I'm not sure there's all that much new here, perhaps nothing new at all, but here's a summary of the framework:
There are three categories of risks:
- Preventable risks for which there's no business upside per se. Coffee cup lids go in this category.
- Opportunity risks for which there might be substantial business upside: programs and projects for 10,000-foot-deep water wells belong here.
- External threats over which there is little or no control, but which may require defensive measures: tsunamis fall in this category.
If you do all this, you may not attract or retain a single customer. If you don't do this, you may spend a lot of money on non-value-add adjudicating the misfortune of you and your associates. It may sound counterintuitive, but attention to preventable risks is actually lean in the long run. See: BP, stupid maintenance tricks; and Air France 447, pilot training?
We all know about opportunity risks. That's either making a decision to take a risk, or planning a risk response for an opportunity already being exploited, or estimating a risky outcome for something we've elected to do. ISO 31000 and the PMBOK Chapter 11 cover this ground pretty well. So does Edmund Conrow.
The thing about threat management is that there's too little attention paid to upkeep and maintenance of things that are supposed to work (infrequently and under stress) and there's too little attention paid to readdressing assumptions, environment, etc. Perhaps the countermeasures aren't even relevant anymore. How do you know?
So, perhaps the thing that's new here is the rearrangement of the dots which brings about an alternate narrative. That may be enough to make this framework worthy.