10 Risk Management at Corporate, Strategic Business and Project Levels
10.1 INTRODUCTION
The previous chapters have discussed risk management tools and techniques, stakeholders’ involvement and the structure of corporate organisations. This chapter presents a model illustrating the sequencing of risk assessment, risk management techniques and shareholder involvement at corporate, strategic business and project levels.
10.2 RISK MANAGEMENT
Figure 10.1 illustrates the levels of a typical organisational structure which allows risk management to be focused at each level. By classifying and categorising risk within these levels it is possible to drill down or roll up to any level of the organisational structure. This should establish which risks the project investment is most sensitive to so that appropriate risk response strategies may be devised and implemented to benefit all stakeholders.
Risk management is seen to be inherent to each level, although the flow of information from level to level is not necessarily on a top-down or bottom-up basis (Merna 2003). The risks identified at each level are dependent on the information available at the time of the investment and each risk may be covered in more detail as more information becomes available.
In many cases decisions will be made solely on qualitative assessments. In other cases decisions will be made after a quantitative assessment on the basis of computed metrics such as IRR and NPV.
10.3 THE RISK MANAGEMENT PROCESS
Figure 10.2 conceptualises the risk management process. Risk management looks at risk and the management of risk from each organisational perspective, namely strategic, tactical and operational perspectives. The level within an organisation responsible for each organisational perspective can perform the necessary analysis.
Figure 10.1 Levels within a typical corporate organisation
Organisations have different levels with different objectives. Typically the risk management process separates the business processes into many levels which make up an organisation (typically the three levels previously identified). Risks specific to each level are identified using risk identification techniques (discussed in Chapter 4) and then logged on a risk register. Each level within the organisation will then analyse the identified risks, and responses and contingencies can be made.
The risks identified at each level are consolidated and controlled by a single department within the organisation. Within this department the risk management analysis can be made either on a standalone basis or for bundles of projects (portfolios).
Risk management should be a continuous process over the whole life cycle of the investment.
Many project management procedures place considerable stress on the quantification of risk. However, at the strategic business and corporate levels a significant proportion of the risks are not quantifiable and thus favour less formal risk management. The emphasis placed on the quantification processes often leads to a failure at the corporate and strategic business levels to prompt a manager to take account of other types of risk more difficult or impossible to quantify.
All stakeholder requirements must be acknowledged and aligned and a consensus must be found. This is often not easy because stakeholders have conflicting interests. It is important that the positions of the stakeholders are continuously analysed and their expectations met as far as possible.
10.4 COMMON APPROACHES TO RISK MANAGEMENT BY ORGANISATIONS
Risk management may follow a top-down approach, originating at the corporate level, consolidated at the strategic business level and implemented at the project level as shown in Figure 10.3.
Figure 10.3 Downward approach to risk management (Merna 2003)
In the situation shown in Figure 10.3 risk management in terms of identification, analysis and response is first carried out at the corporate level. This is often a qualitative analysis. Information is then passed down to the strategic business level where a more detailed risk analysis takes place and information from the corporate level is further explored. This information is then passed on to the project level of the organisation. Again further information is gathered and analysed. This process allows a complete risk assessment to take place as information moves down through the organisation.
This process, however, does not allow the results of risk assessments and information to flow through to the strategic business and corporate levels. Disadvantages of this model include communication difficulties from level to level, difficulty knowing what risk assessment each level within the organisation is carrying out, difficulty updating the model because it is not a continuous process, and the fact that ambiguities found at strategic business and project levels are not passed to the corporate level because there is no procedure in place to do so.
Figure 10.4 illustrates an upward approach to risk management. In this situation the risk management begins at the project level, but here the assessment at the project level is much more detailed. This assessment is then passed to the strategic business level in the organisation, and then to the corporate level. As the assessment is passed up through the organisation a more detailed risk assessment specific to either the strategic business or corporate level is carried out.
Again this process does not allow the information and risk assessments to flow down through the organisation, causing the same disadvantages as the downward approach to risk management.
Figure 10.4 Upward approach to risk management (Merna 2003)
Both the increasing downward and increasing upward models may result in a risk register being developed at each level but do not provide an overall risk register to be managed at one level.
The authors believe that although less detailed risk assessment takes place at the corporate level, the influence at the corporate level in terms of risks is far more important than risk assessments at strategic business and project levels. Many of the risks identified at the corporate level are global or uncontrollable risks, often associated with political, legislative, regulatory, economic and environmental factors. If any of these risks are considered too great, then a project may not be sanctioned for further risk assessment at strategic business or project levels.
10.5 MODEL FOR RISK MANAGEMENT AT CORPORATE, STRATEGIC BUSINESS AND PROJECT LEVELS
Within any organisation performing risk management, tools and techniques must be used at each level. The use of these tools and techniques allows the identification and analysis of risks and forms the basis for investment appraisal. Stakeholders are also identified at each level, and are allowed to contribute to the risk management process. These stakeholders must be identified and their requirements recorded as well as their relative significance. In order to assess the risks at each level, various tools and techniques may be applied. These techniques may generally be applied at each level in the process, but some will be more applicable to a particular level than others.
Figure 10.5 illustrates the levels and required input at each level in the risk management mechanism. The tools and techniques used at each level will be determined by the risk analyst and related to the type of assessment undertaken at those levels.
Figure 10.5 divides the organisation into corporate, strategic business and project levels. At each level risk management tools and techniques are used and stakeholder requirements are taken into consideration. This process forms a basis for the risk management mechanism.
Figure 10.6 illustrates the risk management cycle, which includes the identification, analysis and control of risks to be applied at corporate, strategic business and project levels. The risk management cycle is dynamic and must be continuous over the project investment life cycle.
Figure 10.7 Risk assessment for all levels of an organisation
This risk management mechanism, proposed by the authors and illustrated in Figure 10.7 below, incorporates the risk management cycle shown in Figure 10.6 and is utilised at each organisational level with the purpose of identifying, analysing and responding to risks specific to that level within the organisation. The process illustrated in Figure 10.6 should be a dynamic process carried out in a continuous loop throughout the whole investment life cycle.
Figure 10.7 illustrates the processes that the authors suggest should be undertaken at each level of an organisation, the stakeholders and risk management tools and techniques being involved as and when appropriate.
The first step of risk management is investment appraisal at the corporate level where the overall investment objectives are determined. It is imperative that the investment and derived objectives are identified and clearly understood at the strategic business level and by the project team. At this stage each level of the organisation should define what the investment implications are at this level, for example business or project requirements, client specification, work breakdown structure, cost estimates, project programme, cost and type of finance, and project implementation plan. This is often performed through the use of historical data, organisation-specific knowledge and information specific to the project in hand and the organisation’s overall goals.
The process of identifying risks is carried out through the use of a variety of techniques suited to the type of project and the resources available. The allocation of risk to owners is undertaken during this stage, which aims to place ownership of risk with the individual best placed to control and manage it. Identified risks and risk owners are recorded on the risk register, which later will become a database at the SBU level.
The information gathered at the identification stage is then analysed. Risk analysis tools and techniques, either qualitative or quantitative, are now employed to provide a thorough analysis of the risks specific to the project at each level within the organisation. Analysis may include defining the probabilities and impacts of risk and the sensitivity of the identified risks at each level.
After completion of the identification and analysis processes, the response to these risks can be carried out. This part of the process is exercised through the use of risk response methods and techniques. If the decision is to mitigate the risks the costs of mitigation must be assessed and budgeted for accordingly. Retained risks at each level will be identified in the risk register and be constantly reviewed.
Within this model stakeholders are of particular importance. Stakeholders are involved at each level and will have an input at each stage in the risk assessment process (identification, analysis and response). The model allows information from each stage to flow backwards and forwards through the organisation, where it can then be continually monitored, evaluated and controlled.
Once all the information has been processed through the model, a risk management plan is constructed and implemented. The plan should form an integral part of project execution and should give consideration to resources, roles and responsibilities, tools and techniques, and deliverables. This plan will include a review of the risk register, monitoring progress against risk actions and reporting. The final output of the model is a risk register at corporate, strategic business and project levels.
Feedback is a key vehicle used in this proposed model so that the organisation can learn from both its successes and mistakes, internally or externally. It provides continuous improvement at both SBU and project levels, and in risk management itself. Feedback is a continual process of gathering data from known and unforeseen events. Information is held at the SBU level and disseminated throughout the organisation.
These risk assessments and risk registers at corporate, strategic business and project levels will be made available to each level within the organisation. These levels of an organisation are discussed in Chapters 7, 8 and 9 respectively. An overall risk register, incorporating the risk registers developed at corporate, strategic business and project levels, will be further developed at the strategic business level and continually updated as the project develops. It is important that the risk assessments carried out for the projects at the strategic business level are of the same format, thus providing a database for all projects. This will allow the database to be interrogated and inform future projects, strategic business and corporate decision making.
The authors suggest that risk assessments at corporate, strategic business and project levels should run concurrently. At any time during the assessments, risks can be flagged up from any level that may result in the project or investment being sanctioned or temporarily put on hold.
The proposed risk management assessment system will:
• identify and manage risks against defined objectives
• support decision making under uncertainty
• adjust strategy to respond to risk
• maximise chances through a proactive approach
• increase chances of project and business success
• enhance communication and team spirit
• focus management attention on the key drivers of change.
Figure 10.8 illustrates the risk management model and the interaction of each level within the organisation. Information regarding risk assessment and risk registers is passed freely through the organisation.
Within this model the strategic business level will act as a conduit between corporate and project levels. A risk officer will be designated at the strategic business level with responsibility for ensuring that risks managed at corporate, strategic business and project levels are registered and that any further risks identified will be incorporated in the risk register held by the risk officer. All the information gathered from corporate, strategic business and project levels will be collated and passed on to the risk officer. The risk officer will be in direct contact with risk facilitators at both corporate and project levels. This model will ensure that all levels of the organisation will have an input into the overall risk register.
Managers and owners of risks retained and mitigated will be in the corporate, strategic business or project level within the organisation depending on where the risk originates. For example, a risk originating at the project level will be managed and owned by the project manager. The risk assessments and risk registers held by the project manager will be passed to the risk officer, at the strategic business level. The risk officer will review the overall register and inform both corporate and strategic levels of any changes in risk assessment as the project proceeds.
The advantages of the strategic business level of an organisation holding a risk register as a conduit from both corporate and project levels are as follows:
• The strategic business level is immediate to both corporate and project levels.
• One risk officer is responsible for the risk database.
• If any information is required about risk specific to a project, both project and corporate levels have access to this information.
• Both project and corporate levels will have access to all risk management systems and information.
• Stakeholders will have easy access as to how risks are managed at all levels of the organisation.
• Risk management throughout the organisation is co-ordinated and centralised.
However, in order for the model to work, regular reviews and audits need to take place together with risk workshops at corporate, strategic business and project levels facilitated by the risk officer.
New risks, the cost of managing such risks and the status of all existing risks identified at each level will be addressed in the overall risk register database.
10.6 SUMMARY
This chapter identified the corporate, strategic business and project levels in a typical organisation. Each level is responsible for managing the risks identified and ensuring that information on such risks is available to the other levels.
In most cases risks are specific to each level. Corporate risks are typically difficult to quantify and manage. These risks include the political, legal, environmental and financial elements of an investment. Many of these risks can be assessed in greater detail at the strategic business level as more information becomes available.
Project risk management often entails risks being assessed in even greater detail as they become more specific to the project rather than higher level risk considered at strategic business and corporate levels. To ensure that all risks at all levels are managed it is paramount that an overall risk management system is implemented and risks identified at all levels are managed over the life cycle of the investment.
The risk register held by the risk officer at the strategic business level forms a database for all levels of the organisation. This risk register should be accessible to stakeholders, particularly shareholders investing in a project.
The continual cycle of risk management is fundamental to the risk management model illustrated in Figure 10.8.