A forward-looking, proactive culture in project controls

This article was written with valuable contributions from John Hollmann, author of “Project Risk Quantification” (2016) and lead author of AACE® International’s TCM Framework (2006). John is the owner of Validation Estimating, LLC since 2005, and works with capital program managers and project leaders in a variety of industries from process to infrastructure to improve their cost engineering practices; i.e., estimating, risk quantification, project control, etc.

Time and time again we have seen projects be affected by delays, cost overruns, bad practices, and all sorts of high consequence issues. One might argue these are some of the reasons why Project Controls exists in the first place. Rather than talk about some specific ad-hoc solution to particular problems (we all do a lot of this), we thought that a frank and honest reflection on the culture of Project Controls with a focus on risks might be useful, together with a vision for how mindsets and attitudes can change for the betterment of our projects. This reflection includes a borrowed idea, the HSE Culture Ladder, and adapts it Project Controls and the Risk Maturity model.

The HSE Culture Ladder

The HSE Culture Ladder is a model used to assess and improve the maturity of an organisation’s Health, Safety, and Environment (HSE) culture, which has been consistently used over the years, as a framework for teams to change from within. This ladder has multiple steps in it, which an organisation may aspire to climb.

The HSE Culture Ladder

The ladder consists of five progressive stages:

• Pathological: Safety is disregarded, and blame is placed on individuals for incidents
• Reactive: Safety is only addressed after incidents occur
• Calculative: Organizations actively measure and manage risks through systems and procedures
• Proactive: HSE is embedded in the organization’s culture and continuous improvement is sought
• Generative: HSE is an intrinsic value, and the organization demonstrates exceptional performance and learning.

It is typically thought of as a progression (hence the name “ladder”), where an organisation can only get to a certain step by having improved and reached the previous one. For example, it is impossible to go from reactive to generative without changing the organization to also be calculative and then proactive. By identifying their position on the ladder, organizations can develop strategies to enhance their HSE culture, ultimately reducing incidents and fostering a safer work environment.

Adapting the HSE culture ladder for project controls

We can attempt to adapt this culture ladder for Project Controls, by keeping the names of the levels and then describing what this means for our specific domain:

Pathological
Delays and cost overruns are masked, blame is placed on individuals or groups, and everyone’s primary directive is to avoid being the one that gets blamed. This type of organisation lacks accountability for project outcomes. Project controls is of questionable value to the project and team. There is no explicit risk management role in project controls or the team.

Reactive
Project controls are implemented sporadically, mainly as a response to project failures or significant deviations from the plan. The focus remains on firefighting and resolving immediate issues and issuing the required monthly report without addressing underlying causes.
Project controls are somewhat valued members of the team. There is no risk management role in project controls, but there may be a risk function they coordinate with.

Calculative
The organisation has established systems and procedures for project controls, including scope, schedule, cost, and risk management. Metrics and performance indicators are tracked and analyzed regularly beyond just the required monthly report to ensure projects stay on track, and corrective actions are taken as needed.
Project controls are valued members of the team. There is no risk management role in project controls but they work closely with the risk management function.

Proactive
The organisation is actively gathering intelligence about the causes of performance issues and looking ahead to identify emerging risks, and creates plans to mitigate future risks. Metrics and KPIs all have future projections that guide decision making.
Project controls are highly valued members of the team. Project controls and risk management are integrated.

Generative
The organisation is envisioning and preemptively discussing many different versions of the future — event-based scenarios, “what-if”s, design adjustments, and alternative methods of delivery. Each version of the future comes with its current expected projection for metrics and KPIs.
Project controls are essential, sought out members of the team. Project controls and risk management are highly integrated.

It is generally thought that most project controls functions operate at the reactive level currently, though we aspire to become more proactive.

The IRM Risk Maturity framework is somewhat similar to a direct application of the Dreyfus model to Risk Management

By the way, the Institute of Risk Management’s Risk Maturity Framework provides what I think is a complementary framework for assessing and improving an organisation’s risk management capabilities across people, process, and technology dimensions. They also provide guidelines on how to improve on that scale.

Any organization seeking to enhance its project controls culture can leverage frameworks like the Risk Maturity Framework to ensure their risk management capabilities mature in parallel. For instance, a reactive project controls culture maps roughly to a “conscious” risk maturity. Progressing towards proactive project controls requires reaching the “expert” level of risk maturity (and integration of risk management in project controls during execution), where anticipating and mitigating risks is second nature.

By considering both cultural and capability maturity, organizations can take a holistic approach to transforming project controls into a proactive function focused on early risk identification and resilience. In the following sections, we will explore what it means to have reactive versus proactive project controls, including the limitations of reactive controls and recommendations for cultivating a more proactive discipline.

Reactive Project Controls — where most of us are

The existing culture in Project Controls is predominantly geared towards reporting, often emphasising the generation of detailed progress reports, cost and schedule analyses, and other performance metrics. This approach, while invaluable for keeping stakeholders informed, has inadvertently fostered a mindset that places more importance on capturing and documenting issues after they occur rather than working to prevent them in the first place. Risk registers are often not updated once construction begins. This has shifted the focus away from proactively identifying risks and implementing strategies to address them before they impact project performance.

I know it’s not because we choose to do things this way. I am of the opinion that this is due, at least in part, to the pressure faced by project teams to meet tight deadlines and satisfy (realistic? unrealistic? I’m not going to take a position on this particular debate right now) stakeholder expectations. In an attempt to balance the competing demands of time, cost, and quality, project teams often find themselves grappling with unforeseen challenges and deviations from the project plan. Getting the monthly report done on time too often becomes as much as one can do. This is when the primary focus of Project Controls becomes managing issues and their consequences, leaving little to no room for prevention and proactive risk management.

The time is now to implement more proactive risk management strategies integrated in project controls. This change should involve a greater emphasis on risk identification and mitigation not only during the planning but also the execution phases of projects. If we integrate risk management strategies and proactively address potential issues, Project Controls can evolve from a reactive reporting function to a forward-thinking, prevention-oriented discipline that anticipates and mitigates risks before they materialize. In turn, this will lead to more successful projects.

Proactive Project Controls — where we want to be

What does it mean to be proactive about risk? Being proactive about risk means anticipating, identifying, and addressing potential threats and uncertainties before they materialise and negatively impact a project or organisation. Proactive risk management is all about taking a forward-looking approach to risk, focusing on prevention and mitigation, rather than merely reacting to issues as they arise.

There are a few ways in which proactivity can be applied to the different areas of Risk Management:

Risk Identification: Proactively identifying risks involves systematically scanning the internal and external environment for potential threats and uncertainties that could affect the project or organisation. Participate in regular status meetings and get first-hand intelligence. This process includes analysing historical data, industry trends, and other relevant information to uncover potential risks.

Risk Assessment: Once potential risks are identified, proactive risk management involves assessing the likelihood and impact of these risks. This includes not only event risks, but also system attributes (e.g., weak teams) which result in greater uncertainty throughout the project. This requires evaluating the probability of each risk occurring, as well as the potential consequences if the risk materializes. Risk assessment helps prioritize risks and allocate resources effectively. When decisions need to be made (e.g., major changes), that is when the quantitative risk analysis (QRA) step of assessment comes in.

Risk Mitigation: Developing and implementing risk mitigation strategies is a critical aspect of proactive risk management. This may involve taking preventive measures to reduce the likelihood of risks occurring or developing contingency plans to minimize the impact if they do materialize. Risk mitigation strategies should be flexible and adaptable, allowing for adjustments as new information becomes available or as conditions change.

Continuous Monitoring: Proactive risk management requires ongoing monitoring of risks and the effectiveness of mitigation strategies. This involves tracking risk indicators, evaluating the performance of risk mitigation measures, and adjusting strategies as needed based on new data or changes in the project or organisational environment.

Communication and Collaboration: Being proactive about risk necessitates open and effective communication among team members, stakeholders, and other relevant parties. This fosters a shared understanding of risks and the importance of proactive risk management, ensuring that all parties are engaged in the process and aligned on the risk mitigation strategies.

Learning and Improvement: A proactive approach to risk management emphasises continuous learning and improvement. This involves learning from past experiences, as well as benchmarking against industry best practices, to refine risk identification, assessment, and mitigation processes over time.

By embracing a proactive approach to risk management, organizations can minimize the potential negative impacts of risks, improve project performance, and increase their overall resilience in the face of uncertainty.

Why forecasts alone are not enough

An example end date forecast: we reported it, so now what? The decisions that descend from this are more important than the forecast itself or even its accuracy.

Forecasting plays a crucial role in identifying potential risks and predicting future events. It is a key project control responsibility, but as with risk management, it is often poorly done. Reactive cultures use magic thinking assuming performance will recover because it has to. Calculative cultures often just extrapolate current performance. But even if done well, we don’t think it’s enough on its own to ensure the success of a project. Forecasting serves as a valuable input for decision-making, but the real value comes from taking appropriate actions based on analysis to address the potential risks and uncertainties that the forecasts reveal. After all if you don’t make a change, well, nothing changes.

Even worse, focusing solely on forecasting without analysis and taking corresponding actions can lead to a false sense of security, as the project team may believe that through working harder the forecast will come true without actually addressing risks at all! Of course, the decisions of whether and how to act are not the responsibility of project controls, but strong project controls make effective decision making more likely.

Prevention strategies (sometimes referred to as “risk treatmens”), on the other hand, focus on reducing the likelihood of risks occurring in the first place. These actions can involve improving elements of the project system such as processes, enhancing communication and collaboration, or investing in training and development to strengthen the project team’s ability to identify and address potential issues before they escalate. By emphasizing prevention, project teams can proactively reduce the chances of encountering major problems, ultimately improving project performance and success.

Mitigation strategies (sometimes referred to as “risk responses”), contingency or contingent risk response planning, aim to reduce the impact of potential risks on a project, should they occur. These strategies can include reallocating resources, adjusting schedules, and/or implementing alternative solutions to minimize the negative consequences of risks. By incorporating planned mitigation actions into forecasting, project teams can ensure they are better prepared to manage risks and recover from potential disruptions.

In conclusion, while forecasting is an essential aspect of project controls, it must be complemented by a focus on actions like prenvention and mitigation to truly enhance the resilience and success of a project. By using forecasting insights to inform decision-making and develop proactive strategies, project teams can navigate uncertainties more effectively and improve overall project outcomes.

Pre-mitigation

“Pre-mitigation” (risk treatment), refers to the act of proactively identifying and addressing potential risks and issues before they materialise or escalate, in order to minimise their impact on a project. This approach emphasises prevention and early intervention, as opposed to responding to issues only after they have occurred. There are three ways you can address risks before they materialise:
1) Reduce the likelihood (prevention)
2) Reduce the severity (mitigation)
3) Reduce the impact (cushioning)

Pre-mitigation strategies encompass various actions and processes designed to reduce only some or all three of these variables. Here are some examples of pre-mitigation strategies, in descending order of effectiveness:

• Find workarounds or changes that neutralise the causes of some of the major risks, if plausible.
• Plotting alternative courses of action and multiple possible responses for the major risks, and decide what the trigger points would be to change course.
• Implementing redundancy in resource allocation and scheduling to absorb potential disruptions or ease up on aggressive strategies if work is complex and fragile.
• Agree additional contingency or have insurance in place
• Monitoring early warning lead-indicators / KPIs to start interventions at the first signs of trouble

By focusing efforts on pre-mitigation as opposed to post-incident crisis management, as common in proactive project controls cultures, project teams can enhance resilience, reduce expensive firefighting, and improve the chances of project success.

Improving contingency planning through forecasting and proactivity

An example insight from nPlan Insights: use the forecast to highlight the areas of highest expected impact on the project outcomes.

Contingency planning, a crucial aspect of project controls, involves developing alternative strategies or plans to address potential residual risks or unforeseen events that may impact a project’s objectives. Improving contingency planning through better forecasting, analysis, and a proactive mindset can significantly enhance a project’s resilience and overall success.

Better forecasting plays a vital role in enhancing contingency planning by providing more accurate and timely predictions about the impact of potential risks and uncertainties considering risk response actions. By leveraging advanced tools and techniques, such as AI-led forecasting and predictive analytics, project teams can gain deeper insights into potential challenges and more effectively anticipate the likelihood and impact of various risks. With more accurate forecasts, project teams can develop more targeted and efficient contingency plans, ensuring that resources are allocated appropriately and potential issues are addressed effectively.

A proactive mindset, on the other hand, focuses on anticipating and addressing potential problems before they occur, rather than simply reacting to issues as they arise. By adopting a proactive approach to contingency planning, project teams can systematically identify potential risks, assess their impacts, and develop and test appropriate strategies to mitigate them. This forward-looking project controls approach not only helps project teams to better prepare for uncertainties but also fosters a culture of prevention and risk mitigation, ultimately reducing the likelihood and severity of delays and budget overruns.

Incorporating better forecasting and a proactive mindset into contingency planning can lead to more robust and effective plans, improving a project’s ability to adapt to unforeseen events and changes. As a result, projects are more likely to stay on track and achieve their objectives, ensuring greater overall success in the face of uncertainty.

Scenario analysis for proactive project controls

Scenario Analysis in nPlan Insights: comparing outcomes between different choices or possible future events

Scenario analysis is a powerful tool for proactive risk-aware project controls that helps project teams identify, assess, and manage potential risks and uncertainties. By exploring various plausible future scenarios, project teams can develop flexible strategies and contingency plans that account for a wide range of potential outcomes. This forward-looking approach enables project controls to anticipate and adapt to changes, improving project resilience and performance. And ultimately, better project controls analyses makes more effective decision making by the project manager more likely.

Scenario analysis involves steps such as identifying key drivers and uncertainties, developing diverse and plausible scenarios based on those factors, assessing the potential impact of each scenario, and formulating adaptive strategies that can be adjusted as conditions change. Continuous monitoring and updating of scenarios, as well as collaboration among stakeholders, are also critical for effective implementation. Such analysis calls for risk management to be integrated with project controls.

Incorporating scenario analysis into project controls can help project teams anticipate potential risks, develop adaptive strategies, and improve overall project performance. By embracing this proactive approach, project controls can shift from a reactive, reporting-focused function to a proactive, forward-thinking, prevention-oriented discipline.

Robust Decision Making for proactive project controls

If you want to know more, there is a fantastic discipline called DMDU which I will cover in a future post. For now, we’ll look at one of the techniques in DMDU, called Robust Decision Making. The founders of the group also published an introductory book to the topic that I thoroughly recommend.

An overview of all the steps in Robust Decision Making

Robust Decision Making (RDM) is a systematic approach to Decision-Making under Deep Uncertainty (DMDU), where the goal is to identify strategies that can perform well across a wide range of possible future conditions. Incorporating RDM into Project Controls can help transform the discipline into a more proactive function by enabling project teams to anticipate potential risks and develop flexible strategies to address them.

RDM enhances proactivity through comprehensive risk identification, scenario planning, adaptive management strategies, enhanced stakeholder collaboration, and continuous monitoring and learning. By incorporating RDM principles, project teams can improve the resilience and adaptability of their projects, allowing them to proactively respond to emerging risks and uncertainties. This ultimately increases the likelihood of successful project outcomes.

Conclusion and Recommendations

To foster a more proactive risk culture in Project Controls, organizations must focus on enhancing both cultural and capability maturity. Based on the analysis in this piece, we recommend the following actions that can progress Project Controls up the cultural ladder while also elevating risk management maturity:

• Provide training on proactive mindsets to instill a forward-looking culture focused on early risk identification and mitigation. This cultural shift from reactive to proactive aligns with progressing from novice to normalized risk maturity.
• Implement robust systems and procedures for real-time risk management integrated with change control while tracking metrics to monitor effectiveness. Moving from calculative to proactive project controls requires achieving normalized and natural risk maturity.
• Leverage advanced tools like AI and predictive analytics to enable data-driven forecasting and scenario planning. Adopting these technologies demonstrates natural risk maturity and a proactive project controls culture.
• Incorporate adaptable decision frameworks like Robust Decision Making that perform well under uncertainty. This enhances resilience, fitting a proactive culture and natural risk maturity.
• Structure processes to facilitate continuous risk monitoring, updating, and learning. Natural risk maturity and generative project controls culture are defined by embedded learning.
• Promote collaboration between project teams, business management, leadership, and stakeholders on risk strategy. Cross-functional alignment on risk management supports natural maturity and proactive culture.
• Implement performance incentives tied to proactive project controls integrated with risk management. Rewards for early identification and mitigation encourage desired cultural and maturity shifts.

We have published our own framework, called AI-SRA, which leverages AI to improve already-existing QSRA methodologies in project schedule risk management, which is inspired by the principles in this document. We’d be humbled if you were to take a look.

With a combination of mutually reinforcing improvements to culture and capabilities, organizations can achieve higher levels of project controls and risk management maturity, enabling successful delivery amidst uncertainty. The key is approaching both transformations holistically rather than in silos.