David Hillson stated that “the risk people are business prevention people” at the beginning of his presentation at Gower Experts Forum at National Centre for Project Management.
He noted that 2009 CHAOS results are not that different from those of the beginning of CHAOS: 24% of projects fell into the ‘Failed’ category last year, 44% were ‘Challenged’, and only 32% were successful. Hillson stated that Project Risk Management is supposed help. “Risk Management gives us a clear focus and helps us achieve our objectives.”
Hillson believes that project success is a key driver of risk management. Hillson is the self-described Risk Doctor. However, he makes a lot of sense. Risk management:
makes us proactive, not reactive
It creates the space necessary to manage effectively
It ensures focus and consensus.

Hillson identified three areas that can be improved when it comes to risk management: Processes, Principles, and People.
Hillson defines risk to be “uncertainty which matters”, i.e. Uncertainty that could pose a risk to our project objectives. He said, “We don’t have all the uncertainty in the world on any of our risk registers.” We filter out the important by determining whether it will impact our objectives. Different risks are important at different levels. What is important for project objectives may not be relevant to strategic objectives. We must also remember that not all risks are bad. Hillson explained that “Opportunity or threat are two types of risk, but they are both risks.”
Hillson also mentioned the principle that project risk is different than risk events. Sponsors often ask, “How risky this project is?” The answer is not “Here’s my risk register.” Instead, a different judgment is applied to the concept risk as distinct from risk. Risk is not equal with all the risks.
Our standard risk processes are missing two things.
How do we implement the risk management?Hillson pointed to the fact that most standard risk processes end with determining what the mitigating actions should look like. There is no place to actually do risk response. He explained that while people assume that this will be incorporated into project tasks, it could be better managed.
When do we learn?The risk management process is a circle – identify-assess-plan-review – so where does it stop? There is no final step after project completion that will incorporate the lessons learned into the post-implementation review.
People work on projects. Our risk attitudes determine how we respond to risks. Hillson stated that understanding and managing people’s risk attitudes will improve risk effectiveness. Hillson spoke about a range of risk attitudes, and it all depends on the event. You might be very cautious when abseiling your first time, while you might be more cautious if you gamble with matchsticks. Depending on your goals, where you should be is up to you.
Hillson stated, “We focus only on the tools and forget the people.”
It was an interesting presentation. David Hillson’s book, Managing Risk in Projects can be purchased at Amazon.co.uk and Amazon.com.