The risks of risk management
Let's say you were not feeling well, and felt that you needed to go to the doctor for help. Let's also say that you had a history with this doctor in which your interactions tended to produce lists of all the things that might be wrong with you, but never produced any treatment for these candidate diagnoses. Let's say you were still offered regular follow-ups, to monitor the state of this situation, but your doctor was unable to sketch out a credible path which would lead you to improving your health. Would you still want to continue to see this doctor? Even if you felt that you might have a serious disease, wouldn't you ask yourself if you were already doing all the things that could be done?
Would you take the time to go back to the doctor, just to continue to monitor the progression of your disease? And would your decision likely also depend upon your perception of the seriousness of the disease? Finally, if your condition was indeed serious, but potentially untreatable, wouldn't you perhaps really rather not want to know?
These are some of the challenges and dilemmas with the practice of risk management. It can offer a process to collect, aggregate, summarize, and report on risks, but if it is unable to also organize and follow through with a systematic approach to arresting the progression of the risk, and ultimately mitigate its effects, risk management may not be delivering sufficient value to offset the costs which are involved in performing the process itself. If all risk management does is diagnose, and does not produce treatments, the fact that it's being practiced may even mislead, distract, and provide a false sense of security, rather than doing what it should be doing - containing small problems before they become large ones.
Risks simply cannot be avoided in business; there is no such thing as a risk-free wealth-generating strategy. Risk management must thus be a four-legged stool; it must consider all aspects of managing risks - identification, analysis, advocacy, and action. But managing this uncertainty is itself, at best, an imperfect combination of science and art. Like the practice of medicine, it often may focus on the wrong things. It may also identify incorrect or incomplete sources of risk in project management, and may do this as frequently as an incorrect diagnosis is made in medicine (something that itself is surprisingly and unacceptably high, despite considerable focus). It is thus not enough to just 'practice' risk management. One must measure it, and improve it, to determine whether it is actually effective at reducing risk, to verify that the risks being managed are the right risks, and to act to readjust things if they are not. In a way, effective risk management is similar to practicing preventative medicine: one must assess whether it is reducing the frequency of projects with problems.
Our ability to properly analyze risks in project management is certainly not any more effective than diagnostic procedures are in medicine, and our ability to focus attention will always be limited by our knowledge and allocated resources. Thus, we must focus on the precious few, and we can be overwhelmed by identifying more risks than we can analyze and effectively mitigate. The solution to this dilemma is not to just spend more on risk management, because that strategy requires more resources, rather than fewer. Instead, the strategy should be to apply quality management approaches to risk management, to learn how to do risk management better. Risk management must also be applied to itself, and an attitude of paranoia about whether the risks that are being managed are the right ones must be fostered. Until that is done, the costs of performing risk management may easily exceed the benefits, and cultural resistance may prevent your risk management processes from achieving their true potential.
A recent book, Risk Intelligence, provides insights about how to perform risk management more strategically, and more intelligently. In the book, the author, David Apgar, focuses on how an organization's risk management capability can be evaluated relative to its competition. Apgar's view is that risk management must produce a competitive advantage. If you are not managing risks as effectively as your competition, or are managing risks that occur randomly (those that arise from the normal uncertainties of projects, to which all companies are equally exposed), you are actually wasting money doing that risk management, because it is not delivering you a competitive advantage in the long run.
Apgar suggests assessing a 'risk intelligence quotient' for each risk that is being managed, based upon an assessment of each of the following questions:
- How often do you have experiences related to this risk?
- How relevant are these experiences to what might influence this risk?
- How surprising are these experiences?
- How diverse are these experiences as sources of information?
- How methodically do you keep track of what you learn from them?
To compute your risk IQ score, each factor for each of your risks is assigned a '1' if there's no reason to think you're any different from anyone else with respect to that factor; a '2' is assigned if you have evidence to believe you are significantly better than others; and a '0' is assigned if you believe others may be better than you with respect to this factor and this risk. The average of these can then tell you how well you're doing, and over time, whether you are improving your risk IQ or not. Apgar also suggests 'triaging' your risks, to decide which ones you can best handle with the resources you have available.
Apgar suggests using 4 strategies to improve your risk intelligence:
- Recognize which risks are learnable (i.e. those that can be made less uncertain if you have time and resources to learn more about them)
- Identify the risks you can learn about fastest (because you can't act on everything)
- Sequence risky projects into a "learning pipeline" (to accommodate dependencies across risks, and maximize the uncertainty you are reducing)
- Organize networks of partners to manage integrated collections of risks (with particular attention to whether participants are 'dabbling' in risk management, or are actually focusing on the reduction of risk itself)
To systematically improve an organization's risk management capability, he also suggests implementing the following steps:
- Choose projects, problems, and ventures with learnable risks in mind
- Score your risk intelligence for the options you're considering and triage them
- Look for patterns in your risk intelligence scores and try to improve them
- Conduct a risk strategy audit of your main activities
- Classify your new risk pipeline in terms of gaps that threaten growth
- Assess the strength of your risk assessment results relative to your competition
- Determine market placement risks and how those relate to organizational positioning & culture
- Look for opportunities to transform learnable risks into risks that all competitors will have an 'equal playing field' on (especially where the uncertainty cannot be managed)
- Determine how relevant existing customer risks are to future target markets
- Look for opportunities to unlock the constraints between risk and growth
- Bryan Pflug's blog
