Project Risk Management
Most large complex projects and programmes fail to meet their planned objectives, either failing to deliver what was promised, sliding their timeframes or exceeding the budget or all three. Most organisations are undertaking one or more aggressive, must do programmes at any point in time. These programmes may fundamentally change the way the company conducts its business and failure to meet objectives on time may lead to a catastrophic loss of business.
What can be done?
Large projects and programmes are often chaotic. Objectives are unclear and often evolve and plans and priorities are constantly changing. There is a temptation to accept this chaos as a necessary nature of the beast and effectively resort to crisis management. This is a very wasteful, painful and ultimately unsuccessful way to operate. To restore order, it is essential to get the basics of project management established by making sure that both objectives and plans are clear and communicated. The objectives may change but enormous benefit will be gained from having a clear direction set, even if it is only for a short term.
Clear objective and plans are only the first step – they can, and will, go wrong if they are not pro-actively managed.
ABCD is fully scaleable – it can be used on everything from small projects to large scale programmes and full business enterprises. Most importantly, ABCD is a true enterprise risk management approach in that it handles all the hierarchies and escalation profiles that traditional methods normally fail to address and therefore ensures that management can “see the wood from the trees”.
Obviously, you cannot foresee and manage all risks. However, most projects fail due to lack of effective communication between the participants. In other words the projects are impacted by risks that were foreseen in the minds of key individuals, but were not communicated at the right time and therefore not managed by the project team. If a way could be found of unlocking the collective knowledge and viewpoints of all the key stakeholders around the project/programme, then a valuable insight into the true risks to the objectives would result. The ABCD risk management methodology provides this insight to the risks and the means to effectively mitigate them.
What are the challenges?
Few organisations have implemented ERM effectively why is this?
- Quantification is difficult/impossible some risks (eg financial, contractual) are easy to quantify whilst others are virtually impossible (eg quality, reputational). Therefore when organisations attempt to quantify the total risk to the business they tend mix good quality data with poor quality data and therefore dilute the value of the conclusions.
- Prioritising enterprise risks is difficult when it comes to comparing risks from different parts of the organisation, it can be like comparing apples with oranges. This is because objectives are often not clear or prioritised across the enterprise.
- Risk processes are not consistent across teams leading to differing focus, analysis, prioritisation and management approaches. Again this makes it impossible to build a consistent picture of risks across the enterprise
- Risk tools are not supported by effective process very often, software tools are the first attempt by an organisation to provide some consistency. If these are not backed up by an effective risk process, the effect can be one of GIGO – Garbage In Garbage Out as poor quality data is captured, analysed and then held up as a high quality result
ERM – The Quantitative Model
It will never be possible to achieve high quality quantification across all types of business risk. However, where it is necessary to calculate total risk exposure, a simple model that will allow quantified risks to be combined is shown below.
Risks that can be readily quantified include all types of financial risks eg credit risk, interest rate risk, market risk etc. Indeed, this is the extent of “enterprise” risk management for many organisations. Even in these areas of risk, there can be enormous uncertainty surrounding the data. However, it is important to remember that you don’t need to quantify risk in order to manage it – but you do need to measure risks in order to prioritise appropriately and this can be done qualitatively.
ERM – the Qualitative Model
This is a simplification of the Total RM framework with the financial risk element removed. This is not to suggest that financial risk should be ignored – far from it -but it is meant to imply that that financial risks should continue to be identified, quantified and managed using established processes and tools. All other risks should be evaluated qualitatively and only quantified on an exception basis i.e. where this can be justified by the quality of the available data and there is a clear need to have a quantified result.
The elements of the ERM model are:
Strategic Risk Management – There is no point delivering products and projects on time and budget if the market no longer wants them. Thus it is imperative to identify strategic assumptions and risks as the highest priority. The prerequisite of identifying strategic risk is that the strategy of the business is captured and communicated around all senior stakeholders.
Operational Risk Management – These are the risks to the ongoing processes in the business (eg the risk that a production line will stop). Often operational risks are relatively easy to identify as the processes are well established and staffed by experienced personnel. Many organisations include their projects under “Operational risk” but this is often not a good idea.
Programme/Project Risk Management – These are the risks that a project will fail to deliver (eg a new product/over budget/late etc). Project risks are more difficult to identify than operational risks as projects are, by definition, trying to introduce something new to the organisation. Risks within major change programmes are the most difficult of all to identify/prioritise/manage due to the programme complexity which makes it difficult to “see the wood from the trees”.
Transformation Risk Management – Projects and programmes that result in significant change (such as new product development, mergers and acquisitions will “transform” the current business. This is often when the business is exposed to most risk as the pressures increase the risk to both the current operations and the projects trying to transform them. For organisational purposes, Transformation Risk is often treated as part of the Programme/Project Risk
Contingency Planning – Strictly speaking, this is not “risk management” ie risk management is about stopping risks occurring (pro-active) whereas contingency planning relates to what to do if the risk impacts (re-active). However, this is an essential part of any ERM system as business continuity is paramount for any organisation.
The ABCD risk management process can be used for all elements of the ERM process ie all risk assessment is based on capturing and analysing key assumptions.
The ABCD Quality Based Costing technique can be used to make quantitative analysis as accurate as possible ie by weighting “good quality” data more than “poor quality” data.
The Assure web-based toolset is the most effective way of embedding the ERM process into the business. Assure is the only toolset commercially available that has built-in prioritisation and escalation rules that ensure true enterprise risk management.