basket of stocks that made up the index, some of which may now be worthless).
• Similarly, truly catastrophic events that could have wiped out humanity have not yet occurred. In general, there can be a failure to consider the possible extremes or situations that have never occurred (but could do so in reality), specifically those associated with low probability, large impact events. Having said that (as discussed in Chapter 2) the consideration and inclusion in analysis of truly rare events (especially those that are, in principle, present in any project context, such as an asteroid destroying life on the planet) are probably in general not relevant to include in project and business risk assessments, or for management decision-making.
• Group think. A well-functioning group should, in principle, be able to use its diversity of skills and experience to create a better outcome than most individuals would be able to. However, very often, the combination of dominant characters, hierarchical structures, an unwillingness to create conflict, or a lack of incentive to dissent or raise objections, can instead lead to poorer outcomes than if decisions had been left to a reasonably competent individual. The fact that individual failure is often punished, whereas collective failure is typically not, provides a major incentive for individuals to “go with the pack” or resort to “safety in numbers” (some argue this provides part of the explanation for “bubbles” and over-/underpricing in financial markets, even over quite long time periods).
Structural biases are where particular types of approach inherently create bias in the results, independently of psychological or motivational factors. An important example is a static model populated with most likely values that will, in general, not show the most likely value of the true output range (the “fallacy of the most likely”, as discussed in Chapter 4). Key driving factors for this include non-symmetric distributions of uncertainty, non-linear model logic or the presence of underlying event risks that are excluded from a base assumption. The existence of such biases is an especially important reason to use risk modelling; paraphrasing the words of Einstein, “a problem cannot be solved within the framework that created it”, and indeed the use of probabilistic risk techniques is a key tool to overcoming some of these limitations.
1.3 Key Drivers of the Need for Formalised Risk Assessment in Business Contexts
Generally, risk assessment will be useful where there is a significant level of investment (i.e. non-reversible commitments in money, time, resources or reputation), and where there is inherent uncertainty (as there usually is in any future situation). More specifically, the key drivers of the need for formalised risk assessment in business contexts include:
• The complexity of typical projects.
• The size and scale of the decisions, in terms of financial and other resource commitments.
• To provide support to the procedures required to identify and authorise mitigation actions, or to change project structures, and to assign responsibilities for executing the required measures.
• Corporate governance requirements, both in a formal sense relating to specific guidelines or regulations, and in the sense of optimising executive management and decision-making, i.e. to make decisions that are the best ones that can be made, are not just adequate, and create some competitive advantage.
• The frequent need to support decisions with quantified analysis.
• The need to be able to reflect risk tolerances in decision-making and in business portfolio design, and to be able to compare projects of different risk profiles.
These are discussed individually below.
Clearly, as projects become more complex, the potential increases as informal or intuitive risk assessment processes become inadequate, with risks overlooked or underestimated. On the other hand, in some cases, an intuitive awareness that one may be underestimating risks may – in the absence of a more formalised process – be overcompensated by planning with excessive contingency or pessimism; this can also be detrimental (discussed further in Chapters 4 and 5).
The notion of complexity may take several forms:
• Technical complexity, or the level of specialist knowledge required. A business project will often involve issues of a technical nature that cannot be fully understood, dealt with or mitigated without the involvement of experts.
• Organisational complexity. The cross-functional nature of many business projects means that one must rely on inputs from a wide variety of people of different expertise. In some cases, there may also be third-party resources, contractors, partners or government departments involved.
• Interactions. Even where individual risks are identified and managed reasonably well using informal approaches, the possible effects of a large number of risks on the key aggregate metrics of project success (cost, time, quality, etc.) are hard to estimate by purely intuitive methods; this is even more the case when there are interdependencies between them, such as the knock-on effects on other project tasks if one particular activity is delayed. Such interactions can easily be overlooked, but – even where identified – their existence can make it more challenging to develop an understanding of the aggregate impacts of risks, and to correctly assess the value of various mitigation measures. Formal processes and the appropriate tools can help to address such issues in a more robust and transparent manner.
• Lack of previous experience with certain key elements. The more experience with similar situations one already has, the less is the level of complexity: if all elements of a project were essentially identical to those in many other already-implemented projects, then prior experience should be invaluable in designing projects and optimising their risk profile. On the other hand, where a project has non-standard components (e.g. in terms of technical, product, geographic, legal, regulatory, environment, team resources, or the requirement for the involvement for a wider than usual set of organisational departments), then there is a higher likelihood that it contains risks that may be overlooked or underestimated. Even where previous experience exists, an excessive reliance on it can have pitfalls because:
• The time and place are different, and contextual circumstances are likely to have changed in some way.
• The fact that risks did not materialise in earlier projects does not mean that they (the same or similar items) cannot happen in similar current projects.
• It is easy to underestimate new factors that may be involved, unless proper consideration is given to trying to identify them. For example, a company may have successfully launched a new product in one European country and then finds that its launch in another country fails due to cultural, legal or local regulatory requirements that could have been anticipated and mitigated with a more formal assessment, including research and information gathering.
In practice, larger projects are typically more complex (or risky) than smaller ones, although this does not need to be the case, at least in theory. In addition, where a project is large (even if it is apparently “simple”, such as the undertaking of a major construction project using a prefabricated template), then the consequences of the materialisation of an unforeseen risk may be too large to be absorbed within the available budget, whereas similar risks in smaller projects could be absorbed without undue attention. In this sense, of course, the concept of scale is a relative one, depending on the context and organisation concerned.
Measures to respond to risk can include changes to project scope, structures, deliverables, timelines, budgets, targets and objectives. In many personal situations, the individual concerned can make decisions related to such topics without reference to others. In contrast, in organisations and businesses (and in some personal situations) such actions would almost
