March 2010 Project Management Journal DOI: 10.1002/pmj 87
Cover to Cover
Kenneth H. Rose, PMP, Book Review Editor
Those curious about the state of project risk management will find Hillson's compact treatment of the topic informative. He reaffirms the discipline's foundation, reviews current best practice, and identifies new developments. Yet, he pulls no punches that organizations struggle with risk management. He describes the factors he believes are necessary to be successful.
Hillson notes that risk is rooted in the concept of uncertainty. His explanation gives the reader a way of understanding the sources and context of risk from an individual viewpoint, broadened to the global view. He expresses the relationship of uncertainty to risk as "uncertainty that matters." Yet, he is quick to note that uncertainties are not equal. The challenge is to identify what is important to the project and design appropriate responses. This is becoming harder to do, as project managers are falling behind in their ability to grasp and apply knowledge in a timely manner in the new world order of information and change.
Risk management has a special, if underappreciated, importance to project management because projects are particularly risky. Common characteristics, such as complexity, assumptions, and constraints, introduce uncertainty into projects. But with no lack of theory for doing project management, projects continue to fail at significant rates. Hillson maintains that a major reason is unforeseen events: risks.
Risks, both threat and opportunity, apply whenever there are
objectives. In general, there are project-level risks and overall
project risks. The latter is greater than the sum of individual risks
on projects. Project managers represent the project view while
sponsors must interface with the overall project risk arising from
outside the project.
Hillson provides a pragmatic approach to risk management
within formal processes identified typically in standards and
methodologies. There are good descriptions of how to go about
preparing a risk management plan. For example, he addresses
how to separate risks from issues and problems using a three-part structured risk statement to drive clarity.
On the people side, he emphasizes being aware of the attitudes toward risk management. Not only do individuals carry their own biases, but collectively groups exert influence, too. Hillson helps the reader understand the influence of attitudes in the risk management process. He notes that practice in overall project risk management is weak, particularly in risk response execution. Analysis to action is often the missing link; people do not follow through, which tends to reflect attitudes toward the value of risk management.
Hillson laments the tendency to separate risk management and project management. He contends risk management needs to be "built-in not bolt-on," and woven into the complete project life cycle to realize full benefits. Because energy for risk management tends to wane after identification, project managers need to sustain appropriate levels of energy end-to-end in order to do risk management well, especially to activate risk responses effectively.
He goes on to address integration beyond the project, between the project and the organization's vision. This relationship creates a hierarchy of risks that require attention, or enterprise risk management. It needs to be coordinated actively, not just done in isolated areas. From the project perspective, the natural interface upward is in the program structure that has its own Program Risk Management.
To make risk management work, Hillson offers critical success factors that have two characteristics: their presence promotes effectiveness and their absence hinders it. He identifies factors internal and external to the project. For example, a user-friendly risk management process tends to support success for which he offers pragmatic suggestions for implementing. Similar treatments are there for factors external to the project, such as management support.
Hillson gets at four primary motives for doing risk management and notes that only one really counts. Organizations do risk management reluctantly because of a contract or regulation. It's done out of a fear of failure or blame. It is done to copy someone else. The one motive that counts, however, is demonstrating benefits, and he describes a good approach to marshalling them.
Whether you are developing your own competency or trying
to jump-start better risk management in your organization, this
book is a solid resource.
Reviewed by Paul E. Shaltry, PMP, a partner in Catalyst Management Consulting LLC, Worthington, OH, USA, and member of the PMI Standards Program Member Advisory Group.
Managing Risk in Projects
by David Hillson
Gower Publishing Limited, 2009, ISBN: 9780566088674, paperback, 126 pp., $47.45 Member, $49.95 Nonmember.
Project Management Journal, Vol. 41, No. 1, 87
© 2010 by the Project Management Institute
Published online in Wiley InterScience (www.interscience.wiley.com)
DOI: 10.1002/pmj.20156