Risk Management? Since you know already-in your bones, if not in your head, that risk-taking is a modern-day must, you might be inclined to persuade yourself that risk management must already be in place in your company. You might be inclined to think that it's what you've been doing all along. After all, you are paid to manage in an age of risk, and how else would you do that ex­cept by managing the risks?

Even if you're not practicing risk management yourself, you may have convinced yourself that it must be going on somewhere beneath you in the company. Again the logic is the same: We're paying these folks to manage projects and new endeavors that are full of risks, so whatever they're doing must be risk management. But it often isn't. It is often stasis-derived management applied to work where there is no stasis in sight.

The main component of stasis-derived management is what I call a production mentality. It is evident in the way managers talk. Here I am not referring to people who manage the assembly line, but people who manage development efforts. They will tell you about building a development "factory" (a production word), about "measuring" its "throughput" (both measuring and throughput are production concepts), about "process" (production concept), about "quality control" (production again), about "efficiency" and "return on investment" and "waste management" and "cost reduction" (all valid con­cepts for dealing with relative stasis). These are the signs of risk avoidance, of failing to get on with the business of the twenty-first century.

Here is a test of whether real risk management is happening in your organization. It's a hard test. Most companies fail it. But it's a fair test. I think you can see that an organization that fails the test or any part of it is really not managing its risks, and is therefore probably not tak­ing nearly enough risks.

Risk Management: The Hard Test: Pick a part of your company where the risks are greatest. It might be a scary project, one that the company's future de­pends upon. It might be a new product development or a launch into untried markets. Now apply to it the following hard questions:

• Is there a published census of risks? Does the list contain the major causal risks, not just the few outcome risks that we all fear? Is the risk list visible to all who are working on the proj­ect? Are there enough risks on the list to indicate careful risk analysis?

•        Is there a mechanism in place to elicit discovery of new risks? Is it safe for all involved to signal a risk?

• Are any of the risks on the list potentially fatal? Risk management that concentrates only on risks that can be han­dled makes a mockery of the notion of risk management. It's the fatal ones that need your most careful attention.

•        Is each risk quantified as to probability and cost and schedule impact?

• Does each risk have a transition indicator allocated to it to spot materialization? Is each transition indicator being mon­itored?

•        Is there a single person responsible for risk manage­ment? Where the attitude is that everybody is responsible for managing risks, nobody is responsible for it, since all those peo­ple have got Real Work on their plates.

• Are there tasks on the work breakdown structure that might not have to be done at all? The absence of such condi­tional tasks is a sure sign of no risk management at work.

• Does the overall effort have both a schedule and a goal, where the schedule and the goal are markedly different? If the schedule is the goal, there is no risk management at work. The earliest date by which the work could conceivably be done makes an excellent goal but an awful schedule.

• Is there a significant probability of finishing well before the estimated date? If there is not-if there is no reasonable probability of finishing 20 or 30 percent ahead of schedule -the schedule is a goal, not an estimate.

There it is: a nine-point indicator of whether risk man­agement is being practiced in your organization. They all count. You need to be able to say yes to all of them in order to pass.

Don't be discouraged if you can't answer yes to one or two of the questions; that just means you have some work to do. On the other hand, you should be very discouraged if you can't say yes to most of them. Companies that can't name their risks, that can't distinguish between goals and estimates, are in risk-avoidance mode, or they are taking risks blind. Neither is a good indicator.