What Is at Risk?
Risk is defined as the possibility of suffering harm or loss. The higher the risk, the higher the danger or probability of harm or loss occurring. The things that can be harmed or “at risk” are first and foremost those that define the success of the business. This is the set of results that we are trying to accomplish as a result of the process change initiative itself. The work in the Business Context phase of the framework defines the future state of the “Organization-in-Focus” in terms of its vision, objectives, goals, and performance targets. It also defines the nature of the relationships that we feel we must have with our customers and other stakeholders to survive and thrive. The Vision phase defines the results of value that must be delivered to the stakeholders of the specific process within the scope of the initiative. The results of these phases tell us what to watch for to determine if a risk is truly at hand. The evaluation criteria they give us for decision making and prioritization throughout are developed based on stakeholder expectations and performance. They are the same criteria to be used in the risk evaluation process.
Although there’s clearly risk to all stakeholder relationships, some will be more critical than others will. Typically, the ones to start with are those affecting the customer and owner relationships. I will examine these first.
Customer-Based Risk
We all know the importance of delivering a quality product or service. No one tries to do a bad job, and everyone says that they want to provide a quality service. Nonetheless, poor results often show up in the form of unwanted products, non-responsive processes, or unsatisfactory service performance for customers. This is the quality component of risk. If the results are unsuitable for the customer, by definition, they are of poor quality and will incur higher business risk.
The product or service might be deemed poor for several reasons. The product or service might be declared sub-standard because of its inappropriate nature, its lack of reliability or availability, or its failure to meet commitments or promises (whether perceived or real). Poor quality can also result from inadequate human capability or capacity, technological shortcomings, and myriad other possibilities.
Having acceptable quality is generally defined as meeting all the requirements of a product, service, or process that in some way affects its customers’ satisfaction. Sometimes these requirements are explicit but often they aren’t completely stated. Consequently, meeting documented standards alone usually won’t suffice. Customers must be involved in the process of evaluating quality. This helps a business realize that it can’t just deal with the objective factors. It must also deal with the subjective ones, such as how customers feel about what they are getting and how they are getting it. These more subjective needs should be incorporated in the stakeholder expectations so that the business can assess the risk of satisfying stakeholders.
Owner Perspective of Risk
While customers have a concern about product and service quality, owners and managers have additional concerns about other outcomes. To them, risk is associated with uncertainty. It may be uncertainty regarding the viability or customer acceptability of the products, services, or processes that will be introduced. It might be risk associated with the attention that might be paid by regulatory bodies, regarding a service that stretches the boundaries of existing practice. It might be risk due to the likelihood of labor conflict due to changed working conditions.
The starting point for all risk analysis, then, is in trying to eliminate poor quality in the outcomes to customers. Such poor quality implies that there’s a lack of fit to customer need, which is our definition of quality in the first place. The certainties of poor quality and the uncertainties of risk will become a reality if an initiative fails to deliver the results expected. Subsequently, every other stakeholders’ perspective must be taken to find all other potential areas of lack of fit. Any of these could have a direct impact on the organization’s strategic intent. The possibilities are endless, but possible factors to watch out for are set out in Table 7.1, adapted from Robert Thomsett’s list of risk types.
| Type of Risk | Effect |
|---|---|
| Commercial | The organization faces loss of market share or competitive advantage. |
| Strategic | The organization’s strategic plan is compromised. |
| Financial | The investment in the project is lost, and the benefits aren’t accrued. |
| Technical | Key technology platforms are compromised. |
| Legal | The organization is exposed to legal procedures, including prosecution. |
| Political | The organization violates government requirements. |
| Fraud | The organization is exposed to fraud and security violations. |
| To image | The organization faces loss of public image. |
| To capability | The organization can’t retain or acquire the human skills and competencies to deliver or won’t change its beliefs and behaviors. |
| To scalability | The organization won’t be able to handle an increase in market share. |
[3] Thomsett, Robert. “The Indiana Jones School of Risk Management.” American Programmer, Volume 5 No. 7, (September 1992) pages 10–18
These risks should be evaluated in direct relationship to the project’s objectives and their fit to the business vision as defined through the customers’ and other stakeholders’ expectations. The stakeholders’ criteria provide the standards to judge whether the results of delivery have a greater or lesser chance of being met. This results-oriented aspect of risk management explains why risk management and quality management are counterparts and should be administered together in change initiatives.
Management should also be concerned about the risk in the program or project of change. They should pay attention to both the end and the means because “risky means” won’t deliver a “risk-free” end. This second type of risk is affected by poor project execution. Both results-oriented and project risks must be addressed repeatedly as knowledge is gained by performing the work defined by the Process Management Framework.