Episode 49-Risk Management: How Do You Identify and Handle Risk?

Episode #49
Original Air Date: 01.01.2018

30 Minutes

Listen Here

Our Guest This Episode: Bob Mahler

Bob Mahler joins the cast to discuss Risk Management and how to promote a culture of proactive risk.

Bob Mahler has over 20 years of project management experience and is the Director of Business Development and an instructor with Velociteach. His project management roles began as “military operations” while in the U. S. Army. Bob became a communications expert as a Green Beret, fulfilling many roles during training and combat missions around the world.

Bob’s technical skills led him to the telecommunications field in a variety of roles. He has managed a range of infrastructure projects for regional markets as well as strategic national projects including disaster recovery projects in support of hurricanes Katrina, Rita, and Wilma, responses to California wildfires, the Virginia Tech shooting, and a wide range of federal law enforcement training needs. Bob holds a B.A. in Organizational Leadership, an M.B.A. in Technology Management, and is a certified PMP, PMI-ACP and PMI-RMP.

Bob Mahler joins the cast of Manage This to talk about risk management. Given his background, Bob knows about the impacts of risk. He served on the team that developed the Risk Management chapter in the 6th Edition PMBOK® Guide. Andy and the team discuss that experience with Bob, plus practical advice for project managers who want to create a culture of proactive risk. For example, who should own a risk? How do you know when to escalate? Does every project need to perform quantitative analysis?

Favorite Quotes from Our Talk:

"I think risk methodology on any project is probably one of the hardest things I’ve gotten stakeholders to agree to  because first it starts with the methodology.  How do you get 15 or 20 people to agree on definitions?  What is a low, medium, or high risk?  Low, medium, or high probability?  What is a risk?  What is an issue?  What is a fact?"

- Bob Mahler

"As soon as you begin to make assumptions about what you think you know, you’re going to have a problem.  There’s what you know and what you don’t know."

- Bob Mahler

Share With Others

NICK WALKER:  Welcome to Manage This, the podcast by project managers for project managers.  Every other week we meet to address the issues that matter to you as a professional project manager.  We have something for everyone, whether you’ve been in the field 30 years or 30 days.  This is where the rubber meets the road.  This is our way of helping you be more productive, more creative in the world of project management.

I’m your host, Nick Walker, and with me are two of the most creative and productive guys I know, Andy Crowe and Bill Yates.  And Andy, we have in the studio today not only an expert with some pretty impressive credentials, but also a member of our team.

ANDY CROWE:  Yeah, he’s an expert, and he’s one of our favorite people here.  Bob Mahler’s joining us, and I can’t wait.

NICK WALKER:  Well, let’s meet him.  Bob Mahler has more than 20 years of project management experience, beginning as a Green Beret in the Army, serving in Egypt, Kenya, Qatar, Saudi Arabia, and Kuwait.  Later he managed projects in the telecommunications field with Nextel, Nextel Partners, and Sprint Nextel.  He worked on disaster recovery projects during hurricanes Katrina, Rita, and Wilma; in response to California’s wildfires; and the Virginia Tech shootings, as well as other federal law enforcement projects and with the Department of Homeland Security.  He is the Director of Business Development and an instructor with Velociteach, preparing project managers for the PMP exam.  Bob, it’s a privilege to have you here with us on Manage This.

BOB MAHLER:  And it’s a privilege to be here.  Thank you for that rousing and somewhat fanciful introduction.

NICK WALKER:  Well, first of all, we want to thank you for your service to our country and the armed forces.  I’m curious to know how your experience as a Green Beret kind of prepared you for your other roles to come later.

BOB MAHLER:  That’s an interesting question.  First of all, you’re very welcome.  I served because it’s amazing what you can do when you’re a young 20 year old, and you have no idea that you shouldn’t be doing it.  One of the things about being in Special Forces for me was that, while in the regular Army, you’re very task focused; and then when you wander off to be more than you have already been, as you do in Special Forces, you become very people focused, relationship focused.  And so that was an easy transition while performing small projects there into the civilian space.

NICK WALKER:  And sometimes people focused into very difficult situations that you’ve been involved in.  I mean, recovery from hurricanes and from wildfires?  That must be a little bit difficult.

BOB MAHLER:  Well, the one difficult commonality I find in all of my projects are people.  Without people, all of my projects would probably run very smoothly.

ANDY CROWE:  Right.  This would be a good gig if it weren’t for the stakeholders; right?

BOB MAHLER:  Absolutely correct.

NICK WALKER:  Well, let’s talk a little bit about this because already I’m impressed with you because Bill has informed me that, not only were you a contributor to the PMBOK Guide, but you were – Bill, what’s the wording again?

BILL YATES:  A “significant contributor.”

NICK WALKER:  A significant contributor.

BILL YATES:  And I’m looking, I mean, this is page 652 of the Sixth Edition PMBOK Guide.  So I’m not making this stuff up.  He’s a significant contributor.

NICK WALKER:  It says so.

BOB MAHLER:  Did they spell my name correctly?

BILL YATES:  They spelled it correctly, yes.

BOB MAHLER:  Then I just have significantly done something.  I wouldn’t get too – I wouldn’t start singing my praises as far as being a significant contributor because, when they put the word out for volunteers for risk subject matter experts, a total number of four actually responded.  And I think they were just happy to get that many.

ANDY CROWE:  And Bob, this is something like those situations where they tell everybody to take a step forward who volunteers, and the other people take a step back maybe.  You’re kind of left exposed.

NICK WALKER:  And maybe only four were brave enough.  So consider yourself among the brave.

ANDY CROWE:  I think only four were intelligent enough and qualified enough to be significant.

BOB MAHLER:  Sure.  Let’s run with that.

ANDY CROWE:  Okay, let’s.

NICK WALKER:  Well, let’s go ahead and run with that a little bit because risk management, I mean, that was your basic contribution to that; right?

BOB MAHLER:  I think in the realm of project management in general, after having lived my first life in Special Forces, I’ve always gravitated towards risk because I have an affinity towards the good, the bad, and ugly.  And there’s quite a bit of it that’s ugly.  The reason I have tried to specialize in risk management is because so many people treat it like the first rule of Fight Club.  And for those of you unaware…

ANDY CROWE:  You don’t talk about it.

BOB MAHLER:  …you just don’t talk about Fight Club.  And no one wants to talk about risk management until right after someone gets an eye poked out.  So volunteering for PMBOK 6 was an opportunity for me to, in some small way, try to promote proactivity as opposed to reactivity, which usually costs more and hurts a lot more.

ANDY CROWE:  I agree.  And just out of curiosity, Bill, do you know the second rule of Fight Club?

BILL YATES:  No, remind me what that is.

BOB MAHLER:  You do not talk about Fight Club.

BILL YATES:  So you see how I kind of parlayed that; right?  I didn’t talk about it.

ANDY CROWE:  You know what, we’ve talked about risk before, Bob.  And risk is an area of expertise for you, as we said.  It’s something you’ve gravitated toward.  Talk to us a little bit about the evolution from the Fifth Edition PMBOK Guide to the Sixth.  And I would say evolution’s probably the right word.  It’s not revolutionary.  You still have a lot of the same processes there.  It’s grown some, as have many areas of the PMBOK Guide.  What’s your take on the evolution of that section, that knowledge area?

BOB MAHLER:  That’s a great question, and I have to give most of the credit to my counterparts who worked with me.  One gentleman named Dave in Oregon; a gentleman with the Israeli Defense Forces, which was very interesting; and Dr. David Hillson, the Risk Doctor from London, did an excellent job of crafting us and herding us like cats.  And very quickly we understood that, while PMBOK 5 was pretty good as it relates to risk, there were quite a few flaws.  One easy example is the process of controlled risks.  You don’t actually control anything.  So one of the things we decided we were going to do was implement a new process called “implement responses and execution” because that’s really what you’re doing.  You’re not controlling anything.

ANDY CROWE:  Right.  You’ve planned, and you’ve analyzed, and now you implement.

BOB MAHLER:  We tried to gravitate away from being more reactive in the way risk management sounds in PMBOK 5 to being more proactive.  And as we all know, being more proactive is just much better project management.

ANDY CROWE:  You know what, Bob, there’s a movement to trend away from the word “control” in general.  For instance, you don’t control communications anymore.  You monitor communications.  And so that whole monitoring and controlling process group, I think the word “control” is getting a bad rap.  But you’re right, you don’t control risks.  You monitor them.  You manage them. And you do what you can with them.

BOB MAHLER:  No matter what you call it, you’re always looking for the variants.  I’m always looking for the “what has happened” and the “why it has happened” before I can begin to figure out how to do anything about it.  And as a practitioner, I do like the standardization and the naming conventions in PMBOK 6.  But ultimately, in the real world, I just want to be as proactive as possible.

ANDY CROWE:  I like that.  You know what, Bob, years ago I was in a motorcycle accident.  It was a big heavy cruiser, and I was – it was an interesting cascade of risks, or an intersection.  Some people call it a “risk ladder” because a lot of times it’s not one risk that hits you, it’s an intersection of several.  And I had just refueled, I was back on the road, and I was trying to reset my odometer to keep track of my fuel.  I was having problems with it, and traffic had stopped in front of me, and I wasn’t paying attention.  I was momentarily distracted.

But another thing had come into play is that my front tire pressure was low, and I did not know that.  And so when I applied the brakes particularly hard, the bike locked up, I went into what’s known as a “low-side fall,” the bike skidded in front of me, and I went up under a vehicle.  Broke several ribs, was injured from it.  My pride was injured worse, and my bike was injured worse.  But it’s funny to me the way risk works because a lot of times these things dovetail, and one risk will impact another, will impact another, and suddenly you have a pretty substantial outcome there.

BOB MAHLER:  First of all, I’m glad you’re okay.  I didn’t know about the accident.  That happened before my time.  But I think what you’re describing to me is not being aware of the risks around you.  And by missing a foreseeable risk, it cascaded.  One of the things I’m fond of saying is, if you don’t control risk, it will certainly take control of your project, and it will absolutely cascade.

ANDY CROWE:  You know the funny thing, though?  I had all of these things.  I believed in a particular way of doing it, or at least I said I did.  Now I really believe in a particular way of doing those things.  But I had a process that I did not follow.  And it’s funny because it only takes one time to get your attention.  But you think I look bad today, you ought to see the pavement.

BOB MAHLER:  Isn’t a belief sometimes called an “assumption,” something you hold to be true or false in the absence of proof?

ANDY CROWE:  There you go.

BOB MAHLER:  Which is an automatic risk?

ANDY CROWE:  There you go.

BILL YATES:  That’s true.

NICK WALKER:  So does risk management include then a list of things to be constantly looking for?  Are you looking for trouble?

BOB MAHLER:  I think risk methodology on any project is probably one of the hardest things I’ve gotten stakeholders to agree to  because first it starts with the methodology.  How do you get 15 or 20 people to agree on definitions?  What is a low, medium, or high risk?  Low, medium, or high probability?  What is a risk? And what is an issue?  What is a fact?  And then, after you come up with a solid methodology, trying to convince all of them not to introduce their own biases into that methodology so you can remain objective all the way through the project, which is, I’ve got to say it, darn near impossible.

Different stakeholders have different risk tolerances, thresholds, experiences, ideas.  And it’s very difficult to run any project and not have those biases creep in.  I believe they’re called “cognitive biases,” and sometimes I just call them “deliberate biases.”

ANDY CROWE:  I have a friend at an organization that today got let go.  He was a high-ranking official at an organization.  He saw that risk coming of another very good friend who got promoted as a result.  And so it’s interesting because those two would have viewed that risk impact very differently.  One would have viewed it very negatively and fearfully, and another would have viewed it as a potential good outcome.

BOB MAHLER:  That is an interesting connection.  One person is downsized, and another person is promoted.

ANDY CROWE:  And so I guess the point is, when you said it’s difficult to get people to agree on the way they look at risk, there’s a reason.  People have different agendas that are impacted differently.

BILL YATES:  Right.  People bring – they have different interests.  They’ve got different skin in the game.  If a risk takes place, if one risk occurs, then, hey, great, now we get to use this other technology that I wanted to use all the time, but I couldn’t get anybody to approve it.  Now I’ve got approval suddenly because there’s the urgency of this risk.  So, yeah, I get that, Bob, that it adds to the complexity of trying to manage risk and keep people in alignment with your risk plans because they may come to it with different motivations.

BOB MAHLER:  One of the techniques I’ve used to try and convince people to at least get on the same page and agree with a methodology is to quantify as much as possible.  I might say, “Hey, boss, there’s a medium risk that might occur next week,” and that tells him nothing.  But as soon as I say, “Hey, boss, there’s a medium risk with a potential impact of $50,000,” I will absolutely get his or her attention.  People notice…

ANDY CROWE:  You’re at least going to get an email back, aren’t you.

BOB MAHLER:  People notice numbers right away.

BILL YATES:  Yes, that’s so true, yeah.  One thing I want to ask you, since we do have a “significant contributor” in the room with us.  The Sixth Edition PMBOK Guide has more emphasis on overall project risk, and it talks about kind of this idea of, okay, portfolio and program management.  And managers sit above the project and the project manager.  So you really need to, as the PM, as the Project Manager, is assessing the overall project risk and individual risk events that impact just my project, for instance.  At some point I have to have the awareness to escalate that to a program manager or somebody above me.  And just practically speaking, what advice do you have, or is there any guidance that you saw coming out from those conversations about when is it appropriate to escalate?  How do you define those thresholds?

BOB MAHLER:  I’m glad you asked that question.  And one of the conversations we had with the core committee was trying to tie the PMBOK Guide, the Practice Standard for Program Management, and Portfolio Management together in a better fashion.  Because many people are good at, in my experience, many people are good at projects and try to take that same methodology and ideology into the program world.  And it’s very different.


BOB MAHLER:  And many project managers, in my opinion, it’s very easy for them to put blinders on and think that, as long as my team, my product, service result, my customer is okay, I’m not really concerned with the impact to others.  And history is showing us that, if you’re a program manager, you must be aware of all of the moving parts.  But if you’re at the bottom level, you need to expand your vision and see what your impact is to the others around you.

ANDY CROWE:  Right.  You know what, Bob, I’ve told this story in class before.  But that was one of my biggest project failures was doing something, looking out for what I thought was my customer, and finding out that my organization was also my customer; that my organization now had to support this application that I was developing.  Customer was delighted.  The end-user, the customer, loved the application we wrote.  My own organization, though, would not take it because I had not properly gotten their requirements in the requirements gathering phase.  I was only looking outward and wasn’t thinking about it in the program context.  And it’s so easy to get those blinders on, look in one direction, and you missed things on the periphery, which sometimes are the most important things of all.

BOB MAHLER:  One of the key takeaways from my time in the military is always keep your head on a swivel because, if you’re walking straight ahead on patrol, or even just down the street trying to go to Chipotle, you may not see the car coming from the left or the right that actually runs you down.

ANDY CROWE:  If you weren’t bigger than me, I think a new nickname could come out of that.

BOB MAHLER:  I’m not even sure what that nickname might be, but it’s probably not going to be a good one.

ANDY CROWE:  So this idea of escalation, you know, one thing, Bill, that the PMBOK Guide makes a big point of is, if you are going to escalate a risk, once it’s been escalated, you no longer own that risk.  It’s an interesting perspective, and I like it.  So you’re not just raising awareness.  You’re actually escalating and passing the risk onto somebody else in the organization.

BILL YATES:  Yeah.  I like that, too.  I like the idea of – I can just envision someone holding a package.  And they’ve got ownership of that package until somebody else takes it out of their hands.


BILL YATES:  So there seems to be clarity in there.  And I really – I’m with you, I like this idea of, until somebody else owns this risk, I’ve got it.  But then once I do have a clear – I have a program manager who says, oh, wait a minute, I have other projects that are going to be impacted by this.  We’re going to take it over.  Then there is that clear transition.  Yeah.  Yeah, I like that.

BOB MAHLER:  I love the idea of passing that risk off to someone else because one of the problems in my career has been senior stakeholders believing that project managers own all of the risks.


BOB MAHLER:  And it’s actually not true.  The project manager in lay terms owns the responsibility for making sure the methodology is being followed, making sure we are doing what we are supposed to do per the plan, while keeping awareness and understanding my limits of authority.  As soon as I hit my limit of authority, my responsibility is to pass it to someone with a greater level of responsibility while I communicate and coordinate.  So I’m glad that PMI finally said, you know what, let’s bring a little bit of reality to this.

ANDY CROWE:  Right.  Bob, I’ve got a question for you.  I am neck deep in the Sixth Edition PMBOK Guide these days.  And one of the things that’s carried over – it’s enhanced some, but the concept was still in the Fifth Edition – is this idea of qualitative and quantitative analysis that we do to analyze the different risks coming through.  Of course qualitative looks at the qualities of the risk.  And then quantitative attempts to put hard numbers, which you referred to earlier, say this is a $50,000 risk, et cetera.  How do you know, so you don’t have to do quantitative for necessarily every risk, some of those qualitative is enough, how do you know?  Do you have any kind of rule of thumb or heuristic that you use to decide when it’s important to do quantitative?

BOB MAHLER:  I don’t have a rule of thumb for that.  And when I teach, I give a great example to try and explain the differences between qualitative and quantitative.  When I’m walking through the store with my wife, I like to pick up various items – say, for example, olive oil.  There are 15 kinds of olive oil.  The stuff I will buy costs about 3.50.  The stuff she buys costs about 8.50.  And when I look at those individual items as I work my way through the store, I’m assessing the quality of the product and the cost.  I’m really looking at the quality and what I can get for the price.

I really don’t begin to understand how bad it is until I get all the way up to the counter, and I begin to add all of those things up.  And then I go, are you kidding me?  I have 15 items, and this is going to cost me 125 bucks?  The rule of thumb I like to use is, when the aggregate amount of all of those individual risks begins to concern you based on your industry, your project, your experience, you should probably do something about it.  Because that nagging in the back of your head, that’s your risk tolerance telling you it’s time to do something.

BILL YATES:  So the qualitative analysis has taken place, but there’s still the sense of, okay, we don’t quite know enough about this risk.  We’d better dig deeper.  Let’s pull out some quantitative tools so we can understand the impact better.

BOB MAHLER:  Absolutely.  As soon as you begin to make assumptions about what you think you know, you’re going to have a problem.  There’s what you know and what you don’t know.  I’m very black and white when it comes to risk.  I can’t avoid it all.  But the more I know, the more I can plan for, the more I can reduce it, and the more knowable or foreseeable risks are going to run me over.

BILL YATES:  Yeah.  Andy, one of my favorite tools is simulation for that reason.


BILL YATES:  You know, just being – oh, let’s just let the risk happen.  Let’s put it in a controlled box, have the risk occur, and then see what the impact is.

ANDY CROWE:  Yeah, and you know what, there’s a lot of cool tools out there to help you do Monte Carlo analysis, things like that.  But simulate, throw a bunch of scenarios, see what happens when it happens.  How much does it impact?  How does that feel?  What does it look like?  I can tell you I wish I had simulated the motorcycle going down, rather than actually experiencing it, though.

BOB MAHLER:  I actually, while working for a hazmat team with Sprint Nextel, simulated a fire suppression system going off in a cellular switching environment because the switch engineers told me they would be okay without powered air-purifying respirators or self-contained breathing apparatuses while they were 200 feet from the door.  I asked them, “What are you going to do if you’re in here and the fire suppression system goes off and sucks all the oxygen out of this place?”  And the gentleman told me quite calmly, “We’ll just hold our breaths, and we will walk the 200 feet to the door.”  And I said, “Really.  Let’s simulate it.”

And after about a hundred feet of gasping, they figured out pretty quick that, through that simulation, it just wasn’t going to work.  I love simulation.  If you come up with some sort of physical response to a risk, and you cannot simulate it, it always concerns me because reality is always different from fiction.  You don’t believe me, grab one of those two-story telescopic ladders at your house, drop it out the window, and see how fast you and your wife and your kid and your dog can get down it in a simulated fire.

ANDY CROWE:  So I’m going through SCUBA training right now.  And it’s interesting that you throw this out because there are quite a few things you simulate during that, and you always scuba dive with a buddy.  You simulate issues going with your air system, various things going wrong, getting entangled, getting trapped, the whole system failing, et cetera.  And it’s quite interesting to go through those simulations.

BOB MAHLER:  So you said SCUBA.  I said SCBA, Self-Contained Breathing Apparatus.  Basically the same idea, only we’re not underwater, which would be awful.  They also make you run through simulations to buddy breathe in case a person goes down, or they run out of oxygen, or they have to change an oxygen bottle in a hazardous environment.  So again, I’m with you.  If you can’t simulate it, you’re probably going to have an issue.

BILL YATES:  I want to come back to a concept that you were talking about, Bob, which is having a point person for every risk and making sure there’s an owner.  Just practically speaking, where do you usually suggest that people document that?  And then what kind of follow-up do you have on that to make sure somebody’s still got the ball?

BOB MAHLER:  I like to document it in the risk register.  That’s the easiest place that everyone can understand.  As I said earlier, the project manager does not own the risks.  The people doing the work own them.  And in one easy example, if I’m a construction project manager sitting in that very cool air-conditioned trailer, and the bucket loader starts having a problem, then the bucket loader operator is the risk action owner.  The yard foreman is the risk owner.  He ensures that he actually does it.  And after the risk has been dealt with or not, one of them reports to me, and then I document and I report  up, as well.  In any event, no matter who’s assigned to do what, make sure they agree to it because no one likes to be voluntold to do anything.

BILL YATES:  Right, yeah.

NICK WALKER:  You mentioned that there were flaws in the Fifth Edition of the PMBOK Guide.  And are we to assume now that all those flaws have been corrected, that everything is totally comprehensive?

ANDY CROWE:  Nick, opportunities.  There were opportunities in the Fifth Edition…

BOB MAHLER:  Opportunities for improvement.

ANDY CROWE:  …that were addressed in the Sixth Edition.

NICK WALKER:  Okay.  So…

BILL YATES:  By the significant contributors.

NICK WALKER:  Yes.  So being the significant contributor that you were, did you address all of those?  Are we out of opportunities?

BOB MAHLER:  I think there is always an opportunity for improvement as the methodology changes and the project environment evolves throughout the global project space.  There were some open-ended concepts in PMBOK 5 that I think we’ve done a pretty good job of addressing.

NICK WALKER:  Well, before we go, we want to just make sure that you get a chance to maybe recommend some resources.  You know, there’s probably people listening saying, “I need more.”  You know, “This is my downfall, risk management.”  What kind of resources would you recommend that could take people further down that road?

BOB MAHLER:  So the average practitioner can learn quite a bit from PMBOK 6 for general concepts.  But I always recommend that they purchase or download the “Practice Standard for Risk Management” to get – bleah.  It has the very detailed definitions and concepts specific to risk management.  Those two you should always have.  If for nothing else, you’ll look like you’re doing your job.

BILL YATES:  And if you’re a member of PMI, you can download that, the soft copy, for free, I think.

BOB MAHLER:  You can absolutely download it for free.  But if you have a hard copy, when your boss walks by you’ll look like you know what’s going on.

ANDY CROWE:  If you have a subscription to Netflix, the movie “Risky Business” with Tom Cruise is always a possibility, as well.

NICK WALKER:  Bob, thanks so much for being with us here on Manage This today.  We appreciate your expertise.  But before you go, we’ve got a present for you.  You may already have one of these great Manage This coffee mugs.  But if not, that one’s yours.  If so, just add it to your collection.

BOB MAHLER:  I appreciate the mug, and I hope in some small way I made the tiniest bit of sense.

NICK WALKER:  I think it’s more than tiny.  Andy and Bill, as always, thanks for your expertise, as well.

We always like to remind our listeners that there’s a double benefit from listening to this podcast.  We have free PDUs for you, Professional Development Units toward your recertifications.  To claim them, go to Velociteach.com and select Manage This Podcast from the top of the page.  Click the button that says Claim PDUs  and just click through the steps.

That’s it for us here on Manage This.  We hope you’ll tune back in on January 16th for our next podcast.  In the meantime, you can visit us at Velociteach.com/managethis to subscribe to this podcast, to see a transcript of the show, or to contact us.  And tweet us at @manage_this if you have any questions about our podcasts or about project management certifications.  We are here for you.

That’s all for this episode.  Thanks for joining us.  Until next time, keep calm and Manage This.

2 responses to “Episode 49-Risk Management: How Do You Identify and Handle Risk?”

  1. Michael Koltuniak says:

    I truly enjoyed this podcast, and I wish I could work alongside Bob (he is an awesome leader!)

Leave a Reply

Your email address will not be published.