Why you don't need to identify risks

In project management, we often treat identifying risks like a badge of honour. But here’s the reality check: anyone can point out potential problems. The real challenge – the one that separates the pros from the pretenders – isn't just about listing risks. It lies in assessing, prioritising, and managing them. And by managing, I mean actively monitoring, not adopting a ‘fire and forget’ approach. Risk management resembles adopting a pet; you need to pay attention, provide care, and yes, feed it regularly.

Take the Edinburgh Tram project, for instance. The team approved this infrastructure project in 2003, intending to complete it by 2011 at a cost of £375 million. Instead, they finally opened it in 2014, massively over budget at £776 million, and with a dramatically reduced scope – only eight miles of track instead of the planned 15.

The project team identified numerous risks early on, including potential disputes with contractors, issues with utility diversion, and the complexities of construction in a historic city centre. However, they failed to manage these risks effectively. Contractual disputes spiralled out of control, leading to a complete shutdown of construction for months. The team found utility diversion work far more complex and time-consuming than anticipated, causing significant delays and cost overruns.

Moreover, the governance structure of the project couldn’t handle the scale and complexity of the risks involved. Slow and often politicised decision-making hampered effective risk mitigation. The result? The project became a cautionary tale in UK public infrastructure development.

The Edinburgh Tram project demonstrates that merely identifying risks isn’t enough. You have to take meaningful action to mitigate them and put robust governance structures in place to manage them effectively. That’s the part everyone seems to forget – or conveniently ignore.

AI and technology won't save you from incompetence

Let’s be honest: no amount of fancy technology will fix incompetence. It's tempting to think that AI tools will solve all our problems. Spoiler alert: they won't. AI can help streamline tasks but it can’t replace critical thinking and elbow grease. You still need to do your own thinking and take action. Having the latest AI-powered risk management system won’t matter if you don’t know what you’re doing. It’s like trying to use a smartphone to fix a leaky tap – impressive? Sure, but utterly useless.

Don't expect technology to compensate for a lack of understanding or action-taking.

Consider the infamous "London Whale" incident at JPMorgan Chase in 2012. The bank's Chief Investment Office in London relied heavily on a sophisticated Value at Risk (VaR) model to manage its trading risks. This model, a pinnacle of financial technology at the time, was supposed to keep the bank's risk exposure in check.

However, the traders found ways to game the system, manipulating the inputs to make their positions appear less risky than they actually were. The model, despite its complexity, failed to capture the true extent of the risk. Moreover, when signs of trouble emerged, the bank's risk management team failed to properly investigate or escalate the issues.

The result? A staggering $6.2 billion in trading losses, regulatory fines, and a serious dent in the bank's reputation. This debacle shows that even the most advanced risk management technology is only as good as the processes and people behind it. JPMorgan Chase had the tools, but they lacked the critical thinking and robust processes to use them effectively.

The lesson? Technology can be a powerful ally in risk management, but it's not a substitute for human judgment, strong processes, and a culture of risk awareness. No matter how fancy your AI or risk models are, they're useless if you're not asking the right questions, challenging assumptions, and taking appropriate action.

So how can you master risk?

Appreciate before you automate. Before you start drooling over the latest risk management tool or GPT model, take a step back. Do you really understand and appreciate the nuances of risk management? If not, you're putting the cart before the horse. Master the basics first, then treat yourself to the shiny tools.

Stop blaming the PMO: it’s not their fault. Let's talk about the often-maligned Project Management Office (PMO). If you view them as mere ‘chore chasers’ when they ask about risks, it's time for some self-reflection. The problem isn't the PMO; it's you and your colleagues filling the risk register with meaningless fluff. If you’re lazily filling the risk register with filler risks that you either know won’t matter or haven’t articulated properly, you’re the one adding noise, not value.

If the risks were real and significant, you'd be eager to keep the PMO updated and ensure proper communication. So, go easy on the PMO and be hard on yourself. They're not nagging; they're trying to help you succeed.

Don’t overthink risk assessments. Some companies turn the science of risk assessment into a tedious exercise in futility. Suddenly, they focus solely on statistical probabilities and risk matrices. Sure, this approach sounds impressive, but they often turn it into a chore, losing sight of the real goal: managing risks effectively.

Always remember, you need to manage real-world risks, not create a statistical masterpiece. Don’t let the process become so convoluted that it distracts you from the core task: identifying what matters and what doesn’t. Tailor your approach based on the situation and actual exposure.

Prioritise effectively; not everything can be number one. Here’s another common issue: people get scared to make a call. So, they end up treating everything as a top priority. Guess what? Not everything is equally important. Be brave. Decide what the biggest risks are and deal with them first. Yes, that means making tough decisions, but that’s what risk management is all about. If everything is a priority, nothing is.

The political risk shuffle

In politically charged environments (which is pretty much everywhere these days), be wary of the "risk promotion" game. This is where someone elevates your risk to deflect attention from their own shortcomings. It's as common as coffee in an office and about as subtle as a fire alarm.

The real art of risk management is being smart about what risks matter and what risks are being weaponised for political cover. If you’re genuinely taking risk management seriously, you can use it to highlight areas that need executive-level attention, rather than becoming a pawn in someone else’s blame game.

Go beyond risk identification

In the end, identifying risks in projects is child's play. The real challenge – and the real value – lies in assessment, prioritisation, and effective risk management. It's not about creating a laundry list of potential problems; it's about knowing which one’s matter and doing something about them. And let’s not forget, this isn’t a one-time thing. Risk management requires ongoing monitoring, regular updates, and a willingness to adapt.

So, the next time someone proudly presents a long list of identified risks, resist the urge to applaud. Instead, ask the tough questions: How are we assessing these risks? Which ones are our top priorities? What's our plan for managing them? And most importantly, how will we monitor and adjust our approach over time?

Remember, in risk management, identification is just the beginning. The real work – and the real success – comes from what you do next. So, roll up your sleeves, engage your brain, and get ready to do a lot more than just point out problems. That's when risk management transforms from a bureaucratic exercise into a powerful tool for project and organisational success.