Are You Overcomplicating Risk Management?

by Andrew Romanek

Published in the June 2019 Edition of

The consequences of poor risk management can be catastrophic. In just the last 15 years, Hurricane Katrina, the financial crisis of 2008, the Deepwater Horizon oil rig explosion, and the Fukushima nuclear crisis all stem, at least in some part, from risk management failures. As recently as 2018, Wells Fargo agreed to a $1 billion settlement when federal regulators cited a lack of effective risk management as the root cause of their scandal involving unauthorized creation of consumer accounts.

While the maturity and awareness of risk management within organizations continue to increase globally, are we at the point where organizations are embracing its value? Has there been a paradigm shift in culture or are they simply checking boxes? Some findings published in the latest edition of The State of Risk Oversight (Beasley et al., Spring 2019) indicate that we have a long way to go. Based on survey responses from 445 business executives spanning a number of industries and sizes:

  • Only 23% of respondents described their risk management as “mature” or “robust” with the perceived level of maturity declining over the past two years.
  • Less than 20% of organizations view their risk management process as providing important strategic advantage.
  • Approximately 68% have experienced at least “somewhat” of an operational surprise in the last five years.

The lack of belief in, or focus on, risk management extends to the project level. Within the field of environmental engineering consulting, this culture is pervasive across peer firms. As frequently as weekly, failures occur in the most basic tenets of project management. These failures have roots in either poor project management or poor risk management, or both. So why the lack of attention to risk management? There are three primary reasons:

  1. We don’t have the time.
  2. We don’t recognize the benefit.
  3. We overcomplicate the process.

Reason #1 is easily addressed and will not be touched on more in this article. If people recognize the benefit and do not overcomplicate the process, they will find the time. Reason #2 is not difficult to overcome either. Think back to a project failure or a project that required extensive rework, or simply think back to the last time you said to yourself that you would have done something differently if you had to do it over again. In many of these cases, we criticize ourselves for not coming up with the obvious solution AND for not having recognized the potential risks of doing something a certain way. For a simple problem, five minutes of risk assessment could prevent far more time-consuming corrective actions.

As for Reason #3, risk management is too often viewed as a prescribed process and we overcomplicate implementation. In risk management guidance, you will find mention of methods such as the Delphi technique, SWOT (strengths, weaknesses, opportunities, and threats) analysis, impact matrices, modeling, and audits. These all have their place, and each can be useful depending on the needs of the project.

However, for those managers that may not incorporate risk management into their routine project management activities, there is an alternative approach. Put aside your guidance and first define what your objectives are for risk management implementation. As necessary, be specific as to the tasks of your project. Once your objectives have been defined, and assuming you are bought into the value of risk management, or are at least ready to approach it constructively, start simple. Streamline risk management to best suit your needs and the objectives of the project.

  • Use a risk register – Don’t overcomplicate this activity. It can be as simple as identifying risks, potential impact, and mitigation/contingency actions.
  • Document lessons learned – This is a commonly defined process in most project management programs, but one which project managers do not often follow through with. Documenting lessons learned makes the risk identification process simpler on new projects. A best practice is to populate lessons learned as they occur and not wait until the end of a project.
  • Involve your team – Share your risk register with your team and ask for their input. Also ask for input from managers and others that may have more experience.
  • Involve peer or expert review – Consulting 2-3 independent experts in your field to discuss a problem is an upfront expense but can save a lot later and help with external buy-in on decisions and/or recommendations.
  • Create a framework around decision support – Take actions such as building a decision tree for complex problems with multiple potential outcomes and contingency actions.

The unexpected will still happen, and it is an unrealistic expectation to believe that all potential risks can be identified. If something happens that you did not identify, don’t get discouraged. This does not necessarily mean that your risk management activities failed or were wasted. You will be more cognizant of what went wrong and will see the benefits in cases where a risk you identified is realized but also mitigated.

Incorporating simple risk management will inevitably lead to a better-managed project. Developing and implementing a streamlined risk management process could be viewed as unnecessary and a waste of effort; however, in addition to being the most responsible course of action, it will ultimately save time and effort and, most importantly, give you and your team peace of mind.


Beasley, Mark, et al., “2019 The State of Risk Oversight – An Overview of Enterprise Risk Management Practices.” ERM Professional Insights. 10th Anniversary Edition, Spring 2019.