beyond the textbooks
by Kelvin Murray
As with many management disciplines, risk management is too frequently relegated to an academic exercise. Many organizations do an excellent job of the initial steps of identifying and qualifying risks on paper but fail to develop and apply the findings of this analysis to deliver against the bottom line. These organizations squander an opportunity to leverage the knowledge gained to validate initial plans, progress toward improved efficiency, and drive better business decisions. Rightly applied, risk management goes beyond the textbooks to a true lifecycle approach—from the establishment of key roles within the risk management organization to the process of containing and closing the risks—and becomes an integral component of an organization's management processes.
The Risk Control Organization. Since risks can affect all parts of an organization, the most effective risk management process will be one in which people from all organizational units are actively involved and fully understand their risk management responsibilities. By establishing a formal risk control structure within the overall program control organization, individuals at all levels will be galvanized to include consideration and control of risk in their daily planning and decision-making.
The Risk Control Organization must cover all the activities included in the process, as illustrated in Exhibit 1. Specific roles should include:
■ Program Director—Charged with overall responsibility for risk management.
■ Risk Management Committee—Selected from the top levels of the program's project organization. Provides overall guidance on risk management activities. Regularly reviews risks that could potentially have the most significant impact on the program (the “Top 20” risks). Validates that correct ownership has been allocated for all risks.
■ Risk Manager—Acts as the engine powering the risk management process. Ensures owners are appointed for all risks. Maintains the risk register/database. Selects program-level risks and runs quantitative analysis models against the program plan. Provides administrative support to the risk management committee.
■ Risk Owners—Selected by the risk manager and/or the risk management committee. Responsible for formulating and implementing risk containment strategies. Risk owners are normally the managers most likely to be affected by the occurrence of the risks concerned.
■ Risk Action Managers—Assigned by risk owners, and charged with specific actions within the risk containment strategy.
■ Planning Manager—Ensures that risk control actions are incorporated into program plans and schedules. Provides the risk manager with versions of the program plan for risk modeling.
Exhibit 1. The heart of this risk management process is the risk register, or database, which contains information about all the identified program risks and the actions taken to control them. People from all organizational units are actively involved in identifying, assessing, controlling, containing and/or closing risks.
The Risk Management Process. Exhibit 1 illustrates a risk management process that has effectively supported a number of programs. At the heart of the process lies the risk register/database, containing information about all identified program risks and about the action being taken to control them. The information in the register must be dynamic, and must reflect the current status of risks and risk actions. Risk management activities and risk information must move ahead together. The information must not be “left on the shelf.”
The process in the exhibit consists of two complementary areas of focus, namely risk identification and assessment, and risk control, containment and closure. The shaded areas in Exhibit 1 indicate how the activities in the risk management process are subdivided into these two areas of focus.
Risk Identification and Assessment. Risk identification is the process by which the perception of a potential problem is translated into recorded information. This information must contain sufficient detail to enable effective assessment of the risk, thus supporting subsequent management decisions. As stated earlier, many organizations confuse this process with risk management itself, and, once risks are identified, assessed and logged, simply stop. An organization will only realize its risk management investment—and only achieve organizational improvement—when the risk management process is carried through to the later stages of risk containment and control.
Those working within their own areas of responsibility will recognize new risks during the course of the program. Risks will also be exposed at reviews and meetings, held internally or externally with the customer.
All new risks should be given draft status until the risk management committee has reviewed them. The committee can sanction the opening of a “live” risk, require that a further assessment is carried out, or reject the risk altogether. If a risk is rejected by the committee, then the reason for rejection is recorded on the risk control form and a copy is sent to the originator of the risk.
Following risk identification, qualitative risk assessment enables an organization to estimate the probability of a risk event occurring, and the potential impact of the risk on the program. The results of the assessment are recorded on a risk control form and the risk manager then shows the overall results on an impact/probability chart called a risk grid. These results are used to determine the priority to be given to the risk containment strategies and the level of management review to be afforded to each risk.
The least significant risks, called activity-level risks, are treated locally. The risk manager reviews the activity-level risks every month with the risk owner to monitor progress of risk control actions and to check these risks for possible inclusion in the program-level risk set. The risk manager reports all new activity-level risks to the risk management committee.
The risk management committee marks the more significant risks, called program-level risks, for full-blown risk modeling and containment. These program-level risks will be subjected to quantitative assessment of their impact on program cost, schedule, and performance. Their effect on the program plan will be modeled, and the results briefed to the risk management committee. In addition, a further subset of the program-level risks, perhaps a “Top 20” list, will be reviewed in detail at regular risk management committee meetings.
Through the use of this hierarchical assessment approach, organizations can focus critical, in-demand resources on the most important program issues.
Risk Containment and Control. To truly take risk management off the shelf and deliver bottom-line impact, responses must be developed to the threats represented by the identified risks. Risks can only be managed effectively by committing responsible parties to positive actions geared to the risk containment strategy. Effective risk management will equate to optimizing the degree of containment against the probability and impact of the risk.
The risk owner will analyze all identified risks to establish the appropriate containment strategy, even if no action is required immediately. Rarely will a risk be completely eliminated. Risk containment, therefore, involves identifying a strategy for minimizing the effects of the risk to a level where it can be controlled and managed to ensure that the project objectives are achieved.
In producing the containment strategy, the risk owner also investigates potential secondary risks that arise as a direct result of a containment strategy. A containment strategy might represent a cost-effective approach to deal with the risk; however, the risks the strategy entails may be unacceptable. The risk owner's actual tactics will depend on the unique circumstances of the risk and its assessment. That said, strategies generally fall into one of the following categories:
■ Risk Reduction—Measures that will decrease the likelihood and/or impact of the risk to a point where it has reached a level of acceptability. As previously stated, it is not usually cost effective to completely eliminate a risk.
■ Risk Monitoring—The predicted impact could be judged acceptable when the cost of mitigation is taken into account. In this instance, the strategy would be to monitor the risk and only take action if the impact prediction becomes unacceptable.
■ Risk Protection—The adoption of parallel measures that will reduce the impact if the risk occurs. An example of this would be to seek a second source of supply for parts of the system that may develop technical or supply problems.
■ Risk Transference—Measures that will transfer the impact of the risk to another area where the consequences are considered more tolerable.
Having determined the risk containment strategy, the risk owner is responsible for implementing the strategy by allocating risk actions, with target completion dates, to the appropriate members of the program team (the “action managers”). The risk owner is responsible for ensuring that these actions are carried out and for amending or changing the actions as required to ensure that the risk containment remains appropriate. In this process, the real value of risk management is delivered—supporting a program or an overall organization as it works to meet high-level objectives on time and on budget.
The risk management committee provides a further level of oversight and control for program-level risks by reviewing the results of the risk modeling carried out by the risk manager. Where the committee identifies extra control measures as being necessary, the likely benefits of these measures can be verified through further modeling. Any necessary adjustments to the risk containment strategy can then be recorded on the risk database and relayed to the risk owner for articulation into on-the-ground action. Similarly, decisions made by the risk management committee arising from the regular in-depth review of the “Top 20” risks can be fed back into the risk control cycle.
The risk manager ensures that the risk owners and action managers are aware of any changes to the risk control or risk action forms. The control process continues until the risk has been managed to an acceptable level and can thus be closed.
The risk manager should facilitate all these phases by holding regular risk reviews with the risk owners. These reviews allow the risk to be reassessed, taking account of changing project circumstances and the changing nature of the risk as the containment strategy takes effect. If this reassessment changes the risk actions and/or the qualitative and quantitative assessment, the risk manager updates the risk register.
Closing Risks. When the risk is no longer considered a threat, the risk owner, in conjunction with the risk manager, recommends the closure of the risk to the risk management committee. The risk can only be closed if the committee sanctions the recommendation. The risk manager then changes the status of the risk on the risk register from open to closed and records the reason for closing the risk on the risk control and risk action forms.
As part of the risk closure process, the risk manager facilitates a “lessons learned” analysis with the risk committee and/or the risk owner. The aim is to build on the successes and failures involved in managing the risk, allowing these to be applied/avoided when addressing other program risks. Again, these lessons should be recorded in the risk register/database for retrieval as needed. This approach enables an organization to gain multiple payback for its investment in risk management activities, and can act as a catalyst for continuous organizational improvement.
Beyond the Bookshelves. Organizations can significantly enhance overall program management, improving schedules, budgets, and all management decisions by deploying a lifecycle approach to realize the benefits associated with risk management.
Only through a highly proactive stance can the critical “next steps” be taken beyond risk assessment: ensuring that potential problems are mitigated as early as possible and that corporate decisions are backed by best-available information. Once a risk is identified and assessed, and the risk management team agrees on a solution, tasks must be assigned to specific individuals who are then held accountable for producing results.
Used as a key driver for all major decision points, including supplier and partner decisions, IT infrastructure issues, research and development issues, and reengineering initiatives, risk assessment information can be mined to evaluate each proposed solution and the overall organizational impact.
Risk management must be recognized as an ongoing, end-to-end component of an organization's overall program management methodology. Failure to articulate this vision will undermine senior management buy-in, stymieing the resource allocation critical to drive organizational improvement.
Kelvin Murray is an operations manager with Robbins-Gioia Inc., a program management firm based in Alexandria, Va. He has been responsible for risk management programs for the Royal Air Force, London; IBM, Thailand; as well as for a wide variety of programs with Robbins-Gioia. He is a member of the risk management special interest group of the Association for Project Management in the U.K.
PM Network • June 1998