Ep 74 Fireside Chat on the Project Risks you don't see coming


What kills a project faster: a major mistake or the risk no one saw coming?


In this fireside chat, Dante Healy and John Byrne break down the hidden threats that derail digital projects—not the obvious ones logged in risk registers, but the ones that creep in quietly while everyone’s focused on delivery. 


From unseen business shifts and missing licences to sudden sponsor exits and ransomware threats, they share real-world stories where plans unravelled because key signals were missed.



The episode digs into how to spot weak signals, build resilient teams, and manage risk in areas beyond your control. It also tackles the human side: why culture matters more than process when things go sideways and how to keep people speaking up before problems hit.


Transcript

Dante Healy [00:00:02]:

Hello, everyone. Welcome to Business Breaks. I'm Dante Healy. And together with my co-host, John Byrne, we're talking about risk. Not the kind that sits neatly in a risk register, but the kind that creeps in when things move fast, plans shift, and no one has the full picture. Digital projects don't fail because of one big thing. It's usually something small ignored or unseen, until it's too late. Risk management at its heart is about spotting that uncertainty early, and acting before it grows.


Dante Healy [00:00:36]:

And we've seen projects get caught out, not by poor planning, but by poor listening. So let's get into it. Now, John, before we dive in, give us a quick one. What's a moment where a risk caught you off guard?


John Byrne [00:00:54]:

I've actually got loads of examples of that, and I'm I'm going to go with one that actually didn't just catch me off guard, ended the project. That was how big of a risk, it turned out to be. I don't think I've actually mentioned this one to you before. We were doing a project putting in an ERP system. We were part of a bigger group of companies, so we were putting their they had two ERP systems. You were putting in one of them, the the one that they said they wanted to go with. And then one day, we went into the office ready to, not far off going live where to be informed that the company had just spun off a a a load of another section, and all the licenses for that ERP were being spun off with the with with the thing they were they were spinning off. So we have no licenses for the for the ERP system anymore, and that ended our project.


John Byrne [00:01:45]:

And that was not a risk. We were it didn't make it onto any risk registers. That was not something that we even contemplated the impossible. And it seemed to, like, caught everybody completely off guard. Wasn't just those on the project team, people who worked in the company. One person who, was was a very senior person went off on two weeks' holidays came back to a brand new ERP system. Well, a very old ERP system that he had always be bound with the fact that the rest of the company were using, but he was delighted that he had the the more modern one. He went off on two weeks holidays, and they spun off a a chunk of the company and sold the licenses for the more modern system with what they'd spun off.


John Byrne [00:02:26]:

So, yeah, I I so there was nothing we could have done about that. We we were not aware of it. We were never made aware of it, and it was a big enough project that you would have thought somebody would have, at least told us not waste too much time on that project.


Dante Healy [00:02:41]:

That's that's really interesting. And, yeah. I mean, I've got quite a few stories I could tell. One interest, I guess, one personal one for me that really stands out was when I was managing a project team, and it was on a program for transforming finance. And it just so happened, one of my colleagues who was head of an accounting department had retired, and then her backfill decided instead of, backfilling, it was someone who was promoted into her position. He left the company to, join a start up. So there was a gap in what was the day to day business. And because there was no time to find a suitable backfill, I was transferred from project management to operational finance.


Dante Healy [00:03:30]:

And I had to manage that team for about seven months, which meant during that time, I had to prioritize the day to day running two different teams, which was okay, but it it had its own challenges. It it was it was really an interesting situation because it did mean that my project slowed down, but I was able to also see opportunities in the operational finance team to improve things. So there was a kind of, what I lost in terms of my, objectives at the start of the year, I gained in terms of delivering on other things and seizing the opportunity. So it was kind of a mixed bag of, results. But I guess if we start with the basics on risk, the kind of risk that often get overlooked when digital projects move fast, and it's easy to focus on delivery and forget that really, real resilience comes from how well you prepare before things go wrong. So on the subject of strategy, if you over optimize for current conditions, you basically leave no room to move when something shifts, and that's when projects start to crack. So should we talk about what proactive risk strategy actually looks like in practice? And how do you spot risk you don't see yet? And how do you make sure you stay ahead of them when the project keeps changing shape? And also, making sure you bring the right people into the loop without slowing things down or losing control. How have you found managing that in your experience?


John Byrne [00:05:21]:

I suppose well, one of the key things is you kinda touched on it there with the planning. Never assume that just because you planned for everything, you're you're covered. Something will come out of left field. I think I've said it before many, things about adding contingency that, you know, your your project is not going to go according to plan because something that something that you weren't expecting will come out of nowhere and hit you. But the fact is while you don't know what exactly that is, you should just know and and and have contingency for something. And, you know, that that is ultimately the the only thing that you can do is building in enough contingency and and resilience, as you said, to to, try and cope with it, but to also your own mental, your own emotional setup. Have a growth mindset. Don't be fixed.


John Byrne [00:06:18]:

Don't think that because you've planned a, b, c, d, e, don't get thrown when you get to a, b, and something's gone wrong, and you're gonna have to skip c and go straight to d or or something like that. Don't let that completely throw you. Just be more willing to be be a bit slow with the power. Be willing to accept it, make the best of it, and keep going. I think, you know, risks that you you can't foresee really derail things when, you you panic when they come out, you know, rather than just trying to you know, you can't relax, but, trying to find how how to proceed as opposed to trying to force the original plan to work even though it's it's gone off the rails at this stage. How about yourself?


Dante Healy [00:07:10]:

Yeah. I think it's about contextual awareness. And you don't just focus on your project plans. You have to look at it in the context of the overall business. So if you're not aware what's happening in the business, you're gonna get caught out of left field. And especially, it's tricky, but it's not impossible. And it's actually quite doable in larger organizations, which have a lot of visibility in the news. If you, for example, go to Google and you set up your personal email alerts for any notifications on a company or a term, like, I don't know, Global Global Food Co, Inc.


Dante Healy [00:07:50]:

And then, you know, they every time there's something in the news, like they're looking to acquire another business, oh, that means at some point there'll be some merger or acquisition, that sort of thing. Or even in the countries that are impacted by the project, if it's a global project, you'll be able to see where maybe there's certain shifts, uncertainty policy changes that could impact the operations of the project, or require more focus on things like, I don't know, logistics because of, what's a hot topic right now? Trade wars. Yeah? So tariffs, that will slow down logistics. It will also increase costs, so you have to factor that in and think about, well, are there smart ways to deal with it? What would you as a leader, and not you, but the executive sponsors maybe anticipate? So there's things you can do if you're proactive. And I think the best thing is just to talk and have regular conversations with people who know what's going on across the organization. That helps you at least gauge what's happening. For example, when I was working on a procure to pay system, there was, one person who told me that there was, there is a microchip shortage. And this was for when I was working for the automotive company way back when.


Dante Healy [00:09:22]:

He informed me there's a micro, chip shortage, and he said in six months we'll have a shortage of production vehicles if we can't secure a new supply line. So they had buffer stock in the form of contractual commitments. But beyond that, there was gonna be a problem. There was gonna be a bottleneck. So it's things like that where people who are switched on can anticipate what's gonna happen and where they are in the process, if that makes sense.


John Byrne [00:09:52]:

That's it. And then just kinda maintain the flexibility to not to panic, you know, on a situation like that. There's nothing you can do about it. Yeah. Yeah. When in reality, that the the whether they can find another backup or not, you just need need to be flexible to, take on board. That's a risk. If it's a major risk that, you know, if if what you're doing is is in that situation needs the chips, then it goes into your risk register and that.


John Byrne [00:10:22]:

But even if you kind of are doing a project right now, that's not a risk. We we don't deal with those. You know, that your part of the company might deal with them, but what our project is doesn't deal with them. We don't have to worry about it. Well, you know, be aware of it still because it can have knock on effects that you're not expecting. Somebody you're relying on to give some input into the project at a certain point, it affects them, and they're in panic mode at that stage. So your project is not getting any kind of input from them when you think it's going together. And it's that kind of knock on impact.


John Byrne [00:10:55]:

So in in that example, like like what we were mentioning from the beginning, it's not so much the project, the the risks that you see, it's the risks you don't see. In that situation, the risk you see is the shortage of, chips. If you've made a determination, no impact we're putting in an ERP system, so we don't care about those chips. Well, actually, yeah, but when you get down to it, you're you're, you know, a a procure to pay system, you probably do need to have, you know, input from the procure to pay management the procure to pay director. Mhmm. And they're in panic mode because they're now trying to find a a I think so. You're not getting that


Dante Healy [00:11:32]:

suppliers. So, you know, in a normal process, there'll be a a tender negotiation. These things take time to set up. Like, if you have different tiers of supplies, you may have a tier one supplier who you know is gonna have a problem. Maybe tier two, tier three might not have the same level of constraint, but you have to be able to onboard them quicker or have an exception process that you haven't you haven't planned to automate within your system. So, again, it has impacts on potential scope changes, and maybe even funding constraints. If costs go up, it means less money less funding for your projects.


John Byrne [00:12:15]:

That's it. So that's it. So you're you're kind of you're looking at the big picture things as you're saying, but you're kind of having to do a little bit of what if thinking, and it's not direct stuff. Direct stuff you'll see. Direct stuff will go on to your risk register. Somebody will pick up on the direct stuff, and you'll get mitigation plans. It's the indirect stuff. There's there's things that, oh, in the broader context, this is gonna happen, but it's not a risk to our project because we're not doing dealing with that.


John Byrne [00:12:45]:

Well, well, what what are knock on effects? Are are there will there be money restraints because of it that could have a knock on effect on your project? Will there be personnel restraints? Maybe the risk is not even a bad thing that's happening in context. Maybe you're in an industry that's growing so rapidly. Well, then there's an extra little bit of a risk. Your industry is growing so quickly. The people you need involved in your project are getting offered jobs in other places and will leave. And that that that's gonna throw you. Even if it's not your project team, if it's somebody you need feedback from, you're you're in trouble. So it's trying to think of those things that you know, it's it's the knock on effects that you miss usually.


John Byrne [00:13:29]:

You'll get the big risk or the big opportunity, but miss the knock on effects.


Dante Healy [00:13:34]:

Yeah. One of the most frequent risks that emerge are changes to people. Because talents are short. The real talents, like, it's very easy in a project to maintain a risk register and have the discipline to keep things on there. Not so good when you're updating it if people are busy, and even harder to make sense of what's there. Mhmm. To think beyond the first order, here's a risk. But do you really understand it? And what does it mean in terms of your project if it materializes? Not just immediate risk, but, you know, the second and third order effects.


John Byrne [00:14:13]:

Yeah. And even, like, another example I can think of where, a risk hit me that I wasn't expecting was I think I may have mentioned that in a previous, episodes. We we were working in a in a project now where our risk register had things on it to do with personnel, such as they have to do their day jobs. They may not have time. We have to do the but the sponsor, the very senior person in the overall company, the project sponsor, left to get a a got a, you know, a better opportunity in another company. We hadn't got that down as a risk that a sponsor was going to leave. Yeah. That that, you know, that wasn't, you know, our personnel risk where and we did hope that people would be leaving because it was a merger situation.


John Byrne [00:14:56]:

So we kind of knew that there there was gonna be a lot of flux, but we were not expecting the the project sponsor, somebody at that senior level to go because they were in the company that was effectively the one that took over the other company. So they were the ones that were safe, but he just got a, you know, he he got


Dante Healy [00:15:11]:

Better offer.


John Byrne [00:15:12]:

Yeah. He got an opportunity to be a CFO in a in a larger well, not in a larger, in another company. So it was basically a promotion for him that, you know, he couldn't pass up. But it wasn't something we had down in our risk register that he was going to go. Yeah. I mean, other people we talk, you know, were at risk of of, being let go or just not liking the new culture, especially the ones coming from the the other company. But, people from our company, the senior people from our company, we weren't expecting anybody to go and talk. They'd all be delighted with their great new growth opportunities when we were wrong.


John Byrne [00:15:46]:

Mhmm. Mhmm.


Dante Healy [00:15:48]:

But yeah. I mean, and, again, these things hit out hit you and emerge out of left field. These are not things that you plan for. No. No. You know, if if you're if you're finding that your risk is because you hadn't asked your team at the start of the project when are you planning to take vacation or leave? And then they they go on holiday just before the launch, and you hadn't you hadn't planned for it, that's on you. But if they're leaving, and and you didn't know because they didn't tell anyone how you're supposed to know about it. You can't plan for everything.


John Byrne [00:16:23]:

Exactly. And that that is and and, again, you you're you're you you have a little bit of contingency built in, so that might help do it. In a situation like that, it actually the contingency was no use whatsoever because it didn't delay us. It didn't do anything. It it just meant, though, that our, somebody new came in as a sponsor who wasn't really that bothered about the project. It wasn't their project. And so, you know, it in the end, it didn't really impact our project, but there was potential there that it could have. It was a risk that we didn't plan for.


John Byrne [00:17:00]:

We we it didn't didn't cause us any delays. But by the same token, where our project probably would have been extended if the original sponsor was there because we achieved what we had to achieve, but there was other things we could have then done in a separate project. That separate project never materialized because the new person just yeah. It was they inherited this. It wasn't their project. They other things that they wanted to put their mark on, so they just kind of, you know, tolerated us until we were finished what we were supposed to deliver, and then that was the end of our of of us.


Dante Healy [00:17:34]:

And there's levels of senior sponsorship, you know, and the other risk is which you will never figure out, even if it's sourced internally or it emerges internally is that you have senior people and then you have even more senior people. So your executive stakeholder might be the CFO, but then there's another CFO who's responsible from a larger area of the finance team, who's actually the boss of the the CFO, who's the sponsor of your project. And then suddenly, everything changes again, because they have a different view. And especially, when you got backfills, as you say, they'll have a different set of priorities. They'll believe that there's a different there are different drivers to the business or different approaches to how you affect the transformation and leave your mark. Plus, they'll want to have their own stamp on the organization.


John Byrne [00:18:29]:

Exactly. Yeah. And then you almost almost have to have two risk registers. You know, that you've you've got the official risk register that everyone can see, but, you know, even if you can spot something like that that, oh, you you think the executive sponsor is going to be replaced or something like that, that's probably not something that you want to put on the official risk register. No.


Dante Healy [00:18:52]:

No. Yeah. Yeah. There's the the politically correct risk register, the corporate risk register, and your private risk register.


John Byrne [00:18:59]:

Mhmm. And that's it. And as a project manager, you need to have both and you need to be ready to to react to both. But but having said that, it's not all on you. I mean, you know, you you you you have a small project team usually, small core project team. I know how big the project might be, and it's bringing in other teams and that, but there'll be a small enough core project team. You know, make sure that they that everybody feels happy enough within that core team to be able to flag up. Well, I heard rumors about something.


John Byrne [00:19:31]:

Just keep an eye on it because if it comes true, it turns out to not be just a rumor or an actual thing. That could have a, you know, some unforeseen consequences. Mhmm. Even though even if you can't name what the consequences are, Dan, just be aware then and be ready to bounce off whatever comes React. Yeah.


Dante Healy [00:19:51]:

And, yes, as they say, it's the punches you don't see coming that hurt the most. Interesting. So I guess if we can shift the topic to, something that's harder to measure, which we've touched upon, which is, I guess, people. And what often makes or breaks delivery is culture. And when something unexpected hits, such as a blocker, design flaw, user pushback, or even something outside of the organization itself, the business management. It's usually not your risk log that saves you. It's how the team responds. And that comes down to, you know, cohesion, trust, ownership, and often how people behave when the pressure is on.


Dante Healy [00:20:40]:

So you can have that, all all the tools, and trackers, and frameworks, and perfect, you know, risk ceremonies and meetings. But if people don't feel safe to raise concerns or take initiative when things heat up, the risks usually build up in silence when people are frozen. So how do you build a risk aware culture that doesn't just tick boxes, but actually helps the team cope when things go sideways? What have you found works for you, John?


John Byrne [00:21:18]:

Creating an environment where people are happy to brainstorm effectively. You know, that that is what you're kind of almost inviting them to do. Let's brainstorm. What could go wrong? You know? Mhmm. Let's not even worry about how do we solve for it. Let's just worry about, well, what what could go wrong? Even some fire out things, you know, and then try to measure them well. Do do these things have an impact, or do they not? But, you know, not not to uncertainty don't shoot down anybody that that, you know, comes up and say, oh, that would never happen. You know, try to encourage people to flag things early and that, you know, make sure that they're aware.


John Byrne [00:22:01]:

You'd much rather they flag a potential problem early. Mhmm. That'd be really, really good at firefighting and have a problem after it already has happened. Yeah. You know, if you if you can flag it early, you might be able to avoid it or at least avoid the worst of it. And how about you if you if you come up with major examples of of this or or what you did to


Dante Healy [00:22:25]:

try to I think it depends on the capabilities of the team. And you have some team members who can function independently. And then you have a sometimes you'll have a team where everyone needs handholding, and it seems like nothing moves without you, which it which can be really frustrating, but then you need structure around that. And you need to also have a plan where structure breaks that you can, be flexible with it. Allow people to move outside of the structures and not worry about audits as long as the intent is correct. Mhmm. So giving people ownership, when they're trying to address risk, but also, you know, have some guardrails around that as well. You know, it's it's more about, again, coming back to that sensing, and reward people who bring bad news early.


Dante Healy [00:23:22]:

And it's not about it's about trying to minimize the amount of firefighting that goes on. And, you know, it's things like if you can try and be proactive. So maybe having discussions framed around what what would you expect would fail in the project if it did fail. So like pre mortems in Agile, you know, you can almost get your mind, calibrated to thinking, what would I do if things went wrong?


John Byrne [00:23:53]:

Yeah. And also, I think, you know, a good good strategy as well to get people thinking in terms of risk, is is not even just thinking about what could go wrong in the past when you're doing the you know, we've we've we've closed the phase down on the project or we've we've we've reached the milestone on the project of that and we're having a good discussion and asking what nearly went wrong. Mhmm. You know, we we've managed it. We know what went wrong, but were there other things that we just avoided that we got a little lucky with. It just gets people thinking in terms of, you know, if you can think historically, well, what were the risks there? Oh, this could have gone wrong. That could have gone wrong. We had a really close call there.


John Byrne [00:24:33]:

And then they're kinda thinking, okay. They were risks. What did we miss before it happened? It just gets their brain thinking in terms of, okay. Now let's apply that to what's going. So that if a similar situation happens again, we won't be relying on luck to not go wrong. We'll actually be able to be proactive about making sure it doesn't go wrong.


Dante Healy [00:24:53]:

Exactly. And actually, thinking about my point about having structure when your team are weak, the ideal would be having people who can think for themselves, who aren't just busy doers, but actually proactive thinkers. Because that I I've I've managed both sets of teams, and the people who can tell you why why a recommendation you've given won't work. Who won't who will push back, but do it I mean, a lot of the time they'll do it respectfully, but they'll explain why things are more nuanced. And they'll tell you, some things that perhaps they see as concerns and risk, and sometimes they're right, sometimes it's not quite right. But at least bringing issues on, bringing issue bringing concerns up is a healthy culture, and what you need is really to be people focused if you want your people to function. It's not always convenient as a leader, or a manager, to have people come up with issue. But again, maybe some of that avoiding the burnout, if you're leading projects, is being able to filter signal with noise.


Dante Healy [00:26:11]:

So I think, well, filter the signal through the noise, and look out for what's really uncertainty. What could have, damaging effects if not addressed urgently or understood urgently versus what is probably not gonna be a major issue for your project.


John Byrne [00:26:31]:

But And yeah. The key thing there as well is those to acknowledge what people are telling you and, don't be flippant about ignoring it. You know, even if it's something that you think that's not gonna have any impact on the project, still be be thankful that they gave it to you on that. Because if you if you brush aside too many you know, even if they are very unlikely situations or things that won't have any impact, if you brush people off too often when you're doing that, they'll stop coming to you with potential risk. And then that's when one of them will will hit that they they could have come to you and told you, but you've been ignoring them so many times that Mhmm. They just gave up.


Dante Healy [00:27:11]:

Yeah. And and that's that's the thing. You know? There's an element of reinforcement. And if your team aren't aren't really strong on risk management or risk awareness, there are there are tools. There's coaching. There's training. There's, there's just sharing as well, having discussions, during your team your team group sessions. So there's always an element of making sure you keep your team members in the loop on on things that they should be aware of and acknowledge.


Dante Healy [00:27:44]:

And even if it's just context, because there are and, yeah, having conversations, you might think it's, the relationship piece is intangible, isn't it? So it's hard to quantify, but there's a lot of value in having discussions and getting different perspectives in your organization and even in your industry when you get the opportunities.


John Byrne [00:28:12]:

Yeah. And as well, I suppose the the the other thing is it's okay to have a very large long risk register. You know, there there you know, we said earlier that there's kind of two risk registers, your own personal one and the the official one. Or even the official one, you know, there there'll be risks put into various reports and stuff like that. Those risks tend to be the big high impacts, you know, risk, but that's not the risk register. I think sometimes people see, you know, like, five to 10 risks and and think that's the risk register. No. That's that's what's being called out to the more senior people as the biggest, likeliest risks, likeliest that high impact risks.


John Byrne [00:28:55]:

Mhmm. But your risk register could have dozens of of potential risk. I mean, it is one of those things. You're you're kind of trying to think about every possible risk and mitigation for it in advance, and then most of them will never happen and you'll, you know, never look at them again. But then when that one does happen, you go down the risk register and you realize, okay. It was considered a low impact flow lowting risk, but this was our mitigation for it. It's actually gonna have a little bit more of an impact than we thought, but Mhmm. We have a little bit of a a mitigation already thought out.


John Byrne [00:29:28]:

Maybe we need to adjust it at this stage, but we have something to start with. So, you know, you you kind of I think sometimes when when especially new project managers come in and they look at previous decks and reports and that, and they they think that the risk register is only a few risk, you know, it's not it's a it can be a very long and and the best ones are very long.


Dante Healy [00:29:55]:

Yeah. Well, if you're lucky as an organization to have a chief risk officer


John Byrne [00:30:00]:

Mhmm.


Dante Healy [00:30:01]:

Then, yeah, you'll know that each they'll be enforcing a a risk management process that involves not just project level risks, but department level risk, operational risk. You know, when I was working in financial services, we had a, in the UK, we have a a regulatory project. Well, a number of them, you know, for, for example, in UK financial services, there's three lines of defense. There's AUXA, which is operational risk and Control Management, an equivalent for issue like ORSA. And then ICAP, which is for banking organizations, which, involves reporting risk and capital planning under Basel rules, and looking at materiality of risk. So you prioritize what risk could emerge given the current climate. And and again, it's prioritization. Sorry.


John Byrne [00:31:03]:

As I said, that's a good thing to, you know, it goes back to what we we mentioned earlier where, the operational risk and the the, you know, the overall corporate risk registers and stuff like that. If they exist, you should look at them from your project point of view because, you know, yes, those risks aren't about your project exactly. But if any of those risks are are high impact and and likely to happen, they'll have knock on effects. They will take they'll take finances away from your project or they'll take people away from your project. Or they'll make their business users that you're relying on getting to do the testing or to get feedback from or or requirements gathering piece. It will if if those risks happen, it pulls that away. It takes away their time. So be aware of at least the key risk, you know.


John Byrne [00:31:50]:

I'm not saying read the whole operational risk register, but they'll have prioritized them and graded them like you said, and they'll have some high highly likely ones. They'll have some high impact ones. Be aware of just what they are and think, right, if that happens


Dante Healy [00:32:05]:

With the implications?


John Byrne [00:32:07]:

Yeah. What are the implications? You know? And and don't think, well, they're not part of our project. It's the risk itself isn't part of your project, but the people and the, resources that that risk will impact your project may be relying on them at some stage. So just be aware of it. You know, there's not a lot you can do, but be aware of it. And then if if the worst happens, at least you're not gonna be panicking. There there was a certain amount of, you know, in the back of your head somewhere, you you kind of knew it was a possibility, and you might even have thought of a solution. It it came up.


John Byrne [00:32:43]:

And even if you didn't think of a solution, at least you're kind of, okay. We know what it is. And if you know what the operational risk mitigation is, well, that might work for for you a bit as well.


Dante Healy [00:32:54]:

Thanks, John. Agreed. And I guess moving on, let's talk about technology because most of our projects are digital. And most digital projects today lean on vendors, cloud platforms, and external APIs. Now you've got service level agreements that cover the risk, which says which assumes a vendor will assume most of the responsibility. And it's great for speed and scaling, but it still comes with a catch. And ultimately, you're still accountable for delivery even when the risk sits somewhere else. And for example, in terms of cybersecurity, when we talk about technology, we've seen some recent some really recent examples in the news.


Dante Healy [00:33:43]:

So for example, Marks and Spencer halted online orders after a cyber breach. Co-op had empty shelves due to IT disruptions. Deloitte got their name dragged into a ransomware claim, which was tied to data leakage of a client system. And these weren't theoretical risk. They were actually very public, and real. So I guess, how do you manage risk in areas you don't directly control? What's your approach when you place trust in others for a component or even the whole delivery? And how do you make sure you build resilience in a setup that's heavily outsourced without grinding delivery to a halt? I mean, how have you managed it, John?


John Byrne [00:34:35]:

And the the you know, not I'm I'm not saying this is the answer for all things, but for for this, you know, we'll we'll get into some some of the things. But it does kinda bring up the, the the situation. Sometimes you just have to accept that the risk is there and that there's not gonna be anything you can do about it, move on. Don't let it paralyze you for or fear. Because like a lot of those things that that you said, it's it there's a there it is very difficult. I mean, you are not and your team are not cybersecurity experts. You're relying on the cybersecurity experts to have have done it. I, I I seen though there was a thing in the news over here, Oracle as well, that they had some, issue with our database that had and had been going on for years that they, you know, their their answer wasn't to own it.


John Byrne [00:35:28]:

It was to deny it and, you know, make things even worse. And these are companies that you'd be kinda thinking, you know, if you're looking at digital things set on their database or Azure or AWS and that that you're assuming they will have security at the top of their thing. You know, I'm sure they do, but their security can be bypassed if somebody is determined enough. And, you know, sometimes just acknowledging that risk exists is all you can do. There's not a lot you can do if their security platform falls down. You know, you have your service level agreements. You know, you can check to see what is the fallback if something fails. But, yeah, it's it's it's yeah.


John Byrne [00:36:21]:

And you can do all the checks you want at a certain point. I think you you you have to your your risk mitigation was going to this big multinational expert company who can fight off all these cyber threats. If they failed, I don't really think there's a lot you can do. You've done all the mitigation you can. You just have to hope that they're really good at fixing the problem on their end. How about you? But you're, I know you have a slightly different because I I tend to work with SaaS products where, you know, that everything is sitting out there whereas you you you kind of tend to use, more either private cloud or or on prem. So you may have a different, different you may have a little bit more I don't know, actually. Do you have any more options than than I would have with my project? Or, are you still kind of out there? Mercy.


Dante Healy [00:37:19]:

Well, it's all hybrid cloud these days, but it's it's a flavor of cloud. You've got a combination of on prem with cloud. So it's what what would you call it these days? Multicloud? But definitely hybrid, at best. There are still a few organizations that still have their own hosting, but certainly, the ERP vendors, SAP trying to force people onto cloud, which I guess is, you know, moving from a car you own to a car you rent type server model, or should I say computer? Let's call it what it is. And then there are organizations who who pay for their own data servers. And, as you say, these aren't small organizations. I mean, you've got Microsoft. They're trillion dollars, trillions of dollars of market value.


Dante Healy [00:38:14]:

They're selling they're heavily invested in cloud services, data lakes, and they have regular outages. When I say regularly, they happen. Right? At least once a year in my experience. And even if there's 99% availability, they'll be back up in maybe twenty four hours. And what usually happens is unless you paid an extortionate, I don't know what you'd call it, platinum service to Microsoft where they will prioritize your availability, it's usually you you can't do much when it happens except for wait for it to be fixed and hope they prioritize you. Even if you're a big account, if you haven't paid for the level of service, you're not really going to be able to tell Microsoft, you know, where to go and easily switch over to Amazon or Google. It's not so easy.


John Byrne [00:39:16]:

That's it. And and the one thing about that is, you know, you're a big account. So who do you think are a big account to? Microsoft, they have many companies that are bigger than you. They've even got companies that are smaller than you but are buying more licenses than you. You are not a big account no matter who you are. That is and that's in everything. I I do recall that in a previous role that I had, not as a project manager. And the guy I reported to, he was a PLC, and his thing was, we're a PLC company.


John Byrne [00:39:47]:

Well, you know, these people should be kind of they they adapt our, things, and I'm kind of laughing at them saying, no. These these are small businesses that we're dealing with. You know, they're they're not giving us ninety days credit because we're a PLC. They still need to pay the bills. They're giving us thirty days credit, and we don't like that. That's our problem. They don't have to supply us because, you know, we may be a big, big company, but to them, we're just an ordinary customer because, you know, they they've got loads who are buying just as much of them as we are.


Dante Healy [00:40:15]:

Yeah. It's being able to have that situational awareness and know how hard you can push.


John Byrne [00:40:20]:

Yeah.


Dante Healy [00:40:21]:

Because they can make trouble for you if you're too noisy. You might get a little bit of leeway with a person who but then they're they're they're protected by their own internal systems that only escalate if they deem it really important.


John Byrne [00:40:37]:

That's it. And they do have themselves covered and that most of them will say, you know, they've got 99.5% uptime, something like that. So when something goes wrong, they just point to it and say, well, this is the point 5%.


Dante Healy [00:40:48]:

Yeah.


John Byrne [00:40:49]:

But we told you that it's in the service level agreement.


Dante Healy [00:40:52]:

And if you wanna know when your servers are gonna go back up again, here's our website that tells you where all the servers are, which ones are out, which ones are in. Oh, look at that. You're in Region 2, and that's still out.


John Byrne [00:41:06]:

Yeah. That's it. So, you know, again, it does come down to for for all the great things and and with risk management and it does let you mitigate there. There are certain risks that, a, you you can't mitigate. Your your mitigation was going to one of the big, big suppliers thinking that they'll they're less likely to fail than the other one. But when they do fail, that'll be a mitigation. It didn't work. You just have to accept that and, continue on when when it does finally come back up.


Dante Healy [00:41:37]:

Yeah. And there are sort of, like, things you have to be aware of even with cybersecurity where there are even people who can spoof. I think was it Co-op where someone had actually gone into the, an IT person's Teams account and then got them to download software that was ransomware, and and and held the organization to ransom, and unlock it. And again, this is through their own Microsoft corporate Teams, where they could message them directly, I presume, because they had their email address. And that really bugs me because you know on LinkedIn, if you want to have verified where you work, LinkedIn will verify it. But I noticed when I verified, I suddenly had a whole load of spammy emails because Microsoft sold my data I presume through LinkedIn after I verified. Yeah.


John Byrne [00:42:37]:

I don't I'm not sure if they sell it but I I think it's it's people can even though technically, culture not supposed to. I don't think there's anything stopping them from


Dante Healy [00:42:45]:

Scraping.


John Byrne [00:42:46]:

Scraping all the the thing. I've got the exact same thing myself there. And and it it goes into the spam. I don't know what they're hoping to achieve via because it just goes into to the spam when they do it. But, every now and again, I'll look to see what's in the spam and read these things. And, yeah, I got that exact same thing because, you know, I I I had a a new email address, and I put her onto the LinkedIn just in case because I was reaching out to people for that particular job, you know, on that part of that company on LinkedIn to get some, information from them. So I attached that that that new work email to LinkedIn so that if they did a search for me, they could see they could find me. And then suddenly that email started getting but everything on both emails that I have registered with LinkedIn, everything goes into the the spam.


John Byrne [00:43:34]:

So both emails catch it, you know, and and do it. So I'd I'd love to know what people think is the point of doing that, that, yeah, you're a stranger reaching out to you out of nowhere and calling you, you know, by the name that you've got on LinkedIn. You know, so many people


Dante Healy [00:43:51]:

I've had people contact me in one of my work emails, saying that and this was, you know, the corporate client email and saying, oh, I love your podcast, you know, I've got an opportunity for you here. And I'm just gonna say this right now, once I have an opportunity, assuming any of them even bother to listen to the show, is that I auto set any external email that I deem as spam to have a rule that automatically deletes it. So it's wasting your time, but actually one other thing that came up was one person called me, and I asked them, where did you get my number? And they told me it was a vendor. And the only time besides having interactions with that vendor, you know, implementation specialist, they weren't one of the big ones. Well, they are big. You know, that's the funny thing. Some of these grow really fast. But what they did was a friend of mine who works for that vendor, he asked me for a, some performance feedback, because he had his end of year appraisal.


Dante Healy [00:44:58]:

I put my email address. I think it must have had some sort of terms and conditions about putting sharing my work email, but they insisted on the work email to validate the performance review. And then guess what? When I when that person called me three months later, turned out that vendor had sold my email to them as a lead. I mean shocking right?


John Byrne [00:45:25]:

So there's a risk that you don't think about when you're


Dante Healy [00:45:28]:

Just time wasting spam.


John Byrne [00:45:30]:

Yeah. And and that's it you know and in fairness that that that example that I gave where I I used the email. It's for a project that was a it's not on the risk register anywhere that we're going to be getting a load of spam because, you know, people people realize that you're doing a project and and you're you're getting in. I suppose that's one of the least, you know, it's it's it's just a not a nuisance, but it it's not gonna have too much impact. So it'd be a low risk thing. It wouldn't even get on your risk register. It's a personal, thing. But if people are doing that, people are watching, you know, you're on a project for whatever business you're doing, whatever the project, and they're able to get hold of your email address and that will then there's a cyber security risk because it it doesn't that's how they get in in the first place.


John Byrne [00:46:16]:

You know, the the people we're gonna know about are just trying to sell us something or sell our details. But it could just as easily be somebody who's a who who has intent of, well, basically trying to get into whatever the ERP or or the data lake or whatever it is that you're creating. They're looking to figure out how are they going to manipulate you and the people on your team that they can find out all this information and and and simple ways like what you've just said that you'd never have thought of. And, then that means they can socially try to engineer the situation where they get in until cyber security is breached. How do you mitigate that?


Dante Healy [00:46:53]:

Exactly. I mean, this is spam. These are legitimate businesses trying to reach out and and see if there's any opportunity. You know? But, I mean, I get you can get your your personal numbers, scraped from or even just random number generators, and you just happen to be the number that gets called. They're they're generic things. Yeah. I mean, employment scams. Job scams are the latest one at the moment given the current


John Byrne [00:47:23]:

They're latest. They're kind of low risk though because when it's that generic, you you kind of unless you're a complete idiot, you're not going to fall for it. But it's when they actually know who you are and are reaching out to your work email and and they they've done a bit of research. And that's kind of where a lot of this got the social engineering thing. So that's the cybersecurity risk there is, you know, and it's not just you. It's other people on your team that like that example you gave. They got into the official work Teams group, and they got they they managed to convince somebody to download a piece of software that they shouldn't have been downloading. That's that's a legitimate risk.


John Byrne [00:48:02]:

And, you know, you might think, my company is too small. The project I'm working on is too small. They seem to be coming down and and going after smaller and smaller and smaller companies. They're not just going after the big ones anymore. So, cybersecurity is a legitimate risk and really should be on your risk register to have some kind of mitigation, even if that mitigation is just, making your team members most companies now will have some kind of a cybersecurity training. Make sure all members of your team have renewed their cybersecurity training because that's pretty much all you can do and then hope that they have enough cop-on not to download something and not to fall for it. But, you know, it's it's the generic stuff you can kind of get away with because the generic stuff is is, rarely ever actually applies to you. They're just chancing their arm.


John Byrne [00:48:52]:

But it's when they've done their homework and they actually know who you are, what company you're working for, and what your project is, that can be believable. And that's where the big risk is.


Dante Healy [00:49:04]:

Yeah. Yeah. Thanks, John. So I think we've gone to the end of this episode. Really good discussion. What are your key takeaways from this, discussion? Should we say this, this topic?


John Byrne [00:49:24]:

Have a you know, get the balance right. You have a risk centric mentality when you're going into the project of of recognizing risks exist, trying to figure out what they are, what they are, but don't let them paralyze you. Don't let them kinda make you so afraid to do something that you think, you know what? There's too much risk here. We're not gonna bother down this part of the project. They exist. Come up with the best, you know, list of them you can. Come up with, best mitigations for them you can. Then be willing to accept that sometimes the mitigation won't work or it will only partially work.


John Byrne [00:50:02]:

And, yeah, you know, you but but just keep thinking throughout the project. It's not something that you do at the beginning and then forget about. You'd be constantly trying to update and and have people flagging potential risks and and doing it. And and then you you walk on and, you know, building in that bit of contingency, I think we've said it several times in in past podcasts. That is one of your best mitigations for risk that eventually a risk will happen that you it's just gonna take you longer or it's gonna cost you more. So if you have enough of a contingency built in, you will be able to afford the extra time and the extra money without, killing the project on you. But, that's the main thing I think, to to to be able to advice I can give. How about you?


Dante Healy [00:50:48]:

I think, ultimately, you have to recognize what you can control and what you can't control. There's just some risks that aren't worth really monitoring, because they'll be for example, if there's a touch wood, it never happens. But if there's another world war, for example, then I guess we're all in trouble. But that being said, you're still ultimately on the hook for risk, even the ones you don't control sometimes. And you just have to just be ready, and be prepared to have those uncomfortable conversations. That being said, for the ones you can control, it's best to aim to spot the risks, and act on them early enough before they become issues. So risk, like anything, risks like mistakes and quality defects. The earlier you fix them and acknowledge them, the easier it is to deal with, and build ways to, you know, identify when weak signals actually imply bigger trends in the future.


Dante Healy [00:51:59]:

And then, again, as you say, ask yourself what what are the implications? What might happen if this materializes? And then the final piece is really about the culture. And it's about making sure your team feel comfortable to have those uncomfortable discussions, and be comfortable raising issues on items that aren't immediate issues. So raise risks that aren't issues before they become issues. And also, make sure that the risk framework is taken as a strategic tool that isn't just a one time exercise. It's a continuous process of monitoring and reviewing. And also, make sure your team treat risk as part of delivery, and it's not a separate exercise.


John Byrne [00:52:49]:

No. Exactly. That's actually a very good point. It's, it's part and parcel of the, you know, we've mentioned before that the business case needs to be constantly revisited. The plan needs to be constantly revisited. The risk register needs to be constantly revisited. Actually, every piece of documentation that you do for a project, those need to be constantly revisited.


Dante Healy [00:53:10]:

Yeah. Yeah. You never know when you need it. Exactly.


John Byrne [00:53:12]:

Exactly. And changes changes happen, so you need to reflect those new changes because it may change the perspective of, you know, what what wasn't deemed the risk before and now suddenly is, and what was deemed the risk before and now suddenly isn't.


Dante Healy [00:53:25]:

It's it's an ironic thing that, you know, like everything, if you're doing a good job, it necessarily doesn't have the visibility it deserves because it goes unnoticed when it works. But it's also what keeps your project moving forward. So, yeah. Thanks for sharing that. And I guess that's a wrap from us. Thanks again, John. And, from those who are listening, we'll be back with something that causes just as many headaches in your project management when it when things go south. So, John, pleasure as always.


Dante Healy [00:54:00]:

Thank you very much.


John Byrne [00:54:01]:

Thanks, Dante. Talk to you soon.