A Synopsis of the Risk Assessment/Management Journey

This is the last in the series of 10 articles on risk assessment and management (RA/M).  Just like implementation of a RA/M process in any organization, this series of short diatribes has been a journey.  Of course, it is impractical to attempt to encapsulate the details of each previous article in his last one, but it is entirely feasible to attempt to here relate the highlights of the journey.  Below I have organized the synopsis into sections on organizational/cultural issues, technical aspects, risk management, and recommendations for successful implementation of RA/M.

Just some of the organizational/cultural stuff

To the uninitiated, it might seem as though RA/M is all about measuring threats and opportunities (i.e., risks) and implementing processes to mitigate (threats), capture (opportunities), and manage risks.  While measurement and management are secondary tenets of any RA/M scheme, it is really all bout changing behaviors - of organizations and of individuals.

With regard to implementing a RA/M process in any organization, the statement: "We get rewarded for successfully launching a project and not necessarily for launching a successful project" captures and encapsulates both the essence of the challenge and the basis for remedy.  Articles 1 and 2 primarily addressed these issues.

After describing a risk as: "A pertinent event - threat or opportunity - that has a textual description" and further asserting that a risk has at least an associated probability and consequence, I suggested that "proving" the benefit of RA/M was most easily done when RA/M is applied to a portfolio of relatively short-term projects.  It also was proposed that a project-team member's feeling of personal success and security has to be separated from the success of the project if objective RA/M is to be realized.  Proposed was the "assembly-line worker" analogy. This model envisions creation of a work force composed of individuals who are interested in creating the best portfolio of projects rather than tying their sense of security to a specific project.  Reorganizing the workforce into discipline-specific central units was recommended.   Members of these units would be seconded to multiple projects as a means of breaking the tie between a worker's perceived sense of security and the success of a particular project.

In the third article it was stressed that communication is key.  Myriad disciplines will view, discuss, and measure risk in colloquial ways.  I suggested that it is folly to attempt to change the language employed by any discipline but, rather, it should be agreed that a common set of terms and definitions will be utilized by all disciplines when communicating with one another, or, "up" or "down" the chain of command (the "High German" model).  

Just some of the technical stuff

The crux of articles 4 and 5 was the idea that the various disciplines that contribute to successful execution of a project (legal, security, health & safety, environmental, commercial, financial, logistics, political, engineering, etc.) will not only communicate uniquely about risk, but each will measure risk in a colloquial manner and will express risk in a fashion that best expresses their measurements and communication mode.  Risk registers, traffic lights, tornado diagrams, cumulative frequency plots, PIG (Probability/Impact Grid) plots, colored-box matrix, text, and a host of other risk-presentation methods will rightfully be employed.  

It is the job of the Risk Proponent (RP) to ensure that these various measurements and expressions of risk are integrated and the holistic impacts of these risks are reflected in the perceived value of the project.  The risk monetization process is the recommended method for integrating the impact of threats and opportunities and for reflecting that consequence in perceived project value. The risk monetization process is essential for sorting the threats and opportunities in the risk register so that only those risks are addressed that will enhance value.

Just some of the risk management stuff

Articles 6, 7,and 8 focused on risk management and I began by espousing that the impediments to risk management are primarily behavioral, cultural, and organizational.  Recommended risk-identification workshops - held early in the project lifecycle - will identify risks that might occur "down the road" and "on the watch" of individuals and groups different than those who have control of the project at the time of risk identification.  One of the main changes to the reward system centers on encouraging project-team members -  that are in control the project when the "down the road" risks are identified - to take an active (and usually expensive) interest in implementing steps to mitigate threats and to capture opportunities.  Many threats and opportunities typically are projected to occur in later segments of the project lifecycle when the contemporary project-team members have long since relinquished control and responsibility.  Cultural, organizational, and, mainly, reward-system modifications usually are necessary.

It is pointed out in these articles that the RP should be ready to deal with the erroneous criticism that risk-identification workshops focus on threats and give less emphasis to opportunity identification.  This perception stems from the long litany of threats and relatively short list of opportunities that result from such workshops.  The disparity in the magnitude of the number of threats and opportunities is a consequence of the tendency of project teams to have accounted for almost all opportunities in their "base case" leaving few opportunities to be identified.  Threats, however, are mainly ignored when creating the base case and, therefore, the list of potential threats not accounted for can be relatively lengthy.  It is the job of the RP to attempt to ensure that, in the end, the impacts of all pertinent threats and opportunities are reflected in the perceived project value.

Yet another aspect of risk management is to attempt to ensure that "soft" risks are taken into account.  A thing such as political risk is rarely a line item in a project economic evaluation.  However, it can be things like political risk that have the greatest impact on the project.

One of the last major risk management points in articles 6, 7, and 8 is that of how upper management perceives the RA/M process.  It is communicated in these articles that it is essential to have upper-management "pull" for the RA/M process (and members of upper management have to understand RA/M and mean what they say!), but that too much "pull" can be disastrous.  For example, if upper management were to suddenly become imbued with the spirit of RA/M and issued an edict to the organization that "We will now do RA/M," the issuance of such an edict can easily come before the RA/M support materials, educational classes, personnel, etc. are in place. Such a situation can result in the organization seeking "outside" RA/M assistance - most of which will not be of a caliber or of a philosophical posture that is satisfactory.  Beware of what you ask for!

Just some of the "road to success" stuff

In article 9, I attempted to consolidate many of the steps that might be taken to ensure a successful RA/M implementation.  I addressed the upper-management "getting it," communication, and reward system issues in detail - aspects of RA/M to which I had previously alluded.   However, in article 9 I described in some detail the areas of education and of surveying the risk landscape.

I suggest that timely education be offered at (at least) three levels.  Separate educational efforts should be designed for Upper Management, for Business Unit Management, and for those personnel who will actually run/use the risk-based applications.  Unless folks at these three levels truly understand RA/M and the impact it will have on them, on the organization, and on the fortunes of the company, it is likely that compliance with RA/M practices will lax.

A last point made was to be sure to survey the existing RA/M landscape of the organization before you attempt to foist upon them a new and different RA/M scheme.  Tremendous resistance can be mustered from entities that, right or wrong, feel as though they already employ a RA/M process that a adequately addresses their needs.  Identifying such processes and "folding them into" your new RA/M proposal can be most advantageous.

So, I hope you have enjoyed reading these 10 articles as much as I have enjoyed bringing them to you.  All of the information conveyed, and much more, is described in detail in the books referenced below.  Please feel free to contact me regarding any risk issues you might have, and thanks again for your time and patience.

By:  Glenn R. Koller

References:
Koller, G.R., Modern Corporate Risk Management - A Blueprint for Positive Change and Effectiveness, J. Ross Publishing, Ft. Lauderdale, FL, 2007.

Koller, G. R., Risk Assessment and Decision Making in Business and Industry, A Practical Guide:  2nd Edition, Chapman & Hall/CRC Press, Boca Raton, FL, 2005.

Koller, G. R., Risk Modeling for Determining Value and Decision Making, Chapman & Hall/CRC Press, Boca Raton, FL, 2000.

Comments

Member Login