The Benefits of Choosing a Career in Risk Management

What is risk management:
Risk management is the process of identification, assessment and treatment of risks that seeks to minimise, control and monitor the impact of risk occurrence through the cost effective utilisation of resources.

Where does risk management apply
Risks occur in every walk of life, in every industry and in every service delivery enterprise, both private and public sectors. The severity of risks occurring depends upon many factors. In order to quantify such severities most organisations traditionally employ some sort of risk processes to assess the likelihood of risks occurring and their perceived or calculated impact. This enables risks to be prioritised and resources applied to meet the overall best interests of the organisation and its internal and external stakeholders.

Risks, great and small
In today’s connected and integrated world risks and their impacts can and do translate across international boundaries. No longer are they confined to departments and within individual companies. Economic boundaries and geographical structures are such that companies now need to assess risks in a world where a volcano in Iceland can cause the closure of a manufacturing plant in Japan.

Equally at the individual organisation level the importance of undertaking health and safety risk assessments in order to protect the health, safety and welfare of it’s employees is a legal obligation for many companies. Product manufactures will undertake design risk assessments in order to ensure that the ultimate users are protected from any safety related design hazard.

Local authorities are required to ensure that they provide safe highways and passage for the general public. For example, they will need to assess the amount of sand and grit they will need to ensure they can cope with the pressures of harsh winter weather to protect the individual motorists and the unsuspecting pensioner on an icy pavement.

All of the above and in many more private and public sector industries and services there is the basic requirement for someone or some persons to identify a potential risk, to evaluate the likelihood of the risk occurring and to calculate the impact or consequence of the risk in order to best minimise its impact.

Risk management – does it work?
Armed with the knowledge that risk is everywhere but that there are robust systems and processes to manage them is it safe to say that such systems and processes work?

Certainly there are many examples of where risk management has worked. If the available systems and processes didn’t work then they simply wouldn’t be used. Risk departments and risk mangers would be unlikely to exist and an irresponsible attitude to risk would likely be prevalent.

Risk management however does not work in all cases. It’s impossible not to be tempted to assert that the BP oil well catastrophe in the Gulf of Mexico could have been prevented if the risks had been fully evaluated. Similarly the lack of controls to adherence of risk processes that has resulted in global financial problems has been laid at the doors of some of the worlds largest financial institution and banks.

Another dimension to risk management
With the proliferation of risk management tools, the use of highly complex modelling techniques and experts and specialists in their fields of expertise, why is it that risks of the magnitude and scale noted above, to the trip hazard on the local pavement, to the vulnerability of the child in a local authorities occur?

It is simply that risk management is not just about rules and regulations. Successful risk management needs a culture and a set of values that ensures that it becomes part of an organisations DNA. If corporate culture is perceived as resentful towards those who raise risks then any risk process is useless. People will hope that the problems just go away. The culture must allow for honesty and openness that allows for maximum benefits to arise from the tools and modelling techniques.

Why choose a career in risk management?
Risk managers and people whose job it is to minimise the occurrence of risks are experts in their field. Their value contribution to any organisation is immense. Qualifications in risk management for some specialised industries – for example insurance – is sometimes necessary and will certainly add to an individuals self marketing capability. However a large number of active risk management individuals do not consciously set out on a career path of risk management. They some how stumble in to it. At this point there is a choice. Do you stick with the tools and techniques or do you grasp the risk agenda and take it forward? The emergence of enterprise risk management aligned to systems thinking; the inescapable link between successful risk intelligent organisations and culture; the in depth knowledge of an organisation and its independencies are immeasurable assets in a world where some have developed a low tolerance to risk. A career in risk management can be as dull as it can be exciting. The choice is yours.

But remember, risk is about taking the opportunity to grow, expand and compete more effectively. Without risk, there is no reward – for the organisation or for the individual.

Posted in Uncategorized | Comments Off

Improving Risk Management

Previously I have written about management and its risks and how best to categorise it through your business to ensure your risk management system is thorough and relevant to requirements of the business. Risk Management is all about what risks the business owner or management will take into the business, which of these will be insured against, and which risks will be managed or eliminated. Underpinning sound risk management systems is the willingness to embrace a positive and open attitude to asking (or being asked) tough and confronting questions. To assist with this process I have put together some ways you can assess or improve your internal systems.

Management risk is a value add
It is not a separate process – Integrate it into your decision making processes
It is a tool to help implement your business strategies
Ask what you need to get right to successfully manage your business and achieve your goals

Establish your business and personal priorities

Set the risk thresholds for your corporate and operational strategies
Clear priorities mould your organisation’s culture and its attitude towards the business stakeholders
Incorporate measurement of the businesses risk profile at regular Director / Senior Management meetings
Decide you your business risk appetite

Establish the type and level of risk your business will carry
Communicate this to the relevant senior management within the business
Reconsider the Company’s risk appetite in conjunction with changes in the business environment
Ask questions constantly

Probe Company management regarding business performance and management in conjunction with each other
Questioning highlights the desire to be proactive towards risk management
Be open minded when asking questions and receiving the responses
Integration of risk management

High business performance and good risk management to have same emphasis
Consider risk management implications to current and new business activities
Management reports to include risk management report as well as all other activity and performance reports
Use all information sources

Get all levels of the workforce to provide information on potential risks
Talk to external stakeholders such as auditors, financiers, key customers and suppliers
Robust risk assessment can also uncover hidden opportunities to improve your business
Allocation priorities to identified risks

Identify major risks and work on these first (e.g. WHSE&T, excess debt)
Accept that you cannot manage all risks facing the business at one time
Understand the risk management processes for each of the major risks and report regularly
Risk benchmarks and indicators

Use the Company audit reports (internal and / or external reports)
Indicator information come from financial data, customer / supplier communication and scanning the business environment
Align the reporting process to the agreed indicators
Use lead and lag indicators
Use software tools to assist in risk identification, management, reporting and review

Risk management structure

Match the structure to business size and complexity
Appoint one person or small group of people to be responsible for structure, operations, effectiveness, reporting and review
Challenge management, management activities and Director activity
Have a clear agenda and policy for risk management.

Posted in Uncategorized | Comments Off

Risk Management on Projects

Project Risk Management

How does project risk management differ from any other type of risk management? Well in most regards it doesn’t. However, as this is a project focused activity it helps simplify the overall focus by looking only at the core project fundamentals of scope – which are cost, quality and time. Remember that, I may test you later!

There are a number of good training videos available on YouTube that cover this principal. I’ve added a couple below to help bring home the point of this article. I find watching a presentation often easier to take in than reading some else’s thoughts.

Project Risk Management

So what is project Risk Management is all about? In an earlier article I talk about what risk and risk management are about. If you are still confused about what risks are and what risk management is about then read this article, it should bring you into the picture. On projects we talk about risk as any event that could cause an unplanned change to the projects scope – i.e. impact the project costs, timeline or quality of the deliverables, or any combination of the three.

What isn’t always obvious when talking about project risk management is that we also need to consider the positive impact a risk may have on a project – i.e. reduce costs, decrease the time line or increase the quality of deliverables. In reality it’s not very often that project risks present positive opportunities. Never the less, as project managers we have a responsibility to recognize and act on these risks positive or negative. That’s Project Risk Management.

David Hinde wrote a good article back in 2009 about using the Prince 2 Risk Management technique. Without getting imbedded in any particular methodology, the general approach to project risk management should follow a similar framework and this is as good as any for the purpose of this article:

David talks through a Seven Step process,

Step 1: Having a Risk Management Strategy

This means setting up a process and procedure and getting full buy-in from stake holders in how the organization will manage risk management for the project.

Step 2: Risk Management Identification Techniques

Where do you start in the identification of risks around a project? There are many risk management techniques and David suggests a few which are excellent. However, I like to take a step back and make a list of all the critical elements of a project on the basis of “if this task doesn’t happen will it be a show stopper?”. This helps be build a prioritized list of critical tasks against which I can then consider the risks – what could go wrong to impact this task.

Here’s my thought process on risk identification outlined:

List out critical deliverables
List out, against each deliverable, dependent tasks
List out against all dependent tasks and critical deliverables “any” potential event that could delay or stop the delivery to plan.
Grab a template risk analysis matrix and complete the first pass of assessment – probability v impact for each risk.
Take it to a project meeting and use it as the baseline for brainstorming.

Step 3: Risk Management Early Warning Indicators

Don’t rely on basic performance of the project as an indicator that everything is going well. Status reports showing a steady completion of tasks could be hiding a potential risk.

In risk management a number of other factors need to be on the project managers radar on daily basis. Things that I always look for are delivery dates from vendors – how confirmed are they, is there a movement in delivery dates (you’ll only see this if you regularly ask for confirmation updates from the vendor), resource issues – key individuals taking sick leave or personal leave more often than normal.

Delays in getting certain approvals signed-off by the steering committee or other governance bodies – will this impact orders going out or decisions being made on critical tasks? Getting qualified people in for inspections and certification (new buildings for example require a lot of local regulatory inspections). These are just a few of the daily challenges a Project Manager will face and all can be indicators of trouble to come.

As you gain more experience in risk management you start to instinctively recognize the early warning signs and challenge the culprits earlier in the process. You’ll also finds the a good project manager will build-in mitigation for the common project ailments at the very start, sometimes seeing the tell-tale signs when selecting vendors or suppliers will be enough to select better alternatives and this is what I call dynamic risk management at work.

Also keep an eye on the world around you – economic or geological events elsewhere can have a dramatic impact on local suppliers and supplies of key project materials. For example, flooding in Thailand has impacted the delivery of various computer components that are manufactured there, causing impact in both supply lines and pricing. (Yes, I work in Asia so see this type of impact first hand..)

Step 4: Assessing the Overall Risk Exposure in Risk Management

Taken directly from David’s article as he says this quite clearly – “PRINCE2 2009 gives an approach to show the overall risk situation of a project. Each risk is given a likelihood in percentage terms and an impact should it occur in monetary terms. By multiplying one by the other an expected value can be calculated. Totaling the expected values of all the risks gives a monetary figure that easily shows the exposure of the whole project to risk.”

There are many similar ways I’ve seen risk calculated in organizations variations on risk management. Â As long as there is a common approach for showing all risks, prioritization and impact on a project then risk management will work and add value in protecting the investment in the project. Each project and each organization will have their own requirements in terms of how they want to see risks analysed and presented. By and large it doesn’t matter how this is done, as long as it IS doesn’t and it makes sense in the context of the project and organization. There are risk management tools to help organise and manage this.

In another article I’ll talk more about the Risk Management matrix and show a few examples. In my mind the only wrong way to do this is to not do it at all.

Step 5: Considering the Effect of Time on a Risk and Risk Management

The effect of time when analyzing risks is that the more imminent a risk the higher priority it may take. I say “may” as it may be that a very low priority risk with low impact may be about to happen where as a higher priority risk may be weeks or months away. How do you manage this?

Common sense (of which there is no such thing) would suggest that if the higher priority risks are still a long time away then the imminent lower priority risks should be dealt with first, as a higher priority..? Perhaps?

You’ll have to take a pragmatic view on this, every situation needs to be taken on its merits and in risk management, not being an exact science, you’ll be expected to make judgment calls and discuss options with your client and project board or steering committee. After all, the governance board of a project has a responsibility to steer such decisions so the role of a good project manager should be to collate the facts and present the data with recommendations. Let the higher paid guys make the big decisions.

Step 6: Giving a Clearer Approach to Help Define Risks in Risk Management

David gives an example in his article which I’m struggling to relate to the world of projects as I know them. I think essentially what this focuses on is the “mechanics” of the risks in such a way as to help us understand and look at the cause and effect of scenarios that could lead to the risk happening.

In this way we can focus on the lowest common denominator(s) that will generate the risk and mitigate those items. Is that a little confusing? The principal is, I believe to nip the problem in the bud by recognizing what or where the bud is. Don’t get hung up on this, I would say this is something you’d tend to do naturally as you gain experience in reviewing risks and dealing with risk mitigation (prevention).

Step 7: Focus on Opportunities in Risk Management

Finally – and last but not least, where can we make or recognize risks as opportunities. An example David talks about suggests that, for example, a new release of a software product that would offer major benefits if included in the project would be a possible “positive” risk.

This I can relate to more, with the experience of being asked to change the specification on a traders dealing system half way through a major project because the manufacturer had released a major systems improvement, a completely new model, that the bank saw as a strategic advantage.

The analysis of this risk covered the obvious change in costs, the new system was more expensive, the implementation was zero impact compared to the older system however there was a large element of re-training the trading staff and proving the system for the bank before go live. This became the biggest challenge once the cost differential had been signed-off by the project board.

The additional training time required was squeezed into evenings and weekends so the final project delivery schedule was not impacted – but getting vendor and project resources to support the additional work and making sure the system was fully functional and supported operationally when the new facility went live, added cost and stress that hadn’t been anticipated. This is where risk management and change management overlap – a topic for another article.

Posted in Uncategorized | Comments Off