The challenge of project risk management

Risk planning is critical, but it won't safeguard your project, your data or your customer from everything. Some things you simply cannot plan for, so you need to be ready to respond quickly and efficiently when they happen.

Risk management. Security. Total coverage is a myth. We could analyze risk for a year on a two-month project and still not cover everything. We could build the best security possible, and if someone wants in, there is always someone out there good enough, skilled enough and bad enough to do it. There is no such thing as a sure thing.

The security and disaster demos

Yes, on our big projects we parade our customers through onsite dog-and-pony shows, or even offsite proof-of-concept (POC) demos, showing how, in the event of a catastrophe, an epic failure or a hack of awesome magnitude, we could resume operations within hours on their critical, data-centric project. And we make it look like we pulled it off without a hitch.

Take Mr. Mann, for example. He had to do that several times a year for a large government agency on a 30 million euro program he was leading, one that handled extremely sensitive financial data for literally millions of individuals around the world. He held a top-secret security clearance. Yet he knew how to bring it all down in the blink of an eye if he had been so inclined. He wasn't... but he could have. The disaster recovery proof we gave them was real, and we were successful, but that did not mean we could pull it off no matter what. And we never proved what could be done in the case of a major data security breach or hack. A recovery drill shows you can restore service from a known-good state after an outage; it says nothing about whether you would notice an intruder, or whether the backups you restore from are themselves clean.

The pros

If Barnaby Jack figured out how to hack pacemakers and insulin pumps in living individuals and then died unexpectedly just days before he was due to present at the 2013 Black Hat conference, then I'm not sure any device, system, building or project is safe. No matter how much risk management and planning we do, and no matter how much security we build into our projects and systems, it can never truly be enough to prevent everything that can damage them.

What can we do?

What can we do to help ensure safety, security, and risk prevention, mitigation and avoidance? We can plan, plan, plan. The problem, though, is budget. We can never perform risk planning for a year on a two-month project. We can probably do it for two hours. But the key is that we must plan. We like to skip it; I know I have, many times. "I'm managing issues along the way, I've got no budget available to do true risk planning." Ever said that before? I have. And customers are none the wiser. Why? They aren't thinking about risks either; they assume the project team has it under control and, at the very least, will manage risks along the way.

Here's another good one, again from Mr. Mann. He worked for a great organization with a lot of good people doing amazing things for customers. It was the most enjoyable job he had held up to that point in his career. It all came crashing down when the CEO turned out to be a fraud. The engineers who did the dirty work for him thought they were just making the server room look good, not helping him scam every bank in town with fraudulent loans secured against equipment and clients the company didn't really have. The rest of the company didn't even know it was going on.

One man brought an entire global organization down and no one knew. How could we have planned for something like that? The fifteen projects he was managing for clients went away with the company, as did everyone's job. That is much bigger than one project failing: every project failed, and hundreds of project customers were left with nothing. Again, we must plan, but there is always a limit to how much we can plan for.

The moral of the story is this: you can't see everything coming. Most of those unexpecteds are just that... unexpected. And the other 2 percent are bad people working against you for their own gain. Either way, it's harmful.

You just have to decide how hard you want to plan, and what you can afford not to plan for. At what point do you say, "Well, if that happens, it just happens"? What is that threshold? Is it arbitrary? Yes. And it may have no euro figure attached to it. You just have to assume most people are good and that the far-out things likely won't happen. And then, when they do, try not to wet your pants. Put your big boy pants on and do what you can to wade through the rubble and pull your project through the mess with the help of your team, your customer and, hopefully, your own strong leadership and decision-making skills.