Risk management is obviously about looking forwards, scanning the uncertain and unclear future in an attempt to discern what awaits us. It offers businesses, projects and individuals a “forward-looking radar”, identifying threats to be avoided and opportunities which might be captured.
Even though the precise details of such uncertainties may remain unclear, the “risk radar” can make us aware of their location and size, helping us to formulate appropriate action plans in advance.
But what about the other direction, the “rear-view mirror”? Does the past have any relevance to risk management? How can risk management look backwards?
Strictly speaking there is no risk in the past, since it has already occurred (although we may remain uncertain about what actually happened and what it means!). But George Santayana said, “Those who cannot remember the past are condemned to repeat it.” So we must review the past in order to learn for the future. For risk management this means addressing the following questions:
- What types of risk can be identified on my project or business? Are there any generic risks that might affect similar projects?
- Which identified risks actually occurred, and why? This includes problems that could have been foreseen as threats and missed opportunities that could have been captured.
- What preventative actions could have been taken to minimize or avoid threats? What proactive actions could have been taken to maximize or exploit opportunities?
- Which identified risks did not occur, and why? Which responses were effective in managing risks, and which were ineffective?
- How much effort was spent on the risk process, both to execute the process, and to implement responses?
- Can any specific benefits be attributed to the risk process, e.g. reduced project duration or cost, increased business benefits or client satisfaction etc.?
You can use the results from this type of lessons-learned exercise to update risk identification tools such as checklists, to incorporate preventative risk response strategies into future projects, and to improve the effectiveness of risk management. It might also be possible to estimate return on investment (ROI) for the risk process by comparing specifically attributable benefits with process costs.
If we do not learn lessons from our past, we will repeat it. I often hear people say, “This risk affects all our projects, and it usually happens!” This is shocking, from a risk perspective!! For a risk to happen once is understandable, since uncertain events can occur even on the best-managed projects. If the same risk occurs twice, that is unfortunate, because the chances should be less than the first time. But for the same risk to happen a third time is unacceptable, as it exposes a lack of learning from the past.
So as we look behind us, we must focus on the challenges ahead and use the risk process to help us move forward safely towards our objectives. But we must also remember our past, learn the lessons from our journey to this point, and not repeat the same mistakes.