Developing project risk management

Share to0

Conference PaperRisk Management14 July 2004

Ward, Stephen

How to cite this article:

Ward, S. (2004). Developing project risk management. Paper presented at PMI® Research Conference: Innovations, London, England. Newtown Square, PA: Project Management Institute.

From the numerous studies on--and discussions about--project risk management (PRM) has come an expansive body of research looking at the concerns of--and the methods for--practicing PRM. This paper examines six dimensions for developing the current practice of PRM, each of which focuses on the choices that organizations can make to incrementally evolve their PRM approach into a fully integrated risk management practice. It opens by discussing the strategic view of PRM. It then details PRM's six dimensions: what, when, why, whichway, who, and wherewithal. It explains each dimension's nature--in relation to four stages of choice--and in doing so, explores such PRM concerns as perceiving risks as threats and as opportunities, managing uncertainty, improving organizational performance through risk management, understanding the objectives of managing risk, and appointing a manager who is responsible for implementing PRM.

Stephen Ward
School of Management, University of Southampton

Proceedings of the PMI Research Conference
11-14 July 2004 – London, UK

This paper argues that project risk management can be developed in six separable directions or dimensions that might be defined simply in terms of two nominal bounds or limits:

- Interpreting “risk” narrowly as a threat event, or broadly as an implication of significant uncertainty;

- Applying risk management very late when detailed plans are in place, or very early when a project is being conceived;

- The purpose of the risk management activity adopting objectives with a narrow, specific process focus, or a broad strategic capability focus;

- The nature of the process employed using ad hoc, naive, add-on, off-the-shelf processes, or integrated, holistic adaptive processes;

- Involving some relevant players in an ad hoc manner, or all players in an integrated, balanced manner;

- The resources applied using limited ad hoc resources informally, or using whatever cost-effective level of resources is appropriate in a flexible, formal manner.

Choices in each dimension indicate the ways in which organizations can incrementally develop risk management practices to the level of fully integrated risk management.

Keywords: risk management, integrated, enterprise-wide, dimensions, benchmarking

 Copyright © 2004 S.C. Ward School of Management, University of Southampton, SO17 1BJ, UK

Introduction

In recent years there has been significant development of “state-of-the-art” project risk management (PRM) and a burgeoning literature on PRM processes and case- studies of applications. However, common practice, often inappropriately regarded as “good practice” or even “best practice,” lags considerably behind. While PRM in some form is quite widespread, the scope and quality of this activity is generally quite limited. While even limited PRM can be very beneficial, much greater benefits could be achieved from more extensive and sophisticated efforts. This paper explores a number of ideas for encouraging the development of PRM whatever the extent of an organization's existing practice.

Taking a strategic management approach to PRM development implies three main concerns (Johnson & Scholes, 2002):

- Understanding strategic position;

- Understanding strategic choices;

- Turning strategy into action.

In risk management terms, understanding the strategic position is about understanding the nature and extent of current PRM practice, in terms of external environment, internal resources and competences, and the expectations and influences of stakeholders. This includes understanding and questioning assumptions or constraints that might have a fundamental influence on selected PRM development strategies.

Understanding strategic choices involves understanding the options for developing PRM in terms of both the directions in which development might proceed and the methods of development. Selection of strategy involves evaluation of the suitability, feasibility, and acceptability of possible development options (Johnson & Scholes, 2002).

Turning strategy into action is concerned with successfully implementing the chosen strategy via appropriate administrative structures, resourcing, exploiting existing competences, and effective management of change.

In the development of PRM, each of these three elements is important. However, the key element is to identify the nature of PRM development -choices -available, because unless the range of possibilities for developing PRM are clarified it is not possible to make the most effective choices about developing PRM activity.

Dimensions of Risk Management Development

Exhibit 1 suggests six dimensions or directions in which PRM might be developed. For easy reference these dimensions are given the labels: “what,” “when,” “why,” “whichway,” “who,” and “wherewithal.”

In each dimension, a range of approaches is possible, depicted by the column entries. The columns in Exhibit 1 represent stages of development and entries in each row illustrate the nature of possible progression in each dimension. The use of four stages for most of the dimensions is somewhat arbitrary, but sufficient to illustrate the possibilities for progression. The development choices indicated for each dimension are in some cases suggestive rather than definitive, and in several dimensions a much more detailed and complete set of choices could be articulated. The key idea is that for each dimension there is a spectrum of possible choices, moving from left to right with choices on the extreme right presenting the highest level of development, and choices to the left, the lowest. The approaches at the extreme right of Exhibit1 might be regarded as a clarification of what organizations aspire to when pursuing “fully integrated” PRM. Exhibit 1 indicates the variety of ways in which organizations might develop more effective PRM, even if they do not aspire to “fully integrated” PRM.

The six dimensions in Exhibit 1 are separable in the sense that choice of approach in one dimension need not dictate choice of approach in other dimensions. Thus, in a given organization, any combination of choices from each dimension might be possible. In practice certain combinations of choices would be unlikely to occur. For example, if few resources are formally allocated to risk management, the operation of formal PRM processes and significant use of sophisticated software tools would be very difficult, if not impossible, to sustain. Clearly, a version of Exhibit 1 could form the basis of a framework for assessing the extent of PRM currently operated by an organization, or serve as a framework for benchmarking comparisons. This is discussed briefly at the end of the paper.

Dimension 1: Interpretation Placed on the Term “Risk”

The “what” dimension of Exhibit 1 has a fundamental impact on the nature of PRM carried out and the benefits achievable. A limited definition of risk will limit the application of PRM, while a broad definition of risk will encourage and facilitate a wider use of PRM.

Four convenient scenarios to characterize choices of risk interpretation in the “what” dimension are:

  • Risk as threat events;
  • Risk as threat and opportunity events;
  • Risk as downside departures from performance expectations as a consequence of variability due to possible threats and opportunities in a risk efficiency framework;
  • Risk as downside departures from performance expectations as a consequence of uncertainty that includes threats, opportunities, and all sources of ambiguities in a risk efficient framework.

In dictionary definition terms “risk” is usually described as “hazard, chance of bad consequences, loss, exposure to mischance.” In an organizational context this definition results in the common view of risk as a possible adverse effect on organizational performance, and a source of risk as a threat. With this perspective PRM becomes primarily a threat focused activity concerned with protecting corporate assets and keeping projects “on track.” The possibility of managing a threat to create possible opportunities or enhancements in project performance may not even be considered. Yet it is rarely advisable to concentrate on reducing neutralizing threats without considering associated opportunities to enhance performance, just as it is inadvisable to pursue opportunities without regard for the associated threats (Ward & Chapman, 2003). If PRM is regarded as a means of improving performance, there is no reason why possible welcome effects, or opportunities, should not also be considered as well as threats. Threat and opportunity are often separable, but they are usually closely interdependent and should be managed as such. For example, concept stage decisions always alter a project's exposure to potential threats. Often the potential for losses needs to be carefully weighed against the potential for gain offered by perceived opportunities.

To emphasize the desirability of a balanced approach to opportunity and threat management, the term “uncertainty management” might be used in preference to the terms “risk management” and “opportunity management.” However, uncertainty management is not just about managing perceived threats, opportunities, and their implications. It is also about identifying and managing the sources of uncertainty, which give rise to and shape perceptions of threats and opportunities. For example, Ward and Chapman (2003) argue that an uncertainty management perspective addresses not just particular threats or opportunities, but uncertainty about:

  • The variability associated with estimates of project parameters;
  • The basis of estimates of project parameters;
  • Design and logistics;
  • Objectives and associated priorities;
  • Relationships between project parties.

Uncertainty management implies exploring and understanding such origins of uncertainty before seeking to manage it, with no preconceptions about what is desirable or undesirable. Key concerns are understanding where and why uncertainty is important in a given project context, and where it is not. This represents a significant progression from the scope of threat orientated PRM, and a necessary progression if “fully integrated” PRM is to be achieved.

Dimension 2: The Stages in the PLC to Which PRM Is Applied

The “when” dimension of Exhibit 1 is concerned with the stages in the project life cycle (PLC) to which PRM is applied. In this dimension, “fully integrated” PRM would imply that PRM was applied in appropriate ways in all stages of the PLC starting with project conception. This is a rather simplistic characterization of decision areas, but it serves as an indication of the range of decisions, moving from largely short-term, tactical decisions during project execution on the left of the “when” row in Exhibit 1, to increasingly significant decisions about the nature of the project moving to the right. Chapman and Ward (2003) discuss in some detail the nature of the PLC stages and potential roles for risk analysis and management in each successive stage.

Dimension 3: Objectives for PRM

The “why” dimension of Exhibit 1 involves choices about the intended purpose of PRM. The essential purpose of PRM in organizations is to improve organizational performance via the systematic identification, appraisal, and management of risks to that performance. However, Exhibit 1 indicates four levels of objective that might be held for PRM activity, focusing on process, application, performance, and strategic capability. “Process focused” objectives represent the most limited objectives, “strategic capability” objectives the most extensive. “Fully integrated” PRM would employ PRM aimed at all four levels of objective.

Exhibit 2 suggests example objectives that correspond to each of these levels. Many of the entries are derived from lists of benefits that are typically suggested as being obtainable from effective PRM (see for example Office of Government Commerce, 2002: Appendix A; Chapman & Ward, 2003). Exhibit 2 presents these benefits as potential objectives for PRM (i.e., outcomes to be consciously aimed for with appropriate PRM activities, rather than favorable outcomes that accrue automatically). The underlying assumption is that potential benefits will only be achieved if they are first recognized as such, and then mechanisms for their achievement are built into PRM practice.

Process-Focused Objectives

Process-focused objectives pursued at a specific project stage are the most limited kind of objective, concerned merely with achieving particular phases in a particular PRM process application. In crude terms the PRM process might be described in terms of six phases such as: “define the context,” “identify risks,” “estimate risks,” “evaluate risks,” “treat risks,” “monitor and review.” The process objectives entries in Exhibit 2 column 1 then relate directly to achieving the output of these phases. Given this correspondence, it is not necessary to undertake a comprehensive PRM process to achieve one or more of the process objectives. For example, a given application of PRM might be primarily concerned with the identification of risks, and so stop the PRM process once the “identify risks” phase is complete. Such an approach to PRM would preclude pursuit of all the other process objectives listed in column 1, and consequently severely limit ability to pursue objectives in subsequent columns of Exhibit 2. In principle, the process objectives in column 1 could be elaborated to reflect more sophisticated phase structure descriptions of the PRM process, and therefore more specific process objectives. Indeed, this is a primary motive for articulating formal process frameworks in more detail than the simple six-phase characterization (Chapman & Ward, 2003).

Application-Focused Objectives

Application-focused objectives in column 2 of Exhibit 2 relate to the way risk is managed in a specific project stage. The first five application-focused objectives relate to the degree of anticipation sought in treating or responding to identified risks, starting with a largely reactive objective for PRM labeled “crisis management,” to a strongly proactive objective for PRM labeled “strategy formulation.” In its most limited form, a “crisis management” objective implies a concern for purely reactive “fire fighting,” that is mitigating the effects of a serious and urgent problem or event. It also implies a concern to ensure systems can recognize crises quickly, and respond rapidly and decisively. A more anticipatory, “contingency planning” objective might involve planning for potential events by setting aside contingent resources, such as rapid response capability or back-up operating facilities. A “business continuity” objective involves similar concerns, but implies more active management in attempting to change the probability of certain identified possibilities occurring as well as attempting to mitigate potential adverse impacts (or exploit potential opportunities). A “proactive control” objective implies a wider set of concerns, subsuming crisis management and business continuity objectives, but also the formulation or modification of performance targets where appropriate. Beyond proactive control, PRM might be applied to influence project strategy. This extends concern beyond the evaluation and development of contingency plans in support of project base plans, to the evaluation and formulation of project strategy, and seeking to influence the basic nature of the project. This might include consideration of the appropriate parties to be involved in the project, their motives, and the scope of performance criteria adopted.

The latter three objectives in column 2 of Exhibit 2 arise from pursuit of the first five objectives, but are likely to be achieved to a greater extent the more anticipatory the RM application. For example, improvements in project evaluation and design are more likely to be achieved with a strategy formulation objective than a business continuity objective.

Performance-Focused Objectives

The performance-focused objectives in column 3 of Exhibit 2 extend beyond the way risk is addressed in individual projects and relate to improved performance over a stream of projects and in corporate performance as a whole. Performance in terms of objectives with this focus is in principle more measurable than performance in respect of process- and application-focused objectives. Objectives in column 3 offer the most obvious ways of measuring the effectiveness of PRM efforts.

Strategic Capability Objectives

“Strategic capability” objectives in column 4 of Exhibit 2 imply a longer-term perspective of potential benefits from PRM than even performance-focused objectives. Strategic capability objectives go beyond short to medium-term improvements in organization and project performance, in being concerned with fundamental qualitative improvements in PRM capability and related benefits. This includes the achievement of fundamental shifts in risk thinking, which make subsequent use and development of PRM easier, more efficient, and more effective, thereby facilitating a virtuous circle of continuous improvement. For example, a complacent, risk-averse culture based on a widely held view that “uncertainty and risk are negative issues, and PRM is just more bureaucracy,” should give way to a new PRM culture based on a shared view that “uncertainty is the source of our (commercial) opportunities, and we need to understand uncertainty in order to exploit opportunities effectively.” This kind of culture change can make an organization more exciting to work for and make going to work more enjoyable. This in turn can lead to higher quality staff wanting to join (and stay with) the organization, with obvious general long-term benefits (Chapman & Ward, 2003).

Links Between Levels of Objectives

The example objectives in Exhibit 2 form a tentative hierarchy of objectives for PRM. Pursuit of “process objectives” contributes to or facilitates the achievement of application objectives, which in turn contribute to the achievement of performance objectives in the short to medium term.

A shortcoming of much current practice in PRM is the lack of recognition given to the different levels of objectives for PRM in Exhibit 2. Partly this may reflect a failure to identify the full range of potential benefits achievable. Partly it may be due to a lack of clarity about how lower-level objectives (to the left in Exhibit 2) contribute to the achievement of higher-level objectives (to the right in Exhibit 2). Chapman and Ward (2003) discuss some of these linkages, but this is an area that would benefit from research with organizations that have been successful in pursuing level 3 and 4 objectives for their PRM activity.

Whatever the precise mechanisms linking achievement of objectives in one (lower) level with the next, it is certainly the case that limited attainment of process objectives will severely curtail performance in terms of higher-level objectives. For example, current PRM practice does not progress, in process objective terms, much beyond the fourth objective in column 1 of Exhibit 2 (“determine the significance of sources of risk, and likely effect on performance”). Often this involves little more than plotting identified risk events on a probability impact grid, assigning notional priorities, and then assigning responsibilities for managing these risks. More sophisticated analysis employs Monte Carlo simulation to progress to the next process objective (“assess the appropriateness of performance criteria”) to derive distributions of project performance in cost and time terms, although on its own this may not add a great deal.

The next process objective (“identify options for treating risk, assess these options, select appropriate options, and plan for implementation”), takes place in most PRM processes, but beyond recording proposed actions there is often no formal analysis undertaken to assess and compare the cost effectiveness of alternative treatment options. This severely limits progress that can be made in pursuing higher-level objectives and attendant benefits. Specifically, Chapman and Ward (2003, 2004) have argued that effective PRM should pursue risk efficient approaches to project designs, plans, and treatment of sources of uncertainty that evaluate tradeoffs between risk and expected performance associated with alternative courses of action.

Dimension 4: Nature of the PRM Process Applied

The “whichway” dimension of PRM development describes the nature and quality of the PRM processes employed, given choices made in the other five dimensions. In this dimension choices relate to the degree of formality and documentation in PRM processes, the scope of processes, and the sophistication of tools and techniques employed. Exhibit 1 suggests one relatively simple way of characterizing the range of choices in this dimension.

At the minimal end of the whichway spectrum, PRM processes are informal and ad hoc with little or no documentation. More developed PRM requires the introduction of formal, documented processes, developing a common, generic process, moving from purely qualitative analysis to increasingly sophisticated quantitative analyses, and using documentation to inform ongoing PRM development. Fully integrated PRM involves “expert” use of formal processes that do not imply a rigid, paint-by-numbers approach, but a flexible approach, which varies in depth and complexity to suit the context. Fully integrated PRM also involves an emphasis on continuous improvement in PRM processes, and a concern to use best practice techniques (as distinct from common practice).

 Formalization implies the use of structured processes to PRM, which makes explicit the tasks to be carried out in a given context, and helps to clarify the relative importance and role of each task. For example, a simple specification might describe the PRM process in terms of identifying, analyzing, assessing, treating and monitoring risk. A more detailed, nine-phase framework includes specific reference to define, focus, structure, and ownership phases that broaden the scope of the process in comparison to simpler frameworks (Chapman & Ward, 2003; Simon, Hillson, & Newland, 1997). These four phases have an important bearing on the quality and scope of PRM. The define phase highlights the importance of documentation that consolidates information about the context of the PRM activity. The focus phase recognizes that individual PRM applications need to be planned to ensure an efficient and cost-effective approach. The structure phase highlights the importance of understanding assumptions made and the potential for interdependencies between different sources of risk and their effects. The ownership phase draws attention to the importance of appropriate allocation of risks and associated incentives to manage them (Chapman & Ward, 2003)—a central issue in PRM. In addition to addressing these considerations, the quality of the PRM process depends on the depth of analysis undertaken. For example, efficient and effective risk identification usually requires more than unstructured brainstorming. Structured approaches using particular frameworks to prompt identification of risk sources are usually much more appropriate.

The extent of quantitative analysis is another aspect of quality in the PRM process. Issues here include the manner in which estimates are obtained, the form in which uncertainty is quantified, treatment of dependency between different sources of uncertainty, methods used to combine and evaluate risk, and the extent to which trade-offs between different risk/return options are considered (Chapman & Ward, 2002, 2003). Use of simplistic techniques such as probability impact grids offer limited and misleading quantification of uncertainty, which can obscure the nature of underlying uncertainty that requires management (Ward, 1999a). Integrated PRM would involve higher quality processes that incorporate appropriate attention to quantification. Efficient and effective quantitative analysis requires a “constructively simple” iterative approach that starts with a simple model of uncertainty adding detail in subsequent iterations only when it is useful to do so (Chapman & Ward, 2000, 2002). In Exhibit 1 terms, a high level of PRM is achieved in the whichway dimension by adopting processes capable of handling the forgoing considerations, and by seeking continuous improvement in the quality of analyses undertaken.

Another process design consideration is the range of projects that will be subject to formal risk management. A simple answer is “all projects.” However, different levels of process will be cost effective for different sizes and types of projects, which transforms the question into “what kind of risk management process should be used over the range of projects of interest”? In general, a comprehensive approach will tend to be most useful when projects involve one or more of the following:

  • Substantial resources;
  • Significant novelty (technological, geographical, environmental, or organizational);
  • Long planning horizons;
  • Large size;
  • Complexity;
  • Several organizations;
  • Significant political issues.

In time, organizations institutionalizing PRM may apply different guidelines for applying risk management to projects, dependent on the degree of presence of the factors listed above. However, such sophistication needs to wait on the development of experience with a comprehensive process on selected projects.

Dimension 5: Parties Involved and Allocation of Responsibilities for PRM

The “who” dimension of Exhibit 1 refers to the parties involved and the location of PRM activity in the organizational structure and project teams. Widespread corporate application implies PRM employed in all projects and throughout all levels in the organization hierarchy, from corporate and business unit levels, down to the smallest operating units, teams, and even individual operatives.

Development of PRM requires recognition of where PRM processes already occur in the organization and then decisions about where further attempts to develop PRM should be made, and who should be involved. Such decisions might adopt a “logical incrementalist” approach (Quinn, 1989), first targeting projects where the benefits from PRM will be greatest, and using this experience as a learning process before attempting more widespread deployment. In a project-based, contracting organization, a natural starting place for PRM is at project manager level, working down into project components and then teams. Further development of PRM might be targeted at function-based units that provide support to projects.

The parties involved in establishing an organization's PRM activity include those who might champion the initiative, the individual or project team responsible for making it happen, those who use the associated risk management systems and procedures, and those who subsequently support and maintain PRM activity. Outside parties may also be influential, such as banks or major customers.

A particular issue is the design of the organizational PRM infrastructure and the associated allocation of responsibilities for corporate-wide systems and processes. From a corporate perspective, responsibility needs to be clearly allocated for (Hopkin, 2002):

  • Development of PRM strategy and standards;
  • Implementation of standards and procedures;
  • Monitoring compliance with established standards.

The experience, seniority, and role of the PRM initiative project manager are obviously of critical importance. That such a manager is appointed with these responsibilities is a basic tenet of effective project management. A key aspect is the choice of roles allocated to corporate and business unit “risk officers,” line management, internal audit, and other specific functional areas. Even if it is agreed to designate a particular individual as “guardian of the organization's risk management architecture, strategy, and protocols” (Hopkin, 2002, p. 136), or as corporate facilitator of risk management development, the variety of roles that could be undertaken is large, and dependent on a variety of situational factors under top management control (Ward, 2001). As Ward observed, risk management departments are not always best located or equipped to progress the general development of risk management throughout the organization.

For a particular organization, the establishment of fully integrated PRM should also include the development of PRM activity in other partner or agent organizations. For example, an organization contracting with buyers or suppliers ought to be concerned with the potential for risk transfer between the contracting parties. The nature and extent of PRM operated by buyers and suppliers should have some influence on the nature and extent of PRM undertaken by their business partners. In particular, a client organization might seek to manage risks by implicitly transferring them to contractors via firm, fixed-price contracts, but this implicit transfer might not be a guarantee that contractors will identify all relevant risks or accept responsibility for managing them. This is one reason why some client organizations, such as the UK Ministry of Defence, require offering contractors to demonstrate risk management expertise by requiring them to submit PRM plans along with their fixed-price tenders.

Dimension 6: Resources Applied to PRM

The “wherewithal” dimension concerns the extent of resources formally invested in developing and maintaining PRM activity. Such resources include personnel in terms of both numbers and expertise, the time allocated to PRM, the provision of supporting infrastructure, and funds applied to the management of identified uncertainty. The greater the investment of such resources, the easier it will be to move toward more integrated PRM in terms of the other five dimensions, and the choices made in the other five dimensions may be influenced by the resources available.

In terms of personnel resourcing, choices include decisions about the number, expertise, and location of dedicated PRM personnel deployed, the resources available to them, and the extent of training to develop the expertise of other employees. An obvious issue is the location and size of any corporate PRM support. In project-based organizations, resourcing of PRM for projects might involve:

  • No specific PRM support for project managers, but limited training in PRM techniques;
  • The provision of a central risk analysis support unit, which project managers can call on as necessary;
  • Project managers provided with PRM support in the form of a full-time, dedicated risk analyst.

Formal allocation and resourcing of time dedicated to PRM is another important aspect of wherewithal choices. Clearly, project managers may spend much time on PRM matters as a truly integrated aspect of their decision-making. However, for Exhibit 1 purposes, it is more useful to consider choices about time formally and explicitly set aside for PRM deliberations, whether by individuals, committees, or project teams. For example, a directive that formal project review meetings should also consider PRM issues may not result in much additional PRM if it has to be squeezed into already busy one-day review meetings. A directive accompanied by an expectation that PRM deliberations should involve an additional full day's consideration is a rather more substantial resource commitment. Similar observations apply to the establishment and maintenance of information systems to support PRM.

Approaches taken to risk financing arrangements are also part of choices in the wherewithal dimension, and are not confined to insurance arrangements. A key issue is the arrangements made for self-insurance via contingency funds, the size of such funds, and which level in the organizational hierarchy is responsible for holding them. The location and motivational effects of contingency funds are a very important aspect of effective, integrated PRM (e.g., Chapman & Ward, 2002). In addition to contingency funds, specific expenditure could be allocated to manage particular sources of risk, be they threats, opportunities, or sources of uncertainty such as variability in specific areas of performance. Fully integrated PRM would recognize that decisions have to be made about investment expenditure of this form that may lie outside the bounds of particular projects.

Conclusions

The framework depicted in Exhibit 1 characterizes PRM development in terms of six separable dimensions and four stages. The dimension and stage descriptions are based on the experience of the author and others, and are consistent with the general literature on PRM practice; however, there is scope for empirically testing these proposals and developing more detailed descriptions of progressive choices in each dimension.

Working toward fully integrated PRM requires attention to each of the six dimensions, and ultimately choices to the extreme right of Exhibit 1 in all dimensions. Most organizations are much short of this, and many may be operating only at stage 1 in all six dimensions. For a given organization, development to the next highest stage in each dimension relative to current practices is likely to be the most practicable option in the short term. However, development of practice toward fully integrated PRM need not proceed evenly across all dimensions simultaneously, and at any given time practices in each dimension may not correspond to the same nominal stage in Exhibit 1. For example, an organization's practice may be largely threat orientated, stage 1 in the “what” dimension, start on individual projects when outline project plans are still fluid as in stage 3 of the “when” dimension, and correspond to stage 2 development in all other dimensions. Plausible and preferred pathways through the possible development stages could form a useful subject for research.

Capability to Develop PRM

For a given organization, the selection of directions in which to develop PRM based on the criteria of suitability, feasibility, and acceptability, will be driven by existing organizational capability to undertake PRM. An important aspect of this capability is the available knowledge, experience, and expertise of organizational personnel in respect of risk management and their motivation to develop PRM (Ward, 1999b). However, the ability to develop PRM is also dependent on a supportive organizational infrastructure. In broad terms, this includes tangible aspects of infrastructure such as the nature and quality of administration and information systems. It also includes more intangible, cultural, “way we think and do things around here” aspects such as the willingness to innovate, act proactively, and learn from experience. It includes risk aspects of culture such as the degree of trust and openness that prevails, attitudes to risk and uncertainty (Hunt, 2003), tolerance of mistakes, receptiveness to creative thinking, and so on.

There is certainly scope for a better understanding of what organizational capabilities are necessary for the attainment of the different stages of PRM development in the six dimensions of Exhibit 1. However, development of PRM need not be wholly dependent on existing organizational capabilities for PRM. Indeed, thoughtful design of risk management processes can serve to challenge and manage a variety of cultural barriers to effective uncertainty management (Chapman & Ward, 2002, ch. 12).

Benchmarking

Assessing where an organization's current PRM practice lies with respect to the stages in Exhibit 1 is a necessary precursor to making decisions about directions in which to develop PRM. This suggests an additional role for the six dimensions framework in guiding benchmarking exercises. Organizations seeking to monitor their own progress in PRM development, or to compare their PRM practice with that in other organizations, could limit their attention to a subset of dimensions (e.g., just focusing on the nature of PRM processes employed—the whichway dimension). However, Exhibit 1 illustrates how limited such a comparison would be. While benchmarking against all six dimensions might be difficult, the framework at least highlights areas where comparisons might be attempted, thereby offering some guidance in the design of benchmarking studies. However, if benchmarking overall competence in risk management is the aim, then any benchmarking framework must also address the range of capability factors indicated above. At present there is a need for frameworks that convincingly capture the important aspects of capability.

One approach to developing generic benchmarks involves the concept of risk maturity and associated models. Such models attempt to simplify the benchmarking process by defining a specific number of maturity levels ranging from organizations with no formal PRM processes to a state of fully integrated PRM. One general model, concerned with enterprise-wide risk management maturity from DeLoach (2000), is an adaptation of a maturity model for software engineering organizations developed by the Software Engineering Institute (SEI) of Carnegie-Mellon University (Paulk, Curtis, Chrissis, & Weber, 1993, 1995). DeLoach's model identifies five levels of maturity: initial, repeatable, defined, managed, and optimizing. A PRM specific example from Hillson (1997), also influenced by the SEI maturity model, identifies just four levels of PRM maturity: naïve, novice, normalized, and natural. Hillson provides a substantially more detailed characterization of each maturity level than DeLoach, identifying features under four attributes: culture, process, experience, and application, but still incorporating only a subset of factors related to the six development dimensions of Exhibit 1 and organizational capability for PRM development.

Maturity models provide a simplified and pragmatic method for roughly assessing the level of PRM in an organization by anchoring advice on a few specified scenarios (the maturity levels), which may not correspond particularly closely to prevailing PRM practices in an organization unless a low-resolution model is adopted. In the absence of any other frameworks, such advice is potentially helpful. However this does not facilitate appreciation or consideration of the full range of possible choices for PRM development set out in the six dimensions framework, or consideration of capability development measures that might be linked to development of PRM in specific dimensions of Exhibit 1.

Chapman, C. B., & Ward, S. C. (2000). Estimation and evaluation of uncertainty: A minimalist first pass approach. International Journal of Project Management, 18, 369-–383.

Chapman, C. B., & Ward, S. C. (2003). Project risk management: Processes, techniques and insights (2nd ed.). Chichester, UK: John Wiley & Sons Ltd.

Chapman, C. B., & Ward, S. C. (in press). Why risk efficiency is a key basic concept for best practice project management. International Journal of Project Management.

Chapman, C., & Ward, S. (2002). Managing project risk and uncertainty: A constructively simple approach to decision making. Chichester, UK: John Wiley & Sons Ltd.

DeLoach J. W. (2000). Enterprise wide risk management: Strategies for linking risk with opportunity. London: Financial Times/Prentice Hall.

Hillson, D. A. (1997). Towards a risk maturity model. . The International Journal of Project and Business Risk Management, Spring 1(1), 35-45.

Hopkin, P. (2002). Holistic risk management in practice. London: Witherby & Co. Ltd.

Hunt, B. (2003). The timid corporation—Why business is terrified of taking risk. Chichester, UK: John Wiley & Sons Ltd.

Johnson, G., & Scholes, K. (2002). Exploring corporate strategy. (6th ed.).Sixth edition. Harlow: Pearson Education Ltd.

Office of Government Commerce (2002) Management of risk: guidance for practitioners. London: The Stationery Office.

Paulk, M. C., Curtis, W., Chrissis, M., & Weber, C. B. (1993). Capability maturity model, Version 1.1. IEEE Software, 10(4), 18-–27.

Paulk, M. C., Weber, C. B., Curtis, W., & Chrissis, M. (Eds.). (1995). Capability maturity model: Guidelines for improving the software process. Addison-Wesley.

Quinn, J. (1989). Strategic change: Logical incrementalism. Sloan Management Review, Summer, 45-60.

Simon, P., Hillson, D., & Newland, K. (1997). Project risk analysis and management (PRAM) guide. Norwich, UK: The Association for Project Managers.

Ward, S.C. (1999a). Assessing and managing important risks. International Journal of Project Management, 17(6), 331-336.

Ward, S. (1999b).Requirements for an effective project risk management process. Project Management Journal, 30(3), 37-43.

Ward, S. (2001). Exploring the role of the corporate risk manager. Risk Management: An international journal, 3(1), 7-25.

Ward, S. C., & Chapman, C. B. (2003). Transforming project risk management into project uncertainty management. International Journal of Project Management. 21, 97-105.

Exhibit 1 Six dimensions of project risk management development

Six dimensions of project risk management development

Exhibit 2 Levels of objectives for risk management

Levels of objectives for risk management
This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI or any listed author.

Like what you just read?

Log in or register for a free PMI account to get access 
to even more articles like this one.

or

Offer from our training partner

Advertisement

Offer from our training partner

Advertisement

Related Content

Offer from our training partner

Advertisement