Is there often strong internal resistance to a risk management program?
One of the difficulties with risk management is that, like quality programs, the thinking is that it will cost you money. With quality, it took a while for people to realize you could become more profitable by improving quality — you could reduce rework and change processes to build quality in from the beginning. In some quarters, that type of thinking still doesn’t exist. Risk management is similar, but even harder — you’re trying to show that by spending money, something won’t happen. The quantification of benefits is very difficult because you’re trying to prove a negative. But I rarely find that the question today is whether or not we should do risk management — it’s how much risk management should we do. The field is still very immature; you find lots of people doing risk identification, a smaller group doing risk analysis, and very few who are really doing risk management (determining the options, looking at the risk of each option, and understanding the full implications of t
