ABSTRACT: Risk management is a capability organisations can develop which enables them to better respond to the unexpected. This article discusses an approach to developing that capability. It covers why it might be considered organisationally important, what is required for the capability to take root and be successfully achieved, and some of the specific considerations of how to strengthen process, increase uptake by staff, and shift culture of the organisation for the capability to be embedded.

For a growing number of organisations, developing capability in managing risk is recognised as vital to viable survival and prosperity. It is one thing to manage risk at the individual project level. It is another thing altogether to grapple with risk at an organisational level and manage it consistently across all activities. Some reasons why organisations consider developing capability in risk management include:

• preparedness, whether in the sense of business continuity/disaster recovery or in terms of project and operational activities
• soundness and consistency in organisational practices across all endeavours
• responsiveness to risk events to reduce losses and enhance potential gains
• reduce vulnerability to unexpected and unwanted threats
• developing awareness and responsibility for appropriately managing risk so it is managed as a standard, ongoing practice
• compliance, particularly in the governmental sector
• cultural adjustment in corporate and individual risk taking within appropriate boundaries

Planning Capability Development

The Risk Management Planning sub process of the PMBOK® Guide (2000 Edition) clearly highlights how important it is to plan the management of risk for a specific, individual project. This is equally valid and important at the organisational level. Successfully establishing risk management as a discipline across an organisation requires:

• Understanding the organisation's values related to risk
• Identifying and monitoring changes in the tolerances of various stakeholder groups
• Detailing the roles, responsibilities and accountabilities of various groups and individuals
• Formally defining the specific approaches to be followed in managing risk

Development of risk management capability requires commitment, clarity of purpose, vision, systems-centred management, investment at appropriate levels, teamwork, involvement of staff, and a process orientation, among other things. It is vital that first there is clarity about why capability development is important. Ensure that there is a clear purpose, vision and mission for the initiative. The level of cultural change needs to be recognised, typically as significant, and the changes supported through clear leadership. The level of change and the effect it has upon the organisation depends on previous levels of change within the organisation, robustness of the organisation to change, the history of success/failure of change initiatives, and the levels of trust that staff have in management.

Be clear about what the focus for capability development will be. Focus could be at the strategic level down through the portfolio, program, and project levels, and may also apply to operational activities. Depending on the specific focus, the level of effort, commitment, change and investment will vary markedly. It is often useful to start with projects, and establish a methodology and approach that works at the project level, before embarking on the ambitious goal of implementing risk management across an organisation. Consider the project level as a pilot for establishing processes and practices, and testing them, before committing at the organisational level.

Clear, visible, consistent and powerful management commitment and support is essential. Without this, the endeavour is on shaky ground. Clear governance is required to provide leadership and direction, establish policy, make key decisions, communicate effectively with stakeholders, establish goals and objectives, monitor against these, and address issues as they arise. It is common to establish a steering team comprised of senior management (seniority dependent on the scope of the developments activities).

A sound communication strategy is important to ensure that stakeholders are informed of intent, approach and are provided with an opportunity to submit ideas and feedback. It is part of the total involvement philosophy that wins support and strengthens uptake. Extend the communication strategy to suppliers and clients. It can strengthen the relationships. Risk management effects contracting relationships. It determines how risks are shared between parties, terms and conditions in the contract, and the mechanisms for initiating projects etc. Timing of messages is crucial, hence the need for it to be a communication strategy rather than a haphazard and unconsidered set of messages.

Implementation Considerations

The key areas to address for a successful capability development activity include:

Risk management disciplines Framework and methodology Training and support Technology and infrastructure Organisational environment Integration with business as usual (BAU) Let's address these areas in more detail, one by one.

Risk Management Disciplines

Key disciplines that your organisation will need to address and ultimately exhibit as your risk management capability is established and matured include:

• Risk management process standardisation, measurement, control and improvement as a part of normal, ongoing business activity
• Project risks will be identified and assessed, and appropriate response strategies developed, implemented, with the success of these monitored and corrective actions taken as needed
• Audits of projects and other organisational activities will be conducted, with the intent of assessing current practice and determining lessons learned to improve future implementations and to update and improve the methodology.
• Lessons learned will be captured, stored and made readily accessible to the organisation so that past failures may be avoided and successes replicated. Significant lessons may be encapsulated as updates to the organisational methodology.
• Risk taking will be encouraged within the organisation, with the sponsors and teams of such activities empowered to do so. They will be willing to take risk and own the results. The culture of the organisation is supportive of mistakes and failure when risks are taken within prescribed parameters.
• Projects are selected, initiated, and proceed beyond stage-gates based on their risk profile and estimated return against business objectives. Go/No Go decisions are made based on risk evaluations developed in a consistent manner.
• Inter-project risks are managed at the program and portfolio levels

Framework and Methodology

The framework and methodology that an organisation chooses to put in place is its encapsulation of what it considers to be suitable practice for managing risk within whatever sphere it operates. I find the following standards most useful in this area:

• A Guide to the Project Management Body of Knowledge (PMBOK®)
• Organizational Project Management Maturity Model (OPM3)
• Australian and New Zealand AS/NZS 4360:1999 Risk Management standard

The PMBOK® guide provides a framework that addresses generic projects. OPM3 identifies best practices, capabilities and outcomes required for project, program and portfolio management. The AS/NZS 4360 standard treats risk management as an organisation wide activity, from the highest strategic level down to the day-to-day operational activities, and in projects.

• The framework adopted by an organisation will define the processes and tools to be used in managing risk. The general process is consistent across the organisation. Typically included in the framework are such things as:
• Methodology: Description of the philosophy, process and approach to be followed in performing risk management within the context the framework applies to.
• Templates: Boilerplate forms with standardised formats that require unique aspects to be filled in, reducing time for creating a specific document. Examples include: risk register, risk response strategy form, status reports, issues register, and the generic risk management plan.
• Guidelines: Brief instructions, with examples of how to follow the process and use the templates
• Checklists: Lists of items to check at various points within the process. Examples include: Impact Criteria Establishment Checklist, Risk Identification Checklist, Risk Source Checklist

A methodology is easier said than done. It is true many are available for purchase. However, the customisation effort to adapt it to your specific organisation and conditions should not be underestimated, nor the training required to gain the full value and advantage from what the selected one offers. There are easy ways of acquiring a methodology. There is no easy way to implement and use one effectively.

Training and Support

The need for basic and consistent training for all staff is a given. Risk management is ‘common sense’ to those of us who are versed with the discipline. It is easy to underestimate the cultural shift required of people who must learn these skills and then apply them in their work. Other support options to consider include:

• Coaching/Mentoring: Provide access to an expert skilled in the process of managing risk so the individual has a sounding board to test their ideas against and gain specific feedback on their application of risk management practices.
• Specialist Training: Specific training that focuses on specifics of organisational methodology and the resources available that support risk management.
• Regular seminars: Maintain interest and awareness through regular informational updates and training sessions, building in opportunity for participants to surface and discuss issues they are facing.
• Facilitated Workshops: Bring in skilled facilitators who can lead your staff through the process of risk management, working directly on their projects. This provides a safety cushion for staff as they work on key initiatives with new skills. They are able to have someone experienced work with them in developing risk management plans, increasing their confidence that they will do a good job, and at the same time they can observe skills they have been taught being applied in a real situation.

Technology and Infrastructure

Technology can support the risk management processes in a number of ways. Examples include:

• Intranet for publishing the framework/methodology, and providing easy access to the latest versions of templates and checklists etc.
• Specific tools that support risk management activities. E.g. Monte Carlo simulation software, databases for risk registers, tracking etc (automating the process)
• Online lessons learned database

Organisational Environment

Cultural change is a significant and long-term activity. Clearly define individual and group responsibilities essential for an effective environment. Escalation procedures, reporting requirements, issues and change management processes, and access to and use of reserves are some of the areas that may be covered when formally defining responsibilities. Processes for performing these would be reflected in the methodology; key performance indicators that demonstrate application would appear in job descriptions and performance appraisals. Appropriate performance measures must be applied at the lowest applicable level within the hierarchy through to the very top of the organisation. It is essential to send the clear message that the whole organisation is committed to the new approach, and that it is not something just for lower echelons.

Compensation, incentives, bonuses etc may also be examined as part of establishing a culture that is focused on risk management.

Integration With Business As Usual (BAU)

With risk management being applicable to both project and operational environments, it can be fully integrated throughout the enterprise. By treating risk management as a fundamental skill it will, over time, become second nature. As an integral part of business activity, visible with every decision made, everyone becomes consciously competent in the skill. Formal processes for escalating and reporting of risks and issues is one way to strengthen this integration. In rising through the organisation the thresholds for escalating and reporting to the next level grow more significant. The criteria for escalating across levels are a good basis for defining the more critical levels of an impact assessment table.

Conclusion

Benefits related to prudent risk taking will be realised as you develop risk management capability within projects and across the organisation. Your organisation will have a heightened awareness of the importance of taking time to prepare for the future rather than being in a permanent state of crisis. Stress levels will decrease. Staff will feel less threatened by mistakes and failure because the culture supports learning. Less time will be spent diverting attention from problems and casting blame onto others. By spending time and energy developing risk management as a discipline, your organisation will become more focused, better disciplined, deliberate and safer place to be.

References

• A guide to the Project Management Body of Knowledge. Pennsylvania, USA: Project Management Institute (2000 Edition). (2000).
• AS/NZS 4360:1999 risk management. Australia: Standards Australia. (1999).
• Organizational project management maturity model (OPM3) knowledge foundation. Pennsylvania, USA: Project Management Institute. (2003).

Stephen Harrison, PMP
© Harrison International Ltd, 2004. All rights reserved.

This article was published as an interview in Projects & Profits, April 2004, Volume 13, No. 4

“PMI®” is a trade and service mark registered in the United States and other nations; “PMP” is a registered certification mark in the United States and other nations; and “PMBOK” is a trademark of Project Management Institute, Inc.