A lack of understanding about the terms used to interpret risk assessments on major projects has created a culture of misinformation – one that could undermine investment.
With risk management increasingly viewed as an add-on responsibility of the project manager, the misinterpretation of key risk data is becoming widespread. Over-reliance on risk software tools could be partly to blame, encouraging project managers to become complacent about reporting risk management data back to the business.
As a result, investors and other stakeholders may be unaware that their risk exposure is greater than they had thought. This is a recipe for disaster and, if mitigation strategies prove ineffective, investors could be forced to pull out – potentially leading to business insolvency.
This highlights the need for training to ensure risk management data is properly understood and accurately reported, but the problem also seems to lie in a lack of adherence to standardised terminology as defined by ISO 31000. This can make it difficult for non-specialists, such as investors, to understand the significance of the information they are shown.
What’s being misinterpreted
When reporting on risk assessment data, managers will usually use one of three terms to describe its significance.
‘Current’ risk mitigation data denotes actual information, based on the manager’s knowledge of today’s position prior to implementing any planned controls. ‘Post’ risk mitigation data is a robust analysis of where the business or project expects to be, once planned controls have been implemented. ‘Target’ risk mitigation data is more aspirational information, with a much higher degree of uncertainty.
Problems arise if risk or project managers misuse these terms or fail to interpret them properly.
Alongside the lack of adherence to standardised terminology, sometimes risk analysts are introduced to help manage risk on a specific project without being given a strategic brief to see it through properly. They may be one step removed from operational processes and procedures, which makes it difficult to see the big picture.
To avoid this scenario, those responsible for risk management should ensure they have a clear understanding of the requirements of all stakeholders and structure their reporting around these.
If cost or time expectations are exceeded on a project, stakeholders may seek more information. They may not realise until this point that their understanding of the risk exposure of their investment had been flawed. It is too late to turn back the clock and they may decide to cut their losses. If alternative funding can’t be found at this stage, the project or business could stall.
Warnings from history
The collapse of the Metronet PPP project in 2009, costing taxpayers an estimated £410m, is a high-profile example of what can happen when risk is poorly managed. As well as identifying corporate governance failings by the project consortium, a report published by the National Audit Office in 2009 highlighted a lack of good quality risk management information.
The key to preventing such disruption is to increase risk management understanding at all levels, which requires greater focus on training. For a risk management specialist, it is not unusual to attend meetings where risk management data is in danger of being misinterpreted, with potential cost implications amounting to millions of pounds.
To avoid this, the risk or project manager has a responsibility to interpret risk data in accordance with current industry standards and make sure it is properly understood.
Bill Zuurbier is director of risk management consultancy Equib