Improving the application of risk management


Paper on risk management culture change and improving the application of risk management


Improving the Application of Risk Management: Moving from a ‘Name and Blame’ to ‘Name and Gain’ Culture

Karl Davey CEng MIEE
Head of Risk Management
Strategic Thought Limited
The Old Town Hall, 4 Queens Road
London, England SW19 8YA

Risk management is not just about processes and methodologies. It is also about people and their involvement in the objectives of having such systems. This paper explores why risk management often fails to deliver against defined performance criteria and looks at methods of improving the buy-in and commitment to making risk management work as promoted.

FOREWORD

Recent history is full of high-profile and newsworthy project/business failures. In many of these cases the quality of risk management has been questioned and blamed as a contributing factor. Of more significance, where project and business risk were identified, the lack of effective mitigation rendered the value of risk and opportunity identification meaningless.

But why does this happen? Many organizations involved in failures claim to undertake risk management and have developed processes based on widely published best practice guides or international standards. A common conclusion that can be drawn from the lessons learned, however, is that having a risk process and system in place is only part of the solution. If commitment and understanding, as to why risk management is important to all participants’ goals, is lacking and a team has not bought into the full risk process, including mitigation actions, the risk management process will fail.

TABLE OF CONTENTS

INTRODUCTION
PROMOTING BUY-IN TO THE RISK PROCESS
TECHNIQUES TO GAIN INVOLVEMENT
SUMMARY

INTRODUCTION

It is a fact that all projects and business endeavours face uncertainty. The need to address these sources of uncertainty and increase the likelihood of success is not only common sense but also good business practice. To this end many organizations seek management techniques to address these issues and, as a result, see risk management as the answer to this problem.

Today, risk management is widely publicised as a process which seeks to give organizations an edge in today’s uncertain and competitive environment. It is also generally accepted that the benefits of risk management provide, for example:

• greater understanding of project or business objects or goals;
• more realistic business and project planning;
• improved management of project and business costs; and,
• more effective communication within an organization.

It is therefore fundamental that a collaborative risk culture be developed to allow an organization to effectively address the problems and opportunities they may face. Unfortunately the farthest many organizations travel in creating a positive risk-aware culture is in developing detailed risk management processes, publishing them on their websites and mandating their organization or teams to “just do it”.

0-7803-9546-8/06/$20.00 © 2006 IEEE
IEEEAC paper #1001, Version 6, Updated Oct, 28 2005
However, all too commonly, an often overlooked area of the risk process is the human element. For risk management to be truly effective, individuals from all levels of the enterprise must be involved throughout the process and ideally from the outset of the endeavour. This means involving people and their opinions and perceptions. After all, isn’t risk management just another part of good people and project management?

Many organizations spend valuable resources developing what, on paper, appears to be an effective risk management process. But when exposed to their employees the process never operates as intended. Why is this? Surely the process couldn’t have been that wrong to start with?

The problem is a combination of people, the risk process and its shortfalls. The solution is simple in concept. Those involved within the organization just don’t see the value of the process and why it is necessary. Is people’s performance measured upon their involvement in the process? Most of the time the answer is no. And these busy people have enough to do without having to also think about how to solve difficult problems!

As a risk consultant, often called in to address these issues and address why the process is not working as intended, the feedback from interviews with staff can be very enlightening and forms a basis for the considerations management should consider when implementing a risk aware culture. Similar comments come up often, regardless of the industry or size of company. These comments generally share a theme that relates to understanding why the process is not important to them:

• I’m too busy running the project.
• We manage risk anyway.
• What’s in it for me?
• Risk always focuses on the negatives.
• It’s a paper exercise.
• It’s of no real value; it’s just maths and statistics.
• It doesn’t solve real problems.

From understanding how individuals perceive and react to the risk process we can see where processes go wrong.

[Figure: Where the risk management process goes wrong]

One major cause for poor perception of risk management relates to risk management being considered a “black art”. Granted, risk management does sometimes appear subjective. So we need to understand how to verify or input data and interpret the results more consistently and objectively. Also, since we are dealing with uncertain events, which may or may not happen, we need to be able to measure the effectiveness of our process. And another major issue relates to the view that risk management is a complex and specialist management technique that needs to be performed by expert risk managers. With all of these perceptions, the result can be a gradual withdrawal from a process that was designed to help, not hurt, the business.

Therefore, we must ensure that our processes encourage understanding, buy-in and commitment in order to achieve shared objectives from the outset. If we fail to do this, the risk process will spiral into disrepute and become untenable.
PROMOTING BUY-IN TO THE RISK PROCESS

The key to successful risk management (and in fact any management process) is a shared desire to succeed because this brings both personal and team satisfaction. From this flows a willingness to learn, comply and contribute. So it is necessary to ensure we develop (or enhance) a risk management process that encourages contribution from all parties involved in the project or business endeavour.

We must take a number of carefully considered steps and develop an internal risk environment that gains the contribution of those in our business. If we look at any standard risk process from the simplest perspective, then we can identify and simplify some improvement areas to make increased buy-in more achievable.

Identification – This is the first key step of the risk process. Undoubtedly, we will have identified risks from our documentation, assumptions, business plan or tender response. However, we should also talk to those people who are, or will be, actively involved in the project or business organization/enterprise: those that need to make things happen.

[Figure: Risk management stakeholders. A Risk Management System surrounded by Shareholders, Board, Customers, Suppliers, Regulators, Auditors, Staff and Management]

We, therefore, need to include all key stakeholders from all levels of the organization. History and lessons learned from previous projects provide an extensive source of risk information. The experiences of individuals in our organizations offer a living, breathing knowledgebase that can identify possible risks from experience and possible strategies to address them. It only takes one individual to identify an opportunity to benefit from a risk mitigating action in another part of the business for the real value of integrated risk management to be made.

Asking individuals to contribute at early stages of an endeavour demonstrates that their involvement and opinions are valued and is a key part of a risk manager’s role.

Evaluation – “Simple”, “sensible” and “comprehendible” are keywords at this stage of the risk process. As mentioned earlier, some risk processes are overcomplicated by organizations and can lead to a lack of understanding, of the meaning and substance of results, by those involved in the project. This loss of understanding can lead to increased costs, time and effort trying to explain the risk process rather than actually managing the risks that have been identified.

To develop a sensible understanding of the risk issues within the organization, simple-to-use techniques should be applied. Risk weighting factors and scoring/assessment criteria need to be developed and agreed upon by the key stakeholders of an endeavour.

[Figure: Probability Impact Diagram (Opportunity and Threat)]

These then need to be consistently applied across an organization and customized only to reflect projects or business endeavours which differ in terms of duration, budget or scope.

Risk Lifecycle – It is often all too easy to purely focus on the big risks: those that sit at the top of the risk list. But are we missing something? Are there risks that demand immediate attention that may not be at the top of the risk register? By also understanding when the risks we face will occur, we can make better use of our resources.

Significant value can be delivered by listing both the big risks that occur in the next 6 months and the smaller risks which can be cost-effectively managed within a specific time frame.

Management – The key to successful risk management has always been MANAGEMENT! For risk management to succeed we must do something about the risks we have identified and evaluated. This requires us to involve people in the process; and their contribution will be crucial to the success of our endeavour. To gain full and effective buy-in at this stage, it is important that we develop appropriate management actions. By appropriate I mean a real action that is neither too detailed nor too general to be of value. A management or risk mitigation action has to be a real task that is both measurable and realistic to achieve. Often known as “SMART” risk management, a mitigation action must be specific to the issue we seek to address, measurable in terms of the perceived goal, achievable and realistic to achieve, and have tangible results. Finally, the action must be timed, a predefined window of opportunity in which the risk can be addressed.

There are also risks that we will choose not to manage and those that will occur no matter what we do. It is important that we plan for the worst: develop contingency and recovery plans. These fallback plans need to be treated like normal actions and regularly reviewed to ensure that they remain valid and have not been superseded by other events.

WHAT ABOUT THE POSITIVE ASPECTS OF RISK?

Another reason why individuals groan at the sight of the risk team is that, unfortunately, risk management is often perceived as only being negative: risk management generally concentrates on the need to find potential problems. In this case, risk management is seen in a pessimistic light and the risk team then can always be seen as the bearers of bad news.

But risks can also contain positives. A risk could either be a threat to our endeavour or it could present us with an opportunity to increase business value. By attempting to identify both the threats AND opportunities, risk management can be seen as helping to realise benefits – not just as a tool used to identify problems. By actively seeking benefits the process can be seen to add even more value, the risk team as more positive contributors (not negative) and this will help produce a much more positive risk culture at all levels of an organization.

[Figure: Planning the lifecycle of a risk. Risk Management Lifecycle Timeframes, showing Trigger Date, Expiry Date, Resolution Date, Impact Period, Plan Start Date and Plan End Date]

TECHNIQUES TO GAIN INVOLVEMENT

As well as having a process that closely involves people from the outset, there are a number of other soft techniques which we should use to further encourage involvement and continuous contribution throughout an endeavour’s lifecycle.

Involvement – Encouraging involvement within the risk process needs to penetrate all levels of an organization. Highlighting the benefits of participation and involvement is core to this process. This visibility means that such things as naming successful individuals in board meetings, management team reviews and in dispatches emphasizes the importance of the activity. Leading from the top is very important. The board needs to be involved in this process especially considering recent corporate governance and internal control requirements, which state that the board must be aware of the risks to their business.

Another method of increasing involvement is to reward positive input to the risk process. Many companies already reward individuals who identify ways of increasing productivity or realize cost savings. There is no reason why this should not be expanded to risk management because, through risk management, an organization may avoid massive potential cost increases, realise savings and identify opportunities to significantly improve how a business is managed.

Champions – Although this article has said that risk management should be pursued by all, it is essential to have key sponsors and employees that have the necessary authority and budget to initiate and manage change. Ideally, the sponsors should also include a board member and a director whose responsibilities include risk management and has the authority to operate across operating divisions. If employees are aware that risk is taken seriously by senior management then they themselves will see it is in their best interest to participate in and contribute to the risk process.
Visibility – The visibility of risk management within an organization is extremely important to promoting a risk aware culture. The profile and importance of risk management within an organization has to be demonstrated. This can be achieved in a number of ways. For example, a statement on risk could be included in an organization’s dispatches, intranet or newsletters. Statements that highlight the importance of risk management and provide examples of its success in the organization increase awareness. In the past we have seen vast improvement in risk awareness on many projects and organizations by encouraging the placement of risk posters around an office.

These posters should be simple: they should list the top risks (threats and opportunities) for a set period, highlight ownership and propose management’s activities to mitigate the risks. This can act as a constant reminder of the potential issues that could drive a project or organization off-track. Also included on the poster should be the successes achieved to date. These successes, such as risks avoided, opportunities realised and management activities completed, should be highlighted as they positively communicate how a team is succeeding with their collective objectives.

Finally, people obtain satisfaction from positive promotion of their value to the business. So, if they have contributed positively to help resolve an issue they should also publicly receive the credit.

Communication – Providing a framework for effective communication is essential for any business process. This is especially true for risk management, which requires an environment that is open and provides an information-aware blame-free culture. To this end it is important that we assertively communicate about risks and issues by letting colleagues know of any risks that have been successfully addressed. In other words successes should be highlighted to show the process works. Likewise, if things go wrong, the failures or missed deadline should be openly discussed and the reasons for failure learned. Defensive behaviour by any team member should be actively discouraged and managed with positive encouragement, action and behaviour.

Training and Education – Lack of understanding within an organization or team is often a reason for ineffective process adoption. Understanding can be increased through education and training on risk management processes – whether on an in-house or formal training course. Many organizations run training courses for new employees on company procedures. A section of this training that included risk management awareness would emphasize the importance that the organization places on risk management from day one. Another couple of methods to improve risk management commitment and contribution are to introduce brief risk awareness lunchtime seminars and/or formal training for key project members.

New Technologies – Use of web-based technologies and company intranets is also becoming common practice. They may be used to effectively provide information on risk management best practice, and the benefits and progress achieved to date across distributed geographical environments. Some elements can include details of management techniques, contribution areas to allow feedback to be quickly communicated back to the risk team, and lessons learned from risk management in other business areas.

The risk manager’s toolkit needs to support and use technologies that add value. The use of web-based risk management tools allows all stakeholders to view information that is relevant to their level, understand the relevant risks they face now and in the future, and share that information across all levels of the organization.

[Figure: Web-based risk management system]
SUMMARY

In summary, when attempting to gain contribution to a process, the people cannot be overlooked. A combination of soft techniques and a formal process must be adopted to engage and demonstrate the importance of individuals to this critical function.

Aiding the creation of a risk-aware culture can be achieved by the sensible use of briefings, workshops and including a risk management discussion in progress meetings. Leaving risk management as the last agenda item during a meeting often means that it never gets discussed. This sends a message to the team that it is not important; so serious consideration to this should be taken into account when meeting agendas are set.

Encouragement should be given to the team to bring ideas forward even if they are outside of their areas of responsibility. And a team ideally should include all stakeholders in the endeavour: suppliers, customers, partners, subcontractors, regulatory authorities, etc.

A change in culture may be required. An organization needs to establish a blame-free environment that allows and encourages the airing of potential issues. Managers at all levels need to demonstrate that risk identification is extremely valuable to the business and something that needs to be embraced by all.

Finally, it must always be remembered that the key to risk management is management! The process will fail if management and end-user commitment/contribution is lacking, and risks are not efficiently identified, assessed, managed and pursued to their acceptable conclusion.

BIOGRAPHY

Karl Davey CEng MIEE of Strategic Thought Ltd is the Head of Risk Management and leads the Active Risk Manager Consultancy Team. Karl has over 12 years of in-depth and practical experience in the application of proactive risk management across organizations and on major projects – both in the Defense and commercial sectors. Karl regularly lectures on risk management and has provided proven risk management training for universities and clients in the UK, North America, Australia, New Zealand and Japan.

Karl believes that risk management does not have to be complex to be effective and has been working with a number of major companies to develop and champion risk processes which encourage contribution from all stakeholders.

Karl has also been responsible for developing the risk management chapter for the Association of Project Managers (APM) Project Pathways publication and was involved in developing the ‘Implementation of Risk Management’ Chapter for the new APM Project Risk guide.