Building Resilience Through Strategic Risk Management

July 2023

Enterprise risk management is a strategic function that requires the attention of C-suite executives and Boards. The extensive global research on this topic reveals no shortage of grim scenarios to consider. For example, the World Economic Forum Global Risks Report 2023 identified risks spanning from the impact of the rising cost of living and inflation to failure to mitigate climate change.

The steep rise of the adoption of artificial intelligence (AI), fueled by the November 2022 release of ChatGPT, brings another set of global risks dominated by the risk of business disruption. This new technology is expected to impact a significant number of jobs, lead to increased cybersecurity threats and endanger the reputations of organizations that do not use proper frameworks for the use of generative AI, according to a recent Forbes article.

Given the overall increase in the speed of change enabled by multiple factors, such as global hyper-connectivity and the increased adoption of technology, we can’t expect the risk landscape to simplify. Quite the contrary: the complexity of risk management is steadily increasing.

But while technology, such as AI, big data, cloud and advanced analytics, offers new possibilities in risk monitoring, prediction and mitigation, people are the critical element in enterprise risk decision-making. Risks are fluid in nature; they pose both threats and opportunities. Examining risks from both angles requires a risk-embracing culture instead of the more traditional view of risks – a list of situations we aim to avoid.

Covid, global supply chain disruption caused by the Ukraine Crisis, ChatGPT – all of these are wake-up calls that are forcing organizations to rethink their risk strategies and act. Agility in enterprise project execution plays a critical role in an organization’s ability to course-correct in a fast and informed way. To foster this ability, organizations must connect strategic risk management and risk management functions, enabled by a strong risk culture that is characterized by diversity at the discussion table, a mindset of embracing risk fluidity, and an obsession with data.

Risk management is a critical part of any organization’s strategy to help identify and prepare for disruptions. Today, however, companies face more complex and volatile forces than ever. PMI identified several megatrends — including technological change, economic and demographic shifts and climate and diversity initiatives — that are driving the need for a broader approach to risk management. For example, four out of five executives in PwC’s 2022 Global Risk Survey report facing significant challenges in keeping up with the speed of digital and other transformations.

How can organizations respond to these forces, while continuing to pursue the growth and innovation that will keep them competitive?

Organizations with strong risk management practices are twice as likely to anticipate significant revenue growth and five times more confident in their ability to deliver on outcomes, according to PwC’s research. These organizations also perform better, as confirmed by a 2020 academic review in the IAA Journal of Applied Science.

These companies have a strong risk culture. Individuals, teams and departments across the organization — not just in isolated risk functions — have the skills to recognize and evaluate risks to see not only threats and restrictions, but opportunities and accelerators for growth. They have a common understanding of both the organization’s strategy and its risk appetite and use technology and data to support effective decision-making.

"Organizations should have a dynamic and flexible mindset toward risk management...This would help them be more agile and responsive amid an unpredictable future."

Arun Prakash Sharma, PMI-RMP, PMP
Senior operations manager at Ayu Health
Bengaluru, India

Knowing which threats are most likely to emerge can help companies adapt their project portfolios and help project professionals manage and mitigate risks on initiatives. Here are the issues generating the most concerns for CEOs — now and in the future:

_{Source: Allianz Risk Barometer, 2023}

Strategic risk management is a way to strengthen organizational resilience and ensure long-term growth.

As organizations prioritize environmental, social and governance (ESG) initiatives, these issues are raising the most concerns:

Risk management isn’t just about being on the lookout for potential problems. With a strong risk culture, it is easier to identify risks, establish triggers and develop mitigation plans that enable organizations to see not only the threats but also the opportunities in a situation. For example, during the COVID-19 pandemic, project teams helped their organizations take advantage of new or expanded markets: grocers rolling out delivery services for immunocompromised shoppers or apparel marketers developing new athleisure lines for remote workers.

At Adidas, efforts for strategic risk management start at the top. The company created a supervisory board to continually assess risks and opportunities and share insights biannually with an executive board. The benefits? C-suite members can balance probability against potential financial impact — then signal to risk owners how they can mitigate appropriately.

Carlos Carnelós, Americas delivery IT transformation executive at IBM Technology Lifecycle Services, Campinas, São Paulo, Brazil, says project leaders should redefine risk as “scenarios with uncertain outcomes that could also bring desirable results.” Thinking about risk this way can help “promote a growth mindset and foster a rich discussion to uncover both sides of this coin,” he says. “Engaging a diverse group of stakeholders on this exercise can also help explore the ‘what if’ of scenarios.”

That includes a concerted effort to elevate a variety of voices and bring in fresh perspectives on problems — and solutions. According to the 2022 PwC survey, 70% of executives prioritize diversity in risk teams. When Carnelós schedules periodic risk brainstorming and collaboration meetings, he establishes clear guidelines for each session to ensure feedback is inclusive.

“Taking different people’s perspectives with respect and appreciation fosters the willingness to participate and share,” says Carnelós. “It must have a specific place on everyone’s agenda to gather inputs, process and come out with actions and decisions.”

Carlos Carnelós
Americas delivery IT transformation executive at IBM Technology Lifecycle Services
Campinas, São Paulo, Brazil

Having myriad viewpoints on a particular risk can bring to light mitigation and action plans that might not otherwise have been identified.

“You may start discussing a threat and uncover a hidden gem that you’d like to invest in,” Carnelós says. “This type of mindset is fostered by leaders using different strategies such as ‘what-if’ analysis and brainstorming or even the simplest whiteboard or sticky notes. Taking a positive approach will identify possible outcomes, and the team will be able to continue investigating those that have merit.”

How AI Tools Can Sharpen Risk Management

Young believes that analyzing previous lessons learned is much more difficult and time-consuming without automated risk management tools in place. By tapping into AI and ML to collect data from multiple sources and projects, leaders can more efficiently compare, analyze and optimize information — then turn it into strategic insights for the entire project ecosystem.

Project estimates performed by a human can be very biased because they rely on historical business data that might be in different formats. AI and ML can be great equalizers: They can analyze large amounts of data to find patterns that deliver more accurate estimates.

“If the impact can be quantified and trended with predictive analytics, the probabilities for positive outcomes will be greatly improved,” she says. “With the capabilities to review several types of projects and results, we are better able to execute successful projects and reduce risk by more easily identifying mitigating factors based on the past.” 

Of course, teams can’t hand off all risk management to AI, but strategically tapping into technology can speed up the risk management process, freeing up time and headspace for project leaders.

“Project leaders have an enormous number of areas on which to focus,” Young says. Using AI and ML can help companies more accurately predict risk, giving project leaders “more time to analyze the results to improve predictive success.” 

Technology is not only fueling new ways of working but also helping identify and mitigate risk.

_{Source: 2022 Global Risk Survey, PwC}

Strategic risk management starts with an enterprise-wide risk strategy, but it must reach down into individual departments and teams as well. Armed with a clear understanding of how the company’s risk appetite aligns with its strategic vision, project managers can weave the right risk mindset into the fabric of their team’s ways of working. Rather than looking at risks within the narrow view of the project alone, they can bring a broader view by looking at the project within the context of the entire organization’s needs and objectives.

In this way, project professionals can serve as a critical link between the C-suite’s risk approach and day-to-day risk management practices. That responsibility starts with emphasizing risk review and assessment in each status meeting, says Marzikmal Omar, PMI-RMP, PMP, head of IT, e-services and telco portfolio, group PMO at Dagang NeXchange Berhad in Kuala Lumpur, Malaysia.

“Risk management is the first agenda item to be discussed and updated, as this will determine the status of the project and the next action to be taken,” he says. “By doing this, the team members will start to think how important it is to have a risk-awareness mentality in a project.”

Each project then goes through a risk management process that involves securing feedback from all relevant stakeholders. “We have dedicated risk management personnel in the project team that ensures each risk is closely monitored and updated accordingly,” he says.

It’s up to project management leaders to train and empower teams to explore different scenarios and evaluate options, adds Carnelós. By framing risk in new ways, he says, teams will be better prepared to respond with agility.

At IBM, project leaders are expected to plan and lead risk management activities with team members and stakeholders to build a shared understanding and create a culture of risk awareness. Empowering team members and stakeholders to actively participate in the risk management process promotes a cohesive team dynamic that will ultimately help yield better results at a project level.

“The higher the impact of the risk, the more detail you’ll need to gather and be able to prioritize the finite resources in support of the desired response or result,” Carnelós says.

Uncertain events can emerge from a dizzying array of sources — whether they’re global health events, geopolitical conflicts, industry pivots or socioeconomic shifts. Here are four ways to stay ahead of unknown risks, according to Vlad Siniavin, PMP, VP global delivery at Ciklum in London, England:

1. Watch out for ripples in the ecosystem. Staying on top of current events — through social media, trend reports or news sites — will help project leaders identify possible risks and trends in real time. Spotting those first ripples will ensure teams can better position themselves to ride the waves, rather than get wiped out by them.
2. Turn data into strategy. There’s a wealth of analytics tools that track information — everything from economic indicators to customer sentiment. But it’s up to project leaders to use that data to align decisions to the company’s risk appetite.
3. Ask the experts. Engage with a variety of stakeholders and specialists to determine which activities and trends merit attention. Project leaders can capture such insights and analyses by talking to analysts and researchers or participating in industry-specific groups and forums.
4. Map it out. Conduct scenario planning to understand how trends and developments might impact an organization and its initiatives. A clear vision of the potential risks and rewards will help organizations reprioritize projects and empower teams to anticipate the need to pivot.

A strong risk culture enables organizations to address risks most effectively and manage their impact, seeing both the positive and negative sides of risk and making effective decisions that align with the organization’s risk strategy. This contributes to resilient organizations that not only withstand the rapidly changing and complex challenges of today’s business environment but anticipate and capitalize on them to help drive growth and positive outcomes. 

Continue the Risk and Resilience Journey

Learn more about risk management and resilient organizational culture through the following resources from PMI:

• PMI Risk Management Professional (PMI-RMP)^® Certification
• The Standard for Risk Management in Portfolios, Programs, and Projects
• PM Network^® Article: Rethinking Risk Management
• Projectified^® Podcast: Managing Risk

Acknowledgments

PMI would like to thank the following contributors who provided their insights and actionable recommendations on strengthening organizational resilience and ensuring long-term growth presented in this report:

• N. Christine Aykac, PMP, PMI-RMP, PMI-ACP, Project Coach & Learning Strategist, Wareness, Canada
• Ciro Casimiro, Program Manager, KPMG, USA
• Seun Olaniyonu, Senior Business Analyst, Government of Saskatchewan, Canada
• Syed Ahsan Mustaqeem PE, PMP, Senior Engineer, Pakistan Petroleum Limited, Pakistan
• Jaka Borstnar, Director of the Project Portfolio and Change Management, Triglav Group, Slovenia
• Carlos Carnelós, Americas Delivery IT Transformation Executive, IBM Technology Lifecycle Services, Brazil
• Marzikmal Omar, PMI-RMP, PMP, Head of IT, E-Services and Telco Portfolio, Group PMO, Dagang NeXchange Berhad, Malaysia
• Arun Prakash Sharma, PMI-RMP, PMP, Senior Operations Manager, Ayu Health, India
• Vlad Siniavin, PMP, VP Global Delivery, Ciklum, England
• Pamela Young, PMI-RMP, PMP, Senior Global Customer Solutions Manager, Amazon Web Services, USA