Due to the introduction of capped liability in federal government ICT contracts, there is now more focus on formal approaches to risk management than ever before. This raises the question of whether risk can be successfully reduced to a set of procedures and methodologies, or whether it remains an issue driven by subjective judgement.
Risk management first gained formal Commonwealth recognition with the October 1996 report "Guidelines for Managing Risk in the Australian Public Service". This report was something of a watershed in government circles as it provided formal recognition of procedures for identifying and managing risks.
Almost ten years later, the next major development has been the risk management procedures accompanying changes to the government's position on limiting liability in government contracts. These latest changes provide methods to estimate a contract's liability cap based on its risk profile.
Standard language, forms and methodologies have brought new rigor to managing risk in government projects. Simply put, risk management is the process of identifying, classifying and dealing with key risks. Any company tendering for government business should ensure that at a bare minimum they have a good understanding of these standard approaches.
However, it is a serious underestimation to assume this process alone will guarantee successfully risk-managed projects. Government agencies and ICT suppliers differ significantly in the way they expect to deal with risk, and only when both sides have good insight into the other's perspectives can a sound risk management plan arise.
Consider a recent example of an outsourcer with a strong background in the rigorous application of formal and complex methodologies. This outsourcer undertook a development project based on a 'partnering solution'. The client was a small policy agency with a strong intuitive view of risk (primarily political risk). This agency wanted someone who would 'stand up before the Minister' if something went wrong.
Both the agency and the outsourcer had a strong belief in the appropriateness of their own approach, but each lacked the techniques to surface issues and deal with them. The project started to go badly. The outsourcer attempted to correct the problems by adding more structure and adherence to the process. The customer could not see the point of this and could not see why they were becoming more and more involved in what they thought was an 'IT problem'.
A successful outcome was only achieved after an external party was brought in to mediate and sort out the differences in approach. Neither party was wrong; their completely different perspectives on risk and project management fouled them up.
This type of problem occurs more frequently than one would expect. Mismatched project and risk management expectations can revolve around:
- apportionment of risk, responsibility and control
- differences between quantified and unquantified (political) risk
- the amount of stakeholder consultation that is available
Fortunately, there are a number of excellent techniques for dealing with such issues in the early stages of a project. Intermedium's upcoming one-day course on Preparing Effective Risk Management Plans will cover these techniques as well as the relevant government guidelines and methodologies.