Risk Management
Introduction
All projects and enterprises are fraught with uncertainty, arising from a multitude of sources related to technical, management, project and commercial issues, and the need for major projects to assess risk early in the programme has been recognised for some time. An increasing number of organisations are beginning to reap the benefits of the proactive management of uncertainty.
Risk management involves balancing risks and rewards. It is therefore vital for any successful organisation to undertake detailed risk assessments early in the life of any project, as the implementation of identified risk reduction measures is likely to be less costly than future remedial action. The subsequent management of risk through the life of a project aims to maximise the chances that equipment will be delivered within the planned time, cost and performance goals, and maximise the opportunity for increased financial rewards.
Risk management has a key role to play in the effective evaluation of technical options, cost/benefit trade off analyses, in the submission and evaluation of bids, as a basis for commercial negotiations and in the assessment of the impact of change proposals. As a result, risk management is a key to the success of all endeavours and should be embedded throughout any organisation that wishes to succeed in today’s competitive environment.
There is a growing demand for assistance in the development of effective processes to help in the identification, assessment and management of risk at both the project and business level. The purpose of this paper is to identify why, for any organisation, “Risk Management is Your Business”. A mechanism for assessing the effectiveness of any organisation's current approach to risk management will be presented together with mechanisms for selecting the most appropriate future implementation. Finally, a brief introduction will be given as to how risk management can be introduced at all levels of an organisation, from a strategic overview of total business risk down to detailed assessments of the risk associated with individual projects.
Background
The essential aim of risk management is to improve decision making by reducing uncertainty and minimising its effect. It also makes clear the relationship between risk management and project success, since risks are measured by their potential effect on the achievement of project objectives. Failure to manage risks effectively will lead to problems meeting some or all of these objectives.
Effective risk management involves a comprehensive identification of all sources of risk, an objective assessment of their significance, planning of responses to reduce the risks, and management of the responses in order to achieve the desired outcome for the project. The overall aim is to ensure effective proactive management as opposed to waiting for risks to occur and fighting the resultant fires.
There are a number of proven techniques for risk identification and assessment, at a variety of degrees of sophistication. The analysis of identified risks may purely be qualitative, making an assessment of probability and impact together with determining owners and responses. The next stage may be to use quantitative analysis in order to assess the combined effect of the risks, using powerful simulation tools to predict potential outcomes in terms of schedule, cost or performance. Whatever depth of analysis is chosen it is essential that the risk process moves on to plan responses that result in actual management action to deal with the risks.
There is a clear link between risk management and the success of projects. Risk management must form part of the project culture and be an essential item in the project manager's toolkit. The effective tackling of risk will distinguish between an effectively managed project and one that stumbles between crises. Project management must always be forward looking, constantly identifying issues that pose a potential threat to success and focusing attention on reducing, avoiding or controlling risk exposure before it has a chance to affect the project.
Having identified how risk management can be applied, the next step for any organisation is to identify whether its existing processes are adequate and what can be done to ensure that its current chosen methods of identifying and managing risk compare favourably with best practice or that of any direct competitors.
Assessment of Risk Management Capability
The Risk Maturity Model (RMM) has been developed to meet these needs. This model, first developed at HVR Consulting Services (Dr D A Hillson, International Journal of Project and Business Risk Management, Spring 1997, and others), has been used by a number of organisations to benchmark their risk processes and to identify the means to enhance their risk capability. It has also been used as a means of assisting organisations with the introduction of risk management in-house, as the RMM provides a measure for the effectiveness of the changes made.
It provides a clear understanding of the current approach to risk management as well as a guide to the intended destination. Any organisation must be able to benchmark its present maturity and capability in managing risk and define progress towards achieving increasing risk maturity. The RMM provides clear guidance to organisations wishing to define, develop or improve their current level of risk management maturity, identifying realistic targets for improvement and helping to develop action plans for increasing risk capability.
The RMM describes four levels of increasing risk capability, from Naive through Novice, Normalised and, eventually, Natural. The aim is to provide a structured path to excellence with identifiable milestones along the way against which organisations can be measured.
• The Naïve risk organisation is probably unaware of the need for the management of risk and has no structured approach to dealing with uncertainty. Management processes may be repetitive and reactive, with little or no attempt to learn from the past or to prepare for future threats or uncertainties.
• The Novice organisation may have begun to experiment with risk management, perhaps through the drive of interested individuals, but has no formal or structured process for risk management in place. At this level the organisation may be aware of the potential benefits of risk management, but without systematic implementation of processes and tools, is not gaining the full benefits.
• The Normalised organisation is the level to which most probably aspire. The management of risk is established within normal business processes and risk management is conducted on most projects. Risk processes are defined and in use at all levels of the organisation although there may be shortfalls in some areas.
• The final level in the RMM is defined as Natural. At this stage the organisation is risk aware with a proactive approach to risk management at all levels of the business. The information generated by the risk process is actively used to improve the business and gain competitive advantage over rivals.
The brief descriptions of each RMM level indicate where an organisation stands in terms of the relative maturity of its risk processes, but a more detailed diagnosis is required for consistent and objective assessments of standing. Therefore each level within the RMM is further defined in terms of four attributes, namely Culture, Process, Experience and Application. These allow an organisation to assess its current risk processes against agreed criteria, set targets for improvement and demonstrate progress towards enhanced risk capability.
• For the Naive organisation the attributes are probably at the lowest level, the culture is resistant to change and the need for change is not recognised. There may be no risk processes, no experience of using risk management and no application within the business.
• The culture of the Novice organisation may not be fully convinced of the benefits of risk management and tends to see it as a necessary overhead. Processes are probably not well defined and their effectiveness is dependent upon the limited experience of a number of key individuals. The application of risk management is likely to be inconsistent.
• The Normalised organisation will have a culture that recognises risk and expects to realise benefits from its management. Formal processes are in place, resources are available and staff have experience in undertaking effective risk management. Its application is routine and consistent across all projects.
• The Natural organisation is a risk aware culture that operates proactive risk management and that strives to gain the full benefits. Best practice processes are implemented at all levels of the business with regular updating and active learning from previous projects. All staff are experienced in using risk processes and the application of risk management is across all spheres of the business.
It is recognised that some organisations may cross the boundaries between successive RMM levels, but the granularity between levels is such that there should be a clear distinction in most cases, and it should prove possible to allocate most organisations unambiguously to a single level. The assessed RMM level can be used in a number of ways. For example, organisations may wish to enhance their level of risk capability, devising strategies to ensure more effective management of risk. Alternatively they may want to rate themselves against key competitors in order to gain a business advantage.
Once risk maturity is assessed, steps can be taken to develop action plans for moving towards the next level. Given the increasing profile of risk management, and the growing awareness of the business benefits that can be gained, many organisations are seeking to implement formal risk processes. It should be noted that there are different barriers faced by organisations at each of the RMM levels which must be overcome if progress is to be made to the next level of risk maturity.
The implementation of risk management into an organisation is not a minor challenge and cannot be undertaken in a short period of time. It is also not a simple process of identifying techniques, sending staff off on training courses, buying software and getting on with it. Use of the RMM will enable those who offer support to organisations to diagnose the current position and will aid in the development of specific strategies for progressing the implementation effectively. Used jointly with an organisation, the RMM can help managers to recognise their current position with respect to risk management, identify their current strengths and weaknesses and focus attention on the key attributes for change.
Assessment and Implementation
The next stage is to identify how the RMM can be, and has been, applied in practice by discussing in some detail how risk management capability can be transferred to an organisation. This discussion will be related to real ‘technology transfer’ projects that have been undertaken by HVR-CSL for a number of major clients.
Companies striving to set up, or enhance, their own risk management ‘centres of excellence’ often use external consultants in order for them to achieve their goals. This work can involve reviewing the particular requirements of the organisation, helping to establish and customise suitable risk management processes, carrying out their implementation and conducting the training of staff. Subsequent involvement can be through periodic reviews of the process to ensure quality is maintained and any shortfalls identified and rectified.
A four stage process is required for any successful assessment and implementation of risk management within an organisation, namely:
• Definition
• Diagnosis
• Demonstration/Validation
• Delivery
However, before any work can begin in earnest, strong direction, leadership, commitment and a champion from senior management are required. Ideally a risk management co-ordinator should be appointed from within the organisation to act as the focus for the direction of the implementation and its subsequent control.
• The purpose of the Definition phase should be to agree the scope and objectives of the transfer process, how risk management is to be applied effectively to the company business. At this stage it is essential that the commitment of senior management is obtained and that the changes to be introduced are seen at all levels to be essential for the future success of the company.
• The Diagnosis phase should be used to assess the current position and approach to risk management. It should incorporate a review of existing processes, if any, for project and risk management and it should result in the identification of any changes and improvements necessary.
• Demonstration/Validation will involve the selection of pilot projects to demonstrate and validate the revised approach. This will prove the process, methods and tools and will allow the eventual delivery and roll out to be effectively tailored and customised to meet the specific needs of the organisation.
• The final Delivery of the technology transfer process will result in the development and delivery of formal risk management processes and tools, staff training on the revised techniques, a planned and phased roll out across all aspects of the organisation and the provision of on-going support.
The RMM has proved invaluable for use throughout the four phases. It has assisted in the setting of objectives for the technology transfer process by objectively diagnosing the current capabilities of the organisation with respect to risk management. In practice the model can be used independently by both the organisation management and the external consultants to arrive at a consensus view of the current position. It is then used in assisting with the definition of the changes required to existing procedures, processes and tools in order to achieve the required risk management capability and, finally, it is used again during Delivery to monitor progress against the original objectives.
Tools and Techniques
The actual implementation of risk management into an organisation will clearly call for the application of specific tools and techniques. Any tool must be relevant to the manner in which it is to be used, must be relatively straightforward in use, not impose an unnecessary burden on staff, and must produce tangible benefits.
Traditionally, the use of tools in project risk management has centred around two approaches. The first has been the use of a Risk Management Database, often referred to as a Risk Register (although strictly speaking this is a database output), for recording of risks identified, for qualitative assessment of these risks in terms of probability of occurrence and scale of potential impact, and for the definition and monitoring of actions necessary to control the risks.
The second revolves around the use of sophisticated software tools that allow quantitative risk analysis to be undertaken. These allow the combined effect of all identified risks on the project schedules, budgets and technical performance requirements to be modelled and the range of potential project outturns identified.
Whilst these tools are essential components in the successful risk management of any one multi-million-pound project, they are clearly not applicable to all situations. They require detailed expenditure in time and resources and do not assist, without significant investment, in assessing the overall level of risk inherent in the total business at any one time. Similarly for a manufacturing organisation that may, at any one time, be running with many tens of small to medium sized projects, detailed risk assessment of every project is neither appropriate nor affordable.
Having recognised this current shortfall, and the need for organisations to assess risk in total across the business, HVR-CSL have produced the Top Down Risk Model (TDRM) in an attempt to address the situation.
1 comment:
Great post about risk management. A cheaper alternative to managing risk is to use the Risk Management Plan by Method123.