencies: $160,000
   
• To achieve an 84% probability of projects meeting the allocated budget, approximately 5.8% of the budget will need to be allocated to contingencies: $580,000
   
• To achieve a 97% probability of projects meeting the allocated budget, approximately 10.1% of the budget will need to be allocated to contingencies: $1,010,000

Whilst the mathematics used above are highly simplified, the consequences of risk decisions are demonstrated sufficiently for the purpose of this post (for more on probability see: WP1037 – Probability). To be 97% sure there will be no cost overruns, more than 10% of the available budget to undertake projects will be tied up in contingencies that may or may not be needed, the consequence is less than 90% of the possible project work will be undertaken by the organisation in a year. The projects ‘not done’ are opportunities foregone to be ‘safe’.

In a competitive bidding market, adding 10% to your estimate to be 90% sure there will be no cost overruns is likely to have a more dramatic effect and price the organisation out of the market resulting in no work. In either situation a careful balance has to be struck between accepted risk and work accomplished, this is a governance decision that needs input from the executive and a decision by the Board.

The governance challenge is getting the balance ‘right’:

• The higher the safety margin the more likely most projects will underrun and the greater the probability some of the contingent reserves will not be used and therefore opportunities to use the funds elsewhere are foregone.
   
• However, reducing the reserves increases the probability that more projects will overrun (ie, ‘fail’) and this increases the probability that in aggregate the whole project budget will be exceeded.

The challenge for the rest of management is making sure the data being used is as reliable as possible.

The second key feature of mature organisations is the existence of efficient scanning systems to see problems emerging backed up with effective support systems to proactively help the project team achieve the best outcome. The key words here are ‘proactive’ and ‘help’. The future is not set in concrete and timely interventions to help overcome emerging problems can pay dividends. This requires a culture of openness and supportiveness within the organisation so that the root cause of the emerging issue can be quickly defined and appropriate support provided, promptly and effectively. This approach is the antithesis of the approach adopted by immature organisations where the ‘blame game’ is played out and the project team ‘blamed’ for every project failure.

In summary, the organisation’s directors and executive managers need to determine the appropriate risk tolerance levels for their organisation and then set up systems that have the capability of keeping most projects within these accepted boundaries. Understanding and managing risk is a key element of PDC. But having done all of this, mature risk organisations know there are still ‘Black Swans’ lurking in the environment and remain vigilant and responsive to unexpected and unforeseen events.

Project and Organisational Governance

One of the themes running through several of my recent posts is the importance of effective Governance. Both organisational governance and its sub-set project governance.

Good governance is a synonym for ‘good business’, structuring the organisation to deliver high levels of achievement on an ethical and sustainable basis. This requires the optimum strategy and the right approach to risk taking supported by sufficient processes to be reasonably confident the organisations limited resources are being used to achieve the best short, medium and long term outcomes.

Project governance focuses on the portfolios of programs and projects used by the organisation to deliver many of the strategic objectives. This process focuses first on doing the right projects and programs constrained by the organisations capacity to undertake the work – Portfolio Management; secondly, creating the environment to do the selected projects and programs right- developing and maintaining an effective capability; and lastly systems to validate the usefulness and efficiency of the ongoing work which feeds back into the selection and capability aspects of governance.

Within this framework, portfolio management is the key. Strategic Portfolio Management focuses on developing the best mix of programs and projects to deliver the organisations future within its capacity to deliver. This means taking the right risk and having sufficiently robust system in place to identify as early as possible the ‘wrong projects’, so they can be either be reframed or closed down and the resources re-deployed to other work.

It is impossible to develop an innovative future for an organisation without taking risks and not every risk will pay off. Remember Apple developed the ‘Apple Lisa’ as its first GUI computer which flopped in the market, before going on to develop the Apple Macintosh which re-framed the way we interact with machines.

Apple Lisa circa. 1983

Obviously no organisation wants to have too many failures but good governance requires ‘good risk taking’. Apple had no guarantees the i-Pod and its i-Tunes shop would succeed when it started on the journey of innovation that has lead to the i-Phone, i-Pad and Apple becoming one of the largest companies in the world based on capitalisation. As Richard Branson says – ‘you don’t bet the company on a new innovation’ but if you don’t innovate consistently, obsolescence will be the inevitable result.

The balance of project governance focuses around creating the environment that generates the capability to deliver projects and programs effectively, effective sponsorship, effective staff development, effective and flexible processes and procedures, simple but accurate reporting and good early warning systems to identify issues, problems and projects no longer creating value (a pharmaceutical industry saying is that if a project is going to fail it is best to fail early and cheap!).

Good questions outrank easy answers! Every hour and dollar spent on governance processes is not being spent on developing the organisation. The challenge of good governance is to have just enough reporting processes embedded in an effective culture of openness and accountability to provide an appropriate level of assurance the organisations resources are being used effectively; whilst at the same time allowing innovation and development. Restrictive and burdensome governance processes are simply bad governance – they restrict the organisation’s ability to achieve excellence.

To help organisations understand these key governance processes we have updated our two White Papers on the subject:
Corporate Governance: http://www.mosaicprojects.com.au/WhitePapers/WP1033_Governance.pdf
Project Governance: http://www.mosaicprojects.com.au/WhitePapers/WP1073_Project_Governance.pdf

For more discussion around the subject of governance see the previous posts on this blog.

Cobb’s Paradox is alive and well

In 1995, Martin Cobb worked for the Secretariat of the Treasury Board of Canada. He attended The Standish Group’s CHAOS University, where the year’s 10 most complex information technology (IT) projects are analysed. The high level of failure led Cobb to state his now famous paradox: “We know why projects fail; we know how to prevent their failure—so why do they still fail?”

In 2011, another report into the management of IT projects asks the same question! This time the report was prepared by the Victorian Government Ombudsman, in consultation with the Victorian Auditor-General, it documents another series of failures largely created by executive management decisions. The report entitled Own Motion Investigation into ICT – Enabled Projects, examines 10 major Victorian Government ICT projects that experienced difficulties such as budget and timeframe blowouts or failure to meet requirements.

Portfolio Management
Problems identified by the Ombudsman in the area of Portfolio management and governance include a lack of effective leadership, accountability and governance. He was particularly concerned about poor project governance, the lack of accountability of project stakeholders and a lack of leadership — a reluctance to take tough decisions.

These failures contributed to poor decision making, and an inability or reluctance to make difficult, but necessary decisions. Leaders lead and determine governance practices; the resources needed to implement these facets of effective Portfolio management are readily available including:

•  PMI’s The Standard for Portfolio Management – 2nd Edition, available in Australia from http://www.mosaicprojects.com.au/Book_Sales.html#PMI, elsewhere from http://marketplace.pmi.org
   
• The Association for Project Management’s Directing Change, a guide to the governance of project management: http://www.mosaicprojects.com.au/PDF/APM%20GoPM%20booklet.pdf

Project Definition
It is impossible to deliver a project successfully if the decision to proceed is based on inaccurate assessments in the business case. The Ombudsman commented on the inadequacy of business cases, the failure to fully define requirements for new systems, a general reluctance to change business processes to better fit with off the shelf products (to reduce cost and risk) and a ‘tick the box’ approach to risk management (ie, avoiding any real assessment of risks and opportunities).

Linked to this lack of definition major project funding decisions were announced publicly before the business case was fully developed (representing either wishful thinking or a wild guess?), and high risk decisions being made to only partially fund some projects.

The solution to these issues is a robust and independent PMO that has the skills and knowledge needed to validate business cased before they go forward to management for decisions. Many years ago, KPMG released a series of reports that highlighted the fact that organisations that failed to invest in effective PMOs were simply burning money! The Ombudsman’s report shows that ‘burning public money’ is still a popular pass time.
– For more on PMOs and to download the KPMG reports see: http://www.mosaicprojects.com.au/Resources_Papers.html#Proj_Off

Risk Management
Many of the factors identified above and in my view the primary cause of most bad decisions is the abject failure of senior management to insist on a rigorous risk management process. Risk management is not about ‘ticking boxes’, it is about having the ethical courage to objectively explore the risks and then take appropriate actions to either mitigate the risk or provide adequate contingencies within the project budget. This failure was manifest by an inconsistent approach to contingency funding. There are many examples of high risk decisions being made without any contingency provisions:

• The Myki ticketing system was let to an organisation that had never delivered a ticketing system before. No contingencies were made for this high risk decision and the project is years late, $millions over budget and will only deliver a small part of the original scope.
   
• Agencies preferred to be on the leading edge rather than leveraging what had been done by others elsewhere. This may be justified but not without proper risk assessment, mitigation and contingency.

Government agencies are not alone in failing to effectively manage risk in ICT procurements. The same problem has been identified in major infrastructure projects, in a series of reports by Blake Dawson; see: Scope for improvement.

There are always difficulties in transferring project risks to vendors, and dealing with large vendors who may be more experienced in contract negotiation than their agency counterparts. Whilst modern forms of contract provide opportunities to adopt innovative procurement processes that could significantly reduce project risks for vendors and customers these were not used.

As our paper, The Meaning of Risk in an Uncertain World and the Blake Dawson reports clearly demonstrate, not only is it impossible to transfer all of the project risk to a vendor, it is totally counterproductive to try! Organisations that try to transfer ‘all of the risk’ end up with a much poorer outcome than those organisations that actively manager the risks in conjunction with their vendors.

Large ICT projects are inherently complex and necessarily involve some significant risks. But these can be mitigated to some degree by taking heed of the Ombudsman’s observations, lessons learnt in other projects and the implementation of robust and independent systems.

The PMI Practice Standard for Risk Management provides  good starting point.

Recommendations
The Ombudsman’s recommendations on how to address these issues can be applied to ICT and other projects undertaken by other state, local and Commonwealth government agencies, and in the private sector: Download the report.

In my opinion, the primary cause of these failings, referenced but not highlighted by the Ombudsman, is cultural. Executives and senior managers overtly preferring the status quo and the current power structures they have succeeded within over leading the implementation of change that will deliver improved outcomes for their organisations but make people more accountable and redistribute organisational power. This was the focus of my last posting; Culture eats strategy for breakfast 2!

As Martin Cobb observed in 1995, “We know why projects fail, we know how to prevent their failure — so why do they still fail?”  Unfortunately this is still a valid question more that 15 years later and, without leadership from the very top, I expect the effect of this report will be little different to the dozens of similar reports generated over the years and we will still be asking the same question in 2020.

The answer is culture and leadership – to change the culture within senior management ranks, the owners of organisations need to take actions similar to the Australian Federal Government and mandate effective processes and then measure performance in their implementation and use. The implementation of the Gershon Report that is being forced through the federal government departments is a Cabinet level initiative. It is still too soon to judge wether the initiative will be successful, effective culture change takes years to embed in major organisations, but at least the push has started at the right level. My feeling is that if the pressure is maintained for another 3 or 4 years (the original report was released in 2008) there may be some real benefits. To avoid similar reports to this one in the future, the leaders of other organisations need to take similar robust, strategic action tailored to the needs of their organisation.

Project professionals can help by effectively communicating to your top-level executives the real benefits of effective project governance. For many ICT and other technical/engineering professionals this represents is a whole new set of skills to learn, my book Advising Upwards may help!

Mistakes!

Experience is that marvellous thing that enables you to recognize a mistake when you make it for the second time and fortunately we all have a wonderful capability for accruing experience! It is almost impossible to do anything new without the probability of mistakes occurring.

A mistake is an error in action, calculation, opinion, or judgment caused by insufficient knowledge, poor reasoning, carelessness or a misunderstanding or misconception. Examples include forgetting our passwords; eating more food because it is served in a bigger bowl and overpaying for gym memberships and phone plans.

We all tend to:

• Look but not always see: when we look at something we think we see all there is to see, but we don’t. The eye’s area of clear vision is a cone of about 2 degrees – the size of a 5 cent coin (or quarter) at normal viewing distances.
• We connect dots we don’t know we’re connecting, the sub-conscious mind does this for us based on preconceptions and stereotypes!
• We wear rose-colored glasses and/or think the grass looks greener – our innate biases drive us to these errors (for more on ‘bias’ see: WP 1069 – The innate effect of Bias).
• We are really terrible at really appreciating probability, perspective, size and shape – if you don’t believe these two table tops are the same size go to: http://www.michaelbach.de/ot/sze_shepardTables/index.html.

Shepard's Parallelogram Illusion

From a stakeholder management perspective, the challenge is not eliminating mistakes – this is impossible, rather designing systems and processes in a way that will minimise unnecessary mistakes and accepting there will always be others that will require managing.

We can minimise mistakes by being aware we make them and avoiding the known traps and pitfalls. Joseph T. Hallinan’s book, Why We Make Mistakes is a good starting point.

Another impossible image by Roger Shepard

Dealing with the mistakes that occur requires acknowledgement of the error and appropriate actions to rectify the mistake. This applies equally to you, your team members and other stakeholders. The biggest mistake is expecting perfection (ie, the absence of mistakes)! The second biggest is failing to acknowledge a mistake once it has happened; as Confucius said “A man who has committed a mistake and doesn’t correct it is committing another mistake.”

So the next time the wheels fall off your project because someone made a mistake, rather than blaming the person, recognise mistakes are normal and be prepared to deal with ‘normality’.

Resilience v Risks

A common fallacy is the assumption that effective risk management systems will remove or eliminate all risk from a project or a business. $millions are spent by organisations trying to avoid risk and they fail. It is not possible to predict the future with certainty, if it was possible, casinos and bookmakers would be bankrupt.

What is possible is to proactively manage known risks in a way that maximises opportunity and minimises the damage caused by threats that eventuate. It is also possible to refine and improve systems to minimise variability and therefore increase predictability.

Sensible management balances the gains from improvements in the risk exposure against the costs and optimises the outcome. But this leave three areas of risk unaccounted. The first is the known risks that it is simply too expensive or too difficult to reduce any further. The second is the known risks that simply cannot be managed or transferred. The third category is the unknown unknowns, the risks we simply don’t know we don’t know about.

All three of these risks can be offset by the creation of contingency allowances but this is expensive and potentially wasteful. Because we cannot know what we don’t know it is impossible to calculate appropriate contingencies. Another approach is needed.

Resilience is the ability to recover quickly from an unforseen event or ‘the ability of a system to return to its original state after being disturbed’. Build resilience into you business unit or project team and you have the capacity to deal with the consequences of unforseen risks.

I have been rather aware of the recent problems experience by Qantas given I’m flying on one of their aircraft from Sydney to Argentina on Monday! The major issue was the uncontained explosion of a Roles Royce Trent 900 jet engine after take off from Singapore on November 4th. Commercial airline engines are not supposed to explode! Whilst they break reasonably frequently, all of the debris are supposed to be contained within the engine. The Qantas A380 suffered shrapnel damage to wiring, its fire systems and wing fuel tanks (the plane was extremely lucky to avoid a catastrophic fire).

One of the factors that saved the situation was the flight deck crew. By chance there were four highly experienced pilots and a second officer on-board. Qantas routinely use two experienced pilots as captain and First Officer, in addition there was a senior ‘check captain’ undertaking a ‘route check’ on the pilots and another senior officer checking the checker. Between them the crew had over 60,000 hours of flying experience and they still had to work flat out for over an hour to understand and control the situation before making a safe landing.

The flight crew had an abundance of resilience created by the experience of the flight crew. This was partly good luck and partly Qantas policy. There was enough brain power, experience and wisdom to stay on top of the situation. Whilst every airline trains its crews in flight simulators to deal with all sorts of emergencies, you can virtually guarantee Qantas had not trained its crews specifically for the circumstances that occurred on the 4th November. They were never supposed to occur; the situation was probably closer to what happens when a large aircraft is hit by a missile then any normal emergency.

So how do you build resiliency into a work team? There seems to be three elements.

• The first is to have practiced dealing with a range of emergency issues needing responses. This helps develop systems and procedures.
• The second is to have spare capacity available to the team. It’s unlikely you can afford the Qantas solution of two qualified captains ‘on deck’ but it should be possible to develop flexibility within the larger organisation to make resources quickly available and to have those people familiar and friendly with the core team so they ‘fit in’ quickly.
• The third element is trust. Everyone needs to be able to trust their team mates and understand their capabilities. The value of trust is discussed in our WP1030 – this is even more important when dealing with an unexpected risk event.

Resilience is not an accident; it is created by implementing strong processes, procedures and systems. These are far better value drivers than contingencies. Contingencies add no value; they are simply drawn down in emergencies. Resilient systems are also effective systems and therefore value creators.

However, there is a risk associated with resilience. Resilient system that can absorb issues and catch risks before they become significant appears to be a ‘comfortable system’. Unwise cost cutting can remove resilience and in the short term there appears to be no disadvantage. However, this is a very dangerous illusion. As the system is rendered less effective issues get picked up later and require more resources to correct. This further destabilises the system and the ‘tipping point’ into dangerous disfunctionality can easily be passed without anyone realising there’s a problem until the next risk event occurs and the system fails.

Resilience is a valuable asset. Management need to make sure it’s cultivated and nurtured to support the other aspects of effective risk management.

Procrastination is Genetic

We appear to be hardwired to procrastinate! Without an effective set of countermeasures, we almost inevitably delay difficult or uninteresting work until the last minute when time ultimately makes us choose the undesirable and risky.

A couple of interesting posts I’ve read on this are firstly by Timothy A. Pychyl, Ph.D., an associate professor of psychology at Carleton University in Ottawa, where he specializes in the study of procrastination (presumably as a theoretical concept; see: http://www.psychologytoday.com/blog/dont-delay). He suggests:

• The brain is built to firstly minimize danger, before maximizing rewards.
• Too much uncertainty feels dangerous so we avoid it.
• We are not good at predicting what might make us happy.
• Our capacity to regulate emotions is limited and our intentions and goals alter the information that the brain pays attention to.

In combination all of these traits make if far preferable to do something simple now for an immediate reward, or nothing at all, in preference to something more difficult and therefore risky for a more valuable reward in the future. This is called Hyperbolic Discounting; most of us will take $100 tomorrow in preference to $1000 in a year’s time.

The other source was posts by Dr. David Rock; http://www.psychologytoday.com/blog/your-brain-work . The overall consensus is we procrastinate by design but we can also manage this tendency by effective negotiations with our self. Brute force attempts to suppress procrastination by ‘force of will’ are doomed to failure; smart tactics that reward yourself for necessary achievements and accept the inevitable relapse from time to time are far more effective. Some ideas on personal time management are in our latest White Paper Personal Time Management.

Probably the most focused comment I found on getting stuff done though is a very short video at: http://www.youtube.com/watch?v=4P785j15Tzk&feature=player_embedded