Photo of Roulette Table

Influencers Part 2: Risk

February 17, 2017  |  Time: 1:00:04  |  Subscribe in iTunes

Risk is an organizational problem that reaches into our ability to make sound business decisions. We should think of stakeholders (and activating them to be positive and helpful), remember to check assumptions, and recognize that risks shift as priorities and the external environment do. Beyond the project-level risks, and past even basic quantification of risk and impact, we need PMs to consider the ultimate business value of their projects – and whether the project should even be done. Yep, even for a project, risk is an organizational concern that has a perspective shaped by the very organizational culture. Listen in to this episode and hear influencers Andy Jordon, Beth Spriggs and Bruce Harpham describe their insights and their approaches to handling risks and consulting with others about it.

Listen online or read the full podcast transcript below.

About the Speakers

portrait of Andy JordanAndy Jordan

Roffensian Consulting Inc

Andy Jordan is President of Roffensian Consulting Inc., an Ontario, Canada based management consulting firm with a strong emphasis on organizational transformation, portfolio management and PMOs. Andy has a track record of success managing business critical projects, programs and portfolios in Europe and North America in industries as diverse as investment banking, software development, call centers, telecommunications and corporate education.

Andy is an in demand speaker and moderator who delivers thought provoking content in an engaging and entertaining style, and is also an instructor in project management related disciplines. He always strives to provide thought provoking presentations that drive his audience to challenge accepted norms while providing actionable content that can be applied in the real world. Andy’s first full length book ‘Risk Management for Project Driven Organizations’ is now available.”

portrait of Beth SpriggsBeth Spriggs

Leadership for Educational Equity
Vice President of Technology

Beth Spriggs, PMP, is an experienced coach, trainer and speaker. Currently she serves as the vice president of technology at Leadership for Educational Equity (LEE), a major nonpartisan organization. For more than 16 years, she’s solved unsolvable problems, tamed unruly projects, and pulled off the impossible for organizations by deploying technologies that work for customers while positioning clients for what’s coming next.

Her extensive portfolio consists of everything from bite-sized undertakings to years-long overhauls that impact every aspect of the organization, but her focus has always been technology project management. Some of Beth's contributions include delivering webinars for and NTEN, speaking at NTEN's Nonprofit Technology Conference and DC Web Women's Conference; and attending PMI's Global Congress NA 2015 as an Expert. Beth was's member of the month August 2015.

portrait of Bruce HarphamBruce Harpham

Bruce Harpham is the author of the forthcoming book "Project Managers At Work," (Apress) which showcases the career paths and lessons learned from project professionals from NASA, Google, Apple and other leading organizations. Bruce Harpham is also a columnist with and runs the blog. Bruce lives in Toronto, Canada.

Full Podcast Transcript

0:00:02 Kendall Lott: Hey PMs, I found another interesting podcast for you. This one focused on career building, yours. Out of the Long Island Chapter of PMI come Brian Wagner and James Kittle who banter with interesting guests on careers and career success. Listen to the Scope of Success Podcast and learn business life lessons one interview at a time. Subscribe now on iTunes and follow them on Twitter and Facebook.


0:00:28 Andy Jordan: The business side of things is just as important and becoming more important than the ability to read a Gantt chart or build a project schedule. And I think I'm really trying to take PMs there by the scruff of the neck and say, "Listen, you're not project managers anymore, you're managers."

0:00:46 Beth Spriggs: For me it starts with a category of risk that gets very little attention, which is assumptions.

0:00:54 Bruce Harpham: If we think about risk as a four letter word, then I think that has the subtle affect of discouraging people from raising their hand and saying, "I think you should consider this risk."

0:01:06 KL: “A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities and that may be avoided through preemptive action.” That's the first definition of risk at And that's the topic of today's discussion. Avoiding risk through preemptive action, that's what PMs do, or at least we sure as hell try. The key is to accurately identify risks. The sooner a risk is identified the better chance of it being averted or minimized. In this episode, I spoke with three influencers from to find out how they look at risk and more importantly, how they manage it. We start at the portfolio level, where projects are viewed as units, assets actually, investments, just like a financial portfolio. Then we approach it from the opposite angle, almost at the DNA level, assumptions among the team, how ignoring stakeholder assumptions or making your own assumptions about their assumptions can lead to unintended or undesirable outcomes. Lastly, we examine risk as it relates to organizational culture and behavioral economics. How the culture of an organization is a determining factor in deciding how much risk to take on, or how much risk is taken on.

0:02:15 Announcer: From the Washington DC chapter of the Project Management Institute this is PM Point of View, the podcast that looks at project management from all the angles. Here's your host Kendall Lott.

0:02:26 KL: My first guest is Andy Jordan, Founder and President of Roffensian Consulting Incorporated in Ontario Canada, a small boutique management consulting firm that focuses on PMOs and strategic initiatives. He is the author of Risk Management for Project Driven Organizations: A Strategic Guide to Portfolio, Program, and PMO Success. In the title of your book you talk about risk management for project driven organizations, so let's talk about project driven organizations in the sense that, it just struck me that all organizations must be having projects, because they're trying to do change, but you're talking about project driven organizations, what is that? 

0:03:04 AJ: If I'd [0:03:04] If I’d had my druthers, I would've called it The Project-centric… which I think is a slightly better term, but it's really about organizations that recognize that the project needs to be the center of the way the organization operates. At the end of the day, the day to day stuff is easy, it's what they do all the time, it's what most staff are focused on. It’s the stuff that is different, it's the change that becomes difficult for an organization, it's where the problems arise. It's where the risks in this context come into things. So it's really about organizations that focus on doing the project stuff right, and to use an old analogy, it's looking after the pennies and the dollars will look after themselves if you like, the projects are the pennies here.

0:03:46 KL: Well, if we're focusing on those organizations, it sounds like your argument is ultimately that all organizations have to be project driven, because that's the only place you're going to get change, or improvement, or satisfy regulators. 

0:03:55 AJ: I think some organizations are starting to consciously go there, and I think what's really driving that is the idea of portfolio management, which started in earnest I guess five to eight years ago. And organizations have recognized that portfolio management as a stand-alone entity, ie., “we do some annual planning and we try and include the PMO or similar function there, and then we try and execute on that stuff,” that's fine, but it only goes so far. And to really leverage the benefits of portfolio management we have to integrate it with everything else in the organizational structure, so the whole human resource planning stuff, the finance stuff. And that's really where we start looking at projects being an important part of the company or the organization to where projects are driving the organization forward. So it's sort of making it a project-centric, a project-centered organization.


0:04:51 KL: Why is risk different for a project driven organization? 

0:04:54 AJ: I wouldn't say it's necessarily different, I'd say it would be expanded. If you think about risk management from a project sense, regardless of whether that's micro level or macro level, there's two categories of risk, there's the risks within the project itself, the typical management strategy we have of eliminate, accept, mitigate, transfer, the stuff the PM is supposed to maintain the log on and have people look at on a regular basis, and all that good stuff. But then there's the risk management beyond the project, the risks that are associated with choosing project A over project B, with investing in becoming more efficient and more effective as opposed to expanding into new markets. The portfolio level risk of choosing vendor A who we've never used before versus vendor B, who we have used many times before, but sometimes has been problematic. So, I think the first piece of that, the project level stuff, we do pretty well as organizations. You don't need to get another book on how to do project management, or project manager risk management, but the organizational stuff, the decision to do project A over project B or the macro level portfolio level stuff, we're nowhere near as good at as organizations or as individuals, and that's where I think this needs to focus.

0:06:10 KL: You're suggesting it's the choice of projects, the choice of how to execute the projects that becomes a risk, is a new risk or one that we're less mature in? 

0:06:20 AJ: If you look at things from a CEO standpoint, I'm sure every CEO will tell you that they're very aware of their economic risks, their technology risks, their competitive risks, even things like reputation or regulatory and investor type risks. But if you then ask them how those risks affect their project portfolio, then things are going to get very quiet. They look at things as an organization, as a macro level, "This is going to affect our three-year, five-year, 10-year plan," they don't necessarily look at how those risks would or should drive project selection. Technological risk is an obvious example, all organizations these days are subject to the risks associated with the rapid advance of technology, but how many C level executives consciously consider that when deciding which projects they should be going through? 

0:07:14 KL: So, this should alter the course of deciding, which projects are in the portfolio in terms of gambling on a current technology versus something later or making a change in the business process based on a technology without thinking, "Wait, hold it, I know all this is going to change in three to five years, so why is this other part of my brain just kind of going along with the program?".

0:07:32 AJ: Exactly, all that stuff, but then also [0:07:34] labor in how easy is it going to be to get resources on these new technologies today versus how easy is it going to be to get replacement resources for existing technologies three years from now…? It gets scary quick.


0:07:53 KL: How do you make the good selection, how do you walk them through that? What is it you need them to see and what are some of the tools or methods or what should they be paying attention to, to make those decisions? 

0:08:03 AJ: The book talks about something called an organizational risk profile, which is really sort of trying to have the organization understand where it is exposed to different external and internal risks. How much money it is spending to try and manage or control those risks, how much effort it is expending on those risks. Not just the hard dollars, but the soft dollars if you like that we've got people looking and monitoring and stuff, and then the more traditional risk element there of how big is the impact of it going to be if it actually impacts us, but in terms of dollar terms and recovery resource terms. What's the likelihood of it actually triggering? But then going beyond that and saying, okay, once we understand these are the risks that we are consciously exposed to and some of those will come back to just standard operations and the risks that are inherent in running a business, but then when we start looking at project A or project mix A over project mix B, then we start understanding a little bit more as to how we're impacting those risks.

0:09:12 AJ: But then take that one step further to say, "Okay, what are we actually looking at in terms of total exposure, both in terms of how much money we are putting aside and how many people we're putting aside to manage risks today, in terms of conscious contingency spending, but also how much management reserve do we have for the impacts for those risks that we're not successfully managing?" And then looking at saying, "Okay, what's our real exposure here? Do we have a surplus or do we have a shortfall? Can we spend enough money or are we spending enough money? Are we dedicating enough resources to controlling the risks that we're consciously exposing ourselves to and if some of these risks hit or if the risks hit worse than the law of averages says they will, how exposed are we?" Potentially at the extreme if we don't have enough reserve in place, and we're not managing risks enough, then we're risking bankruptcy or we're risking having to be bailed out in the case of a public sector organization, if we don't have enough coverage.


0:10:18 KL: This strikes me as still very analogous to portfolio analysis. I take a bundle, I have different mixes I can have, I look at expected return at a cost…

0:10:30 AJ: No, it's really taking those concepts in a different way and I think to get buy-in, to get acceptance from organizations, they don't need a whole new way of looking at stuff, they need to be asked to look at the tools that they're already using in different elements of the business and apply them to a project execution approach. If we can go to a CFO who ultimately is going to be dragged into these kind of discussions, because it's money, and give them something that they go, "Hey, I kind of understand this, because this is like we do in another area," and then apply it to a project selection, a project execution approach, because this isn't just something you'd do at the time that you do your annual planning, this is something that is going to live and breathe as priorities change, and as actuals come in that are different from plan throughout the portfolio. Then this is something that they can relate to and buy into a lot easier than if it was some weird and wooly project management approach that just causes them to glaze over, because they're using PMI terms that nobody relates to.

0:11:33 KL: So it has the advantage of being a good communications tool in that sense, but it sounds like it has good underlying intellectual principles.

0:11:40 AJ: Yeah, I don't want to reinvent the wheel here, I'm just trying to say, "Let's apply some of these concepts specifically to a project world," and you could take this to a project manager and they're probably not familiar with a lot of the concepts here unless they've got a financial or accounting background, but you take it to an executive and this is going to feel, if not comfortable at least familiar.


0:12:06 KL: So is the goal to get Project Managers to understand the larger context they're in or for those that choose to enter a new level of their profession? Who is your audience in this context? 

0:12:18 AJ: The easy argument, if you like, or the easy buy-in to the concept is the executive level because they understand the concept, they just need to be convinced that the project and portfolio elements of this are an important part, and that's happening. But I think more importantly, it's looking at the project and program manager level and saying, not necessarily, "Hey, you need to understand the ins and outs or the math behind this," but you need to think beyond the project. It's no different, it's just a different flavor to the argument that says, "We shouldn't be managing to a triple constraint, we should be managing to ensuring that a project delivers its benefits, because that's how the organization actually grows and wins from this." And PMI is starting to get there now with its talent triangle that looks at leadership and looks at business and industry skills, as well as the technical project management elements. And I think I'm really sort of trying to take PMs there by the scruff of the neck and say, "Listen, you're not project managers anymore you're managers. And maybe more particularly you're leaders. But the business side of things is just as important and becoming more important than the ability to read a Gantt chart or build a project schedule."


0:13:31 KL: In recent podcasts actually, I've spoken with a couple of people, Sato Tomoichi and Stephen Devaux, both who are addressing issues at the critical path level that are actually... I was stunned when I heard it, I'm like "This is economics in project management," and they were taking this kind of principle of, "There's a risk adjusted expected return of what you are doing," to highlight to project managers, "You're handling an asset." That has some implications, because for example, if you have to put more money in onto the critical path and you're delaying schedule, there's a cost to that, it's an economic cost.

0:14:06 KL: For those of you who are interested, Stephen Devaux and Sato Tomoichi are featured in podcast number 25 and 27, PM Advances Part One: "Value" and Part Two: "Beyond the PMBOK."

0:14:17 KL: What I heard you say that was interesting was it's kind of like to shake executives up to say, "You guys probably don't see what's going on underneath the ice that you skate on, but people take your direction and contrive to build projects to make things happen for the strategic direction you have. And those are actually assets, so we have a portfolio of the labor and the output of all these change initiatives." And so, it's kind of a wake-up call to them, that what they would normally see dealing with dollars they can now see in the context of labor, in effort that is constructed around delivering change products.

0:15:00 AJ: And not only that, but it's starting to look at project execution as just another business line, if you like. It's a very different business line, but if we start thinking about, "We need to expand our sales capacity or our marketing capacity or our professional services capacity or whatever it might be," way before we actually say, "All right, let's spend more money on it," we engage with finance, we engage with HR, we start planning ahead, we put plans afoot, so that we have the right people in the right place at the right time with the right kind of environment for them to succeed. So that we can expand sales, expand marketing, whatever it might be.

0:15:38 AJ: Why do we treat projects any differently? Why do we suddenly think, "Oh we're initiating a project we should start thinking about where our resources come from," that's way too late in the day. When we do our annual planning and we say, "Okay, here's our Q1, Q2, Q3, Q4 projects," the Q1 stuff should already have been fully resourced, the Q2 stuff should be in market and the Q3 and 4 stuff should be with finance and HR to figure out how we're going to get those people there, especially with some of the emerging technology stuff, to go back to that. 'Cause you can't just go out to the street and find 12 people who are capable of developing complex solutions with modern technology.

0:16:14 KL: So these quarters should already be in play, there's a life cycle to this that we don't think of when we think of projects. We think, we've planned our four quarters of projects and next week we're starting. [laughter] It's January 1st lets go.

0:16:26 AJ: Yeah. I'll buy into the argument that a project is a temporary endeavor. And yes, we all know why, it has a start, it has a finish, but a portfolio isn't. We conveniently call a portfolio, the 2016 portfolio or whatever it might be, but the portfolio doesn't begin and end. It's just going on with convenient breaks for when we do our planning and make major changes to it. But there's always going to be overflow of initiatives from one portfolio to the next. It is just a business unit. I don't mean that just in terms of being simple, but it is no different from 'fill in the blank' other business unit.


0:17:06 KL: But where you started was now looking at the risk associated with an organization that does see itself as driving projects and an accumulation of projects. So this is a more specific analysis, it's not just the total expected outcome of your projects, but rather it's the understanding and aggregation of risk. That slice of the portfolio almost.

0:17:27 AJ: But we have to think about risk from a different lens. We have to have project managers who are looking at themselves almost as sub-portfolio managers rather than just project managers. They are responsible, if only on a temporary basis, for an element of the portfolio, and they need to manage the risks in their initiative, the risks of the investments that they're looking after. Not just in the context of that particular piece, but in the context of how it may damage other elements of the portfolio. "If I am late, if I am unable to deliver the $2 million of net new revenue that my project is supposed to deliver in the next 12 months, how does that impact the rest of the portfolio?"

0:18:09 KL: And that's what you're trying to propose for people to hear and see, is the tools and the method of exposing that information so a project manager could actually see that? 

0:18:18 AJ: Yeah, exactly that.

0:18:19 KL: It could be sent to them to say, "Hey, listen. You 19 folks running your 42 projects, this is how you look together from my perspective."

0:18:26 AJ: Yeah. So it's really looking at or having each of those individuals, those 42 people or 19 people whatever, to look at things from a 360 degree concept. How does their project influence other areas of the portfolio and the programs that they're part of? How do changes in other areas potentially affect them and how are they going to understand that? But then also going even one step beyond that to say, "What is the role they play on an individual portfolio risk that may have nothing to do with an individual project?" If we have a project that starts in Q1, that has a small vendor element and we've worked with that vendor before, we trust them, we'd consider them to be low risk, is the PM going to be worried about the risks there? Sure, but not overly so. If, on the other hand, that same vendor is going to be the critical part of the largest project in the portfolio for this year that kicks up in Q2 and we need to set expectations with this vendor, things are going to be managed a lot more tightly, a lot more aggressively than they've been in the past, we may ask that PM of the Q1 project to manage that vendor risk a lot more aggressively just to set the expectations for the more important project that's coming further down the road. Nothing to do with that project, everything to do with portfolio success ultimately.

0:19:47 KL: Wow. There's a lot of learning that needs to be done here, because I think it comes from not just the understanding but having a tool to actually see this. It has to be exposed, in my mind. And then somebody has to understand it well enough to then really talk about it. It's a coaching moment for a portfolio manager to sit with the project managers and figure that out.

0:20:05 AJ: Yeah, it's not just communication, it's understanding the context, understanding the dynamics and the interdependencies between all this. And ultimately to be successful it's a culture change for, if not portfolio managers, project managers to understand that they are now managing a part of a complex ecosystem not a stand-alone initiative.


0:20:31 KL: Where does the program manager fit into this? 

0:20:32 AJ: So I think that there's elements of them that are super PM, if you like, or large scale PM, because it's the same sort of concepts as the project level. They have the additional complexities to think of in that they are trying to manage a collection of projects for effective economies of scale, which in and of itself requires a change in risk management approach potentially and also introduces new risks. But at the same time, they're also dealing with the risk and uncertainty involved with time. The program is going to have elements of projects that have already completed and elements of projects that have not yet started, that may or may not be part of the current portfolio. So they've got that added complexity to think about, "Okay, what can I do now to manage risks in advance of a project actually starting or to mitigate risks that potentially are going to hit me later? How can I leverage risks that I've already successfully managed in the past to make my life easier on this project or this particular set of projects in the program?" It becomes a much more complex sort of set of variables, because they're adding time into the mix and they're adding sort of the managing up and managing down elements to the portfolio and the project.

0:21:47 KL: I was looking at the cover of your book and it has the eliminate, accept, mitigate and transfer, which your discussion seems to go so far beyond that. It's like given that that's happening, the question is, is what is the impact of what's left once you've made those decisions? And as we change or need to change management or change projects, how does that matrix or that overall outcome, that portfolio change? 

0:22:13 AJ: Back to the way that we actually sort of do that work is tremendously variable, and potentially we are going to be spending a lot more time as we start thinking strategically looking at the eliminate option, which is something at a project level that is very rarely considered. In fact, when I was taught project management way back when, when the world was black and white and I had hair, I was told eliminate is something that you very rarely ever do, because it usually means that you have to change something fundamental to the project and that won't be accepted. With a portfolio, eliminate is something that you're going to be doing every single day when you're making your decisions. You're going to decide that, "I cannot expose my organization to that degree of risk. I'm going to do something different." The return there is potentially great, the risks involved are way too high.

0:23:01 KL: What tools do we have available to us here? Is there stuff being built? Is there something we can use? 

0:23:05 AJ: The next generation PPM tools, Project Portfolio Management tools, are trying to get us to this level of information. The best thing we need is we need good communicators. If you've got the ability to communicate then the tool that sits between your ears is going to be able to serve you best. Software systems are great, but they don't substitute intelligence and the ability to make sound business decisions.


0:23:36 KL: Where do we find this portfolio manager and what makes him successful? 

0:23:41 AJ: I think the good news is that project managers today, PMs listening to this, people working on projects that are listening to this podcast now are being helped tremendously to become that portfolio manager down the road, if they want to be, by the evolution…PMI’s continuing certification requirements. I think that the move to the talent triangle that's putting a lot more focus on leadership elements and on business management elements are going to help create a much more rounded PM who understands the business impact of their work, and start setting them up to gain the experience that can ultimately lead them to be a portfolio manager. But I think that if an organization today is looking at the internal skillset or looking in the marketplace and saying, "What do I need to be able to do this?" Obviously somebody who's got a project background is going to be helpful, but they want their best business leader.

0:24:33 AJ: Take somebody who understands how to manage a department, how to manage a set of goals and objectives. Yes budgets, but achieving results rather than just maintaining fiscal control, that person is going to be able to succeed at the portfolio level. They may have no financial background at all, and I really don't care about that, because organizations have so many good financial tools and so many analysts within a finance department that can handle the money side of things and can plug it into the right computer systems. We need somebody who's got the right business acumen to be able to make the tough decisions, has got the willingness to step up and be held accountable for those decisions, and the intelligence to know that they're balancing the variables appropriately to have the greatest confidence that the decisions they make are gonna be the best ones.

0:25:25 KL: Andy's book, Risk Management for the Project Driven Organization, is available on Amazon. Look for his articles and webinars at


0:25:44 KL: Beth Spriggs is the Vice President of Technology at Leadership for Educational Equity, a nonprofit whose mission is to develop leadership skills for people who want to change education in their communities. She's an experienced project manager, coach, trainer, speaker and author.

0:26:00 BS: I'm a strong advocate for project management.

0:26:01 KL: Why is that? 

0:26:02 BS: I feel that these skills are applicable, actually in any role, no matter what. There are some hard technical skills around some pretty…you know… processes and templates and things that are out there for project management which are incredibly helpful. The soft skills, which are harder but that are essential, such as communication, how to influence people, how to get buy in, how to develop relationships. They're so critical to success in any project, and difficult to cultivate.

0:26:44 KL: Definitely.

0:26:45 BS: And with risk...

0:26:49 KL: Yeah, why risk? 'Cause that's not exactly a soft skill. I mean, it could be viewed that way maybe, but...

0:26:54 BS: Risk is interesting. Because there's a very set process for risk management. And it's pretty well-defined. And I have studied this, in all of the templates and everything I look at, it categorizes everything into the same four groups. You have the same probability times impact, you figure out your strategy for how you're going to deal with it before it happens, how you would deal with it if and when it happens, how often you review it, it's pretty set.


0:27:32 BS: For me, risk management is a mindset. So it's a little different. It is, are you actually thinking about risk in your daily conversations? Is it on your mind? Are you prompting other people to think about it? Are you constantly figuring out mitigation to what's going on? 

0:27:56 KL: So for you it seems more about being present in the risk. You're still asking the same questions it sounds like...

0:28:00 BS: It's the same questions. And while I do track it in a risk register, and we will go back to it and we review it, it is actually a point of conversation, and intersects in conversations all the time. It is not something that I do, and I set aside and I come back to, it is integrated into our thought processes and into our work.

0:28:22 KL: So to be more specific, can you give me an example of how we can see that in operation? 

0:28:28 BS: Someone will say, "Okay, we're working on this project, we're at the execution phase, and I'm trying to get this person to do this test for me, but they're not responsive, they're not doing X." I'm like, "Okay. Have you talked to them about this?" And I go "Look. You've identified a risk. What are we going to do to mitigate this risk?" And it's not something that's like, go write it in your risk register. It is integrated into all of our conversations.

0:28:58 KL: It sounds like it's a risk point of view.

0:29:00 BS: Yes. So when issues come up, I start immediately, my brain immediately goes to, "What are the risks associated with this? Either that are going to come out of it, or that caused it?" And then I think about either, "Did we fail in the mitigation, do we need to implement a strategy, because a risk just happened, it is now occurring, or did this now create a new thing that we have to address?" I find myself, all the time just in conversation, saying to other people, "Oh that's a great mitigation strategy, what you just came up with." And I point it out...

0:29:38 KL: They don't even know they're mitigating something.

0:29:39 BS: They don't know they're doing it. But what I do is, I bring it up, and I point it out and I say, "Look, what you're doing is you're now mitigating a risk that you just identified." Because I want people to be aware that we're actually constantly doing risk assessments all the time around us.

0:30:01 KL: You think that's a function of being a professional, a person in technology? 

0:30:06 BS: I think it's a function of being a human.

0:30:09 KL: That we're actually mitigating or managing risk.

0:30:11 BS: We manage risk constantly, like when you get up and get dressed you check the weather to manage the risk of what you're going to wear that day.


0:30:26 KL: The guide to the project management body of knowledge indicates that we start with scope. But you're inviting me to think about this from a risk lens. So if I'm you, I'm thinking or if I'm following this mindset that you have, it's like, "Oh scope is important, but I want you to think about it as this is the first way to start mitigating risk of failure by getting the scope right."

0:30:46 BS: Yeah. So rather than it being a step in the process, it is something I think about and integrate into every phase.

0:30:55 KL: So when you're doing the webinar, are you teaching about how to have this mindset or do you have some tools and tricks for getting us into this mindset or are you trying to just break the ice so people start thinking this way.

0:31:07 BS: For me, it starts with a category of risk that gets very little attention, which is assumptions.

0:31:16 KL: Okay. So assumptions in risk. Okay.

0:31:18 BS: So it starts as a category. There is a type of assumption we're not looking at, we're not necessarily putting into our risk registers. The difference between a risk and an assumption, is a risk is something that we know has not occurred yet. An assumption is a belief that something is the current state of truth. The assumption drives the expectation. So for example, I think that everybody loves cupcakes, that's an assumption. I think I'm going to sell 500 cupcakes, it hasn't happened yet, maybe I will, maybe I won't. That’s not an assumption. The assumption is that I think everyone loves cupcakes. Now if that assumption is totally wrong, then I'm certainly not going to sell 500 cupcakes.

0:32:13 KL: It's interesting, you're separating risk and assumptions, so in fact that's kind of what we're trained to do, you lay down the bedrock of assumptions, now we go and look at risks. But what you're saying, it seems to be, is the assumption itself is a risk.

0:32:25 BS: Yes.


0:32:30 BS: If I don't uncover that assumption I have a huge risk in myself. And so now, by figuring out the assumption I can now uncover if there is a risk, "Wait, not everyone does love cupcakes, oh I have a risk I might not sell 500." I'm now going to change the expectation or I'm going to change what I'm doing to sell them to meet the expectation. But I will be more closely aligned to the final expectation, therefore my final result will be better.


0:33:02 BS: There's an exercise I do, where it's just a spreadsheet where literally, you and your team sit and write down all your assumptions and then you score them. I already held that same assumption, I did not know you had that assumption and you give them a score and then you tally up your scores and then you look at the ones that scored the lowest, basically the assumptions that no one knew that you held...


0:33:27 KL: Become a risk? 

0:33:28 BS: Are a risk, that's your risk.

0:33:29 KL: I never thought of it that way.

0:33:31 BS: Those are the ones that you really have to pay attention to. Now that it is in the light of day, you actually can act on it. The thing that makes assumptions so risky is that we don't state them out loud, it's just something we hold true.

0:33:45 KL: They're kind of obvious, you feel.


0:33:47 BS: You think…they're obvious to you, because in your mind it is just truth, but that might not really be the case.


0:34:03 BS: And for me this does tie directly into technology in a lot of ways, because there are a lot of assumptions made in technology, so I really try to focus on the assumptions and how that plays into our risks.

0:34:14 KL: How does tackling these assumptions and the use of technology take me to an improved project management practice? 

0:34:20 BS: Yup. I'll give you two examples. On the end user side, when I'm delivering a tech product for someone else, there are a lot of assumptions they make, usually around security, they don't think about or call out security, they just kind of assume that security is a built in thing and just happens on its own. It is not something that ends up in the scope, it does not end up in their requirements list, no one's talking about it. They just think that security is a magic thing that just takes care of itself. They don't realize that it takes work planning, has to be put into your project plan to build out the proper security into what you're doing.

0:35:04 KL: I hadn't thought of that, just generally with technology builds you're saying security is assumed.

0:35:07 BS: It is.

0:35:08 KL: Rather than viewed as a risk.

0:35:09 BS: It is, yes, because when you are dealing with the technology in your daily lives, the security is built in and so people walk in with that assumption. So it does not end up on their requirements list. But then we have to think about that actively and still put it in.

0:35:26 KL: Which has implications for the project schedule and scope, which is to save money? 

0:35:31 BS: Yes. Because the technology is so user friendly and it is so easy, they make assumptions about how easy it is to build, how fast it is to build, the security that's built in and then they think that the timeline should be shorter. And it actually takes a fair amount of work to explain it and say, "No, this is g going to take more, it takes this money, because of this and we have to have this security."


0:36:01 BS: On the flip side, those of us who are building out the technology make a lot of assumptions, too. And it's usually... And this is another mindset I'm trying to shift. It's usually we assume that everyone else doesn't know how to use technology already.


0:36:17 BS: And that whatever we're building we have to make it fool-proof, total idiot-proof. Rather than, "Well, hey, people actually do know how to reset a password. They do it all the time. So, it's okay if they have to reset a password one time. It’s not going to kill your user adoption. It's not the end of the world if someone has to reset a password."


0:36:45 KL: How can project managers base on that set of assumptions? Because, you're kind of asking for them to understand their environment. How can they not know that? We're all raised with our phones. We're all walking in with our phones, but the work force is full of people who are literally raised on these phones, so how can we have such a dissonance there? 

0:37:05 BS: This is what I'm trying to figure out. It's like, if I'm at work and we built a mobile app and someone comes and says, "Oh, I'm supposed to use this mobile app, when do I get training?" I'm like, "What? Do you get training on the mobile apps you download on your phone? How did you forget?" It's like there is, there's some kind of breakdown and we really behave differently at work and what I'm trying to do is actually bring this to the forefront of our mind, so that people are actively thinking, "Wait, I do not need to behave differently at work. I should actually take all of the awesome knowledge of what I do in my personal life around technology and apply that into my work. I'm going to bring that into my assumptions." What it does is that it changes my assumptions in the other direction. So instead of walking in and assuming people don't know how to use technology, I walk in the door and I'm going to assume they do. I'm going to build stuff assuming they do.

0:38:00 KL: You better write that one done and check it.


0:38:02 BS: Yes. Yes. I'll write it down and make sure. I'll just do a quick survey: Do you have a Smartphone? 

0:38:09 KL: Your point's going to be that you're going to validate that in fact people do, say yes to that answer, that they do feel comfortable.

0:38:15 BS: Yes, yes.


0:38:20 KL: So, what are the risk implications? When we talk about that, getting that assumption wrong. Who's at risk? Why are they at risk? What do you see as the risk there? 

0:38:28 BS: Your project timeline's at risk, your project budget's at risk. There's a lot of communication breakdown.


0:38:38 KL: So what's your vision for the project manager who gets this, has the risk mindset generally, specifically tackles this area that you've highlighted around assumptions? 

0:38:49 BS: We have, one, better communication. The expectations are more clear, so that people aren't sitting there feeling that their expectations were not fulfilled, or done wrong. Because there are expectations on both sides from this, and I feel that we will actually get that more... We'll nail it, and we'll get the expectations fulfilled better. I think just overall, I think it's going to help keep our budget closer. It's going to help our timeline be more accurate. You're going to have better time estimates. But then all of that leads to, and especially if you're having more precision on meeting people's expectations, you will have more user adoption, you'll have more people bought in, you will be able to influence people more and I feel like the influencing part is also a big piece of it. So I see a lot of advantage kind of across the board in all those areas. If we really can get this, you know what we were saying, a base line of assumptions, think about the risk and the risk that those assumptions could cause. Can you flip it around? Are you communicating out your assumptions? And then are we setting the right expectations and getting other people's expectations met correctly? 

0:40:04 KL: This is really interesting to me, because I'm hearing all of the implication is a way to improve how the project is done, the act of doing project management and project completion. But what the project produces, let's call it a product or a service, but the product itself becomes more valuable in this atmosphere, and for you it's a mindset of risk is how you got there through your lens, but it's checking assumptions and one of the major assumptions is around the technology adoption. It's not only that my scope and schedule and budget will be tighter and better and I can communicate it better, but the thing that as a project management team, we have brought forward is actually going to be used better, it's going to be more valuable to the people who invested in this project to begin with.

0:40:45 BS: Yes. And I believe that because you have more closely met the expectations of those people.


0:40:53 KL: So, PMs. Think about risk and specifically in the area of risk as assumptions, which ties in with expectations. Project management is about designing activities for future deliverables, so it's really about expectations. You need to recognize your own assumptions and communicate with clients and your team to discover theirs. The more effectively you assess the expectations, the more useful and appropriate the product will be that you deliver. Check out Beth's webinars on Also, she has a blog on her website,, that's


0:41:37 KL: My next guest, Bruce Harpham, writes on technology and project management at Project Management Hacks, a blog for growth oriented professionals. You may know him from his copious articles on He is the author of the book Project Managers at Work, which will be coming out later this year.

0:41:53 KL: What got you into risk at all? 

0:41:56 BH: My first introduction to the concept of risk and it's something that continues to inform my thinking is through the prism of the financial industry, which has I think been on the forefront of developing, thinking around what is risk and how does it impact financial decisions.

0:42:18 KL: Did you start out in finance and then move to project management or the other way around? 

0:42:21 BH: I started off in the financial industry and then moved to projects later on.


0:42:31 BH: I think sometimes people have a view, that... an ideal scenario would be risk equals zero. The absence of risk. And my thoughts about that are twofold. First of all that sounds like a rather boring project, [chuckle] where there are no unknowns of any kind and one could say that that's conceptually impossible.

0:42:54 KL: As I say that's not even a project probably is it? 

0:42:57 BH: Indeed. And then the other piece is that you have to view risk as what is acceptable given your objective. To use a very brief investment example. You could have your entire portfolio in let's say US Federal Government Securities. And the risk would be extremely low. And the return would also be correspondingly very low. Therefore, many individuals choose to take on additional risk in return by investing in public companies and other kinds of investments. In the understanding that this will increase their returns.

0:43:44 KL: So fundamentally risk is what allows us to have an upside? 

0:43:47 BH: Yes, that's right.


0:43:54 KL: How do you see that playing out in the project management role? 

0:43:57 BH: So in the project scenario, I think the question is, do we understand all the risks that we're taking? Do we have some level of comfort around those? When I say all the risks we're taking, I would put an asterisk next to that, meaning, do we understand really what are the major risks that could have a some kind of significant impact? Would it cause the system to fail versus would performance be 0.5% diminished? Those are in different categories.

0:44:40 KL: It's kind of in the sense of catastrophic versus maybe efficiency.

0:44:44 BH: Yeah. And culturally what can you make happen? The way that I like to illustrate the cultural point around risk would be a contrast to Gmail, Google's free email service versus the online banking service that you use from whichever bank you use. If Gmail goes down for an hour, I'm bothered, but if my online banking service were to be down for a day, I would be extremely upset.


0:45:21 BH: There is, I would say, a smaller scope to take on risk in technology innovation in a large financial institution compared to a technology product that may have somewhat less impact if it were to fail.

0:45:38 KL: Do you think that's inherent in the nature of the management of a financial industry or a firm in the financial industry? 

0:45:44 BH: Well, it does seem to vary. Certainly if we go back to 2007 or so, I think many people in the financial industry were swinging for the fences and taking huge risks that in some cases destroyed companies. I would say, speaking from Canada, that the Canadian financial industry tends to be relatively more conservative than our peers in America or Europe. And that means on the positive side, we're less likely to go under. But during boom times we don't earn quite as much profit either.

0:46:25 KL: I think we've seen this in some discussions in behavioral economics. It's the fear of loss that's greater than our actual weighing of risk properly.

0:46:34 BH: Yes. And the behavioral economics point around the importance of loss, I think is very important. Where that mechanism can cease to operate, is when we don't understand what the risk is.


0:46:55 BH: So in terms of project activities that a peer may be doing, where the failure often occurs is in the risk identification step, which generally speaking occurs pretty early in the process.

0:47:13 KL: So how are you instructing people to tackle this? Is it around just the definition itself, is there a better technique than we look at when we look at the PMBOK or is it essentially, "Do your risk register? No I mean it, seriously."

0:47:26 BH: So, we have a lot of good fundamentals, but sometimes the failure comes in terms of execution in actually using them. So that's half the coin. The other half of the coin I think is in shifting how we talk about and think about risk. If we think about risk as a four letter word, then I think that has the subtle effect of discouraging people from raising their hand and saying, "I'm the technical specialist on XYZ and I think you should consider this risk." If people get attacked or take a hit to their status from raising a risk then we're never going to have a good picture.

0:48:09 KL: So you're back to your culture aspect, it has to do with the organization's culture.

0:48:14 BH: Yeah. I think it will manifest in a few different ways. First of all, I think it will significantly impact project selection. If we're sitting around at a table and we have a list of 10 projects, let's say five of them are regulatory, meaning, if we don't do this the executives go to prison.

0:48:34 KL: I vote for that, as an executive, I vote for... We pay attention to that. [chuckle]

0:48:40 BH: So those tend to get the green lighted pretty quickly.

0:48:43 KL: Oh, I failed the test didn't I, okay.


0:48:46 BH: Yes. And then if we look at the remaining ones on the list there's going to be some that are, maintain the system at its high level of performance. So we're upgrading from version 10 to 11. It's still a project, because things can go wrong, versus let's invent a brand new financial product and bring it to the market. It's going to require more persuasion or selling in some cases to get that at the door. You don't want to have a string of failed projects that you led or that you said okay to.


0:49:30 KL: Traditional ways of evaluating risk look at the impact and the probability, amongst other things, right? 

0:49:35 BH: Yes. Absolutely. Yep.

0:49:36 KL: Catastrophic here in the financial industry for example, where catastrophic means not only the loss of tremendous amounts of money, that's bad enough, but it actually means jail time for the decision makers. So what happens now is is a very small probability of something happening that could result in some sort of criminal charge becomes the first things or earlier project portfolio decisions that are made. Projects that will make that not happen is what they go after. And your argument is, if I understand correctly, if you actually weighed out all the risk, we've mis-weighed those.

0:50:14 BH: Yeah. The drive to avoid loss tends to kind of favor that, "Let's make the risk management system or technology even better." As opposed to, "Let's try and go to the market place and win and earn something more." It's never completely one or the other, but from everyone I talk to in my industry, if you compare 2016 to 10 years ago, the percentage of the project portfolio that is regulatory has gone from, let's say, a third to half.


0:50:54 KL: What is the effect on projects with respect to where they sit in culture? You're seeing in here in the project selection, do you see it in the project planning or execution or monitoring, control and monitoring phases? 

0:51:09 BH: Yes, I do. And the way that I see it manifest at the monitoring stage would be demand from a project sponsor that every time you give me an update on status I do want to hear about the classic factors, all around schedule, how is the budget doing? But, I also want to know... You gave me a list of 200 risks to begin with and you asked for these resources to be applied against that. How are we doing there? Are we going to hit that? You said there was a risk that big technology Company A, who is a key vendor to us may not perform. Is that happening? I think there's a growing maturity that I'm seeing at the executive level of that. If you want risk to be taken seriously on a project you have to ask about it.


0:52:11 KL: I would imagine they're asking them. Surprised we're seeing the maturations that they're beginning to ask, I would've thought the question was, how do they ask about it? Is it about how they engage with the IT or construction or new products person in the risk discussion? 

0:52:26 BH: Risk is sometimes perceived as somewhat squishy or vague, particularly when there is a limited amount of data. The executive maybe looking at a list of 20 risks and they all may have some kind of budget attached to them to kind of mitigate them and say, "Well, is risk seven really genuine." And it's their way to push back, and that's fair. And then, the PM has to have some kind of meaningful answer to say, "Actually no, we haven't really seen anything happen, but I think it might." And you have to be transparent about why did you put it on the list? Were you trying to be comprehensive? Or you think there was something specific that could've happened here? 


0:53:21 KL: Do you see people doing that comprehensive as a form of covering themselves to make sure that they can go on record that they've stated everything? 

0:53:28 BH: The kind of slang term people sometimes use is CYA.

0:53:32 KL: Yeah, yeah.

0:53:34 BH: And I think that's a big part of what is kind of below the surface that's motivating people. But, I think that people want to look good and they want to be associated with successful projects that deliver lasting results and then that kind of ego need, in a way, will motivate people to say, "Okay. If I only have so many work hours a week to work on the project, and so many of those are dedicated to risk, which ones should I really focus my attention on?"


0:54:16 KL: So project managers need to understand the value of risk. How do they need to interact with stakeholders? 

0:54:21 BH: There's two ways we can look at stakeholders here. One is to inform the identification and prioritization. And to play that role of being somewhat skeptical to say, to kind of take the textbook example, the legal stakeholders says, "Oh we can't do X because it could be bad." "Okay, walk me through why do you think that would happen. Has there been a fine awarded or cases that are relevant here?" And then the other piece is to ask stakeholders what they can bring to the table in terms of risk mitigation. So, absolutely invite them to raise their hand and say, "Risk A should be on the table. But also, what can you advise us to do?" So, I think sometimes people look at stakeholders as kind of the passive recipients of emails or communications.


0:55:25 BH: And that's I think often what actually happens. But I think stakeholders and subject matter experts, etcetera, can make a more significant contribution.

0:55:39 KL: So they're very happy to tell me all the risks if I bother to ask them. But then challenging them to tell me, "What can you bring to the table to solve it?" helps change my perspective at least, even as a consultant to using their sharp-eyed approach to what could go wrong in a more positive way. So I see it as make them active, and then make them positive. So I think that's an interesting set of techniques there to look at.


0:56:05 BH: And I think part of the larger story there, if you're dealing with someone who's, what I would call a professional expert, so an engineer, a lawyer, etcetera, I find in many cases, people that are professional experts like to be valued for their professional judgement and their opinion.


0:56:35 KL: What do you see the next thing that needs to be tackled in risk? 

0:56:38 BH: Well, if I think about risk management broadly, now going beyond the project context for a moment, I think there's a huge opportunity to bring big data and analytics to the story. And I've done some research and reporting on this topic. How can we better collect instances of things going poorly and use that to inform our decisions, because I think as much as people are trying to be more quantitative, there's a huge long road ahead to become more sophisticated in that way.

0:57:17 KL: You are so right, because so much this quantitative gives the appearance of a level of precision that simply isn't there. One of the things I found in project management often, and certainly in the risk space is, there's a false sense of understanding due to the application of numbers, and numbers can be multiplied and divided and shown to be precise.

0:57:36 BH: Sure.

0:57:37 KL: But they're not accurate.

0:57:38 BH: Yeah. There's kind of this idea of... I believe Alan Greenspan's book was called The Map and the Territory. The idea that if we're a bunch of generals and we're looking at a battlefield map that kind of gives us this sense of security that we understand what is going on, whereas the actually muddy battlefield represents a different reality. So that's where I think the next horizon is going to be, is in bringing better data and analytics to risk.

0:58:13 KL: Aaah, the muddy battlefield where we PMs spend our days. It can be rough, especially when you consider that handling risk is arguably one of our primary reasons for being. You can check out Bruce's blog at Also, don't forget to look for his upcoming book, Project Managers at Work, which tells true inspirational stories of successful project managers. I hope these discussions have spurred you to focus more on risk. Embrace it, be aware of your surroundings, keep the big picture in mind, know where your project fits into the whole portfolio, assume nothing, and weigh your risks wisely. Remember, the greater the risk, the greater the return. Special thanks to my guests Andy Jordan, Beth Spriggs, and Bruce Harpham.

0:59:00 S5: Our theme music was composed by Molly Flannery, used with permission. Additional original music by Gary Fieldman, Rich Greenblatt, and Lionel Lyles. Post-production performed at M Powered Strategies and technical and web support provided by Potomac Management Resources.

0:59:16 KL: PMPs who've listened to this complete podcast may submit a PDU claim, One PDU, in the Talent Triangle Technical Project Management with the Project Management Institute CCR System. Enter provider code: C046, the Washington DC Chapter, and the title PMPOV 0036 Influencers Part Two: Risk. Visit our Facebook page, PM Point of View to comment and to listen to more episodes. There, you will also find links to transcripts of all of our one hour productions. You can also leave a comment for me at, and of course you may reach me directly on LinkedIn. I'm your host, Kendall Lott, and until next time, keep it in scope and get it done.

1:00:00 S5: This podcast is a Final Milestone Production, distributed by PMIWDC.

1:00:03 S?: Final Milestone.

About the 'Project Management Point of View' Podcast Series

© PMIWDC and Kendall Lott

This podcast series is a collection of brief and informative conversations between MPS President, Kendall Lott, and a wide variety of practitioners and executives. His guests discuss their unique perspectives on project management, its uses, its challenges, its changes, and its future.