APM Risk SIG Conference 2019

1. Risk Management: the human factor
Behavioural management perspective on common risk practice

2. Andy Abu-Bakar CEng MIMechE MAPM
Head of Risk & Engineering Services
OGC Management of Risk (MoR) and Managing Successful Programmes Practitioner
Chartered Engineer
Career:
• Costain / Rhead Group: Risk Management Consulting
• QinetiQ / HVR: Project / Programme Management Consulting
• Ministry of Defence: Project Manager, Systems Engineer, Aircraft Trials and Certification
Key skills:
• Risk management & improvement
• Project Controls
• Quantitative Risk Analysis & decision support
• Project & Programme Management

3. Costain Risk Services
• Maturity assessment
• Organisational risk
effectiveness: culture,
practice, data quality,
process
• Identification and support in
implementing targeted
improvements
• Risk identification &
workshop facilitation
• Risk process, procedures,
register development
• Operation of the risk
process: reviews,
maintenance & reporting
• Schedule / cost risk analysis
• Building and assuring
confidence models
• Defining overall risk
exposure
• Sensitivity and options
analysis
• Risk management
fundamentals
• Risk identification techniques
and definition
• Assessment & estimating
practice
• Risk modelling techniques
Risk Improvement Quantitative analysis
Implementation Training

4. Are we getting value from risk management?
▪ Costs of risk management
▪ People
▪ Software
▪ Training
▪ External support
▪ Responding to risks
▪ Increasing sophistication in risk management – processes, standards, tools, guidelines,
approaches
▪ Are we getting the return we expect from the investment?
▪ It’s carried out by people – need to recognise how our behaviour influences the effectiveness of
risk management

5. This presentation
▪ Behavioural considerations, biases and the effect on risk practice
▪ Applying Costain’s CBS approach
▪ Considerations in determining risk provision

6. Human factors throughout the risk process
From ISO 31000:2018
Identification:
- Workshop dynamics
- Definition & atomisation
- Failure to update / review
Evaluation:
- Focusing on the things
that matter
- Confirmation bias &
commitment escalation
Consequences where these
are not addressed:
• Lack of understanding of true
risk exposure
• Risk is not properly managed
• Decisions are ill-informed
• Opportunities to adjust course
or cancel ill-fated projects are
missed
• Team behaviour is influenced
by prior experience: only good
news is presented
Analysis:
- Anchoring & overconfidence
- Modelling complexity
Treatment:
- Ineffective / immature
treatment measures
- Lack of action
Reporting:
- Failure to review risk reports
- Failure to communicate bad
news

7. Applying Costain CBS
Examining 2 risk management scenarios using behavioural science

8. Cultural Behavioural Safety
▪ Whilst Health and Safety across
construction industry has improved
over past 20 years, the majority of
incidents today are behaviour-related
▪ CBS rolled out across Costain in
2010
▪ application of behavioural science to
increase safe behaviours
▪ “Getting people to do the right things
because the want to, not because the
have to”
Estimated working days lost per worker due to work-related incidents
(Great Britain). Source: HSE historical statistics 2018

9. ABC model: how the environment drives our behaviour

10. ABC model: how the environment drives our behaviour
▪ Antecedents: prompt which is present before behaviour occurs
▪ Behaviour: things we say or do
▪ Consequences Reinforcers (cause behaviour to increase):
• R+ (get you something you want)
• R- (help avoid something you don’t want)
Punishers (cause behaviour to decrease)
BF Skinner, Harvard circa 1950

11. ABC example
Antecedents Behaviour Consequences
Driving on
motorway above
the speed limit
R/P N/L S/U
P L U
R N S
P L U
• How would behaviour change after experiencing consequences?
• Consequences are much more effective at driving behaviour (20:80 rule)
Consequences
Fine / penalty
Get to destination quicker
May have accident
Antecedents
Road signs
Highway code

12. The consequence chain – project environment
▪ Consequences usually provided by
line manager
▪ Acceptable behaviour is modelled
through words and actions of
managers and leaders
▪ No good saying the right things if
actions don’t match
▪ Don’t break the chain
Project Team
Project
Manager
Project
Sponsor
Executive
Board
Risk Manager
“The project SRO, project
manager and project board have
a key role to play in creating a
supportive [risk] culture… If they
show through their words and
actions that risk management is
important, others will follow.”
OGC MoR guidance for practitioners

13. Scenario 1: briefing risk analysis results to the PM
▪ Risk manager for project
▪ Project’s first schedule risk analysis
▪ Spent 3 months developing model, inputs,
estimates etc.
▪ Results show range of outturn significantly
later than planned
the Project Manager’s response?……

14. What’s behind the PM’s response?
▪ Commitment escalation
▪ Sticking to the initial decision when it has become irrational to do so.
▪ “We told the board only last month that the project would be complete by the end
of the year: the risk modelling has to match.”
▪ “We agreed to a budget of £90m only last month. We can’t ask for more now!”
▪ Confirmation / congruence bias
▪ Actively seeking information which supports existing belief / view
▪ People set higher standard for evidence which contradicts their existing views
▪ Rejection of unfavourable evidence: “that can’t be right”

15. Antecedent Current Behaviour Consequence R/P N/L S/U
Company / project risk
policy
Risk management plan
/ strategy
Behaviour of peers and
senior leaders
Performance
expectations from line
manager
Option 1: PM accepts analysis
outputs and communicates this
to project sponsor / board
Angry response form line manager / board P L S
Future career prospects could be blighted P L U
Time required to understand analysis detail in order to
communicate this to board / develop options
P N S
Project may need to be re-sanctioned or may be cancelled: team
may lose jobs
P L U
Option 2: PM rejects analysis and
demands the risk manager revisit
to produce more palatable
results
Avoid dedicating time to developing response plans and / or
revisiting the investment case / project scope
R N S
Avoid having to report bad news to the board / project sponsor R L S
Can maintain claim that project is on track R L S
Could be disgruntlement from project team and risk manager P L U
All punishing
consequences
Largely reinforcing
consequences
• Whichever behaviour is demonstrated, it will set a precedent for the future
• How will the project team approach a similar situation next time?
That’s the wrong answer! – consequence analysis
(undesirable behaviour)
This consequence is
the most compelling
for the individual

16. That’s the wrong answer! – consequence analysis
(promoting the desired behaviour)
Antecedent Desired Behaviour Consequence R/P N/L S/U
Company / project risk
policy
Risk management plan
/ strategy
Behaviour of peers and
senior leaders
Performance
expectations from line
manager
PM accepting the outcomes from
analysis and developing response
approach with risk manager / PT
Potential recognition from project board / sponsor for
transparency on risk position
R+ L U
Avoid confrontation with board for not disclosing information
earlier
R- L U
Further career through experience of handling difficult projects R+ L U
Dedicate time to developing response plans P L S
May need to revisit project investment case / project scope P L U
• Better balance of positive consequences for the desired behaviour, although no RNS
• Largely driven by the consequence chain = leadership
• It’s not always possible to remove all negative consequences

17. The risk manager’s role in preparing the ground
▪ Early buy-in and engagement
▪ Explain the process
▪ Be open about the assumptions,
omissions, constraints
▪ Get ownership of the inputs
▪ Give people the opportunity to
develop responses and test
options

18. Scenario 2: participation in the risk process
▪ Limited engagement with risk activities –
identification, assessment, risk reviews, etc.
▪ View that risk is a distraction from the day job
▪ Senior team show little interest in risk
▪ Team criticise risk information but unwilling to
help fix it
“You’re the risk manager, aren’t you?……”

19. Antecedent Current Behaviour Consequence R/P N/L S/U
Company / project risk
policy
Risk management plan
/ strategy
Behaviour of peers and
senior leaders
Performance
expectations from line
manager
Project member refuses to
participate in review process
Save time and can focus on ‘the day job’ R- N S
Avoid blame if risk information is found to be incorrect R- L S
Potential disgruntlement from risk manager P L U
Desired Behaviour
Full participation in risk process
(identification, review) and
ownership of risk data
Time consumed in developing risk information P N S
May receive recognition from line manager / PM for clarity and
grasp of risk data
R+ L U
Risk process may support resolution of concerns and key threats R+ L U
Avoid having to explain poor quality risk information to PM / board R- L U
Reinforcing
consequences are
comparatively weak
Reinforcing
consequences dominate
• Underlying issue is that the project team do not feel they owner or are
accountable for the risk information or for managing risk
• Acceptable behaviour is modelled by the PM / senior leadership team
Scenario 2: You’re the risk manager! –
consequence analysis (undesirable behaviour)
Environment (and in
particular leadership
behaviours) can help move
these from ‘Unsure’ to ‘Sure’
This RNS dominates –
may need to address by
tackling time priorities

20. Determining risk provision
Case study of assessment and behavioural considerations

21. Determining risk provision – assessment considerations
Example risk analysis output using Primavera Risk Analysis
• Basis of estimate
• Shape of forecast, confidence level
• Profiling
• Unknown-unknowns
• Ownership and exclusions
• Contract arrangement

22. Determining risk provision – behavioural considerations
▪ Parkinson’s law
▪ Where to set the baseline? Challenge vs realism
▪ Supplier competition / bidding
▪ Low initial estimates in order to secure work
▪ Establishes adversarial approach which will prevent effective risk management
▪ Risk drawdown arrangements – effect on supplier risk estimates
▪ Protocol for releasing funding back to business – beware unintended consequences

23. Considering behaviour in improving risk
management effectiveness
Practical and cultural considerations to help improve risk practice

24. Key influences on risk management effectiveness
OwnershipAccountability
Quality of
information
Effective
Prioritisation
Active
management
of risk
Volume of risk
data
• Ability to aggregate
/ summarise
• Tailor risk set to
manageable volume
• Clear risk definitions
• Biases, estimating
approach
• Ownership should
mirror scope
breakdown / work
allocation
• Clarity of
ownership
Risk owners:
• Held to account for
risk information and
response action
• Allocated resources
for managing risks
Leadership behaviour and
organisational culture
Risk
expertise

25. How do we improve the return on risk management?
Project / Organisational Leaders Risk professionals
• Set clear expectations and model positive risk
behaviour:
- Show an interest in risk and emphasise its
importance in project success
- hold scope owners to account
- recognise good risk practice
• Demonstrate how to respond to bad news –
encourage transparency and early visibility
• Demand high quality risk information to inform
decisions
• Scaling the approach to suit needs of the project
• Help owners focus on action and the risks that matter
• Communicate and seek buy-in
• Engage with senior leadership to emphasise their role
• Promote range thinking
• Help other functions (finance, procurement,
commercial) understand and take account of risk
behaviours

26. Questions?
andy.abu-bakar@costain.com
www.costain.com