Risk management is recognised as an essential tool to tackle the inevitable uncertainty associated with business and projects at all levels. But it frequently fails to meet expectations, with projects continuing to run late, over budget or under performing, and business not gaining the expected benefits.
The evident disconnect which often occurs between strategic vision and tactical project delivery typically arises from poorly defined project objectives and inadequate attention to the proactive management of risks that could affect those objectives. One of the main failings in the traditional approach to risk management arises from a narrow focus on the downside, restricted to the technical or operational field, addressing tactical threats to processes, performance or people.
This shortcoming can be overcome by widening the scope of risk management to encompass both strategic risks and upside opportunities, creating an integrated approach which can bridge the gap between strategy and tactics.
Integrated risk management addresses risks across a variety of levels in the organisation, including strategy and tactics, and covering both opportunity and threat. Effective implementation of integrated risk management can produce a number of benefits to the organisation which are not available from the typical limited-scope risk process.
This paper explores how to expand risk management to deliver strategic advantage while retaining its use as a tactical tool.
Strategy, Tactics and Risk
Businesses exist to create benefits for their stakeholders, and the corporate vision or mission statement defines the scope and extent of those benefits. However vision alone does not create business benefits, and many organisations use projects as the change vehicle to deliver the capability which leads to the required benefits, perhaps managing related projects through higher-level programmes. Defining the vision and business benefits is the realm of strategy, whereas projects, programmes and their deliverables describe the tactics by which the strategy is achieved. The relationship between these elements of a project-based business are shown in Exhibit 1.
Project (and programme) objectives sit between the strategic and tactical levels, since they are defined in relation to the strategic vision, and they in turn define the requirement for projects. Objectives are also used to measure the value of project deliverables. Many projects fail because of a disconnect between strategic vision and tactical project deliverables, often as a result of poorly defined project/programme objectives. This space between the two levels of strategy and tactics requires careful and proactive management if projects are to succeed in delivering the required benefits to the business. Yet it is precisely in this area occupied by project/programme objectives that businesses are most at risk.
All business activity is undertaken in an environment of uncertainty, arising from a range of sources (Hillson, 1999). These include technical issues, commercial constraints, management issues and external dependencies. Successful businesses however do not seek to avoid uncertainty, because they recognise the relationship between risk and reward. The “zero risk” enterprise or project does not exist, and indeed is not desirable, since the available benefits are determined to a large extent by the degree of risk an organisation is prepared to confront.
Risk is, however, not the same as uncertainty. Risk arises when uncertainty has the potential to affect objectives, and can be defined as “Any uncertain event or set of circumstances that, should it occur, would have an effect on one or more objectives” (Association for Project Management, 2004). There are uncertainties that cannot affect objectives, and which are therefore not risks. It is this relationship between risk, uncertainty and objectives that makes risk management such an important contributor to both project success and business benefits.
Project objectives provide the link between the overall vision and the projects which are established to implement that vision. They also define the acceptance criteria for project deliverables which provide the capability to realise business benefits. Project objectives are however affected by the uncertain environment within which projects and business are undertaken, resulting in a level of risk exposure. Risk management exists to address this risk exposure, leading to an acceptable and manageable level of risk (Hillson, 2003a). This increases the chance of meeting project objectives, which in turn maximises the likelihood of achieving the required business benefits. As a result, there is a clear link between risk management and business performance : effective risk management should lead to realised business benefits (Newland, 1997; Hillson, 1999).
Current Risk Management Scope
Risk management has developed over many years into a mature discipline with its own processes, tools and techniques, and with consensus over the main concepts and practices (for example compare Association for Project Management, 2004; Australian/New Zealand Standard AS/NZS4360, 2004; Project Management Institute, 2004; Institution of Civil Engineers, 2005; UK Office of Government Commerce, 2002; Institute of Risk Management, 2002). Nevertheless projects still fail to meet their objectives, and businesses are deprived of the expected and needed benefits, despite the theoretical principle that risk management should contribute to project and business success. Why is risk management failing to live up to its potential? (Charette, 2002)
At least part of the problem lies in the scope with which risk management is commonly applied, where two key limitations exist:
- Firstly, in most cases, the risk process concentrates on risks to projects, processes, performance and people, either addressing risks relating to technical functionality, or tackling issues of health and safety. The focus is almost entirely tactical, and does not consider strategic sources of risk, which might affect either the project or the wider business.
- The second limitation in the way in which risk management is typically implemented is to restrict scope to dealing only with uncertainties that have a potentially adverse affect, i.e. threats. This ignores the existence of upside risk, or opportunity, which can be defined as risk with positive impact. Many organisations are beginning to extend the risk process to deal equally with both opportunity and threat, seeking to maximise the benefits as well as to minimise the downside.
The current scope of risk management to deal only with tactical threats in the project arena reduces its ability to tackle the strategy/tactics gap outlined above, since the risk process only considers one side of the equation, i.e. tactics. This has a number of negative consequences, which include reinforcing the disconnect between projects and their strategic roots, resulting in projects being focused entirely on their deliverables instead of on the intended benefits. There are many recent examples of projects which successfully delivered on time, within budget and to performance, i.e. meeting their deliverables, but which failed to realise the expected benefits to the organisation.
The one-sided focus on threats also denies organisations the chance of exploiting opportunities through the risk process, and results in a one-way street where the only option is project failure to a greater or lesser extent.
Including both threats and opportunities within the risk process increases the chance of meeting project targets on the “swings-and-roundabouts” (or “unders-and-overs”) principle (Ruskin, 2000).
For risk management to achieve its potential of bridging the gap between strategic vision and tactical project delivery, two modifications are proposed to the scope of the typical risk process in order to broaden the existing focus on tactical threats alone. The first change is to include strategic elements, and the second is to include opportunities.
Strategic Risk Management
Extending the existing risk management approach to cover strategic risk is a simple task of building on what is currently in place. The typical risk management process (for example Project Management Institute, 2004, p. 237-268) has the following steps, which are undertaken iteratively throughout the project lifecycle :
- Risk management planning : defining the scope and objectives of the risk process, describing the techniques and tools to be used, stating the thresholds of acceptable risk to various stakeholders, detailing roles and responsibilities etc.
- Risk identification : exposing and recording all foreseeable risks which could affect objectives, together with information on their cause(s) and possible effect(s).
- Risk assessment/analysis : estimating the probability of occurrence and severity of impact for each identified risk and prioritising risks for further attention, grouping risks into categories to identify hot-spots of risk exposure or common causes, and analysing the combined effect of risks on objectives using statistical models.
- Risk response development : considering how to respond to each individual risk and to the overall risk exposure, selecting a strategy which is appropriate, achievable and affordable, allocating each response to an owner.
- Risk monitoring : ensuring that agreed actions are implemented effectively, monitoring the effect on risk exposure, and communicating risk information to stakeholders with appropriate detail and frequency.
- Risk review : updating the risk process to assess the status of existing risks, determine the effectiveness of agreed responses, identify new risks, and review the overall risk process.
This process can be simply extended to address strategic risk in addition to the tactical area simply by focusing on uncertainties which might affect strategic objectives (Hillson, 2003b). If a risk is defined as “an uncertainty which if it occurs would affect one or more objectives”, it becomes possible to define various types of risk by reference to the different objectives affected. So tactical risks are uncertainties that could affect tactical objectives, and strategic risks are uncertainties that could affect strategic objectives. The same is true of risks to reputation, environment, safety, projects, programmes etc. The primary requirement for implementing strategic risk management is therefore to identify those strategic objectives which might be affected by uncertainty, for example the benefits defined in the business case, or stakeholder needs, or corporate goals.
The other required change to the tactical risk process to enable it to be used for strategic risk management is identification of roles and responsibilities at an appropriate level. Where tactical risks might be managed by the project manager or a functional manager, strategic risks are the responsibility of senior management. It is therefore necessary to consider who is suitable to be the risk process owner as well as individual risk owners at the strategic level.
With these modifications, the standard risk process can be applied at a strategic level, allowing identification, assessment and management of strategic risks.
If such a broadened approach is adopted however, it is important to ensure a clear relationship between the different levels of the risk process. This requires use of shared language and definitions for risk, a common risk process framework (including compatible tools, templates, report formats etc), a supportive risk-aware culture, and staff at all levels who are committed, competent and professional in their approach to risk management. These are the characteristics of a “risk-mature” organisation, able to handle risk effectively at all levels (Hillson, 1997; Hulett, 2001).
The definition of a risk as “an uncertainty which if it occurs would affect one or more objectives” also allows inclusion of opportunities as well as threats within the risk process, since an opportunity is simply an uncertainty with a positive effect on an objective. In the same way that the typical tactical risk process can be extended to deal with strategic risks by focusing on strategic objectives (Hillson; 2003b), the threat-based process can also be modified to address opportunities by including upside risk (Hillson, 2002a, 2003c, 2003d).
The standard process steps outlined above can be applied equally to proactive management of opportunities, including risk management planning, risk identification, risk assessment/analysis, risk response development, risk monitoring, and risk review. Some process modifications might be appropriate to encourage opportunity identification alongside threats (e.g. using SWOT Analysis, or constraints analysis, or force field analysis; as described in Hillson, 2003d), and different response strategies (Hillson, 2003d) are required for opportunities (e.g. exploit/share/enhance instead of avoid/transfer/reduce).
It only requires a small process change to include upside opportunities in the typical risk process, although a more significant change may be required in the attitudes and habits of the people involved, who often find it hard to escape the threat-focused mentality associated with traditional approaches to risk management (Hillson, 2002b).
This change to include opportunity within the definition of risk, and by implication to include opportunity management as part of the risk process, is increasingly being adopted across the risk practitioner community and in various industries (Hillson, 2002c), and is being reflected in various risk management standard documents published by national and international organisations as well as relevant professional bodies (reviewed in Hillson, 2003c), although it is not universally accepted by all risk practitioners (see debate in Hulett, Hillson & Kohl, 2002).
Integrated Risk Management
The evident disconnect which often occurs between strategic vision and tactical project deliverables typically arises from poorly defined project objectives and an inadequate attention to the proactive management of risks that could affect those objectives. On the risk management side, one of the main failings in the traditional approach arises from a narrow focus on tactical threats. This can be overcome by widening the scope of risk management to encompass both strategic risks and upside opportunities, creating an integrated approach which can bridge the gap between strategy and tactics.
Integrated risk management addresses risks across a variety of levels in the organisation, including strategy and tactics, and covering both opportunity and threat. Effective implementation of integrated risk management can produce a number of benefits to the organisation which are not available from the typical limited-scope risk process. These include :
- Bridging the strategy/tactics gap to ensure that project delivery is tied to organisational needs and vision.
- Focusing projects on the benefits they exist to support, rather than simply on producing a set of deliverables.
- Identifying risks at the strategic level which could have a significant effect on the overall organisation, and enabling these to be managed proactively.
- Enabling opportunities to be managed proactively as an inbuilt part of business processes at both strategic and tactical levels, rather than reacting too little and too late as often happens.
- Providing useful information to decision-makers when the environment is uncertain, to support the best possible decisions at all levels.
- Creating space to manage uncertainty in advance, with planned responses to known risks, increasing both efficiency and effectiveness, and reducing waste and stress.
- Minimising threats and maximising opportunities, and so increasing the likelihood of achieving both strategic and tactical objectives.
- Allowing an appropriate level of risk to be taken intelligently by the organisation and its projects, with full awareness of the degree of uncertainty and its potential effects on objectives, opening the way to achieving the increased rewards which are associated with safe risk-taking.
- Development of a risk-mature culture within the organisation, recognising that risk exists in all levels of the enterprise, but that risk can and should be managed proactively in order to deliver benefits.
Strategy and tactics are connected through project objectives, which are both affected by uncertainty, leading to risk at both strategic and tactical levels. An integrated approach to risk management can create significant strategic advantage by bridging the strategy/tactics gap, and dealing with both threats and opportunities, to enable both successful project delivery and increased realisation of business benefits.