Using risk management for strategic advantage
Risk management is recognised as an essential tool to tackle the inevitable uncertainty associated with business at all levels. Its use is however often restricted to the technical or operational field, addressing threats to processes, performance or people. Recent developments in risk management seek to broaden its scope to include strategic risks to the business, and to address upside opportunities alongside threats. Such a holistic approach positions risk management as an essential bridge between strategic and tactical levels. This paper explores the critical success factors for expanding risk management to deliver strategic advantage while retaining its use as a tactical tool.
Strategy, Tactics and Risk
Businesses exist to create benefits for their stakeholders, and the corporate vision or mission statement defines the scope and extent of those benefits, as shown in the left-hand side of Exhibit 1. However vision alone does not create business benefits, and many organisations use projects as the change vehicle to deliver the capability which leads to the required benefits, perhaps managing related projects through higher-level programmes (see right-hand side of Exhibit 1). Defining the vision and business benefits is the realm of strategy, whereas projects, programmes and their deliverables describe the tactics by which the strategy is achieved. Project (and programme) objectives sit between the strategic and tactical levels, since they are defined in relation to the strategic vision, and they in turn define the requirement for projects (top arrow in Exhibit 1). Objectives are also used to measure the value of project deliverables (bottom arrow in Exhibit 1). Many projects fail because of a disconnect between strategic vision and tactical project deliverables, often as a result of poorly defined project/programme objectives. This space between the two levels of strategy and tactics requires careful and proactive management if projects are to succeed in delivering the required benefits to the business. Yet it is precisely in this area occupied by project/programme objectives that businesses are most at risk.
Exhibit 1 : Strategy-Vision-Benefits and Tactics-Project-Deliverables
All business activity is undertaken in an environment of uncertainty, arising from a range of sources (Hillson, 1999). These include technical issues, commercial constraints, management issues and external dependencies. Successful businesses however do not seek to avoid uncertainty, because they recognise the relationship between risk and reward. The “zero risk” enterprise or project does not exist, and indeed is not desirable, since the available benefits are determined to a large extent by the degree of risk an organisation is prepared to confront.
Risk is however not the same as uncertainty. Risk arises when uncertainty has the potential to affect objectives, and can be defined as “Any uncertain event or set of circumstances that, should it occur, would have an effect on one or more objectives” (Simon et al., 1997). There are uncertainties that cannot affect objectives, and which are therefore not risks. It is this relationship between risk, uncertainty and objectives that makes risk management such an important contributor to both project success and business benefits.
Project objectives provide the link between the overall vision and the projects, which are established to implement that vision (Exhibit 1, top arrow). They also define the acceptance criteria for project deliverables, which provide the capability to realise business benefits (Exhibit 1, bottom arrow). Project objectives are however affected by the uncertain environment within which projects and business are undertaken, resulting in a level of risk exposure. Risk management exists to address this risk exposure, leading to an acceptable and manageable level of risk (Hillson, 2003a). This increases the chance of meeting project objectives, which in turn maximises the likelihood of achieving the required business benefits. As a result, there is a clear link between risk management and business performance: effective risk management should lead to realised business benefits, as illustrated in Exhibit 2 (Newland, 1997; Hillson, 1999).
Exhibit 2 : Link between Risk Management and Business Benefits
Current Risk Management Scope
Risk management has developed over many years into a mature discipline with its own processes, tools and techniques, and with consensus over the main concepts and practices (for example compare Institution of Civil Engineers, 1997; Simon et al., 1997; Australian/New Zealand Standard AS/NZS4360, 1999; Project Management Institute, 2000; UK Office of Government Commerce, 2002; Institute of Risk Management, 2002). Nevertheless projects still fail to meet their objectives and businesses are deprived of the expected and needed benefits, despite the theoretical principle that risk management should contribute to project and business success. Why is risk management failing to live up to its potential? (Charette, 2002)
At least part of the problem lies in the scope with which risk management is commonly applied, where two key limitations exist:
- Firstly, in most cases, the risk process concentrates on risks to projects, processes, performance and people, either addressing risks relating to technical functionality, or tackling issues of health & safety. The focus is almost entirely tactical, and does not consider strategic sources of risk which might affect either the project or the wider business.
- The second limitation in the way in which risk management is typically implemented is to restrict scope to dealing only with uncertainties that have a potentially adverse affect, i.e. threats. This ignores the existence of upside risk, or opportunity, which can be defined as risk with positive impact. Many organisations are beginning to extend the risk process to deal equally with both opportunity and threat, seeking to maximise the benefits as well as to minimise the downside.
The current scope of risk management to deal only with tactical threats in the project arena reduces its ability to tackle the strategy/tactics gap outlined above, since the risk process only considers one side of the equation, i.e. tactics. This has a number of negative consequences, which include reinforcing the disconnect between projects and their strategic roots, resulting in projects being focused entirely on their deliverables instead of on the intended benefits. There are many recent examples of projects which successfully delivered on time, within budget and to performance, i.e. meeting their deliverables, but which failed to realise the expected benefits to the organisation.
The one-sided focus on threats also denies organisations the chance of exploiting opportunities through the risk process, and results in a one-way street where the only option is project failure to a greater or lesser extent. Including both threats and opportunities within the risk process increases the chance of meeting project targets on the “swings-and-roundabouts” (or “unders-and-overs”) principle (Ruskin 2000).
For risk management to achieve its potential of bridging the gap between strategic vision and tactical project delivery, two modifications are proposed to the scope of the typical risk process in order to broaden the existing focus on tactical threats alone. The first change is to include strategic elements, and the second is to include opportunities.
Strategic Risk Management
Extending the existing risk management approach to cover strategic risk is a simple task of building on what is currently in place. The typical risk management process (for example Project Management Institute 2000, 127-146) has the following steps, which are undertaken iteratively throughout the project lifecycle :
- Risk management planning: defining the scope and objectives of the risk process, describing the techniques and tools to be used, stating the thresholds of acceptable risk to various stakeholders, detailing roles and responsibilities etc.
- Risk identification: exposing and recording all foreseeable risks which could affect objectives, together with information on their cause(s) and possible effect(s).
- Risk assessment/analysis: estimating the probability of occurrence and severity of impact for each identified risk and prioritising risks for further attention, grouping risks into categories to identify hot-spots of risk exposure or common causes, and analysing the combined effect of risks on objectives using statistical models.
- Risk response development: considering how to respond to each individual risk and to the overall risk exposure, selecting a strategy which is appropriate, achievable and affordable, allocating each response to an owner.
- Risk monitoring: ensuring that agreed actions are implemented effectively, monitoring the effect on risk exposure, and communicating risk information to stakeholders with appropriate detail and frequency.
- Risk review: updating the risk process to assess the status of existing risks, determine the effectiveness of agreed responses, identify new risks, and review the overall risk process.
This process can be simply extended to address strategic risk in addition to the tactical area simply by focusing on uncertainties which might affect strategic objectives (Hillson, 2003b). If a risk is defined as “an uncertainty, which if it occurs, would affect one or more objectives”, it becomes possible to define various types of risk by reference to the different objectives affected. So tactical risks are uncertainties that could affect tactical objectives, and strategic risks are uncertainties that could affect strategic objectives. The same is true of risks to reputation, environment, safety, projects, programmes etc. The primary requirement for implementing strategic risk management is therefore to identify those strategic objectives which might be affected by uncertainty, for example the benefits defined in the business case, or stakeholder needs, or corporate goals.
The other required change to the tactical risk process to enable it to be used for strategic risk management is identification of roles and responsibilities at an appropriate level. Where tactical risks might be managed by the project manager or a functional manager, strategic risks are the responsibility of senior management. It is therefore necessary to consider who is suitable to be the risk process owner as well as individual risk owners at the strategic level.
With these modifications, the standard risk process can be applied at a strategic level, allowing identification, assessment and management of strategic risks.
If such a broadened approach is adopted however, it is important to ensure a clear relationship between the different levels of the risk process. This requires use of shared language and definitions for risk, a common risk process framework (including compatible tools, templates, report formats etc), a supportive risk-aware culture, and staff at all levels who are committed, competent and professional in their approach to risk management. These are the characteristics of a “risk-mature” organisation; able to handle risk effectively at all levels (Hillson, 1997; Hulett, 2001).
The definition of a risk as “an uncertainty which if it occurs would affect one or more objectives” also allows inclusion of opportunities as well as threats within the risk process, since an opportunity is simply an uncertainty with a positive effect on an objective. In the same way that the typical tactical risk process can be extended to deal with strategic risks by focusing on strategic objectives (Hillson, 2003b), the threat-based process can also be modified to address opportunities by including upside risk (Hillson, 2002a, 2003c, 2003d).
The standard process steps outlined above can be applied equally to proactive management of opportunities, including risk management planning, risk identification, risk assessment/analysis, risk response development, risk monitoring, and risk review. Some process modifications might be appropriate to encourage opportunity identification alongside threats (e.g. using SWOT Analysis, or constraints analysis, or force field analysis), and different response strategies (Hillson, 2001) are required for opportunities (e.g. exploit/share/enhance instead of avoid/transfer/reduce).
It only requires a small process change to include upside opportunities in the typical risk process, although a more significant change may be required in the attitudes and habits of the people involved, who often find it hard to escape the threat-focused mentality associated with traditional approaches to risk management (Hillson, 2002b).
This change to include opportunity within the definition of risk, and by implication to include opportunity management as part of the risk process, is increasingly being adopted across the risk practitioner community and in various industries (Hillson, 2002c), and is being reflected in various risk management standard documents published by national and international organisations as well as relevant professional bodies (reviewed in Hillson, 2003c), although it is not universally accepted by all risk practitioners (see debate in Hulett, et al., 2002).
Integrated Risk Management
The evident disconnect which often occurs between strategic vision and tactical project deliverables typically arises from poorly defined project objectives and an inadequate attention to the proactive management of risks that could affect those objectives. On the risk management side, one of the main failings in the traditional approach arises from a narrow focus on tactical threats. This can be overcome by widening the scope of risk management to encompass both strategic risks and upside opportunities, creating an integrated approach which can bridge the gap between strategy and tactics.
Integrated risk management addresses risks across a variety of levels in the organisation, including strategy and tactics, and covering both opportunity and threat. Effective implementation of integrated risk management can produce a number of benefits to the organisation which are not available from the typical limited-scope risk process. These include:
- Bridging the strategy/tactics gap to ensure that project delivery is tied to organisational needs and vision.
- Focusing projects on the benefits they exist to support, rather than simply on producing a set of deliverables.
- Identifying risks at the strategic level which could have a significant effect on the overall organisation, and enabling these to be managed proactively.
- Enabling opportunities to be managed proactively as an inbuilt part of business processes at both strategic and tactical levels, rather than reacting too little and too late as often happens.
- Providing useful information to decision-makers when the environment is uncertain, to support the best possible decisions at all levels.
- Creating space to manage uncertainty in advance, with planned responses to known risks, increasing both efficiency and effectiveness, and reducing waste and stress.
- Minimising threats and maximising opportunities, and so increasing the likelihood of achieving both strategic and tactical objectives.
- Allowing an appropriate level of risk to be taken intelligently by the organisation and its projects, with full awareness of the degree of uncertainty and its potential effects on objectives, opening the way to achieving the increased rewards which are associated with safe risk-taking.
- Development of a risk-mature culture within the organisation, recognising that risk exists in all levels of the enterprise, but that risk can and should be managed proactively in order to deliver benefits.
Strategy and tactics are connected through project objectives, which are both affected by uncertainty, leading to risk at both strategic and tactical levels. An integrated approach to risk management can create significant strategic advantage by bridging the strategy/tactics gap, and dealing with both threats and opportunities, to enable both successful project delivery and increased realisation of business benefits.
Australian/New Zealand Standard AS/NZS 4360:1999 (1999) Risk management. Homebush NSW 2140, Australia/Wellington 6001, New Zealand: Standards Australia/Standards New Zealand
Charette, R. N. (2002) The state of risk management 2002 : Hype or reality? Arlington, MA, US: Cutter Information Corp.
Hillson, D. A. (1997) Towards a Risk Maturity Model. Int J Project & Business Risk Mgt, 1 (1), 35-45. [“The Risk Maturity Model was a concept of, and was originally developed by, HVR Consulting Services Limited in 1997. All rights in the Risk Maturity Model belong to HVR Consulting Services Limited.”]
Hillson, D. A. (1999, June/July) Business uncertainty: threat or opportunity? ETHOS magazine, 13, 14-17
Hillson, D. A. (2001, November) Effective strategies for exploiting opportunities. Proceedings of the 32nd Annual Project Management Institute Seminars & Symposium, Nashville, TN, United States.
Hillson, D. A. (2002a) Extending the risk process to manage opportunities. Int J Project Management, 20 (3), 235-240
Hillson, D. A. (2002b, November) Critical success factors for effective risk management Part 4: Risk Culture. Project Management Review, 23
Hillson, D. A. (2002c, February) What is risk? Results from a survey exploring definitions. [Report at www.risk-doctor.com/pdf-files/def0202.pdf]
Hillson, D. A. (2003a) A little risk is a good thing. Project Manager Today, 15 (3), 23
Hillson, D. A. (2003b, June) Gaining strategic advantage. Strategic Risk, 27-28
Hillson, D. A. (2003c) Extending risk management to address opportunities. Business Risk Management Bulletin, July 2003. London, UK: GEE Publishing
Hillson, D. A. (2003d) Effective opportunity management for projects: Exploiting positive risk. New York, US: Marcel Dekker
Hulett, D. T. (2001, November) Key characteristics of a mature project risk organisation. Proceedings of the 32nd Annual Project Management Institute Seminars & Symposium (PMI 2001), Nashville, TN, United States.
Hulett, D. T., Hillson, D. A. & Kohl, R. (2002) Defining Risk: A Debate. Cutter IT Journal, 15 (2), 4-10
Institute of Risk Management (IRM) (2002) A Risk Management Standard. London, UK: AIRMIC/ALARM/IRM
Institution of Civil Engineers (1997) Risk Analysis & Management for Projects (RAMP). London, UK: Thomas Telford
Newland, K. E. (1997) Benefits of project risk management to an organisation. Int J Project & Business Risk Mgt, 1 (1), 1-14
Project Management Institute. (2000) A guide to the project management body of knowledge (PMBOK®) (2000 ed.). Newtown Square, PA, US: Project Management Institute
Ruskin, A. M. (2000) Using unders to offset overs. PM Network, 14 (2), 31-37
Simon, P. W., Hillson, D. A. & Newland, K. E. (eds). (1997) Project Risk Analysis & Management (PRAM) Guide. High Wycombe, Buckinghamshire, UK: APM Group
UK Office of Government Commerce (OGC) (2002) Management of Risk – Guidance for Practitioners. London, UK: The Stationery Office
Dr David Hillson PMP FAPM FIRM MCMI is an international risk management consultant, and the Founding Partner of Risk Doctor & Partners (www.risk-doctor.com). His speciality is risk technology transfer, assisting organisations to develop in-house risk processes, and he is a popular conference speaker and author on risk, winning several awards for his papers. He is recognised internationally as a leading thinker and practitioner in risk management, and his recent emphasis has been the inclusion of proactive opportunity management within the risk process, which is the topic of his latest book “Effective opportunity management : Exploiting positive risk”, published in 2003 by Dekker of New York.
David is an active member of the global Project Management Institute (PMI®) and was a founder member of its Risk Management Specific Interest Group. He received the 2002 PMI Distinguished Contribution Award for his work in developing risk management over many years. He is also a Fellow of the UK Association for Project Management (APM), and a Fellow of the UK Institute of Risk Management (IRM), as well as being a member of the Chartered Management Institute.
David can be contacted at firstname.lastname@example.org.
Proceedings of PMI® Global Congress 2003 – North America
Baltimore, Maryland, USA • 20-23 September 2003