Saturday, January 30, 2021

Big words in risk management


Sometimes, people use big words and I have to pause and look them up -- using an online dictionary, of course. Here's three of the biggies from the domain of risk management which are explained below with some examples:
Knowledge errors and omissions: There's a project event coming up. The circumstances and factors for success are not really random ... it's the knowledge base for the assumptions you make and facts you know .. or don't know ... that are the determinates.

You say: I'm X% confident I've thought of everything. (Of course, that leaves 1 - X lack of confidence ... )

The outcome is more or less binary: either it comes off, or not. Value earned! (I'll leave arguments for partial success to others)

Whats the big word? EPISTEMIC. Epistemic risk is the risk of missing or erroneous knowledge, the risk that a fact is -- in fact -- not true, or a fact is missing, or a fact is actually unknown.
Memory aide: epistemic risk is around episodes ... events, and the like.
So: epistemic : episodic

Epistemic risk is said to be "reducible", meaning: you have free will to add/modify/delete from the knowledge base for each episode. Nonetheless, running repetitive simulations in the style of a Monte Carlo to discover possible episode outcomes doesn't help much because the same lack of knowledge or untrue fact shows up the same way every time in the simulation.

But, in the PM domain, it's not all about missing the facts or misjudging the situation. Random stuff happens: it may rain on your event. Such is not 'missing knowledge'.

Random stuff: Rather than missing a fact here or there, or making a wrong assumption, sometimes it's just random small variations: it takes a little longer or a little shorter to do something, or it costs a bit more or less each time you do it, or the tool is a little sharper or a little duller. Exact outcomes are a bit unpredictable, and over the short run exactness is not controllable. But outcomes do tend to cluster within a range of values; in the short run, the range is said to be "irreducible".

Simulation is great for this kind of stuff: You usually get a different outcome each time you run the simulation because you're simulating small random effects: the temperature is a little higher or it's a little lower. The simulation report captures most of the possibilities, some more probable than others. For PM, the 'Monte Carlo' methodology is quite common for these types of risks.

A sort of big word for such randomness is 'STOCHASTIC', referring to effects that happen by chance, and such chance effects have a range ... or distribution ... of possibilities, with each possibility having a probability. (The probability of rain at 3pm is less than 20%)

What's the big word? ALEATORY. Aleatory risks are stochastic in their character. The risk outcomes are distributed over a range, and values within the range have probabilities, all such accumulating to 1 or 100%. (If the distribution is continuous, meaning all possible values, then the probabilities are actually calculated over very small increments using calculus methods)

'They say' aleatory risks are irreducible or uncontrollable. That would seem to say that there's nothing you can do about them. Not true. See my comments below.

So, as a risk manager or project manager, what can you do with this? What should you do with all this? As a risk manager, you have an obligation to address risks that are material to project success.

Ask around: In the first case, epistemic risk, if you only have one shot at it, you ask questions until you can't think of anything else, and then you ask a third party to ask questions. After processing the answers, and when you can't conceive of a plot hole, you pull the trigger, as it were.

Apply lessons learned: But also in the first case, if you have a second chance, you can apply lessons learned from the first attempt, change the knowledge base, and thereby change the confidence it will work out. This is the so-called Bayesian method. Looking for a lost nuclear bomb or a lost submarine? This is the way to do it.

Address stochastic sources: In the second case, aleatory risk, it's somewhat of a process control problem: keeping the outcomes within limits of acceptability. 

In the short run, if the tool is dull, you have to live with the stochastic outcomes; they're irreducible, as it were. Longer term, you take executive actions to mitigate outcomes, to wit: sharpen the tool. 

You can look for weaknesses in the process, change the tooling, retrain the staff, add or subtract staff, adjust the environment, or address any other element that contributes or influences the stochastic nature of the risk.

You're in charge. Get on with it!




Buy them at any online book retailer!