The new risk management--organizational model and tools for project business

Introduction

The amount of project risk management literature is extensive. Many risk management books have been written recently, and project risk management topics appear frequently in contemporary conferences and journals. Project risk management has been a hot topic in the project management field for several decades. In recent years, many major project management associations have established special interest groups for risk management practitioners. Members of such special interest groups include thousands of individuals from industry and the academic world.

Project management standards of today represent the generic content of current project risk management. We mention here the ISO 10006 (1997) standard Quality Management—Guidelines to Quality in Project Management and Project Management Institute's (1996) A Guide to the Project Management Body of Knowledge (PMBOK^® Guide). The standards introduce the risk management content as a set of risk identification, quantification, and response development activities. Such activity sets are to be applied in the course of the project. The standards also include a control function guaranteeing that responses are conducted in an appropriate manner. Furthermore, new improvement suggestions to the standards include an early risk management planning activity that supplements project risk management. We appreciate the standards approach and the vast literature that it represents in a generic level. Indeed, the standards build a solid foundation for project risk management practices. The implicit suggestion in current project risk management literature and project management standards is that risk management processes would be applied in the execution of the project rather than related to phases of doing business with projects by say selling and delivering them with appropriate customer care. This paper builds the current risk management area further by going into such management aspects of the business as a whole.

Artto (1997) discusses the evolutionary perspective on risk management, Pitkänen (1999) reports advantageous modes of how different companies apply project risk management in different situations today, and Artto and Hawk (1999) introduce a perspective of trends and directions for future development of risk management in organizations. The motivation behind the historical review lies on the fact that understanding evolution and trends in a historical time span is essential to be able to draw conclusions of the current state and of future developments. In the following, we provide a brief summary of important directions for future development of risk management in organizations.

The development of the risk management field will continue with development of cooperation and networking models, and managing business processes related to projects. As many companies have adopted project-oriented working methods in their production and delivery side of business, a new paradigm concerning a project company and project business has developed. Finally, in the 21st century, a new concept and management discipline will arise that further contributes to the theory and management applications in project-oriented companies and project business. The importance of the management of the whole corporation in the project risk management field of the future emphasizes the role of organizational and individual learning schemes. They can be effectively supported by introducing risk management knowledge bases as corporate level vehicles for recording and disseminating knowledge across projects.

The rationale for this paper is to construct a concrete description of the business setting and risk management setting in a project-oriented corporation. The purpose of the description is to enable understanding of different levels and dimensions of risk management applications in corporations. The paper focuses on development of an organizational risk management model for project companies. Even though we define a project company as a company that sells and delivers projects to its customers, the model can be considered as applicable to any project-oriented organization that conducts at least some fraction of its internal or external operations in project form.

The paper constructs an organizational model for risk management that widely covers aspects of managing corporate business. The organizational model describes the overall area, which risk management in a project company should include and which aspects should be emphasized in risk management applications. By putting risk management in place in the organizational context, the paper simultaneously discusses the diverse more narrow well-known interpretations of risk management content and related applications in companies. The perspective on risk management is extended from the conventional project risk management area in many respects.

The new business-oriented model reported in this paper is derived from the PB-RISK research project. The PB-RISK research was started in 1998 and completed in 2000, with objectives to identify the current risk management status and to construct new models and tools for managing risks in project companies. The research was conducted at the Helsinki University of Technology (HUT), Finland, and at VTT Building Technology, Finland, in cooperation with eleven participating project companies from the Nordic countries. All participating companies were operating in international markets. As a background to the new model development, an empirical study on current risk management practices in eight project companies was conducted to provide an insight to today's project risk management practices (Pitkänen, 1999). The new organizational model introduced in this paper is based on another PB-RISK study, which is an ambitious attempt toward a paradigm shift in the project risk management field with detailed descriptions of corporate-specific risk management applications from a major telecommunication network supplier, a major pulp and paper industry supplier, and a major oil company (Artto et al., 2000). The three companies introduced each new ingredient to the critical consideration of the discrepancy between the generally accepted risk management definition and the fact of what project risk management is in today's industry.

In this paper, an organizational model for risk management is constructed that covers aspects of managing business in project companies. There are two reasons for adopting such a wide business-oriented perspective. First, risks inherent in projects cannot be separated from aspects of general business management. Second, because of the unique nature of projects, risk and uncertainty belong as a significant part to project business contexts.

The paper begins with an introduction of an extended project process that helps in demonstrating the important role of projects in the whole business context. Then, an organizational model of managing risks across organizational hierarchy and the related organizational model of risk management are elaborated.

Extended Project Process in a Project Company

The project management and project risk management literature introduces different application area specific project life cycles (for example, see PMI^®, 1996; Chapman & Ward, 1997). The reported life cycles are typically illustrated by project processes that range from project initiation to project closeout. The perspective is often limited to effective management of project execution only. Many project companies follow the well-known project execution context by choosing development of project execution related procedures as primary targets for project-oriented business development. Development of project execution and project management is often justified as development of core procedures for manufacturing the concrete final deliverable that is finally handed over to the customer. However, for a project company just mere development of project execution or project management does not suffice. The wider business-oriented perspective on project process development is discussed in the following.

Adopting wide business-oriented perspective on project process is essential for any project company. The wide—or extended—perspective on project process can be illustrated by a process context covering preproject phases related to project sales and marketing and postproject phases related to after-sales services (Artto et al., 1998). Exhibit 1 illustrates such extended project process that covers the project sales and marketing and after sales services related phases relevant for the business context. The exhibit also illustrates the project management process—as defined by current project management standards (ISO 10006, 1997; PMI, 1996)—positioned as a parallel management activity for the extended project process. The exhibit shows the widely accepted current interpretation of project management limiting itself to effective management of project execution only, excluding management of pre- or postproject phases associated with project sales and after-sales services.

Exhibit 1. Extended Project Process With Links to the Owner Unit

Exhibit 1 emphasizes the feature of linking the extended project process tightly to the management of the organization unit as the owner of the project process. This feature is essential for any project company or other multiproject environment where projects serve as vehicles for the organization's operations. The full or partial ownership of the project process in the organization unit requires that the organization unit applie management processes that support effective management and operations at the project level. Concerning this supportive and direction setting role subjected to the unit's project portfolio, recording experiences from project processes and learning become important issues. The exhibit illustrates in a simplified manner by arrows the dissemination of experiences from the project process to the organization unit for learning. However, the interrelation between the project process and the organization unit is not a one-way street only: The processes at the organization unit level must be designed to distribute experiences from previous or parallel projects back to the project process. Such distribution might occur in the form of company policies or instructions, guidelines, or suggestions of appropriate project procedures. In Exhibit 1, the experience arrows back to the project process from the organization unit illustrate the use of gathered experience at the project level.

In order to adopt a wide learning loop that enables dealing with issues related to the actual purpose of the project, the customer interface plays an important role. Linking of the project to customer's business is essential. The customer interface is better understood if the extended project process is adopted instead of using the traditional narrower project execution oriented definition for project life cycle. The extended project process includes the project sales and marketing and after-sales services phases. In these phases, considerations of the actual use of the purchased project product are the major issue. Thus, it is obvious that the most relevant considerations for learning purposes are available in the sales and after-sales phases of the project (or project product) where the project's purpose is almost entirely considered in terms of customer's business (and not in terms of how the project is executed).

Exhibit 2. Adopting a Wide Business Perspective

Using Extended Project Process for Adopting a Wide Business Perspective

Risk management associated with bidding provides an additional activity that can have an important relationship to the early preproject risk management phases. Bids represent potential or hypothetical projects that pose some probability of becoming a business contract.

As such, risk arises in two forms: there is a threshold risk associated with the likelihood of getting the order from the client, and then, if ordered by the client, there is the risk inherent in project execution. As is generally known, the probability of getting the contract can be easily increased, by lowering the bidding price and profit expectations, but this can also raise the probability of project failure in meeting financial and technical objectives. On the other hand, it is possible to find areas of potential cost savings due to new technologies and other innovations, which are theoretically encouraged in low bid strategies. Thus, the two apparently forms of risks are in fact closely tied to each other in the performance and execution of the project.

It is important to keep this connection in mind in the management of bidding activities, as there are also important relationships between contingencies, contingency strategies, and strategic decision-making, as it is associated with the bid becoming a profitable project. Project simulation and project models can be helpful tools to support risk management in the preproject phase.

Project simulation and project models are helpful supports to risk management in the bidding and preproject phases. The management of whole pool of bids in a systematic way requires recording of bids based on bidding databases that provide information reflective of profit and risk expectations, as well as the likelihood of getting the contract. An additional dimension is seen in bid-related considerations that arise from future business prospects with the customer in question. Such information can assist decisions regarding level of effort and types of measures appropriate to selling a project. This also helps decisions as to which resources are appropriately reserved for execution of future projects that currently have only a bid status.

Exhibit 3. Performance Pyramid

Finally, having a more comprehensive view of bidding and risk in the very early phases of a project requires considering the feasibility of a single project in light of the potential for future business. Exhibit 2 illustrates the project as viewed in a wider business-oriented context starting from pre-bid considerations. The important message in the figure is on emphasizing bidding in general and pre-bid phases as those relevant points in project sales and marketing. It should also be noted that this helps in consideration of the potential in a project's contribution to future business as a whole. We should be reminded that only success with customers on the long run can guarantee a chance for successful project deliveries in the future. This takes us to the importance of finding an appropriate attitude for postproject—or after-sales—phases, where continuous customer care plays an important role. Appropriate customer care and good references from customers bring in new opportunities for future project delivery orders. It is often helpful for project companies to adopt the principle that customers are being managed instead of just projects.

Managing Risks Across Organizational Hierarchy

Issues for Objectives and Measures

Risk management relates to management of the company as a whole. The purpose of the following discussion is to enable an analysis that can easily be linked to existing organizational levels and responsibilities in companies. For this purpose, we start our analysis—to be continued in the following sections—by referring to performance pyramid illustrated by Lynch and Cross (1991). The performance pyramid is shown in Exhibit 3. The four-level pyramid links strategy and operations by translating strategic objectives from the top down—based on customer priorities—and measures from the bottom up. At the top, senior management articulates a vision for the business. At the second level, objectives for each business unit are defined in market and financial terms. The pyramid illustrates the principal relationships between lower-level objectives to marketing and financial goals of business units at the second level: market measures are supported by both customer satisfaction and flexibility, and financial objectives are supported by flexibility and productivity. At the lowest base level of the pyramid, objectives are converted into specific operational criteria of quality, delivery, cycle time, and waste for each department. An operational control system of business operation systems must be based on tightly defined linkage between their objectives and measurements at the local operational level. The elements of this linkage are found in the four principal local operating performance criteria of quality, delivery, cycle time, and waste.

Exhibit 4. Extension of the Organizational Structure by Projects

Kaplan and Norton (1996) provide the Balanced Scorecard management framework where the process starts in an analogous manner with the senior executive management team working together to translate its business unit's vision and strategy into specific strategic objectives. The Balanced Scorecard framework objectives and measures view organizational performance from four perspectives: financial, customer, internal business process, and learning and growth. Referring to AICPA (1994), Kaplan and Norton (1996, pp. 39–40) recommend that companies should adopt a more balanced, risk management oriented, and forward-looking approach:

“To meet users’ changing needs, business reporting must:

• Provide more information about plans, opportunities, risks and uncertainties

• Focus more on the factors that create longer-term value

• Better align information reported externally with the information reported internally…”

Kaplan and Norton (1996, pp. 50–51) continue with the following comments on risk management: “…businesses should balance expected returns with the management and control of risk. Thus, many businesses include an objective in their financial perspective that addresses the risk dimension of their strategy—for example, diversifying revenue sources away from a narrow set of customers, one or two lines of business, or particular geographical regions. In general, risk management is an overlay, an additional objective that should complement whatever expected return strategy the business unit has chosen.”

Exhibit 5. Organizational Model for Risk Management

Extending the Organizational Structure by Projects

Exhibit 4 illustrates the performance pyramid in parallel with hierarchical organization structure. The performance pyramid shows the relevant management—and risk management—issues for each level of the organization. The organizational hierarchy is further extended by project processes. The basic message of the exhibit is to provide a view on which risks (or what kind of risks) are to be managed at which levels.

Organization units own external delivery projects and other projects. The ownership of projects is marked in Exhibit 4 by vertical arrows that link the project process to the organization unit. The arrows indicate the organization unit where the project belongs. The arrows also indicate simultaneously the organization unit where the profit of an external delivery project is accumulated. Note that it is not necessary that the whole project be owned by one single organization unit. Project item ownership can be defined at sub-project level, or at even lower levels. The ownership of a project can be shared, e.g., by two organization units—say the other being responsible for the civil works subproject and the other for the electrification subproject. In such case the sales income invoiced from the customer should be shared and recorded internally at least down to the subproject level. This way, sales income is accumulated in both subprojects, and balances the cost incurred in the subprojects, enabling that both subprojects are profitable. The profits from both subprojects are then summed up both to owner organization units of their own. However, in any case, the project remains as one entity, of which the project manager is responsible for. The arrangement to share the responsibility and profit as described above, will remain as a company internal scheme only; The external customer will see only one well coordinated delivery project, not two internal construction and electrification subprojects delivered by two internal suppliers.

Artto (1998) develops the management accounting framework of a project company further; In the framework, projects being the basic structural building blocks for recording both costs and sales income, company and business unit specific income statements can be derived by aggregating project income and cost information to organization units.

Organizational Model for Risk Management

The Organizational Model

Exhibit 5 shows the organizational model with the purpose of explaining positioning different risk management disciplines and related practices to different organizational levels. Responsibilities associated with risk management activities are marked by ellipses. Exhibit 5 develops further Exhibit 4 that already reflected typical management issues at different organizational levels.

Exhibit 5 explains that viewing the project process at the lowest operational level of the hierarchy implies a single project perspective, whereas the appropriate view of considering projects at higher organization unit levels requires that project portfolio perspective is adopted. Business risk management covers risk management activities in all levels of the organization. The small ellipses put different specific risk management disciplines and activities in place as responsibilities in the organizational management level hierarchy. The content of the exhibit and related responsibility and activity placements (ellipses) are explained in more detail in the following sections.

Risk Management Process and Project Risk Management

Project management literature and standards define the risk management process that could be thought of being situated at the operational project process level of the organizational hierarchy in Exhibit 5.

The generic simple risk management process provided by, for example ISO 10006 (1997) and the PMBOK^® Guide (1996), corresponds to the following three phases supplemented by a risk management control process for follow-up and control: risk identification, risk estimation, and risk response execution. Recent developments in the field have not only enabled better understanding of the overall risk management concept by introducing risk management processes of nine (Caño & Cruz, 1998), or eight (Chapman & Ward, 1997), or six (Kähkönen, 1998) phases instead of the three phases introduced above, but they have also gone into a more detailed level in defining the processes in order to allow overlapping and interaction between identifying, estimating, and responding phases.

Although the generic risk management processes could be used at any situation at any organizational level, the generally accepted implicit limitations in the project management literature are:

• Risk management processes are discussed in terms of how applicable they are for project execution. The discussion excludes sales (or preproject) and after-sales (or postproject) phase aspects in the extended project process.

• Risk management processes concentrate only on business risk type of risks that usually can be affected by means of project management in the execution phase.

The literature on project risk management does not suggest such a wide framework of risk management as introduced in Exhibit 5. In general, the literature does not provide the wide organizational management level perspective from the viewpoint of the whole corporation either. However, one line of development reported in recent literature is to implement hierarchical control mechanism in projects. For example, Jordanger (1998) reports a three-level structure for transferring control information from one level in the project organization to the next. Analogously, Turner (1993) introduces three levels of management in a project: integrative, strategic or administrative, and tactical or operational levels.

Financing, Damage Control, Country Risks, Technical System Reliability

Risk management responsibilities are often organized in corporations in the well-established disciplines of financing, damage control, country and geographical area considerations, and technical system analysis and reliability engineering. These areas are put in Exhibit 5 as responsibility assignments at certain organizational levels. In general, the current project risk management literature has excluded discussion about these specific specialty areas related to financing, damage control, country risks, and functionality of technical systems. Financing arrangements are often responsibility of manager of finance at the top of the organization; Financing is an umbrella function that covers the activities in the company as a whole. Damage control and hedging against pure risks such as accidents, losses and damages by applying appropriate insurance policies is often a responsibility area of a risk manager belonging to the staff at the top of the organization, too. Country risk considerations and considerations concerning geographical areas are often conducted at company or business unit levels by responsible business managers; country risks should be considered in relation to business strategy. Mostly the country risks relate to political area specific implications on project portfolios in that area. Technical reliability engineering related considerations are often conducted by the technical project staff that is responsible for features of the project deliverable. Thus, such technical system related risk management is focused to the product delivered by the project, which is reflected in Exhibit 5 by positioning technical system related risk responsibility down at the operational project process level.

Business Risks

By the traditional definition, business risks can usually be managed by company management or project management procedures and can only seldom be insured at reasonable premiums in insurance companies. Business risk in the project context refers to ordinary problems related to the project work. It is worth noting that technical solution related risks can be interpreted to contribute to business risks. This means that different specific methodologies such as technical system probabilistic risk assessment can be applied solely to evaluate technical risks and end-product performance related risks. From the project point of view, the technical risks turn out to appear as problems in project execution. This way they can be interpreted as business risk type of risks that affect project scope, time, and cost. In an analogous manner, the risks related to financing, damage control, or political and country risks may cover many risks of business risk type, or they may cause business risk type direct or indirect implications.

The large circle in Exhibit 5 indicates that business risk management covers risk management activities at all levels of the organization. Thus, business risk management should not be limited only to business risk type of risks only. Instead, besides managing business risk type of risks, business risk management could be thought of to cover also the above discussed narrow risk management specialty areas related to financing, damage control, country risks, and functionality of technical systems.

Project Portfolios

Risk management discussion related to project contexts has mostly focused on managing risks in single projects. As there are an increasing number of organizations—project companies—with several projects in their production lines, widening of the risk management perspective to concern such a multiproject environment, is important in the future. Managing projects in a multiproject environment automatically refers to management of project portfolios—and not just management of single projects separately.

There are not many studies on risk management developments associated with project portfolio risk aspects in the company. This is due to the fact that project risk management discipline concentrates on successful execution of single projects. Another reason is the fact that project business and management of project companies is a new area, and there are only few publications in this area.

As far as the risk management associated with project portfolios is concerned, there might be several aspects in analyzing and making strategic choices associated with projects at the company or business unit level. For example, for a project company operating in international markets, the country and area specific local risks are important to take into account. The country risks affect not only one single project in the specific country or area, but the whole portfolio of bids and projects in that area. There are many country and area specific risk reviews issued in regular intervals. For example, for analyzing local creditworthiness of different project portfolio areas of a project company, Institutional Investor (see Shapiro, 1997) provides global country credit ratings and analysis for ca. 135 countries, and separate ratings for North America, Eastern Europe, Western Europe, Africa, Middle East, Asia-Pacific, and Latin America.

In addition to particular geographical regions, also customers, product types, lines of business, or other important aspects may serve as criteria against which project portfolio risk should be considered. For example, Kaplan and Norton (1996, p. 60) provide an example of Metro Bank that turned its business towards a new product area. The bank increased fee-based services in its new portfolio of business cases and products. It chose a financial objective to increase the share of income arising from fee-based services not only for its revenue growth potential, but also to reduce its current heavy reliance on income from core deposit and transaction-based products. Thus, an objective to broaden revenue sources may serves both an opportunity for growth and risk management objective.

Conclusions

The new business-oriented model reported in this paper was developed in the Finnish PB-RISK research project. The objectives of the PB-RISK were to identify the current risk management status and to construct new models and tools for managing risks in project companies. The research was conducted in cooperation with eleven participating project companies from the Nordic countries. The new organizational model introduced in this paper is based on an empirical study on current risk management practices in eight project companies, and a more in-depth study on corporate-specific risk management applications with a major telecommunication network supplier, a major pulp and paper industry supplier, and a major oil company. The three companies introduced each new critical consideration of the discrepancy between the generally accepted risk management definition and the fact of what project risk management is in today's industry.

The implicit suggestion in current project risk management literature and project management standards is that risk management processes would be applied in the execution of the project rather than related to phases of doing business with projects by selling and delivering them with appropriate customer care. Widening of the risk management perspective to concern a multiproject environment is important in the future. This automatically refers to management of project portfolios in an organizational context—and not just management of single projects separately. Future trends in the field of project risk management relate cooperation and networking approaches, and managing the whole corporate business processes related to projects.

The paper constructed and introduced an organizational model for risk management. It extends the perspective of conventional project risk management area in many respects. In general, the novelty of the discussion in the paper lies in the new construct of the organizational framework where organizational levels above projects and preproject sales and postproject after sales phases play an important role. Current project management literature and standards do not define similar extended project processes with sales and after-sales aspects in order to emphasize the important business management context inherent in projects. Furthermore, the current project management literature has excluded discussion of analogous placement of the risk management specialty areas to the organization of a project-oriented company.

The organizational model introduced here puts different risk management specialty areas and related responsibility areas in place to different organizational levels. The model reflects in an integrative manner what appropriate issues at different organizational levels there are for company management and related risk management related to financing, damage control, country risks, and functionality of technical systems to the management context as a whole.

For development of project business in a project company, it is essential to adopt a wider perspective where both the organizational context of the company organization is considered, and the project process is extended to include all project phases relevant for selling and delivering projects to customers. Concerning project company's activities, bids represent potential or hypothetical projects with some probability of them turning into a contract. Thus, the risk associated with a bid is present in two ways: there is a threshold risk associated with the likelihood of getting the order from the client, and then, if ordered by the client, there is the risk inherent in project execution itself. Since success with customers in the long run is essential for successful business operations, any project supplier should pay attention to customer care also after project completion, i.e., in the customer's operations phase. The attitude should be to manage customers rather than just that of managing mere projects.