Where do risks (threats and opportunities) arise from?, presented by Lynn Stalker, 10th Oct 2016, APM North West branch conference
Where do risks (threats and
opportunities) arise from
Presenter: Lynn Stalker CMIRM
Does this sound familiar?
• It’s late …
• It wasn't supposed to do that ..
• It doesn’t work …
• It’s going to cost me how much more …
• Have you listened to a word I’ve said ..
• Oh, I see you’ve done it in that way, well ...
Late Delivery of Project / Over Budget?
This presentation is aiming to consider sources
of risk (though this is not exhaustive) and
where to use them.
• In all types of undertaking, there is a potential for events
that constitute opportunities for benefit (upside), threats to
success (downside) or an increased degree of uncertainty
• For all types of organisations, there is a need to
understand the risks being taken when seeking to achieve
objectives and attain the desired level of reward
– All projects have risks, whether that be a threat or an
opportunity, and these can come from a multitude of different
external and internal sources.
• The purpose of using a variety of sources is to ensure
that the extent of unknown unknowns is as small as
• The first stage in identifying risks is to understand where
the sources of risk can arise from.
– Asking the following questions:
• Who are the parties involved?
• What do the parties involved want to achieve?
• How is it to be done?
• What resources are required?
• When does it have to be done?
Risk Management Process Framework
What are the
What can we
do? What will
Define risk treatment strategy
Monitor and review
Define boundaries and
objectives for evaluation
Project Definition Risk
How are we doing?
Step 1 in the 5 step process, identification
is the first and most significant phase of
the risk management process.
What are the risks
Sources of risk
Likelihood / impact
Ranking / Prioritisation
Identify an devaluate options
Plan mitigation strategies
Monitor and review
Hierarchy of Risk Registers
Routine activities of any organisation, processes, maintenance,
asset care. Efficiency of operations, including disruption associated
with people, processes and products
Typically associated with projects (mitigators to programme /
strategic risks), mergers, acquisitions and product developments.
Effectiveness of processes, as well as significant risks to
improvement including management of projects
Sets out the long-term aims, missions and objectives of the
Example – Implementation of a new IT system
Internal Drivers / Sources
• Financial Risks
– Internal control
– Historical liabilities
– Capital expenditure decisions
– Liquidity and cash flow
• Marketplace Risks
• Research & development activities
• Intellectual property
• Contracts / commercial
• Infrastructure Risks
– People skills
– Health and safety
– It systems
• Reputational Risks
– Brand extensions
– Board composition
– Control environment
– Brand quality
– Contamination / activity release
Project Scope and Programme / Project Objectives
• Scope of work needs to be understood before risk identification
– Every project has goals that need to be clearly defined and
understood as to what is to be accomplished, to prevent a lack of
understanding, misinterpretation and getting off track
– The project needs to be fit for purpose and not a business wish list
(too many nice to have features)
Programme / Project Assumptions
• Circumstances or events that need to occur for the programme /
project to be successful, but are outside the total control of the
programme / project team
– If you have any reason to believe the assumption may be broken or
unstable, then you should include as a risk.
– If you have no reason to believe it will impact the scope, then no risk is
– It is necessary to understand and test assumptions for the project by
asking these questions:
1. Stability – Is the assumption accurate?
2. Sensitivity – What impact does the assumption have?
Assumption Example: “No contamination or unforeseen ground conditions found during
Risk Example: Whilst undertaking excavations historically important remains are
Or: Whilst undertaking excavations ground contamination is detected
Represent a major risk
factor because they
Uncertainty in the ongoing
support from external
stakeholders to proposed
approaches impacts on
Compliance with all
applicable rules and
regulations, especially in
highly regulated sectors, for
example Nuclear, Banking
The organisation breaches its
authorised discharge limits
The Branch breaches its
• Emergent risks are those that have not yet occurred but
are at an early stage of becoming known and/or coming
into being and expected to grow greatly in significance.
• They do not have the ‘track record’ of other better known,
non-emergent, risks and usually arise in the longer term.
– Low probability with catastrophic consequences
– Emergent risks cannot often be easily identified or anticipated
– These risks are more likely to have the major effect
• Sharing of learning from experience or other
• Subject Matter Experts
– Where the opportunity arises, individuals not
immediately involved in the project can be
brought in to risk workshops
• project managers,
• engineers or
• operations resources.
• Supply chain
– These individuals will be independent from the
project, but will be experienced and qualified.
• Drawings / diagrams
• Fault trees
• Process flow diagrams
• Plant or process walk downs
• Safety Workarounds
Key Points / Summary
• Risk Management is a continuous process and as such should be
owned and managed by the programme / project on a routine basis
• It is not a one size fits all process
• It is not possible to know if all possible sources of risk are ever
identified, there will always be some unknown unknowns
• Identifying risks will provide benefits to any organisation / programme
/ project by way of improvements in:
– Successful delivery of change and increased operational efficiency
– Reduced cost of capital
– Assurance to stakeholders regarding management of risk and improved
– Competitive advantage
– Enhanced political and community support
What information would I utilise at a risk
identification meeting / workshop?