The global risks threatening organizations are daunting; strong project leaders know how to build resiliency
BY DONOVAN BURBA
PORTRAITS BY DAVID DEGNER
Terrorist attacks. Droughts. Failing states. Executives have always had plenty to worry about, and shrewd organizations have always prepared for worst-case scenarios. What's different now? The global risks executives view as most likely to be realized are broader than ever before, according to the World Economic Forum's Global Risks Report 2016.
The report shows a clear shift in the risks that are keeping organizational leaders up at night and threatening the viability of projects and the safety of teams. Large-scale involuntary migration, extreme weather events and a failure to address climate change were the risks that almost 750 global respondents cited as most likely to occur. Climate change was cited as the most impactful, followed by weapons of mass destruction and water shortages. It's a contrast to early this decade, when economic concerns consistently topped the annual survey.
The same globalization that has made business easier also has changed the risk landscape, says Roland Teo, deputy director, risk management office, Eastern Health Alliance, Singapore. “The breaking down of national barriers to the flow of goods, capital and people has brought immense opportunities, benefiting many countries and economies,” he says. “However, this also introduces systemic risks and a range of other new concerns for organizations. It allows for faster and wider transmission of risks, springing from one industry or country into several countries or sectors.”
In a world where local flare-ups can turn into global conflagrations seemingly overnight—and angry voters choose Brexit over the status quo—project professionals need to be vigilant. Identifying emerging risks is just step one. Project leaders can excel by knowing when to escalate strategic risks up the organizational ladder and how to turn threats into opportunities.
Perhaps no region has a wider variety of high-impact risks than the Middle East. Popular uprisings that overthrow governments, international sanctions and financial uncertainty are some of the factors that make projects in the region particularly risky, says Mohamad ElHelaly, PMI-PBA, PMI-RMP, PMP, senior risk management engineer, Orascom Construction Industries, Cairo, Egypt. A few years ago, Orascom was nearing completion on a US$350 million power plant project in Baji, Iraq, only to see it taken over a month later by militant group Islamic State. It was a risk management nightmare come true—an increasingly common scenario for people like Mr. ElHelaly.
Iraqi forces patrol Anbar province in June, part of operations targeting Islamic State militants.
“Anticipation is getting harder and harder, with all the attacks happening worldwide, currency fluctuations, revolutions, things like that,” he says. “It's been more than five years now since Egypt's revolution and the Arab Spring, so we're trying to anticipate how things will go.”
The changing nature of global risks has forced project management practitioners to change how they identify and mitigate risks at both the project and portfolio level. For starters, identifying the fundamental causes of risks is a big first step toward heading them off, Mr. Teo says.
“Most important is to understand the nature and drivers of systemic risks and the potential vulnerabilities within organizations and countries,” he says. “Instead of looking for cures to treat the symptoms, we need to treat the root cause and then build resilience to shocks by strengthening their risk management systems and strategies.”
To do so, he recommends a three-part approach that addresses risk at the project and management levels and also offers independent assurance. “The first two lines of defense include managing risk with contingency/disaster management plans. They should explicitly include potential cascading failures and systemic risks by operations, and support from the risk management function and the management,” he says. The third line of defense is to ensure compliance with policy and procedures.
For Mr. ElHelaly, identifying the risks to his organization's projects means drawing on a vast network, which includes consultancies that specialize in political risks, his organization's employees throughout the Middle East and various media sources. The diversity of sources produces a lot of information, but the process of sifting through it helps identify what's true. “That's how you verify the information,” he says. “If it's from one source, you're taking the risk of not having accurate information. But different sources will confirm information or tell you what pieces you're missing.”
Mapping the risk landscape is just the first step, of course. Knowing when and how to escalate a risk up the organizational ladder comes next. National Security Technologies in Las Vegas, Nevada, USA, recently created an enterprise risk management process to identify strategic risks emanating from lower-level risk management processes, says Thomas Andrews, PMI-RMP, PMP, project and risk management division manager. (The organization contracts with various U.S. federal defense agencies to execute R&D projects.) Mr. Andrews and a team of subject matter experts developed the necessary procedures and tools to establish and manage the process. An enterprise risk register now tracks and scores risks that require elevation to the enterprise level, helping the risk management team (made up of a risk manager and risk integrators from each business unit) decide when to bring them to the attention of senior management.
“We use traditional risk-handling strategies to address our enterprise-level risks. They are: accept, mitigate, avoid and/or transfer,” he says. High-scoring risks require that a formal risk response plan be developed by the risk owner and submitted for senior management review.
The risk management team holds risk review meetings with senior management every three months to go over new and emerging risks. Funding instability is a recurring risk. Although the political situation in the U.S. is far more stable than in many other countries, elections and partisan gridlock can be disruptive to organizations reliant on federal funding for projects.
“Our business is dependent upon steady government funding. Each year, particularly in election years, the stability of the funding stream is compromised,” Mr. Andrews says.
A WORLD OF TROUBLES
The global risks of highest concern to executives vary by time horizon and region. The risk they most commonly anticipate through mid-2017 is involuntary migration—but looking ahead through the next decade, water crises are the top concern.
GREATEST RISKS DURING 2016 AND FIRST HALF OF 2017:
52% involuntary migration
28% state collapse or crisis
26% interstate conflict
GREATEST RISKS DURING THE NEXT 10 YEARS:
40% water crises
37% failure of climate change adaptation
27% extreme weather events
25% food crises
TOP RISK BY COUNTRY:
CYBERATTACKS: Estonia, Japan, Malaysia, U.S.
FAILURE OF NATIONAL GOVERNANCE: Brazil, Peru, Bolivia
FISCAL CRISIS: Russia
ASSET BUBBLE: China, Australia
Source: Global Risks Report 2016, World Economic Forum. Methodology: 742 people in organizations around the world were surveyed in late 2015.
RECALIBRATING RISK APPETITES
Not all risks are bad, of course. Even political instability and extreme weather can become project opportunities. The key is to define the organization's risk appetite. “Fundamentally, organizations need to be clear about their strategy and long-term objectives and map them to their risk appetite,” says Mr. Teo. “Then they can consider mid-term and short-term objectives using risk tolerance to support operations.”
With increased uncertainties becoming the new normal in many parts of the world, some organizations are adapting by carefully increasing their risk tolerance. At National Security Technologies, the same increase in risks that led Mr. Andrews and the risk management process development team to establish an enterprise risk management process has in turn increased the company's risk appetite.
“The process has created an environment in which risk is managed, rather than avoided,” he says. “There's confidence now that risks are being identified and dealt with proactively. Risk owners are required to develop risk response plans to address risks in the event they occur. In this way, risk uncertainty is analyzed and managed.”
In other cases, such as Mr. ElHelaly's in Egypt, external events have left organizations with no choice but to take on riskier efforts. Prior to the revolution five years ago, his organization maintained a portfolio well-balanced between low-risk and high-risk projects. Now, although the portfolio is moving slowly back in that direction, it can't afford to be so choosy.
“Before the revolution, we controlled which projects we wanted to take and when we wanted to take them,” he says. “Afterward, investment has dropped to less than half. We have to accept some riskier projects to keep going.”
But some risks aren't worth taking. At the end of last year, Mr. ElHelaly helped his organization conduct a risk assessment on a lucrative joint project opportunity in Iraq. The company had worked in the country before and was considering bidding on a gas treatment plant construction contract.
“We were going to bid along with a Russian company, where they were the project owner and we would be the contractor,” he says. “But that company had sanctions from the European Union and the United States, so doing business with them would have put us at risk.” Economic sanctions could have been extended to Orascom, which also could have faced difficulties being paid by the Russian company, he notes. “If we had gone through with the project, it would have implications across the whole business, across our 27 sister companies. So we decided not to.”
It was a difficult decision to make, he says, requiring months of research and debate. The company's history of taking on risky projects in dicey locations made it an even tougher call. “We're a risk-taking company. We're still going to places like Iraq and Algeria, but with a more calculated risk approach.”
SEPTEMBER 2016 PM NETWORK