Managing risks in complex projects

Share

Share

CONFERENCE PAPER Risk Management, Complexity, Portfolio

Management, Information Technology 29 October 2013
Thamhain, Hans J.
How to cite this article:
Thamhain, H. J. (2013). Managing risks in complex projects. Paper presented at
PMI® Global Congress 2013—North America, New Orleans, LA. Newtown
Square, PA: Project Management Institute.

Abstract

Dealing effectively with risks in complex projects is difficult and requires

management interventions that go beyond simple analytical approaches.
This is one finding of a four-year recently concluded field study into risk
management practices of 35 large projects in 17 high-technology companies.
Almost one-half of the contingencies that occur are not being detected before
they impact project performance. Yet, the risk-impact model presented here
shows that risk does not affect all projects equally, but depends on the
effectiveness of collective managerial actions dealing with specific
contingencies. Some of the best success scenarios point at the critical
importance of recognizing and dealing with risks early in the project life
cycle and decupling them from work processes before they impact project
performance. This requires broad involvement and collaboration across all
segments of the project team and its environment, plus sophisticated
methods for assessing feasibilities and usability early and frequently during
the project life cycle. Specific managerial actions and organizational
conditions are suggested for early risk detection and effective risk
management in complex project situations.

Introduction

Uncertainty is both a reality and great challenge for most projects (Hillson,
2010, ¶2). The presence of risk creates surprises throughout the project life
cycle, affecting everything from technical feasibility to cost, market timing,
financial performance, and strategic objectives (Loch, Solt, & Bailey, 2008,
p. 28; Thieme, Song, & Shin, 2003, p. 104). Yet, to succeed in today's
ultracompetitive environment, management must deal with these risks
effectively despite these difficulties (Buchanan, & O‘Connell, 2006, pp. 34–
35; Patil, Grantham, & Steel, 2012, pp. 35–40; Shenhar, 2001, pp. 394–410;
Srivannaboon & Milosevic, 2006, pp. 185–190). This concerns executives,
and it is not surprising that leaders in virtually all organizations, from
commerce to government, spend much of their time and effort to deal with
risks-related issues. Examples trace back to ancient times that include huge
infrastructure projects and military campaigns. Writings by Sun Tzu
articulated specific risks and suggested mitigation methods 2,500 years ago
(Hanzhang & Wilkinson, 1998). Risk management is not a new idea.
However, in today's globally connected, fast-changing business world with
broad access to resources anywhere, and pressures for quicker, cheaper,
and smarter solutions, projects have become highly complex and intricate.
Many companies try to leverage their resources and accelerate their
schedules by forming alliances, consortia, and partnerships with other
firms, universities, and government agencies that range from simple
cooperative agreements to “open innovation,” a concept of scouting for new
product and service ideas anywhere in the world. In such an increasingly
complex and dynamic business environment, risks lurk in many areas, not
only associated with the technical part of the work but also include social,
cultural, organizational, and technological dimensions. In fact, research
studies have suggested that much of the root cause of project-related risks
can be traced to the organizational dynamics and multidisciplinary nature
that characterizes today's business environment, especially for technology-
based developments (Torok, Nordman, & Lin, 2011). The involvement of
many people, processes, and technologies spanning different organizations,
support groups, subcontractors, vendors, government agencies, and
customer communities compounds the level of uncertainty and distributes
risk over a wide area of the enterprise and its partners, often creating
surprises with potentially devastating consequences. This paradigm shift
leads to changing criteria for risk management. To be effective, project
leaders must go beyond the mechanics of analyzing the work and its
contractual components of the “triple constraint,” such as cost, schedules,
and deliverables, but also understand the sources of uncertainty before
attempting to manage them. This requires a comprehensive approach with
sophisticated leadership, integrating resources and a shared vision of risk
management across organizational borders, time, and space. Currently, we
are good at identifying and analyzing known risks, but weak in dealing with
the hidden, less-obvious aspects of uncertainty (Thamhain & Skelton, 2007,
pp. 37–40). Yet, some organizations seem to be more successful than others
in dealing with the uncertainties and ambiguities of our business
environment, an observation that is being explored further in this field
study.

What We Know About Risk Management

We Are Efficient in Identifying and Analyzing Known Risk Factors. With the
help of sophisticated computers and information technology, we have
become effective in dealing with risks that can be identified and
described analytically. Examples range from statistical methods and
simulations, to business case scenarios and user centered design. Each
category includes hundreds of specialized applications that help in dealing
with project risk issues, often focusing on schedule, budget, or technical
areas. Risk management tools and techniques have been discussed
extensively in the literature (Bstieler, 2005, pp. 267–280; Cooper, Grey,
Raymond, & Walker, 2005; Hillson, 2010, ¶2; Jaofari, 2003, pp. 47–52;
Kallman, 2006, p. 46). Examples include critical path analysis, budget
tracking, earned value analysis, configuration control, risk-impact matrices,
priority charts, brainstorming, focus groups, online databases for
categorizing and sorting risks, and sophisticated Monte Carlo analysis, all
designed to make project-based results more predictable. In addition, many
companies have developed their own policies, procedures, and management
tools for dealing with risks, focusing on their specific needs and unique
situations. Especially in the area of new product development, contemporary
tools such as phase-gate processes, concurrent engineering, rapid
prototyping, early testing, design-build simulation, CAD/CAE/CAM, spiral
developments, voice-of-the-customer, user centered design (UCD), agile
concepts and scrum have been credited for reducing project uncertainties.
Furthermore, industry-specific guidelines (i.e., DOD Directive 5000.1, 2007),
national and international standards (i.e., ANSI, CSA, ISO and National
Institute of Standards and Technology, 2000), and guidelines developed by
professional organizations (i.e., A Guide to the Project Management Body of
Knowledge (PMBOK® Guide)—Fifth Edition [Project Management Institute,
2013]), all have contributed to the knowledge base and broad spectrum of
risk management tools available today.

We Are Weak in Dealing with Unknown Risks. These are uncertainties,

ambiguities, and arrays of risk factors that are often intricately connected.
They most likely follow non-linear processes, which develop into issues that
ultimately affect project performance. A typical example is the
2010 Deepwater Horizon accident in the Gulf of Mexico. In hindsight, the
catastrophe should have been predictable and preventable. In reality, the
loss of 11 workers and an environmental disaster of devastating proportion
came as a “surprise.” While the individual pieces of this risk scenario
appeared to be manageable, the cumulative effects leading to the explosion
were not. They involved multiple interconnected processes of technical,
organizational, and human factors, all associated with some imperfection
and risk. Even afterward, tracing the causes and culprits was difficult.
Predicting and controlling such risks appears impossible with the existing
organizational systems and management processes in place.

We Are Getting Better Integrating Experience and Judgment with Analytical

Models. With the increasing complexity of projects and business processes,
managers are more keenly aware of the intricate connections of risk
variables among organizational systems and processes, which limit the
effectiveness of analytical methods. Managers often argue that no single
person or group within the enterprise has the knowledge and insight for
assessing these multi-variable risks and their cascading effects. Further, no
analytical model seems sophisticated enough to represent the complexities
and dynamics of all risk scenarios that might affect a major project. These
managers realize that, while analytical methods provide a critically
important toolset for risk management, it also takes the collective thinking
and collaboration of all stakeholders and key personnel of the enterprise and
its partners to identify and deal with the complexity of risks in today's
business environment. As a result, an increasing number of organizations
are complementing their analytical methods with managerial judgment and
collective stakeholder experience, moving beyond a narrow dependence on
just analytical models. In addition, many companies have developed their
own “systems,” uniquely designed for dealing with uncertainties in their
specific projects and enterprise environment. These systems emphasize the
integration of various tools, often combining quantitative and qualitative
methods to cast a wider net for capturing and assessing risk factors beyond
the boundaries of conventional methods. Examples are well-known
management tools, such as review meetings, Delphi processes,
brainstorming, and focus groups, which have been skillfully integrated with
analytical methods to leverage their effectiveness and improve their
reliability. In addition, a broad spectrum of new and sophisticated tools and
techniques, such as user centered design (UCD), voice of the customer
(VoC), and phase-gate processes evolved, which rely mostly on
organizational collaboration and collective judgment processes to manage
the broad spectrum of risk variables that are dynamically distributed
throughout the enterprise and its external environment.

Research Questions and Method

Despite extensive studies on project risks and its management practices

(Wideman, 1992; Jaofari, 2003, pp. 47–57; Kallman, 2006, p. 46), relatively
little has been published on the role of collaboration across the total
enterprise for managing risk. That is, we know little about organizational
processes that involve the broader project community in a collective cross-
functional way for dealing with risks identification and mitigation. Moreover,
there is no framework currently available for handling risks that are either
unknown or too dynamic to fit conventional management models. The
missing link is the people side as a trans-functional, collective risk
management tool, an area that is being investigated in this article with focus
on two research questions, which provide a framework for this exploratory
field study:

RQ1: How do contingencies impact project performance, and why does the
impact vary across different projects?

RQ2: What conditions in the project environment are most conducive to

dealing effectively with complex risks?

In addition, I state four important observations made during discussions

with project leaders and senior managers at an earlier exploratory phase of
this study. These observations provide a small window into current
managerial thought and practice. They underscore the importance of
investigating the two research questions and providing ideas for future
research and hypotheses testing.
Observation Contingencies in the project environment do not impact the performance of all
#1: projects equally.
Observation Early detection of contingencies is critically important for managing and
#2: minimizing any negative impact on project performance.
Observation Performance problems caused by contingencies (risks) are likely to cascade,
#3: compound, and become intricately linked.
Observation Contingencies in the project environment affect project performance more
#4: severely with increasing complexity and high-tech content of the undertaking.

While specific hypotheses testing appears premature at this early stage of

the research, the research questions together with the field observations
provide focus for the current investigation, including designing
questionnaires, conducting interviews, guiding data collection, and
discussing results. Furthermore, the field observations could provide the
basis for the development of formal propositions, hypothesis testing, and
future research.

Objective and Significance. Taken together, the objective of this study is to

investigate the dynamics and cascading effects of risk scenarios in complex
projects, and the management practices of handling these risks. Specifically,
the study aims to improve the understanding of (1) the dynamics of risk
impacting project performance, and (2) the human side of dealing with risks
in complex project situations. Part of the objective is to look beyond the
analytical aspects of risk management, examining the interactions among
people and organizations, trying to identify the conditions most conducive to
detecting risk factors early in the project life cycle and to handle them
effectively. The significance of this study is in the area of project
management performance and leadership style. The findings provide team
leaders and senior manager with an insight into the dynamic nature of risk
and its situational impact on project performance. The results also suggest
specific conditions that leaders can foster in the team environment
conducive to effective risk management, especially in complex project
scenarios.

Key Variables Affecting Risk Management

By definition, risk is a condition that occurs when uncertainties emerge with

the potential of adversely affecting one or more of the project objectives and
its performance within the enterprise system (ISO, 2009; PMI, 2013). Risk
can occur in many different forms, such as known or unknown,
quantitative or qualitative, and even real or imaginary. Risk is derived from
uncertainty. It is composed of a complex array of variables, parameters, and
conditions that have the potential of adversely impacting a particular
 activity or event, such as a project. At the minimum, three interrelated sets
of variables affect the cost and overall ability of dealing with risk, as
graphically shown in Exhibit 1:

1. Degree of uncertainty (variables, set #1)

2. Project Complexity (variables, set #2)
3. Impact (variables, set #3)
Understanding these variables is important for selecting an appropriate
method of risk management, and for involving the right people and
organizations necessary for effectively dealing with a specific risk situation.

Exhibit 1 - Dimensions of risk management

Data Collection Method

The work reported here is the continuation of ongoing research into risk
management practices and team leadership in complex project
situations(Skelton & Thamhain, 2007, pp. 36–47; Thamhain, 2011, pp. 40–
45). This article summarizes four years (2008–2011) of this investigation,
focusing on the risk management practices of 35 major product
developments in 17 high-technology, multinational enterprises with a
sample characteristics as summarized in Table 1.

PROJECT ENVIRONMENT METRICS

Total sample population 560

Companies 17

Product development projects 35

Project teams 35
Team members* 489

Product managers 9

R&D managers 6

Senior managers & directors 21

Average project budget $4.6M

Average project life cycle 18

(months)

* Total team = Total team sample – project managers – product managers – R&D managers –
senior managers
Table 1: Summary of sample statistics

The current research uses an exploratory field study format with focus
on four interrelated sets of variables: (1) risk, (2) team, (3) team leader, and
(4) project environment. All these variables, plus the components of risk
management, product development, team work, technology, and project
management are intricately connected, representing highly complex sets of
variables with multiple causalities. Researchers have consistently pointed at
the nonlinear, often random nature of these processes (Bstieler, 2005, pp
267–284; Danneels & Kleinschmidt, 2001, pp 358–370; MacCormack, 2001,
pp. 22–35; Thamhain, 2009, pp. 20–30; Verganti & Buganza, 2005, pp. 225–
235). Simple research models, such as mail surveys, are unlikely to produce
significant results. Instead, one has to use exploratory methods, casting a
wide net for data collection, to look beyond the obvious aspects of
established theory and management practice. I used my ongoing work as
consultant and trainer with 17 companies to conduct discussions,
interviews and some surveys, together with extensive observations, all
helping to gain insight into the work processes, management systems,
decision making, and organizational dynamics associated with project risk
management. This method, referred to as action research, includes two
qualitative methods: participant observation and in-depth retrospective
interviewing. This combined method is particularly useful for exploratory
investigations, such as the study reported here, which is considerably
outside the framework of established theories and constructs (Eisenhardt,
1989, pp. 535–545).

The Questionnaire was designed to measure (1) risk factors, (2) frequency of
risk occurrences, (3) impact on project performance, and (4) managerial
actions taken to deal with contingencies (risks). To minimize potential
misinterpretations or biases from the use of social science jargon, each of
the 14 risk classes (e.g., summarized in Exhibit 3) was defined specifically at
the beginning of the questionnaire.

Data Analysis. The data collected via questionnaires were evaluated and
summarized via standard statistical methods, while content analysis was
used to evaluate the predominately qualitative data collected via work
process observation, participant observation and in-depth retrospective
interviewing.

Results

The findings of this field study are organized into three sections: First, a
simple risk assessment model for tracking the effects of risk on project
performance is presented. Second, the type of contingencies that typically
emerge during project execution are identified and examined regarding their
impact on project performance. Third, the managerial implications and
lessons learned from the broader context of the quantitative and qualitative
part of this study are summarized in two separate sections of this article.

A Simple Model for Risk Assessment

“Risks do not impact all projects equally.” This observation from earlier
phases of this research is strongly supported by the formal results of this
field study. The managerial actions of dealing with the event, such as
eliminating or working around the contingency, greatly influence the ability
of minimizing the magnitude of problems caused and the cascading effects
that propagate through the organization. The dynamics of these processes is
being illustrated with the risk impact model in Exhibit 3, showing the
influences of the external and internal business environment.
The Model suggests that contingencies affecting one part of a project, have
the tendency to cascade throughout the project organization, with
increasingly unfavorable impact on project performance, and eventually
affecting the whole enterprise.

Exhibit 2 - Risk-impact-performance model

Based on the performance impact, the model identifies four distinct risk
categories:
Category-I No impact on project performance. Two types of risks fall into this
Risks category. First, events that might occur in the external or internal project
environment with potentially harmful impact on project performance in
the future. These contingencies, such as a delayed contract delivery,
labor dispute, technical issue, or priority change, are lurking in the
environment, whether they are anticipated or not. But, they have not yet
occurred, and therefore have not yet impacted project performance. By
anticipating these contingencies, management can take preventive
actions to mitigate the resulting impact if the event occurs. Second,
events that actually occurred were identified and dealt with before they
affected project time, cost, or other performance parameters.
Category-II Impact on task or project sub-systems only. The risk events have
Risks occurred in the external or internal project environment with potentially
harmful impact on project performance. However, by definition, these risk
issues occurred at a lower level of project activity, such as a task or sub-
system, and have not yet affected overall project performance. Examples
are delayed contract deliveries, labor disputes, technical issues, or
priority changes that can be solved “locally.” Although the resolution
might require extra time, it is not part of a critical path, and therefore the
performance impact is limited to a sub-set of the project. A similar
situation exists for issues that affect cost, quality, or other performance
parameters at the local level only. Thus, while these risks are expected to
impact the whole project, they have not yet affected overall project
performance. Therefore, timely managerial actions could minimize or even
avoid such performance impact.
Category- Impact on project performance. Events that occurred in the external or
III Risks internal project environment did impact project performance, such as
schedules, budgets, customer relations or technical issues. The impact
on project performance could have been a direct result of a contingency,
such as a failure to obtain a permit, or resulting from an issue at a lower
level, but propagating to a point that affects total project performance.
Examples are test failure on a critical activity path, or problems caused at
a lower level propagate to a point where they affect total project
performance. However, by definition, the impact is still contained “within
the project,” without affecting enterprise performance. Proper timely
management actions can lessen the impact on overall project
performance, and possibly minimize or avoid any harmful impacts on the
enterprise.
Category- Impact on project and enterprise performance. Events have
IV Risks occurred and have already significantly impacted overall project
performance and the performance of the entire enterprise. Similar to
Category-III, the effects could be immediate or cascading (i.e., Toyota's
“accidental acceleration”). Proper management actions can lessen the
final impact on both project and enterprise performance, but by
definition, a certain degree of irreversible harm has been done to the
project and the enterprise.

Contingencies versus Project Performance Impact

Using content analysis of the survey data from interviews and
questionnaires, managers in this study identified more than 1,000 unique
contingencies or risk factors, which have the potential of unfavorably
impacting project performance. These contingencies were grouped into 14
sets, or classes of risks, based on their root-cause similarities. A graphical
summary shows the 13 classes in Exhibit 3, ranked by average frequency as
observed over a project life cycle. Typical project performance impact
includes schedule slippage, cost overruns, and customer dissatisfaction. In
addition, risks also affected broader enterprise performance, such as market
share, profitability and long-range growth. On average, project leaders
identified six to seven contingencies that occurred at least once over the
project life cycle. However, it should be noted that not every contingency or
risk event seems to impact project performance, as discussed in the
previous section. As a most striking example, project managers reported
“the loss or change of team members” (cf Exhibit 3, set #6) to occur in 38
percent of their projects, an event described as a major risk factor
with potentially “significant negative implications to project performance.”
Yet, only 13 percent of these projects actually faced “considerable” or
“major” performance issues, while 22 percent experienced even less of an
issue, described as “little” or “no” impact on project performance. Hence, 60
percent of projects with lost or changed team members experienced little or
no impact on project performance. For most of the other 13 sets of
contingencies, the statistics is leaning more toward a “negative performance
impact.” On average, 61 percent of the contingencies observed in the sample
of 35 projects caused considerable or major impact on project performance.
The most frequently reported contingencies or risks fall into three groups:
#1 changing project requirements (78 percent), #2 changing markets or
customer needs (76 percent), and #3 communications issues (72 percent).
These are also risk areas that experience the highest negative impact on
project performance. They include approximately 80 percent of all projects
with “considerable” or “major” performance issues. The specific statistics
observed across all contingencies or risks recognized by project leaders in all
35 projects, is as follow: (1) 9 percent of the contingencies had no impact on
project performance [Category-I Risks]; (2) 16 percent of the contingencies
had some manageable impact on project performance [mostly Risk Category-
II plus some Category-III]; (3) 14 percent of the contingencies
had substantial, but still manageable impact on project performance
[Category-III Risks]; (4) 49 percent of the contingencies had a strong,
irreversible impact on project and enterprise performance [Category-IV
Risks]; and (5) 12 percent of the contingencies resulted in project
failure [mostly Category-IV Risks].

Mixed Performance Impact. Although the number of risk occurrences

(frequency) was approximately equally observed by all 35 project leaders, the
reported impact distribution was more skewed, with 20 percent of the
project leaders reporting 71 percent of all considerable and
major performance problems. This again provides strong support
for Observation #1 stated earlier that “contingencies in the project
environment do not impact the performance of all projects equally.” It is
interesting to note that although all projects (and their leaders) reported
approximately the same number of contingencies with normal distribution
across the 14 categories, some projects were hit much harder on their
performance (i.e., those 12 percent project that failed). This suggests
differences in organizational environment, project leadership, support
systems, and possibly other factors, which influence the ability to manage
risks.

Senior Management Perception. When analyzing the survey responses from

senior managers separately, we find that senior managers rate the
performance impact on average 30 percent lower than project managers.
That is, senior management perceives less of a correlation between
contingencies and project performance. Additional interviews with senior
managers and root-cause analysis of project failures strongly confirms this
finding. While senior managers and project leaders exhibit about the same
statistics regarding (1) the number of contingencies and risks occurring in
projects and (2) the distribution of risks across the 14 categories (as tested
by Kruskal-Wallis analysis of variance by rank), senior managers perceive
less performance issues directly associated with these risks. That is, they
are less likely to blame poor performance on changes or unforeseeable
events (risks), but more likely are holding project leaders accountable for
agreed-on results, regardless of risks and contingencies. The comment made
by one of the marketing directors might be typical for this prevailing
perspective: “Our customer environment is quite dynamic. No product was
ever rolled out without major changes. Our best project leaders anticipate
changing requirements. They set up work processes that can deal with the
market dynamics. Budget and schedule problems are usually related to
more conventional project management issues, but are often blamed on
external factors, such as changing customer requirement.” This has
significance in three areas: (1) perceived effectiveness of project management
performance; (2) conditioning of the organizational environment; and (3)
enterprise leadership. First, project leaders should realize that their
performance is being assessed largely because of project outcome, not the
number and magnitude of contingencies that they had to deal with.
Although overall complexity and challenges of the project are part of the
performance scorecard, they are also part of the conditions accepted by the
project leader at the beginning of the project, and therefore not a
“retrospective” performance measure. Second, less management attention
and resources might be directed toward conditioning the organizational
environment to deal with risks that specifically affect projects, because
senior managers perceive less of a linkage between risk and project
performance. This connects to the third area, the overall direction and
leadership of the enterprise that affects policies, procedures, organizational
design, work processes, and the overall organizational ambience for project
execution and control, an area that probably receives less attention from the
top, but could potentially influence project performance significantly, and an
area that should be investigated further in future research studies.
Exhibit 3. Risk classes, frequency and impact on project performance

Discussion and Implications

Seasoned project leaders understand the importance of dealing with project

risks and take their responsibility very serious. However, foreseeing
contingencies and effectively managing the associated risks is difficult and
challenging. It is both an art and a science to bring the effects of uncertainty
under control before they impact the project, its deliverables, and objectives.
Given the time and budget pressures of today's business environment, it is
not surprising that the field observations show project managers focusing
most of their efforts on fixing problems after they have impacted
performance. That is, while most project leaders understand the sources of
risks well, they focus their primary attention on monitoring and managing
the domino effects of the contingency rather than dealing with its root
causes. It is common for these managers to deal with problems and
contingencies only after they have impacted project performance, noticed in
schedules, budgets, or deliverables, and therefore have become Category-II
or III Risks. Only 25 percent of these managers felt they could have foreseen
or influenced the events that eventually impacted project performance
adversely. It is further interesting to note that many of the organizational
tools and techniques that support early risk detection and management—
such as spiral processes, performance monitoring, early warning systems,
contingency planning, rapid prototyping, and CAD/CAM-based
simulations—readily exist in many organizations as part of the product
development process or embedded in the project planning, tracking, and
reporting system. It is interesting to note however, that project managers,
while actually using these project management tools and techniques
extensively in their administrative processes, do not give much credit to
these operational systems for helping to deal with risks. Although this is an
interesting observation, it is also counterintuitive and needs further
investigation.

Decoupling Risks from Projects: Cause-Effect Dynamics

The field study provides an interesting insight into the cause and effect of
contingencies on project performance, including their dynamics and
psychology. Whether a risk factor actually impacts project performance
depends on the reaction of the project team to the event, as graphically
shown in Exhibit 2. It also seems to depend on the judgment of the manager
whether or not a particular contingency is blamed for subsequent
performance problems. Undesirable events (contingencies) are often caused
by a multitude of problems that were not predictable or could not be dealt
with earlier in the project life cycle. During a typical project execution, these
problems often cascade, compound, and become intricately linked. It is also
noticeable that the impact of risk on project performance seems to increase
with project complexity, especially technology content of the undertakings.
From the interviews and field observations, clearly even small and
anticipated contingencies, such as additional design rework or the
resignation of a key project team member, can lead to issues with other
groups, confusion, organizational conflict, sinking team spirit, and fading
commitment. All these factors potentially contribute to schedule delays,
budget issues, and system integration problems that may cause time-to-
market delays and customer relation issues, which ultimately affect project
performance. Realizing the cascading and compounding effects of
contingencies on project performance, the research emphasizes the
importance of identifying and dealing with risk early in the project life cycle
to avoid problems at more mature stages. The study also acknowledges the
enormous difficulties of actually predicting specific risk situations, their
timing, root-cause, and dysfunctional consequences, and to act
appropriately before they impact project performance.

Differences in Assessing Performance Issues between Project and Senior

Managers

Project leaders and senior managers differ in their “true cause” assessment
of performance problems, as was shown in the statistical analysis of Exhibit
3. Yet, there are additional implications to the perception of what causes
performance issues. These perceptions affect the managerial approaches of
dealing with risk. Specifically, we learn from the discussions and field
interviews that project leaders blame project performance problems and
failures predominately on contingencies (risk situations) that originate
outside their sphere of control, such as scope changes, market shifts, and
project support problems, while senior management points directly at
project leaders for not managing effectively. That is, senior management
blames project managers for insufficient planning, tracking and control,
poor communications, and weak leadership. Additional field investigations
show an even more subtle picture. Many of the project performance
problems and failures could be root-caused to the broader issues and
difficulties of understanding and communicating the complexities of the
project, its applications, and support environment, including unrealistic
expectations for scope, schedule, and budget, under funding, unclear
requirements, and weak sponsor commitment.

The significance of these findings is in several areas. First, the polarized

perspective between project leaders and senior managers creates a potential
for organizational tension and conflict. It also provides an insight into the
mutual expectations. Senior management is expected to provide effective
project support and a reasonably stable work environment, while project
leaders are expected to “manage” their projects toward agreed-on results.
The reality is, however, that project leaders are often stretched too thin and
placed in a tough situation by challenging requirements, weak project
support, and changing organizational conditions. Moreover, many of the risk
factors have their roots outside the project organization, and are controlled
by senior management. Examples are contingencies that originate with the
strategic planning process. Management, by setting guidelines for target
markets, timing, ROI, and product features, often creates conflicting target
parameters that are also subject to change due to the dynamic nature of the
business environment. In turn, these “external changes” create
contingencies and risks at the project level. Existing business models do not
connect well between the strategic and operational subsystems of the firm,
and tend to constrain the degree to which risk can be foreseen and managed
proactively at the project level. It is therefore important for management to
recognize these variables and their potential impact on the work
environment. Organizational stability, availability of resources, management
involvement and support, personal rewards, stability of organizational goals,
objectives, and priorities are all derived from enterprise systems that are
controlled by general management. It is further crucial for project leaders to
work with senior management, and vice versa, to ensure an organizational
ambience conducive to cross-functional collaboration.

Lessons for Effective Risk Management

Despite the challenges and the inevitable uncertainties associated with

complex projects, success is not random. One of the strong conclusions
from this empirical study is risks can be managed. However, to be effective,
especially in complex project environments, risk management must go
beyond analytical methods. Although analytical methods provide the
backbone for most risk management approaches, and have the benefit of
producing relatively quickly an assessment of a known risk situation,
including economic measures of gains or losses, they also have many
limitations. The most obvious limitations are in identifying potential,
unknown risk situations, and reducing risk impact by engaging people
throughout the enterprise. Because of these limitations and the mounting
pressures on managers to reduce risk, many companies have shifted their
focus from “investigating the impact of known risk factors” to “managing
risk scenarios” with the objective to eliminate potential risks before they
impact organizational activities. As a result, these companies have
augmented conventional analytical methods with more adaptive, team-based
methods that rely to a large degree on (1) broad data gathering across a wide
spectrum of factors and (2) judgmental decision making. In this field study, I
observed many approaches that aimed effectively at the reduction or even
elimination of risks, such as simplifying work processes, reducing
development cycles, and testing product feasibility early in the development
cycle. Often, companies combine, fine-tune, and integrate these approaches
to fit specific project situations, their people and cultures, to manage risks
as part of the total enterprise system. An attempt is being made to integrate
the lessons learned from both the quantitative and qualitative part of this
study. Especially helpful in gaining additional perspective and insight into
the processes and challenges of risk management, and in augmenting the
quantitative data toward the big picture of project risk management was the
information obtained while working with companies on specific assignments
(action research). This includes discussions and interviews with project
leaders and senior managers and the observations of project management
practices. Therefore, within the broader context of this study, several
lessons emerged that should stimulate thoughts for contemporary risk
management practices, new tool developments, and future research.

Lesson 1. Early recognition of undesirable events is a critical

precondition for managing risk. In addition, project leaders must not only
recognize potential risk factors in general, but also know when they will
most likely occur in the project life cycle. Recognizing specific issues and
contingencies before they occur or early in their development is critical to
the ability of taking preventive actions and decoupling the contingencies
from the work process before they impact any project performance factors.
Examples include the anticipation of changing requirements, market
conditions, or technology. If the possibility of these changes is recognized,
their probability and impact can be assessed, additional resources for
mitigation can be allocated, and plans for dealing with the probable
situation can be devised. This is similar to a fire drill or hurricane defense
exercise. When specific risk scenarios are known, preventive measures, such
as early warning systems, evacuation procedures, tool acquisitions and skill
developments, can be put in place. This readiness will minimize the impact,
if the risk situation actually occurs. While the field study clearly shows the
difficulties of recognizing risk factors ahead of time, it is fundamental to any
risk management approach. It is also a measure of team maturity and
competency and gives support to the observation made during this field
study that “contingencies do not impact performance of all projects equally.”
Lesson 2. Unrecognized risk factors are common in complex project
environments. Contingencies (even after affecting project performance) often
go unrecognized. In our field study, more than half of the contingencies that
occurred were not anticipated before causing significant performance
issues (Category-III Risks or higher). Most commonly, the impact is on cost,
schedule, and risk escalation. To minimize these problems, collective, team-
centered approaches of monitoring the project environment are needed. This
includes, effective project reviews, design reviews, focus groups, action
teams, gate reviews, and “management by wandering around (MBWA).”

Lesson 3. Unchecked contingencies tend to cascade and penetrate wider

project areas. Contingencies occurring anywhere in a project have the
tendency to penetrate into multiple subsystems (domino effect) and
eventually affect overall project performance. Many of the contingencies
observed in this field study, such as design rework of a component, a minor
requirements change, or the resignation of a team member, may initially
affect the project only at the subsystem level. These situations might even be
ignored or dismissed as issues of no significance to the project as a whole.
However, all these contingencies can trigger issues elsewhere, causing work
flow or integration problems, and eventually resulting in time-to-market
delays, missed sales opportunities, and unsatisfactory project performance.

Lesson 4. Cross-functional collaboration is an effective catalyst for

collectively dealing with threats to the project environment. The project
planning phase appears to be an effective vehicle for building such a
collaborative culture early in the project life cycle. The active involvement of
all stakeholders—including team members, support functions, outside
contractors, customers, and other partners—in the project planning process
leads to a better, more detailed understanding of the project objectives and
interfaces, and a better collective sensitivity where risks lurk and how to
deal with the issues effectively. Collaboration is especially essential for
complex and geographically dispersed projects with limited central
authority, and limited ability for centrally orchestrated control.

Lesson 5. Senior management has a critical role in conditioning the

organizational environment for effective risk management. Many risk factors
have their roots outside the project organization, residing in the domain of
the broader enterprise system and its environment. Examples are functional
support systems, joint reviews, resource allocations, facility, and skill
developments, as well as other organizational components that relate to
business strategy, work process, team structure, managerial command and
control, technical direction, and overall leadership. Senior management—by
their involvement and actions—can develop personal relations, mutual trust,
respect, and credibility among the various project groups, its support
functions and stakeholders, a critical condition for fosterong an ambiance
supportive to collective initiatives and outreach, conducive to early risk
detection and management.
Lesson 6. People are one of the greatest sources of uncertainty and risk
in any project undertaking, but also one of the most important resources for
reducing risk. The quality of communications, trust, respect, credibility,
minimum conflict, job security, and skill sets, all these factors influence
cooperation and the collective ability of identifying, processing, and dealing
with risk factors. This field study found that many of the conditions that
stimulate favorably risk management behavior are enhanced by a
professionally stimulating work environment, including strong personal
interest in the project, pride, and satisfaction with the work, professional
work challenge, accomplishments, and recognition. Other important
influences include effective communications among team members and
support units across organizational lines; good team spirit, mutual trust,
respect, low interpersonal conflict, plus opportunities for career development
and advancement; and, to some degree, job security. All these factors seem
to help in building a unified project team that focuses on desired results.
Such a mission-oriented environment is more transparent to emerging risk
factors and more likely to have an action-oriented, collaborative nature that
can identify and deal with emerging issues early in their development.

Lesson 7. Project leaders should have the authority to adapt their plans
to changing conditions. Projects are conducted in a changing environment of
uncertainty and risk. No matter how careful and detailed the project plan is
laid out, contingencies will surface during its execution that require
adjustment.

Lesson 8. Testing Project Feasibility Early and Frequently During

Execution Reduces Overall Project Risk. Advances in technology provide
opportunities for accelerating feasibility testing to the early stages of a
project life cycle. Examples are system integration, market acceptance, flight
tests, and automobile crash tests that traditionally were performed only at
the end of a project sub-phase or at a major integration point. However, with
the help of modern computers and information technology we can reduce
risks considerably by advancing these tests to the front-end of the project or
to the early stages of a product or service development.

Lesson 9. Reducing work complexity and simplifying work processes will

most likely reduce risk. Uncertainties originate within the work itself. The
observations from this field study show that the project work together with
its complexities and processes contributes especially heavily to the
uncertainties and risks affecting project success. Whatever can be done to
simplify the project, its scope, deliverables, and work process will minimize
the potential for problems and contingencies, make the project more
manageable, and increase its probability of success. Work simplification
comes in many forms, ranging from the use of pre-fabricated components to
subcontracting, snap-on assembly techniques, material choices, and high-
level programming languages.

Conclusion
Risks do not affect all projects equally is one strong conclusion from this
field study. Actual risk impact does not only depend on the risk event, but
also on the managerial actions of dealing with the contingency and its
timing, which influence the magnitude of problems caused by the event and
the cascading effects within the project organization. The risk-impact-on-
performance model developed in this article contributes to the body of
knowledge by providing a framework for describing the dynamics and
cumulative nature of contingencies affecting project performance. The
empirical results show that effective project risk management involves a
complex set of variables, related to task, management tools, people, and
organizational environment. Simple analytical approaches are unlikely to
produce desired results, but need to be augmented with more adaptive
methods that rely on broad data gathering across a wide spectrum of the
enterprise and its environment. The methods also have to connect effectively
with the organizational process and the people-side of project management.
Some of the strongest influences on risk management seem to emerge from
three enterprise areas: (1) work process; (2) organizational environment; and
(3) people. I observed many approaches that effectively reduced risks by
simplifying the work and its transfer processes, shortening development
cycles, and testing project feasibility early. The best success stories of this
field study point at the critical importance of identifying and dealing with
risks early in the development cycle. This requires broad scanning across all
segments of the project team and its environment and creative methods for
assessing feasibilities early in the project life cycle. Many risk factors
originate outside the project organization, residing in the broader enterprise
and its environment. Therefore, it is important for management to foster an
organizational environment conducive to effective cross-functional
communications and collaboration among all stakeholders, a condition
especially important to early risk detection and risk management.

Although no single set of broad guidelines exists that guarantees project

success, the process is not random! A better understanding of the
organizational dynamics that affect project performance, and the issues that
cause risks in complex projects, is an important prerequisite and catalyst to
building a strong cross-functional team that can collectively deal with risk
before it impacts project performance.

Bstieler, L. (2005). The moderating effects of environmental uncertainty on

new product development and time efficiency. Journal of Product Innovation
Management, 22(3), 267–284.

Buchanan, L., & O'Connell, A. (2006). Chances are. Harvard Business

Review, 84(1), 34–35.

Cooper, D., Grey, S., Raymond, G., & Walker, P. (2005). Project risk
management guidelines: Managing risk in large projects and complex
procurements. Hoboken, NJ: Wiley.
Danneels, E., & Kleinschmidt, E. J. (2001). Product innovativeness from the
firm's perspective. Journal of Product Innovation Management, 18(6), 357–
374.

Eisenhardt, K. M. (1989). Building theories from case study

research. Academy of Management Review, 14(4), 532–550.

Hanzhang, T., & Wilkinson, R. (1998). The art of war. Hertfordshire, UK:
Wordsworth Editions.

Hillson, D. (2010, February). Managing risk in projects: What's

new? PMWorld Today (Project Management eJournal) 12(2), Column #2.

International Organization for Standardization. (2009). ISO 31000, Risk

management: Principles and guidelines. Geneva, Switzerland: International
Organization for Standardization (ISO).

Jaofari, A. (2003). Project management in the age of change. Project

Management Journal, 34(4), 47–57.

Kallman, J. (2006). Managing risk. Risk Management, 52(12), 46.

Loch, C. H., Solt, M. E., & Bailey, E. M. (2008). Diagnosing unforeseeable

uncertainty in a new venture. Journal of Product Innovation Management,
25(1), 28–46.

MacCormack, A. (2001). Developing products on internet time. Management

Science, 47(1), 22–35.

National Institute of Standards and Technology. (2000). Managing technical

risk: Understanding private sector decision making on early stage,
technology-based projects (NIST Publication No. GCR 00-787). Washington,
DC: US Government Printing Office.

Patil, R., Grantham, K., & Steele, D. (2012). Business risk in early design: A
business risk assessment approach. Engineering Management Journal,
24(1), 35–46.

Project Management Institute. (2013). A guide to the project management

body of knowledge (PMBOK guide) (5th ed.). Newtown Square, PA: Project
Management Institute.

Shenhar, A. J. (2001). One size does not fit all projects: Exploring classical
contingency domains. Management Science, 47(3), 394–414.

Skelton, T., & Thamhain, H. (2007). Success factors for effective R&D risk
management. International Journal of Technology Intelligence and Planning
(IJTIP), 3(4), 376–386.
Srivannaboon, S., & Milosevic, D. Z. (2006). A two-way influence between
business strategy and project management. International Journal of Project
Management, 24(2), 184–197.

Thamhain, H. (2009). Leadership lessons from managing technology-

intensive teams. International Journal of Innovation and Technology
Management, 6(2), 117–133.

Thamhain, H. (2011). Critical success factors for managing technology-

intensive teams the global enterprise. Engineering Management Journal,
23(3), 40–45.

Thamhain, H., & Skelton, T. (2007). Managing globally dispersed R&D

teams. International Journal of Information Technology and Management
(IJITM), 7(2), 36–47.

Thieme R., Song, M., & Shin, G. (2003). Project management characteristics
and new product survival. Journal of Product Innovation Management,
20(2), 104–111.

Torok, R., Nordman, C., & Lin, S. (2011). Clearing the clouds: Shining a
light on successful enterprise risk management. Executive Report, IBM
Institute for Business Value, Somers, NY: IBM Global Services.

Verganti, R., & Buganza, T. (2005). Design inertia: Designing for life-cycle
flexibility in Internet-based services. Journal of Product Innovation
Management, 22(3), 223–237.

Wideman, R. M. (1992). Project and program risk management: A guide to

managing project risks and opportunities. Newtown Square, PA: Project
Management Institute.