If you are interested in developing your risk management practices in general or need to carry out a focussed exercise on a specific project or business venture, you will find a few pointers here. No one could set down one set of guidelines that would suit every need, but Broadleaf has sufficient experience of a wide range of applications to be able to point out common pitfalls and identify issues you need to take into account.
Don't assume this is a comprehensive set of instructions. It is simply intended as an indication of the factors you should be thinking about. We would be happy to discuss particular requirements in detail if you get in touch. If you are interested in developing an in-house risk management capability or you have already started on this path, we can help you develop, refine and optimise that capability.
Like most processes, risk management can be applied at various levels of sophistication. In its simplest form it focuses on identifying and describing risks and then establishing priorities among them. Just being able to describe the risks you face and be clear on which are the most important can be a big step forward. Exactly how you go about achieving this will depend on the business you are in and the culture of your organisation. Here are a few points to bear in mind.
Understand the context
Both in our own work and as part of our contribution to the Australian/New Zealand Standard for Risk Management AS/NZS 4630 and the international Standard ISO 31000, we have found it imperative to understand the context in which risks are to be managed. This might seem so obvious that it doesn't need to be mentioned but if you fail to ensure that everyone involved has a common view of what will constitute success and how you can measure the impacts of risks on that success then the whole process can fall apart.
The way the context is described will depend on the circumstances of a particular implementation but it will generally take in at least:
- The scope and objectives of the project or operation you are concerned with
- A description of the stakeholders you need to take into account
- Criteria for measuring the impacts of risks.
All of this might not be trivial but it is straight forward if you have a clear plan for what your project or business is trying to achieve. Often risk management runs into trouble because the plans for the business are informal or even absent. If you find yourself in this situation, start thinking about risks to your overall business represented by the processes you operate. Your problems may be deeper than you had feared.
Plan risk identification and assessment
Risk identification and assessment are often given a lot less attention than they need to make the process cost-effective. To be successful, they will usually involve a group of people for something between a few hours and a few days, a substantial investment of effort. This investment can pay off many times over but without adequate preparation and planning there is a danger of it being wasted.
Identification and assessment will not just happen by themselves. It is important to choose methods that suit your organisation and personnel, and plan how they are implemented as a small but significant project with well defined deliverables.
Close the loop with actions and monitoring
Many risk assessments end in a report that sits on a shelf gathering dust. To avoid the assessment going to waste it is essential to include action planning in the process and include regular reviews in its longer term operation. Once again you might think this is so obvious it need not be mentioned but many well meaning implementations miss these vital steps.
It is not always necessary to use quantitative methods to understand risks but they can be extremely valuable when you need to:
- Make a realistic evaluation of the nature of a complex individual risk, particularly technical and engineering matters
- Arrive at an aggregate view of the overall risk that a project or business initiative represents to your operations as a whole, and set realistic targets and contingencies for managing it.
Risk modelling is often thought to be mysterious and complicated. However, it can be addressed methodically in just the same way as modelling anything else:
- Define the whole thing you want to understand
- Break it into parts you can describe more easily
- Define the characteristics of each part - its parameter values and the uncertainty associated with them
- Aggregate the characteristics of the parts into a representation of the whole using a suitable model.
We generally use Monte Carlo simulation to aggregate the uncertainty in components of a project or business plan into a view of the uncertainty in the whole project or business. The majority of our quantitative analysis is carried out using Palisade's @RISK add-in for Excel.
You will find more on quantitative modelling in our books.
Here are some general points to bear in mind about quantitative modelling.
Model the risk rather than add risk to existing models
A common approach when people first start in this field is to take existing schedules, budgets and other models and simply add uncertainty into them. This usually results in complicated models that are difficult to understand. Some risk modelling tools encourage this type of behaviour by giving you the opportunity, at the touch of a button, to put +/-10% variation on all the numbers in your plans and run a Monte Carlo simulation on them. In addition to bypassing the critical thought processes that should be at work here and making assumptions about the level of uncertainty you face in each area of your operations, quick fix solutions like this ignore dependencies or correlations between uncertain values, often a key factor determining the risk you face.
A more effective approach is to use existing structures to develop a fresh model that is specifically designed to represent the uncertainty and risk in your schedules and budgets. This is more likely to expose the real relationship between detailed risks and the total risk to your operation as a whole.
Keep it simple
If you or the people you need to convince can not see the relationship between the inputs and outputs of your model, or at least trace them through enough to be satisfied that the model is sound, all your efforts can be wasted. It only takes one critic to raise a serious doubt that you can not refute quickly about a model for it to lose credibility. If you make sure it is only as complex as it really needs to be then the chances of this happening are very much reduced.
We deal with inherently complex situations using sets of linked models, each one being small enough to understand. You have to be able to convince anyone asked to make decisions based on your model that the information you are providing is well founded. To do that should take little more effort than understanding a conventional financial estimate or project plan.
Many organisations can point to isolated examples of good risk management but to work reliably in the long term, or even to survive against the critics, it has to be integrated with the general processes at work in your organisation. This is not complicated but if you ignore the integration, risk management will absorb more effort and operate less effectively than it could.
Business processes and the way they interact are very specific to an organisation. There are some general issues to consider in any setting though.
Top down support
If there is no effective support from the top of the business, or at least the top of the section in which you are operating, risk management is unlikely to become an integral part of the way you do business. This means more than just having senior management say that they support the process. Real support means senior management demanding, using and visibly acting on risk management information.
Risk management overlaps with many well established processes like planning, budget setting, performance monitoring and even salary reviews in organisations operating performance related pay systems. These established processes have well defined terminologies, at least within a single organisation, and so does risk management, but the two are rarely the same.
The terms you use to talk about a process might seem to be a simple matter but if they are not coordinated between interacting processes, the mismatch can generate enough resentment and targets for snipers to undermine the whole exercise. The trick is to find a common set of terms that retains the integrity of all the affected processes. The core concepts of risk management are not complicated but they do need to be adhered to rigorously. The language you use will go a long way towards making that happen or, if you get it wrong, undermine the whole venture.
Dealing with objections
Risk and uncertainty are uncomfortable for a lot of people and they will do a lot to avoid confronting the matter. This can include actively working against moves to introduce formal risk management practices. Being forced to describe the uncertainties you face and the risks your work imposes on your organisation can be a daunting prospect. It is common for sceptics to talk about risk management as an extra burden on their time and something that stops them getting on with the 'real work'.
As business and public sector operations come under increasing pressure to raise performance and cut costs, risk will become more important to organisations and to individuals. Here are a few points you might like to bear in mind when dealing with objections.
Formalising risk management, not introducing it
Any successful professional organisation will be facing and managing risks already, otherwise it would not be successful. This means that what might at first be described as the introduction of risk management can be presented as formalising something you already do. An emphasis on making risk management more cost-effective and communicating the conclusions well usually gets a better response than suggesting that it is a completely new technique, with the implication that up till now something has been missing.
Clarify the requirement and the outcomes
Early attempts to get organisations to take on risk management as something more than a one-off exercise were often put forward on the basis that it was obviously a "good thing to do". This form of motivation will only work for a short while and has more to do with fads and fashions than real business requirements.
It is important for everyone affected by the process to feel that there is a valid need for it at the organisational level. It takes more work to convince them that they need it personally but when planning and control systems are fully integrated through the levels of an organisation there are levers you can use to make this point.
Use external forces
The pressure for formal risk management often comes from customers who need to be assured that what you are offering will be delivered, or regulators who require evidence of prudent management in either the public or private sector. These external forces are harder to argue with than your own management and can be used as part of the rationale for changing the way people work.