veryard projects - innovation for demanding change

containing uncertainty




Nothing ventured, nothing gained. The higher the level of risk you are prepared to take, the higher the rewards that may be achieved. If you invest in the stock market, you will know that it is usually the riskiest ventures that promise the highest returns. And the same is often true in technology projects: the greatest potential benefits may come from using the newest, and therefore most uncertain, tools and methods.

Thus risk management is not about avoiding risks altogether. It is about facing risks deliberately and systematically, avoiding taking unnecessary risks, and carefully managing the risks that you have decided to take.

Recently, one of the largest perceived risks for many software organizations has been related to the year 2000. Many organizations have conducted specific risk assessments of their millennium compliance programmes. However, our approach to risk management is applicable to any large project or programme.

Veryard Projects carries out risk management assignments using the SCIMITAR risk management methodology, in association with Antelope Projects.


'I thought,' said Piglet earnestly, 'that if Eeyore stood at the bottom of the tree, and if Pooh stood on Eeyore's back, and if I stood on Pooh's shoulders ...'

'And if Eeyore's back snapped suddenly, then we could all laugh. Ha Ha! Amusing in a quiet way,' said Eeyore, 'but not really helpful.'

'Would it break your back, Eeyore?' asked Pooh, very much surprised.

'That's what would be so interesting, Pooh. Not being quite sure until afterwards.'

[A.A. Milne, The House at Pooh Corner]

'Don't you think you'd be safer on the ground?' Alice went on, not with any idea of making another riddle, but simply in her good-natured anxiety for the queer creature. 'That wall is so very narrow!'

'What tremendously easy riddles you do ask!' Humpty Dumpty growled out. 'Of course I don't think so! Why, if I ever did fall off - which there's no chance of - but if I did -'

Here he pursed up his lips, and looked so solemn and grand that Alice could hardly help laughing. 'If I did fall,' he went on, 'the King has promised me - ah you may turn pale, if you like! You didn't think I was going to say that, did you? The King has promised me - with his very own mouth - to - to'

'To send all his horses and all his men,' Alice interrupted, rather unwisely.

[Lewis Carroll, Through the Looking-Glass]

Benefits of Risk Management

Proper risk identification and management yields benefits both to the project and to other stakeholders.

The project increases its probability of satisfying its stakeholders. This should yield job satisfaction and career benefits to the individual project team members, especially the project manager. It also improves the team's collective identity, morale and spirit, which will be of benefit if the same team goes on to tackle other, perhaps even more challenging tasks.

Furthermore, since the risk management system allows risks to be openly spoken of, it allows project team members to share their worries openly, rather than feel obliged to suppress any mention of the negative. This makes it easier for the project to manage stress levels.

And for the stakeholders, the existence of a proper risk management system reduces the chance of unpleasant surprises.

Concepts of Risk

Let us suppose a large project or programme, involving some technological developments and some organizational changes, perhaps some changes in business practices. There are several interested parties, which we can refer to as stakeholders. The word 'stakeholder' provokes the question: have we left anyone out?

Each stakeholder has a set of things that he/she expects the project to achieve. Let's call these objectives. I'm not going to distinguish here between positive objectives (=creating new things of value to the stakeholder) and negative objectives (=not reducing the value of things the stakeholder already has).

The stakeholder may also have a set of expectations about the way in which the project is to achieve these objectives. Let's call these strategies. In practice, objectives and strategies often get mixed up. Some people get very worried about this, but I think there are usually much more important things to worry about.

A risk is then anything that might get in the way of achieving an objective, following a strategy, or in any other way disappointing a reasonable expectation of any stakeholder. Don't make too much of the word 'reasonable'. You can only discount an expectation as unreasonable after you've gone through a proper process of negotiating stakeholder expectations. If you haven't bothered to talk to a stakeholder, then any expectations - however ridiculous they seem to you - are reasonable.

To be manageable, a risk needs to be detectable. A risk indicator is an observable event or measure that indicates that the unwanted event has occurred, is occurring, or that its probability has significantly increased. Risk indicators are sometimes known as triggers.

We then distinguish between internal risk and external risk. An internal risk is one which can be completely contained by the project, and does not need to be exposed to external stakeholders. Example: We are planning to conduct volume tests this week. If the network goes down, or there is some other problem outside our control, we'll have to get a few people to come in at the weekend and do the tests then. Fortunately, there is a small allocation in the project budget for paying overtime, so we don't have to get approval for this, we can just go ahead and do it.

An external risk is one which cannot be contained by the project. If the unwanted event occurs, the project will be forced to renegotiate its terms of reference, either demanding additional resources or adjusting stakeholder expectations. Example: We are assuming that the software vendors will supply a bug-free millennium-compliant version of the software by Easter 1998. If they don't, we will either have to switch to a rival software product, which will completely blow the budget, or we will have to slip our delivery dates.


Ownership: Singular or Plural

Ownership of the risk means clearly locating the responsibility for the risk and the authority to fix the risk, either with the project in the case of an internal risk, or with a specific stakeholder in the case of an external risk.

Example: Successful implementation of the systems we are developing assumes that all our major suppliers install a web service interface by Easter 2002. If this doesn't occur, we shall need to develop an additional suite of programs, at a cost of £xxx. Ownership of this risk belongs to the Purchasing Director, Mr yyy, and he has agreed to allocate the necessary funds for the additional development if it is required.

There are two basic ways of handling the ownership of a risk.

One way is to assign ownership of the risk to a given stakeholder. That stakeholder then "bears" the risk, which means taking responsibility for containing the risk and protecting other stakeholders from any unwanted consequences. The risk owner may carry out actions to reduce the probability of the risk and/or to reduce the impact of the risk, but these are, in a sense, "private" to the risk owner.

(Of course, we may want to audit the risk owner, to get assurance that the risk owner can in fact bear the allocated risks, and that the risk owner has adequate risk management provision.)

The other way is to take joint action to reduce uncertainty. This means shared actions to reduce the probability of the risk, and joint contingency plans to be carried out if the risk event occurs.

Contingency planning is about achieving flexibility of response, especially where several people or groups have to respond in a coordinated way to emerging circumstances.

(This is the basic difference between contingency planning and disaster recovery. The latter is not about flexibility of response but about a pre-programmed survival reflex.)


Bearing Limit

Any given party has a bearing limit, which defines how much cost and risk it can bear. Above this limit, the party cannot be expected to contain the costs and risks allocated to it, and these may spill over the contractual boundaries to its partners. In the worst case, a party unable to bear its costs and risks goes into liquidation, and the remaining costs and risks then have to be picked up by another party.

In some cases, the bearing limit can be determined fairly precisely. This is particularly true in cases that are covered by various forms of indemnity insurance, since the bearing limit can be taken to be equal to the level of insurance cover. In other cases, the bearing limit is itself a matter for negotiation.

Within a hierarchical organization, there is a bearing limit at each level of the management hierarchy. In other words, there is a maximum level of responsibility that can be delegated downwards. Above this limit, the responsibility remains with upper management. (For example, if a trading bank loses half a billion dollars, this cannot be blamed solely on a rogue trader with an authorization limit of 50 million dollars. To pretend otherwise is either foolish or corrupt.)

Bearing Limit also links to notions of Containment and Encapsulation.


Calculating risk


This is described in many textbooks. Insurance companies employ highly trained professional mathematicians, known as actuaries, who perform the necessary statistical calculations. You need a degree in mathematics or statistics to understand these calculations.


Investment companies have another way of calculating risk, known as beta. Basically, if you invest in a high-risk company, such as gold mining or a high-tech start-up, there is a real possibility that you will lose all your money. To compensate for this risk, the investor expects a higher rate of return than would be paid by a "safe" investment, such as US Government bonds or shares in a multinational corporation. This is described in books on corporate finance.


But managers making executive decisions in ordinary companies usually don't use these sophisticated calculations. These managers have a simplistic and distorted view of risk, which means that the risk management strategies adopted by these companies are usually inadequate and unbalanced.




Distribution of Costs, Benefits and Risks


One of the prime concerns of any living body is to control the flow of fluids in and out. In a commercial enterprise, the first level of control is a financial one. So let us think of benefits, costs and risks as being fluid. Unless properly contained, revenues may leak out of an enterprise, and excess costs and risks may leak in.

So what is the business equivalent of the cell membranes that prevent the body from drying up or bursting? The structure and viability of the enterprise are maintained by its interfaces: the commercial contracts and intra-organizational agreements that control the inward and outward flow of benefits, costs and risks.

We need modelling techniques for understanding and managing the distribution of benefits, costs and risks in large federated business situations.


Let us suppose a large complex development, involving multiple parties. Negotiation between the parties determines how the benefits, costs and risks of the development shall be distributed among the parties. The resulting agreements are captured in contracts or other agreements between the parties.

(If the parties are parts of a single large corporation, these agreements may be relatively informal, and enforced/adjudicated by senior management. If the parties are legally independent entities, then the contracts may be legally binding documents, enforced/adjudicated by the public legal system.)


Costs, benefits and risks are distributed in three ways. Traditional cost-benefit techniques cater for these three dimensions of distribution as follows:

1. They are more or less likely to occur. (In other words, they are distributed in 'probability space'.)
   Traditional technique: Various (more or less mathematical) techniques are used to reduce the complexity of many different possible futures down to a single expected outcome.

2. They are likely to occur at different times. (In other words, they are chronologically distributed.)
   Traditional technique: To compare costs and benefits occurring at different times, accountants use the techniques of discounted cashflow (DCF) to reduce all cashflow to its net present value (NPV).

3. They affect different people, in different organizations, units, locations, enterprises. (They are distributed in 'stakeholder space'.)
   Traditional technique: Various (more or less political) stratagems are used to reduce the complexity of many different stakeholders with competing perceptions and preferences. These include power politics (where a single stakeholder dominates the decisions), compromise, log-rolling, consensus-seeking and various forms of voting.

However, these three dimensions of distribution are not orthogonal. You don't necessarily get the same answer if you collapse probability space and stakeholder space before discounting for time as you will get if you collapse probability space and stakeholder space after discounting for time. Among other things, this is because each stakeholder has a different risk profile and a different cost of capital.

In any case, if the procurement decisions are also distributed, there is little point in artificially centralizing the costs and benefits (and risks). Instead, each stakeholder needs to develop a business and risk case from his/her/its own perspective, while considering the likely procurement behaviour and risk management strategies of the other stakeholders. Thus in a federated world, it is not enough to do a business case and risk management strategy from your own perspective. You have to work out ways of making a system or process profitable and safe for each of the participants, as well as making services attractive and affordable to the customer. This means that you need to have an estimate of the likely business case from the other stakeholders' perspective. You need to have some appreciation of each stakeholder's intentions. An indication of intentions can be based on an analysis of responsibilities.
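
The order-dependence described above, and the per-stakeholder business case it leads to, can be shown with a small calculation. This is an added example, not part of the original Veryard Projects material; the two parties, their cashflows, the pooled 10% rate, and the modelling of 'risk profile' as a penalty on the standard deviation of outcomes are all assumptions made for illustration.

```python
from math import sqrt

# Constructed sample data: two equally likely futures and two parties.
# Cashflows are net amounts per year, year 0 first. All figures are invented.
SCENARIOS = {"on_time": 0.5, "late": 0.5}
PARTIES = {
    # name: (cost of capital, risk-aversion factor k, cashflows per scenario)
    "supplier": (0.15, 1.0, {"on_time": [-100, 20, 60, 60],
                             "late":    [-100, -20, 20, 60]}),
    "customer": (0.05, 0.2, {"on_time": [-50, 40, 40, 40],
                             "late":    [-50, 10, 40, 40]}),
}
POOLED_RATE = 0.10  # assumed single rate used by a centralised business case
YEARS = 4


def npv(cashflows, rate):
    """Discounted cashflow: reduce a stream of cashflows to net present value."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cashflows))


def collapse_then_discount():
    """Collapse stakeholder and probability space first, then discount once."""
    expected = [
        sum(p * flows[s][t]
            for s, p in SCENARIOS.items()
            for _, _, flows in PARTIES.values())
        for t in range(YEARS)
    ]
    return npv(expected, POOLED_RATE)


def party_case(name):
    """Discount each future at the party's own rate, then apply its risk profile."""
    rate, k, flows = PARTIES[name]
    values = {s: npv(flows[s], rate) for s in SCENARIOS}
    mean = sum(SCENARIOS[s] * v for s, v in values.items())
    var = sum(SCENARIOS[s] * (v - mean) ** 2 for s, v in values.items())
    return mean - k * sqrt(var)  # certainty equivalent (assumed risk model)


def discount_then_collapse():
    """Sum the parties' own risk-adjusted cases after each has discounted."""
    return sum(party_case(name) for name in PARTIES)


if __name__ == "__main__":
    print(f"pooled case:      {collapse_then_discount():8.2f}")
    for name in PARTIES:
        print(f"{name:9s} case:  {party_case(name):8.2f}")
    print(f"sum of own cases: {discount_then_collapse():8.2f}")
```

With these figures the centralised case is positive while the supplier's own case is strongly negative, so the pooled number hides a party that has no reason to take part.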

Business Relationship Models

We use business relationship models to describe the relationships between a network of business parties in terms of responsibility and delegation. Within risk management, such models are used as follows:


This page last updated on January 31st, 2002
Copyright © 1997-2002 Veryard Projects Ltd
in association with
antelope projects
CBDi Forum