Despite the long title, it is not entirely accurate. There is very little about proactivity and uncertainty in this book and the use of “product development” is too specific. This book is a beginner’s introduction to risk management and focusses almost entirely on the risk management in projects. Perhaps a more appropriate title would be “Managing Risk in Projects – an introduction to risk for non-engineers”.
Preston Smith & Guy Merritt
I do not like it when a book presumes to know its reader, and I especially do not like a book that insults the intelligence or diligence of a reader. This book is skirting the insult with statements such as “our experience with project teams tell us that they have very little time for reading and no patience for frills”. It acknowledges though that risk management is a crucial discipline and fundamental component of project management as prescribed in PMI and PMBOK and attempts to inform all project team members about managing “surprises” (their description of risk).
The book’s structure is laid out primarily to describe the process of risk management, rather than describe the methods to an extent where they can be applied. The chapters are listed below
- What is Risk and how is it managed
- Using project risk models
- The risk management process
- Step 1 – identifying Project Risk
- Step 2 – analyzing risks
- Step 3 – prioritizing and mapping risks
- Step 4 – planning resolution of targeted risks
- Step 5 – monitor project risks
- Risk Management toolkit
- Risk Management approaches and strategies
- Implementing a project risk management program successfully
- case studies from allied fields
Chapter 1 provides their definition of risk namely risk = uncertainty + possibility of loss + time component… I don’t agree with the time component requirement for risk. They argue that if an issue does not have a time component (i.e. there comes a time when it will pass either having occurred or having not occured) then it is irresolvable and therefore not a risk. This seems to be stuck in project thinking that has a start and a finish. In my opinion recurring (chronic) issues can be treated and managed through a risk management process.
Chapter 2 provides an overview of some risk models such as the standard-, simple-, cascade-, and Ishikawa (fishbone) models. I am not a supporter of the Ishikawa method, and the section dedicated to it in this book does it no favours to promote it through their poor description. The Ishikawa looks fancy and “advanced, but the application (and logic) of it leaves much to be desired. The authors have also not described the cascade method well enough to make much sense. I get the feeling they realised that interdependencies of components or events are required and added the model as an afterthought to address it. The most valuable portion of this chapter (and the entire book for me) is the standard risk model.
The standard risk model shows that a risk event does not necessarily lead to an impact (loss). When a risk event occurs, then there is a possibility of an impact or impacts. This would have been demonstrated better through the use of a fault-tree (or call it an impact-tree for this case). Each risk event has numerous possible impacts, and each impact from there has further impacts which also have further impacts etc. This would have covered the poorly described cascade model and Ishikawa model in a single way. If you simplify this impact-tree then you end up with the standard- or even simple risk model. Perhaps I should write an article to illustrate, but in the mean time the bow-tie model should suffice if you want to read further.
Chapter 5 (risk analysis) is rubbish in my opinion, focussing exclusively on deterministic qualitative methods. I recommend that other sources are used for conducting risk analyses. Search for stochastic, parametric, quantitative risk analyses for a more mathematically sound way of doing risk analysis. In the risk analysis toolkit of chapter 9 parametric methods are used on the completion dates of activities, why could these not be applied to risks?
Chapter 7 is useful to list risk mitigation approaches, but the reader should be aware of the priority and type of risk mitigation approaches prescribed by the Mine Health and Safety Act (MHSA) and OHS Act that are not completely compatible with those listed in the chapter. The MHSA for instance prescribes in Section 11(2) of the Act: a) eliminate risk b) control risk at source c) minimise risk d) i. provide PPE ii. institute a programme to monitor the risk. This book will tell you that redundancy is also an option or that transferring the risk is also an option… which is perhaps true in cases where insurance or “buffer capacity” can be taken, but in the Acts these are clearly not options.