Project Management Institute

Beyond project risks

VOICES | In the Trenches

By Joel Crook, PMP, PgMP

FROM ROCKETS TO NATIONAL NUCLEAR SECURITY, my work has shown me that risk threatens far more than cost, scope and schedule. Wider-ranging risks—including to an organization's reputation, workers’ safety, a country's security and the environment—permeate everything defense and aerospace organizations do, whether strategic or tactical. To proactively manage risk, organizations in these and other fields are increasingly implementing enterprise risk management (ERM).

ERM is a risk-based approach to managing an organization in any industry, and it can be highly effective in supporting strategic planning, controlling risk exposure and achieving objectives. Managing risk at the organizational level is very different from managing it at the project level. Project risk management is concerned with risks that arise from the project's scope, but at the portfolio or enterprise level, it is virtually impossible to separate risk considerations from most organizational activities. For this reason, ERM is designed to break through organizational silos. It analyzes all risk across the enterprise, including operational risk, governance and compliance risk, project and program risk, financial risk and others. Risk management at this level plays an essential role in strategic planning and the growth of the organization.

ERM requires aggregating risk so that an overall risk position can be determined for a project, a program, a facility, a process, a site or the entire enterprise. Without risk aggregation, it's difficult for stakeholders and decision-makers to make a good comparison of alternatives. Aggregating allows business leaders to compare, for example, complex combinations of opportunities, expressed in dollars, and associated threats, expressed in units of reputation and units of environmental impact.

Normalizing Risk

But what is the common denominator that allows a cost risk to be aggregated with an environmental risk? And how can one aggregate financially tangible risks with financially intangible risks, such as community relationships, reputation and environmental impact? The answer begins with the normalization of risk.

To normalize risk, one must view it in terms of its cost impact. For example, a loss in corporate reputation can affect contract performance incentives and future contracts. An environmental impact risk could cause a cessation of operations for a period of time, which would equate to a specific dollar impact to sales. Once risks have been normalized in this way, they can be summed to indicate an overall risk position.

One of the most important benefits of ERM is that it enables corporate-level, riskbased decision making (RBDM). RBDM provides decisionmakers with a realistic picture of likely outcomes to their strategic initiatives by integrating risk into the cost-benefit analysis of all strategic investments.

RBDM is a powerful tool for determining the optimal mix of projects that best achieves the organization's strategic goals and objectives. RBDM is used to compare the value of the candidate projects, and the ones with the best cost-tobenefit, with the highest probability of success, are selected to be part of the annual portfolio of planned projects—a top-down process.

Once the project has been authorized, a project manager is selected, and the RBDM risk analysis becomes input to the project or program's risk management. At this point, the project risk is further refined, monitored and controlled, and escalated as necessary. Risk management now becomes part of a continuous bottom-up process.

When risk analysis is part of this process, it is important to understand that most issues are caused by a combination of events or scenarios, rather than a single causal factor. For example, the probability of one being involved in a car accident is relatively low, but will increase dramatically if the driver is drowsy and it is storming. Scenario analysis is a quantitative analysis technique that attempts to consider how many different, and often benign, risks can be combined to create catastrophic consequences. As NASA's (U.S. National Aeronautics and Space Administration) Risk-Informed Decision Making Handbook puts it, “Scenarios are used to identify ways in which a system or process in its current state can evolve to an undesirable state.”

Black Swan Events

Another aspect of ERM is contingency planning, which is developed in anticipation of the realization of a risk. The contingency plan addresses low-probability, high-impact risks because of the severity of the impact these risks can pose.

The most unpredictable category of low-probability risk is “black swan” events. These events often result from the synergistic realization of multiple risks or natural disasters, and their consequence can be extreme. When a 15-meter tsunami hit the Fukushima nuclear power facility in 2011 following a major earthquake, it disabled three of the facility's reactors. All three reactor cores melted in the three days that followed. Although black swan events can't always be prevented, contingency planning will increase the probability of successfully managing the event, should it occur.

Contingency plans should identify all trigger events as well as potential amounts of time, money or other resources needed to handle known—or even sometimes unknown—threats and opportunities. The plan is executed if a predetermined trigger event occurs. Once a plan is in place, regular training and practice will enable effective corporate-level management of the organization when it is in crisis.

When ERM is integral to key decision-making processes, the probability of meeting enterpriselevel business objectives and preparing the organization to manage future risks improves. But as powerful as ERM is, it is important to remember that it is not a crystal ball, and it can't be implemented overnight. ERM requires an investment of time and money, and the dedication of skilled and experienced leaders. PM


Joel Crook, PMP, PgMP, is the director of enterprise risk management for Consolidated Nuclear Security (CNS) LLC, Oak Ridge, Tennessee, USA. Before that, he was a program director for ATK Aerospace Systems, responsible for a system-level space launch vehicle program. The views are those of the author and do not necessarily reflect those of the United States government or any agency thereof, CNS or ATK.

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI.




Related Content