Introduction to the interviewee:
David Hillson (CMgr, FRSA, FIRM, FCMI, HonFAPM, PMI-Fellow) is known as “The Risk Doctor”. In his eyes, a doctor is a trusted professional who helps you when you have a problem that needs his expertise, especially if you’re not sure what’s wrong. That reflects his role very well. “Doctor” also introduces ideas of consulting, diagnosis, treatment, prevention is better than cure, and promoting wellbeing and health. The medical metaphor works for him on many levels.
David has a reputation as an excellent speaker and presenter on risk. His talks blend thought-leadership with practical application, presented in an accessible style that combines clarity with humour, guided by the Risk Doctor motto: “Understand profoundly so you can explain simply”.
He also writes widely on risk, with eleven major books, and over 100 professional papers. He publishes a regular Risk Doctor Briefing blog in seven languages to 10,000 followers, and has over 4000 subscribers to the RiskDoctorVideo YouTube channel (www.youtube.com/RiskDoctorVideo).
David Hillson has over 25 years’ experience in risk consulting and has advised leaders and organizations in over fifty countries around the world on how to create value from risk based on a mature approach to risk management. His wisdom and insights are in high demand. He has also received many awards for his ground-breaking work in risk management over several decades, including “Risk Personality of the Year” in 2010-11 and the PMI Distinguished Contribution Award.
Definition of Risks
Q1. You’ve noted that risks are more than uncertain future events, so what is “risk” by definition in the VUCA era?
David Hillson: I start with the idea that risk is “uncertainty that matters”. All risks are uncertain, but not all uncertainties are risks. Most uncertainties don’t matter, and the only ones that we need to consider are the ones that could affect our ability to achieve our objectives. Risks include events that might or might not happen in the future (for example, a key supplier might go out of business), but they also include non-events, such as variability in tasks that we already plan to do (for example, a trial may take longer or shorter than planned), or ambiguity in key aspects of our projects (for example, we may not fully understand part of the client’s requirement). Variability and ambiguity are uncertainties that matter, but they are not uncertain future events.
There’s a lot of talk about VUCA (Volatility, Uncertainty, Complexity, Ambiguity) as a framework for identifying and managing risk. VUCA was based on leadership models developed by Bennis & Nanus in 1985, and it was adopted by the US Army War College in 1987 to describe the world after the end of the Cold War. It’s since transferred to the business world, but I’m not a great fan of VUCA as I think it’s an incomplete framework, and it can limit our thinking about risk to just those four categories. But it does help people to think about other types of uncertainty, not just uncertain future events, so that’s a good thing.
Qualities of Risk Practitioners
Q2. What qualities should project leaders have in order to deal with risks? You’ve said risk leaders need to “dance the TANGO”; what does it mean?
David Hillson: Project leaders need to be curious! We should always ask the next question. What could happen? What would we do if it happened? Why did that occur, and could we have changed it in advance?
We also need dual-focus, the ability to keep our eye on the main objectives and purpose of our project, while being fully aware of the detail. All risks affect our ability to achieve objectives, but they usually arise unexpectedly, in those areas of the project which we think are OK. So we must maintain a relentless laser-focus on our objectives, but also know what’s going on in the dark corners of our project.
All project leaders need to be able to delegate, involving others in identifying and managing risk. We need multiple perspectives on our project, with everyone looking out for things that could be significant uncertainties.
The idea of “dancing the TANGO” was developed with my colleague and friend Agnieszka Gasperini, who uses Argentine TANGO as a metaphor for leadership strengths and skills. TANGO is an acronym, standing for Trust, Agility, Naturalness, Guidance, and Ownership. Each of these attributes can be applied to the challenge of managing risk effectively in projects:
• Trust. Risk practitioners must be trusted if they are to engage stakeholders in the risk process, because we provide advice on things that are naturally uncertain.
• Agility. There are many risk tools and techniques, but there is no one-size-fits-all approach. We must be able to combine the elements into a cohesive approach that meets the risk challenge. This demands agility and the ability to improvise.
• Naturalness. Risk practitioners must engage stakeholders in a way that feels natural and normal, without being too formal or bureaucratic. We should be seen as caring professionals who want to help others achieve their goals.
• Guidance. It’s important to communicate clearly about risk, and tell people when we need to change direction. This allows us to move together to address risk effectively, with a shared understanding of the risk challenge.
• Ownership. Risk practitioners must not become detached or operate in a silo, but the risk process must be fully integrated into the way we run the project. We all need to own the risk process, as well as specific risks, and be committed to managing them effectively.
Influencing Factors of Risk Attitude
Q3. What are the major factors that influence risk attitude? What’s the right attitude towards risk?
David Hillson: The attitude adopted towards risk by individuals and by teams is affected by a range of factors. These include external influences, such as the organizational environment, corporate culture, competitive situation or regulatory requirements. But there are also internal factors, such as cognitive biases that affect our own judgement and the way our team functions as a group. Typical biases include groupthink, anchoring, loss aversion, and the illusion of control. Finally, our perception of risk is affected by the project itself, whether it is strategically important, complex, innovative, time-critical, highly-visible, etc.
All these factors combine together to influence where we are positioned on the risk attitude spectrum, which ranges from highly risk-averse, through risk-neutral and risk-tolerant, to strongly risk-seeking. Each individual will find themselves at a different place on this spectrum, and the team together will also settle at a shared position, although this is often not a conscious choice.
But there is no “right” attitude towards risk! It’s important that we understand our individual risk preference, the default position that we adopt unconsciously when we’re faced with uncertainty that matters. But it’s also important for us to know that our preferred risk attitude may not always be appropriate. If we are naturally cautious, but we’re leading a project with high levels of innovation, we may need to get out of our comfort zone and be more adventurous. On the other hand, if we are naturally risk-seeking but we’re involved in a safety-critical project, we’ll need to curb our tendency to take risks. This requires a level of emotional intelligence, the ability to understand ourselves and modify our internal environment, intentionally choosing to act outside our comfort zone.
Risk Management Maturity
Q4. How should we measure an organization’s risk management maturity?
David Hillson: Risk management maturity reflects the capability of an organization to manage risk effectively. There are four main factors to consider when we are assessing how prepared an organization is to manage risk:
• Culture. One of the main influences on how an organization approaches risk is its corporate risk culture. This reflects the values, beliefs and norms about risk, and sets the context for the way risk is perceived and treated. Risk management maturity requires a strong risk culture, which can be measured in various ways.
• Process. Although managing risk requires much more than simply having a risk process in place, process is still important. We need a risk methodology that is tailored, scalable, flexible, robust, and up-to-date.
• Experience. The quality of our people has a huge effect on the risk management maturity of our organization. We need people with the right risk knowledge, skills and experience, as well as systems for maintaining risk competence across the organization.
• Application. Having an efficient risk process and experienced people operating in a supportive risk culture is a good start, but it counts for nothing if we don’t actually manage risk in practice. A risk-mature organization applies risk management across the business to support risk-informed decision-making at all levels, from board-room to tea-room.
In 1997 I developed the world’s first maturity model framework to provide a consistent way of assessing risk management maturity, using these four attributes. The Risk Maturity Model (RMM) has been used widely since then, with major organizations in various industries and countries benchmarking their current maturity and developing structured improvement plans to move to the next level.
Risk Ailments and Health
Q5. As a risk doctor, according to your observation, what are the most common mistakes in risk management?
David Hillson: I wrote a book in 2014 called “The Risk Doctor’s Cures for Common Risk Ailments”, which addresses the ten most common problems with risk management. The book is structured using the medical metaphor, with each chapter giving a description of one risk ailment, diagnostic symptoms, the prognosis if it is left untreated, a couple of case studies, and treatment options. The ten common risk ailments include risk blindness (not seeing risks), risk amnesia (not learning risk-related lessons from the past), risk muteness (unable to communicate about risk), risk obesity (taking on too much risk), risk depression (focusing only on negative risks), and risk myopia (missing long-term risks or those with wider impacts). I’ve recorded a few short videos about some of these ailments, available at https://www.youtube.com/playlist?list=PLXcr0g-yn-gQGxQaBKSspOdP4slGZQZqa.
Q6. “Health is not just absence of disease”, so how should an organization maintain risk health?
David Hillson: The medical world offers many positive strategies and tips for staying healthy, including good nutrition, regular exercise, sufficient sleep and rest, good relationships, mental and physical relaxation, and emotional expression. These strategies should be included in an overall healthy lifestyle, making them part of day-to-day life and building good habits that keep us strong and well and able to fight off disease and illness.
We can also implement strategies that promote healthy risk management and help us to avoid developing further risk ailments in the future. These include:
• Develop a mature organizational risk culture;
• Demonstrate clear risk leadership;
• Regularly enhance risk management capability;
• Ensure intentional learning; and
• Maintain momentum.
No single strategy will ensure the risk health of your project or organization, but together these five offer a powerful way of keeping your risk management approach strong and healthy. This is especially true if they are built into your overall “risk lifestyle”, becoming part of everyday practice in the way you approach risk. This short video explains in more detail: https://www.youtube.com/watch?v=HLjXPIjykKg.
Q7. What are your suggestions on managing opportunities to create value?
David Hillson: My simple definition of risk is “uncertainty that matters” – all risks are uncertain, and all risks would affect our objectives if they happened. But this doesn’t only include potential bad things, or threats. Possible good things, or opportunities, are also “uncertainties that matter” – they may never happen, but if they do then they make it easier for us to achieve our objectives.
This means that threats and opportunities are the same; the only difference is the sign of the impact. As a result, they can both be managed in the same way – identify and prioritize them, develop and implement responses, review and update our assessment, learn lessons. So I recommend an integrated risk process that addresses both threats and opportunities together. This allows us to achieve two goals at the same time: minimize threats and maximize opportunities, protect value and create value, prevent bad things happening and promote good things.
Including opportunities in the risk process has been a major focus of my thought-leadership work for the past twenty years or more. My most recent book offers practical guidelines on how to do this in projects. “Capturing Upside Risk: Finding and managing opportunities in projects” was published in June 2019, and I hope lots of people will find it helpful.
AI and Risk Management
Q8. In your opinion, how will Artificial Intelligence (AI) influence risk management?
David Hillson: I think there’s a lot of hype about AI, and many people are expecting it to revolutionize the world in ways that aren’t realistic. In risk management, we can use technology to assist us in data mining, exposing connections between risks that aren’t immediately evident, discovering root causes, and analyzing complex interactions. But this isn’t AI, it’s just faster and better data processing. Intelligence involves judgement, wisdom, intuition, serendipity etc. I think it will be a very long time before technological systems can replicate or replace that. The truth is that we don’t really understand how our own intelligence works! So I think there will always be a place for a human in the process, to think, consider, ruminate and wonder.
I recorded a short interview on this topic with an AI expert in Oman, Dr Salim Al-Harthi, which you can watch here: https://www.youtube.com/watch?v=fdBjaLZeuyQ.