Eight to Late

Sensemaking and Analytics for Organizations

Archive for the ‘portfolio management’ Category

The failure of risk management: a book review

with 7 comments

Introduction

Any future-directed activity has a degree of uncertainty, and uncertainty implies risk. Bad stuff happens – anticipated events don’t unfold as planned and unanticipated events occur.  The main function of risk management is to deal with this negative aspect of uncertainty.  The events of the last few years suggest that risk management as practiced in many organisations isn’t working.  A book by Douglas Hubbard entitled, The Failure of Risk Management – Why it’s Broken and How to Fix It, discusses why many commonly used risk management practices are flawed and what needs to be done to fix them. This post is a summary and review of the book.

Interestingly, Hubbard began writing the book well before the financial crisis of 2008 began to unfold.  So although he discusses matters pertaining to risk management in finance, the book has a much broader scope. For instance, it will be of interest to project and  program/portfolio management professionals because many of the flawed risk management practices that Hubbard mentions are often used in project risk management.

The book is divided into three parts: the first part introduces the crisis in risk management; the second deals with why some popular risk management practices are flawed; the third discusses what needs to be done to fix these.  My review covers the main points of each section in roughly the same order as they appear in the book.

The crisis in risk management

There are several risk management methodologies and techniques in use ;  a quick search will reveal some of them. Hubbard begins his book by asking the following simple questions about these:

  1. Do these risk management methods work?
  2. Would any organisation that uses these techniques know if they didn’t work?
  3. What would be the consequences if they didn’t work

His contention is that for most organisations the answers to the first two questions are negative.  To answer the third question, he gives the example of the crash of United Flight 232 in 1989. The crash was attributed to the simultaneous failure of three independent (and redundant) hydraulic systems. This happened because the systems were located at the rear of the plane and debris from a damaged turbine cut lines to all them.  This is an example of common mode failure – a single event causing multiple systems to fail.  The probability of such an event occurring was estimated to be less than one in a billion. However, the reason the turbine broke up was that it hadn’t been inspected properly (i.e. human error).  The probability estimate hadn’t considered human oversight, which is way more likely than one-in-billion.  Hubbard uses this example to make the point that a weak risk management methodology can have huge consequences.

Following a very brief history of risk management from historical times to the present, Hubbard presents a list of common methods of risk management. These are:

  1. Expert intuition – essentially based on “gut feeling”
  2. Expert audit – based on expert intuition of independent consultants.  Typically involves the development  of checklists and also uses stratification methods (see next point)
  3. Simple stratification methodsrisk matrices are the canonical example of stratification methods.
  4. Weighted scores – assigned scores for different criteria (scores usually assigned by expert intuition), followed by weighting based on perceived importance of each criterion.
  5. Non-probabilistic financial analysis –techniques such as computing the financial consequences of best and worst case scenarios
  6. Calculus of preferences – structured decision analysis techniques such as multi-attribute utility theory and analytic hierarchy process. These techniques are based on expert judgements. However, in cases where multiple judgements are involved these techniques ensure that the judgements are logically consistent  (i.e. do not contradict the principles of logic).
  7. Probabilistic models – involves building probabilistic models of risk events.  Probabilities can be based on historical data, empirical observation or even intuition.  The book essentially builds a case for evaluating risks using probabilistic models, and provides advice on how these should be built

The book also discusses the state of risk management practice (at the end of 2008) as assessed by surveys carried out by The Economist, Protiviti and Aon Corporation. Hubbard notes that the surveys are based  largely on self-assessments of risk management effectiveness. One cannot place much confidence in these because self-assessments of risk are subject to well known psychological effects such as cognitive biases (tendencies to base judgements on flawed perceptions) and the Dunning-Kruger effect (overconfidence in one’s abilities).   The acid test for any assessment  is whether or not it use sound quantitative measures.  Many of the firms surveyed fail on this count: they do not quantify risks as well as they claim they do. Assigning weighted scores to qualitative judgements does not count as a sound quantitative technique – more on this later.

So, what are some good ways of measuring the effectiveness of risk management? Hubbard lists the following:

  1. Statistics based on large samples – the use of this depends on the availability of historical or other data that is similar to the situation at hand.
  2. Direct evidence – this is where the risk management technique actually finds some problem that would not have been found otherwise. For example, an audit that unearths dubious financial practices
  3. Component testing – even if one isn’t able to test the method end-to-end, it may be possible to test specific components that make up the method. For example, if the method uses computer simulations, it may be possible to validate the simulations by applying them to known situations.
  4. Check of completeness – organisations need to ensure that their risk management methods cover the entire spectrum of risks, else there’s a danger that mitigating one risk may increase the probability of another.  Further, as Hubbard states, “A risk that’s not even on the radar cannot be managed at all.” As far as completeness is concerned, there are four perspectives that need to be taken into account. These are:
    1. Internal completeness – covering all parts of the organisation
    2. External completeness – covering all external entities that the organisation interacts with.
    3. Historical completeness – this involves covering worst case scenarios and historical data.
    4. Combinatorial completeness – this involves considering combinations of events that may occur together; those that may lead to common-mode failure discussed earlier.

Finally, Hubbard closes the first section with the observation that it is better not to use any formal methodology than to use one that is flawed. Why? Because a flawed methodology can lead to an incorrect decision being made  with high confidence.

Why it’s broken

Hubbard begins this section by identifying the four major players in the risk management game. These are:

  1. Actuaries:  These are perhaps the first modern professional risk managers.  They use quantitative methods to manage risks in the insurance and pension industry.  Although the methods actuaries use are generally sound, the profession is slow to pick up new techniques. Further, many investment decisions that insurance companies do not come under the purview of actuaries. So, actuaries typically do not cover the entire spectrum of organizational risks.
  2. Physicists and mathematicians: Many rigorous risk management techniques came out of statistical research done during the second world war. Hubbard therefore calls this group War Quants. One of the notable techniques to come out of this effort is the Monte Carlo Method – originally proposed by Nick Metropolis, John Neumann and Stanislaw Ulam as a technique to calculate the averaged trajectories of neutrons in fissile material  (see this article by Nick Metropolis for a first-person account of how the method was developed). Hubbard believes that Monte Carlo simulations offer a sound, general technique for quantitative risk analysis. Consequently he spends a fair few pages discussing these methods, albeit at a very basic level. More about this later.
  3. Economists:  Risk analysts in investment firms often use quantitative techniques from economics.  Popular techniques include modern portfolio theory and models from options theory (such as the Black-Scholes model) . The problem is that these models are often based on questionable assumptions. For example, the Black-Scholes model assumes that the rate of return on a stock is normally distributed (i.e.  its value is lognormally distributed) – an assumption that’s demonstrably incorrect as witnessed by the events of the last few years .  Another way in which economics plays a role in risk management is through behavioural studies,  in particular the recognition that decisions regarding future events (be they risks or stock prices) are subject to cognitive biases. Hubbard suggests that the role of cognitive biases in risk management has been consistently overlooked. See my post entitled Cognitive biases as meta-risks and its follow-up for more on this point.
  4. Management consultants: In Hubbard’s view, management consultants and standards institutes are largely responsible for many of the ad-hoc approaches  to risk management. A particular favourite of these folks are ad-hoc scoring methods that involve ordering of risks based on subjective criteria. The scores assigned to risks are thus subject to cognitive bias. Even worse, some of the tools used in scoring can end up ordering risks incorrectly.  Bottom line: many of the risk analysis techniques used by consultants and standards have no justification.

Following the discussion of the main players in the risk arena, Hubbard discusses the confusion associated with the definition of risk. There are a plethora of definitions of risk, most of which originated in academia. Hubbard shows how some of these contradict each other while others are downright non-intuitive and incorrect. In doing so, he clarifies some of the academic and professional terminology around risk. As an example, he takes exception to the notion of risk as a “good thing” – as in the PMI definition, which views risk as  “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.”  This definition contradicts common (dictionary) usage of the term risk (which generally includes only bad stuff).  Hubbard’s opinion on this may raise a few eyebrows (and hackles!) in project management circles, but I reckon he has a point.

In my opinion, the most important sections of the book are chapters 6 and 7, where Hubbard discusses why “expert knowledge and opinions” (favoured by standards and methodologies are flawed) and why a very popular scoring method (risk matrices) is “worse than useless.”  See my posts on the  limitations of scoring techniques and Cox’s risk matrix theorem for detailed discussions of these points.

A major problem with expert estimates is overconfidence. To overcome this, Hubbard advocates using calibrated probability assessments to quantify analysts’ abilities to make estimates. Calibration assessments involve getting analysts to answer trivia questions and eliciting confidence intervals for each answer. The confidence intervals are then checked against the proportion of correct answers.  Essentially, this assesses experts’ abilities to estimates by tracking how often they are right. It has been found that  people can improve their ability to make subjective estimates through calibration training – i.e. repeated calibration testing followed by feedback. See this site for more on probability calibration.

Next Hubbard tackles several “red herring” arguments that are commonly offered as reasons not to manage risks using rigorous quantitative methods.  Among these are arguments that quantitative risk analysis is impossible because:

  1. Unexpected events cannot be predicted.
  2. Risks cannot be measured accurately.

Hubbard states that the first objection is invalid because although some events (such as spectacular stockmarket crashes) may have been overlooked by models, it doesn’t prove that quantitative risk as a whole is flawed. As he discusses later in the book, many models go wrong by assuming Gaussian probability distributions where fat-tailed ones would be more appropriate. Of course, given limited data it is difficult to figure out which distribution’s the right one. So, although Hubbard’s argument is correct, it offers little comfort to the analyst who has to model events before they occur.

As far as the second is concerned, Hubbard has written another book on how just about any business variable (even intangible ones) can be measured. The book makes a persuasive case that most quantities of interest can be measured, but there are difficulties.  First, figuring out the factors that affect a variable  is not a straightforward task.  It depends, among other things,  on the availability of reliable data, the analyst’s experience etc. Second, much depends on the judgement of the analyst, and such judgements are subject to bias. Although calibration may help reduce certain biases such as overconfidence, it is by no means a panacea for all biases.  Third, risk-related measurements generally  involve events that are yet to occur.  Consequently, such measurements are  based on  incomplete information.  To make progress one often has to make additional assumptions which may not justifiable a priori.

Hubbard is a strong advocate for quantitative techniques such as Monte Carlo simulations in managing risks. However,  he believes that they are often used incorrectly.  Specifically:

  1. They are often used without empirical data or validation – i.e. their inputs and results are not tested through observation.
  2. Are generally used piecemeal – i.e. used in some parts of an organisation only, and often to manage low-level, operational risks.
  3. They frequently focus on variables that are not important (because these are easier to measure) rather than those that are important. Hubbard calls this perverse occurrence measurement inversion. He contends that analysts often exclude the most important variables because these are considered to be “too uncertain.”
  4. They use inappropriate probability distributions. The Normal distribution (or bell curve) is not always appropriate. For example, see my posts on the inherent uncertainty of project task estimates for an intuitive discussion of the form of the probability distribution for project task durations.
  5. They do not account for correlations between variables. Hubbard contends that many analysts simply ignore correlations between risk variables (i.e. they treat variables as independent when they actually aren’t). This almost always leads to an underestimation of risk because correlations can cause feedback effects and common mode failures.

Hubbard dismisses the argument that rigorous quantitative methods such as Monte Carlo are “too hard.” I  agree, the principles behind Monte Carlo techniques aren’t hard to follow – and I take the opportunity to plug my article entitled  An introduction to Monte Carlo simulations of project tasks 🙂 .  As far as practice is concerned,  there are several commercially available tools that automate much of the mathematical heavy-lifting. I won’t recommend any, but a search using the key phrase monte carlo simulation tool will reveal many.

How to Fix it

The last part of the book outlines Hubbard’s recommendations for improving the practice of risk management. Most of the material presented here draws on the previous section of the book. His main suggestions are to:

  1. Adopt the language, tools and philosophy of uncertain systems. To do this he recommends:
    • Using calibrated probabilities to express uncertainties. Hubbard believes that any person who makes estimates that will be used in models should be calibrated. He offers some suggestions on people can improve their ability to estimate through calibration – discussed earlier and on this web site.
    • Employing quantitative modelling techniques to model risks. In particular, he advocates the use of Monte Carlo methods to model risks. He also provides a list of commercially available PC-based Monte Carlo tools. Hubbard makes the point that modelling forces analysts to decompose the systems  of interest and understand the relationships between their components (see point 2 below).
    • Developing an understanding of the basic rules of probability including independent events, conditional probabilities and Bayes’ Theorem. He gives examples of situations in which these rules can help analysts extrapolate

    To this, I would also add that it is important to understand the idea that an estimate isn’t a number, but a  probability distribution – i.e. a range of numbers, each with a probability attached to it.

  2. Build, validate and test models using reality as the ultimate arbiter. Models should be built iteratively, testing each assumption against observation. Further, models need to incorporate mechanisms (i.e. how and why the observations are what they are), not just raw observations. This is often hard to do, but at the very least models should incorporate correlations between variables.  Note that correlations are often (but not always!) indicative of an underlying mechanism. See this post for an introductory example of Monte Carlo simulation involving correlated variables.
  3. Lobbying for risk management to be given appropriate visibility in organisation.s

In the penultimate chapter of the book, Hubbard fleshes out the characteristics or traits of good risk analysts. As he mentions several times in the book, risk analysis is an empirical science – it arises from experience. So, although the analytical and mathematical  (modelling) aspects of risk are important,  a good analyst must, above all, be an empiricist – i.e. believe that knowledge about risks can only come from observation of reality. In particular, tesing models by seeing how well they match historical data and tracking model predictions are absolutely critical aspects of a risk analysts job. Unfortunately, many analysts do not measure the performance of their risk models. Hubbard offers some excellent suggestions on how analysts can refine and improve their models via observation.

Finally, Hubbard emphasises the importance of creating an organisation-wide approach to managing risks. This ensures that organisations will tackle the most important risks first, and that its risk management budgets  will be spent in the most effective way. Many of the tools and approaches that he suggests in the book are most effective if they are used in a consistent way across the entire organisation. In reality, though,  risk management languishes way down in the priorities of senior executives. Even those who profess to understanding the  importance of managing risks in a rigorous way, rarely offer risk managers the organisational visibility and support they need to do their jobs.

Conclusion

Whew, that was quite a bit to go through, but for me it was was worth it.  Hubbard’s views impelled me to take a closer look at the foundations of project risk management and  I learnt a great deal from doing so.  Regular readers of this blog would have noticed that I have referenced the book (and some of the references therein)  in a few of my articles on risk analysis.

I should  add that I’ve never felt entirely comfortable with the risk management approaches advocated by project management methodologies.  Hubbard’s book articulates these shortcomings and offers solutions to fix them. Moreover, he does so in a way that is entertaining and accessible.  If there is a gap, it is that he does does not delve into the details of model building, but then his other book deals with this in some detail.

To summarise:  the book is a must read for anyone interested in risk management. It is  especially recommended for project professionals who manage risks using methods that  are advocated by project management standards and methodologies.

Written by K

February 11, 2010 at 10:11 pm

Posted in Bias, Book Review, Estimation, portfolio management, Probability, Project Management, Risk analysis, Statistics

The influence of related disciplines on project management practice

with one comment

Introduction

Project management is a relatively new discipline; one that has been formalized only in the last half century or so. Consequently, both academics and practitioners routinely draw upon knowledge in allied (or related)  disciplines in order to advance the theory and practice of project management.  Given this, it is of interest to ask:  what is the (current and future) influence of other, related disciplines on the profession of project management? A paper by Yoong Kwak and Frank Anbari entitled, Availability-Impact Analysis of Project Management Trends: Perspectives From Allied Disciplines, looks into this question.  This post is a summary and review of the paper.

Some terminology and assumptions first. An allied discipline, in the context of this paper,  is any discipline that is related to project management-  examples of this include Human Resource Management and Information Technology.  Availability is the volume of ideas relating to project management in an allied discipline and impact refers to the influence of that research on project management practice.  Note that availability and impact are treated as independent variables in the study.

Objectives, methodology and approach

The questions that Kwak and Anbari seek to answer are:

  • What trends in allied disciplines could have a significant effect on project management theory and practice?
  • How would these trends change (the theory and practice of) project management?
  • How would project managers have to change their mind-set because of the impact of these  disciplines?
  • What actions can be taken to meet the challenges posed by trends in allied disciplines?

Note that I have paraphrased their questions for clarity.

To answer these  question Kwak and Anbari surveyed a selected group of project managers and project management researchers, seeking their input on a range of issues relating to the above questions.    The surveys also solicited qualitative information through respondents’ opinions on the impact, trends and future of project management.  The italics in the previous sentence are intended to highlight the conclusions are based on subjective data gathered from a relatively homogeneous sample – more on this later in the review.

Based on the survey data, the authors:

  • Derived and plotted availability-impact relationships for each of the allied disciplines in a 2×2 matrix (in which each of the two variables took on the values ‘High’ and ‘Low’)
  • Identified how trends in these disciplines influence project management.
  • Conducted a structured survey to solicit opinions on how the project management community can respond to (or take advantage) of these influences.

By reviewing project management research literature, the authors identified the following eight allied areas as being potentially relevant to the future of the discipline:

  1. Operations Research/Decision Sciences/Operation Management/ Supply-Chain Management (abbreviated as OR/DS/OM/SCM)
  2. Organizational Behavior/Human Resource Management (abbreviated as OB/HR)
  3. Information Technology/Information Systems (IT/IS)
  4. Technology Applications/Innovation/New Product Development/Research and Development (TECH/INNOV/NPD/R&D)
  5. Engineering and Construction/Contracts/Legal Aspects/Expert Witness(EC/CONTRACT/LEGAL)
  6. Strategy/Integration/Portfolio Management/Value of Project Management/Marketing (STRATEGY/PPM)
  7. Performance Management/Earned Value Management/Project Finance and Accounting (PERFORM/EVM)
  8. Quality Management/Six Sigma/Process Improvement (QM/6SIGMA/PI)

I’m not an academic, and don’t claim to be current with research literature, but I think that psychology and economics ought to have made it to this list.

In the survey questionnaire, the authors asked respondents to rank  the above disciplines on a 7 point scale, for the following criteria:

  • The availability of project management-related information/knowledge/research in the discipline.
  • The impact of the discipline on project management.

The rating was done on an ordinal scale of 1 to 7.  Respondents were also asked open ended questions regarding trends in allied disciplines and how the project management community should adapt to or take advantage of these trends.

The authors describe the demographics of the survey population – I won’t go into details of this; please see the paper for details.

Results and Discussion

The current availability and impact of allied disciplines on project management – as perceived by the surveyed practitioners and academics –  is summarized in Figure 1 and the predicted future availability-impact relationships are shown in Figure 2.  I’ll discuss the current situation first.

Current Situation

The current situation is as shown below:

availability-impact

Figure 1: Current availability-impact of allied disciplines

According to the survey data, disciplines in the lower left quadrant are lacking in novel project management-related information and thus have potential for more research. They also do not have much of an impact on the field. In my opinion, even though there may be a lack of research directly related to project management  in these areas, there are plenty of papers whose findings can be adapted to project management – see  this post from an example drawn from a recent paper on strategy execution. My point: even research that isn’t directly related to project management can be relevant to the field.

Disciplines in lower right quadrant have plenty of research related to project management, but most of this work tends to have a low impact on the field. This seems reasonable– there’s a stack of research dealing with project performance and engineering/construction projects (this observation is based on a quick survey of papers that have appeared in the Project Management Journal over the last two years). Most of this research tends to have little effect on the field – for example, there haven’t been many radically new practices in the area of performance and construction management.

Disciplines in the upper left quadrant lack research but could potentially have a great impact on project management practice.  To me this quadrant presents interesting possibilities because it refers to areas which currently have no (or very little) project management-related research but which could, nevertheless,  have a high impact on practice. As described in my discussion of the low-low quadrant – a lot of research in other, unrelated fields  can be adapted to  project management.  Based on my readings, I believe behavioural science/psychology (focusing on the individual rather than the group) and economics fall into this category – as examples see this post for an example drawn from psychology and this one for one drawn from economics.  Unfortunately these fields are not considered by the authors.

This brings us to the upper right quadrant, which includes quality/process management and information technology. There’s little doubt that in recent years there’s been deluge of project-related research papers published in these areas. It is also clear that these areas have had a high impact on project management practice. However,  in my opinion, it is far from clear that the effect of this research has been positive ;  if anything it has lead to an unhealthy obsession with process and technology based approaches to project management.

Future situation

Future trends, according to those surveyed, are as depicted in Figure 2.

availability-impact2

Figure 2: Future availability-impact of allied disciplines

Let’s look at the disciplines that have moved:

PERFORM/EVM and STRATEGY/PPM have moved up to the high-high quadrant reflecting their (perceived) future importance. However, is this really the case or is it a case of availability bias? The latter is plausible, given the recent flood of papers,  articles and talks on topics relating to STRATEGY/PPM  in  journals and conferences. Practitioners and academics exposed to this constant barrage of information (propaganda?) on the topic cannot but help think that it must be a field of great relevance  The anticipated increase in importance of PERFORM/EVM, on the other hand, reflects the belief that project management will become more “metricised” or measurement-oriented.  This is no bad thing, providing the metrics are meaningful. In this connection, it is worth looking at Douglas Hubbard’s book  on the measurement of intangibles.

OR/DS/OM/SCM has moved from the lower left to the lower right quadrant reflecting the respondents’ perceptions that there will be more project management related research in these areas,  but that this research will continue to be of limited relevance to the profession.  On the surface, this seems quite plausible – as one of the respondents put it, “The impact of decision sciences on project management was high until the 1960s. Project management had its genesis in Operations Research. However, since the 1970s the relative importance, knowledge and research in this area has been decreasing [in comparison to other fields]…”  However, I’m not entirely convinced:  case can be made that radical advances in decision sciences may cause a reversal of this trend. The portents are already there – see Hubbard’s work on applied information economics, for example.

EC/CONTRACT/LEGAL has moved from the lower right to the lower left quadrant. I think this is quite possibly correct. Why? Well, because project management, ever since its inception, has been borrowing and adapting much from these areas. It is therefore only natural to expect that this will plateau out (if it hasn’t already)  and decrease as time goes on.

A note on relative availability and impact or IT/IS

From an analysis of the raw rankings of the disciplines, the authors infer that  IT/IS has, and will continue to have, an availability and impact that is much greater than  any other discipline. Presumably this is a consequence of IT/IS being ranked much higher on the 7 point scale than any of the other disciplines.  I can’t help but wonder if this is due to a bias in the surveyed population: if one interviews IT project managers or academics specializing in IT, it should be no surprise if they rate the accessibility and importance of technology as being much higher than that of other disciplines. Unfortunately Kwak and Anbari do not give a discipline-wise breakdown of the survey respondents, so I’m unable to judge if this is so.

Opinions of selected respondents

The authors also present detailed opinions of selected respondents.  On reading these I found nothing strikingly new. Two academics pleaded  for project management to be treated with more respect by other academics – i.e. be “recognized in the management faculty and accorded an equal status to with other traditional management science disciplines.” That academics are concerned about the status of the profession is only natural; whether this “equal status” is desirable is another matter altogether. Another researcher waxed eloquent on the effects of globalization and technology – trends that I think are evident to most practitioners.

The practitioners, on the other hand, focused on currently fashionable areas of practice: quality management/process improvement and portfolio management. There was also a mention of how a “project-based world” was needed in order to respond to “increasing complexity.”   The problem is that these terms mean different things to different people, consequently they don’t mean much at all (see this post for more on the confusion regarding  the term “complexity” in the context of projects).

Conclusion

The authors end with some general statements that they claim to have derived from the  survey data. These can  be summarized as follows:

1. OB/HR is becoming increasingly important as much of project work is about managing internal and external relationships. There is a growing recognition (finally!) that projects are more about people than processes.

2.  There will be an increasing dependence on software tools to manage projects. (IS/IT)

3, There will be an increasing focus on measuring performance and compliance with regulations and standards (PERFORM/EVM)

4. Portfolio management and quality/process improvement (STRATEGY/PPM and QM/6SIGMA/PI) will continue to get a lot of attention in industry.

5. New tools and techniques will emerge from the intersection between traditional management disciplines (OR/DS/OM/SCM and PERFORM/EVM) and newer ones (IT/IS and TECH/INNOV/NPD/R&D)

It isn’t entirely clear on what basis the authors make the above statements:  are they based on: 1) survey responses, 2)  research literature or 3) the authors’ opinions?   And, if it is the first:  can one make the above broad generalisations based on small surveys involving less than 100 respondents ? Perhaps not,  I think.

Finally the authors end with this plea

The project management profession is continuously evolving, so the project management community should be receptive to new ideas and also be sensitive to the yearning (!?) of the public and professional community so as to model project management practices to meet their expectations. “

This is true: the project management “community” remains fixated on classical practices and techniques,  many of which have questionable value. A degree of openness to new ideas and practices wouldn’t be amiss.

The paper attempts to gauge the current and future influence of allied fields on the research and practice of project management. It does so by surveying a sample of project management academics and professionals and making inferences based on the collected data. The sample is drawn from a population that is steeped in current practice and theory. As a result the respondents may not be aware of  the possibilities offered by fields that are currently not on the “project management radar.”  This might explain why the upper left quadrant is empty in both matrices.  To get around this the authors could have solicited the opinions of practitioners/theorists from allied disciplines.

To summarise: The authors infer some interesting trends from their data, but there remain some questions about the robustness of the inferences and the generalisations made from them.

Written by K

January 14, 2010 at 10:47 pm

Posted in Paper Review, portfolio management, Project Management

On the limitations of scoring methods for risk analysis

with 12 comments

Introduction

A couple of months ago I wrote an article highlighting some of the pitfalls of using risk matrices. Risk matrices are an example of scoring methods , techniques which use ordinal scales to assess risks. In these methods,  risks are ranked by some predefined criteria such as impact or expected loss, and the ranking  is then used as the basis for  decisions on how the risks should be addressed. Scoring methods are popular because they are easy to use. However,  as Douglas Hubbard points out in his critique of current risk management practices, many commonly used scoring techniques are flawed. This post – based on Hubbard’s critique and research papers quoted therein –  is a brief look at some of the flaws of risk scoring techniques.

Commonly used risk scoring techniques and problems associated with them

Scoring techniques fall under two major categories:

  1. Weighted scores: These use several ordered scales which are weighted according to perceived importance. For example: one might be asked to rate financial risk, technical risk and organisational risk on a scale of 1 to 5 for each, and then weight then by factors of 0.6, 0.3 and 0.1 respectively (possibly because the CFO – who happens to be the project sponsor – is more concerned about financial risk than any other risks ). The point is, the scores and weights assigned can be highly subjective – more on that below.
  2. Risk matrices: These rank risks along two dimensions – probability and impact – and assign them a qualitative ranking of high, medium or low depending on where they fall.  Cox’s theorem shows such categorisations are internally inconsistent because the category boundaries are arbitrarily chosen.

Hubbard makes the point that, although both the above methods are endorsed by many standards and methodologies (including those used in project management), they should be used with caution because they are flawed. To quote from his book:

Together these ordinal/scoring methods are the benchmark for the analysis of risks and/or decisions in at least some component of most large organizations. Thousands of people have been certified in methods based in part on computing risk scores like this. The major management consulting firms have influenced virtually all of these standards. Since what these standards all have in common is the used of various scoring schemes instead of actual quantitative risk analysis methods, I will call them collectively the “scoring methods.” And all of them, without exception, are borderline or worthless. In practices, they may make many decisions far worse than they would have been using merely unaided judgements.

What is the basis for this claim? Hubbard points to the following:

  1. Scoring methods do not make any allowance for flawed perceptions of analysts who assign scores – i.e. they do not consider the effect of cognitive bias. I won’t dwell on this as I have  previously written  about the effect of cognitive biases in project risk management -see this post and this one, for example.
  2. Qualitative descriptions assigned to each score are understood differently by different people. Further, there is rarely any objective guidance as to how an analyst is to distinguish between a high or medium risk. Such advice may not even help: research by Budescu, Broomell and Po shows that there can be huge variances in understanding of qualitative descriptions, even when people are given specific guidelines what the descriptions or terms mean.
  3. Scoring methods add their own errors.  Below are brief descriptions of some of these:
    1. In his paper on the risk matrix theorem, Cox mentions that “Typical risk matrices can correctly and unambiguously compare only a small fraction (e.g., less than 10%) of randomly selected pairs of hazards. They can assign identical ratings to quantitatively very different risks.” He calls this behaviour “range compression” – and it applies to any scoring technique that uses ranges.
    2. Assigned scores tend to cluster around the mid-low high range. Analysis by Hubbard shows that, on a 5 point scale, 75% of all responses are 3 or 4. This implies that changing a score from 3 to 4 or vice-versa can have a disproportionate effect on classification of risks.
    3. Scores implicitly assume that the magnitude of the quantity being assumed is directly proportional to the scale. For example, a score of 2 implies that the criterion being measured is twice as large as it would be for a score of 1. However, in reality, criteria are rarely linear as implied by such a scale.
    4. Scoring techniques often presume that the factors being scored are independent of each other – i.e. there are no correlations between factors. This assumption  is rarely tested or justified in any way.

Many project management standards advocate the use of scoring techniques.  To be fair, in many situations they are adequate as long as they are used with an understanding of their limitations. Seen in this light, Hubbard’s book is  an admonition to standards and textbook writers to be more critical of the methods they advocate, and a warning to practitioners that an uncritical adherence to standards and best practices is not the best way to manage project risks .

Scoring done right

Just to be clear, Hubbard’s criticism is directed against  scoring methods that use arbitrary, qualitative scales which are not justified by independent analysis. There are other techniques which, though superficially similar to these flawed scoring methods, are actually quite robust because they are:

  1. Based on observations.
  2. Use real measures (as opposed to arbitrary ones – such as “alignment with business objectives” on a scale of 1 to 5, without defining what “alignment” means.)
  3. Validated after the fact (and hence refined with use).

As an example  of a sound scoring technique, Hubbard quotes this paper by Dawes, which presents evidence that linear scoring models are superior to intuition in clinical judgements. Strangely, although the weights themselves can be obtained through intuition, the scoring model outperforms clinical intuition. This happens because human intuition is good at identifying important factors, but not so hot at evaluating the net effect of several, possibly competing factors. Hence simple linear scoring models can outperform intuition. The key here is that the models are validated by checking the predictions against reality.

Another class of techniques use axioms based on logic to reduce inconsistencies in decisions. An example of such a technique is multi-attribute utility theory. Since they are based on logic, these methods can also be considered to have a solid foundation unlike those discussed in the previous section.

Conclusions

Many commonly used scoring methods in risk analysis are based on flaky theoretical foundations – or worse, none at all. To compound the problem, they are often used without any validation.  A particularly ubiquitous example is the well-known and loved risk matrix.  In his paper on risk matrices,  Tony Cox  shows how risk matrices can sometimes lead to decisions that are worse than those made on the basis of a coin toss.   The fact that this is a possibility – even if only a  small one – should worry anyone who uses risk matrices  (or other flawed scoring techniques) without an understanding of their limitations.

Written by K

October 6, 2009 at 8:27 pm

Posted in Bias, Corporate IT, portfolio management, Project Management, Risk analysis

« Older Entries
Newer Entries »