16
CASE STUDY 3
Development of Risk Registers at Corporate, Strategic Business Unit and Project Levels and a Risk Statement

16.1 INTRODUCTION

The following provides a description of a generic risk management process for the identification of risks within a typical hierarchical organisational structure of corporate, strategic business unit and project/functional levels, along with preliminary risk assessment necessary for the initial sanctioning of a project.
A project opportunity scenario is presented along with fictitious company profile and products/projects to satisfy the requirement.
Risk registers are provided, identifying project related risks to the fictitious scenario, along with cumulative cash flow diagram and other supporting information.
Finally, a risk statement is demonstrated, in a format suitable for the high-level decisions related to the sanctioning of a project by corporate, shareholder and financiers, including a tornado diagram to provide a visual overview of the project’s risks and associated cost.

16.2 LEVELS OF RISK ASSESSMENT

Risk assessments are carried out at each level in an organisation. Typically the ‘big picture’ risks are identified at corporate level and more detailed assessment at SBU level associated with the characteristics of the relevant market. At project level more data are usually available to allow a more detailed assessment and to consider project specific activities and their associated risks.
* Reproduced by permission of A. Merna.

16.2.1 Corporate Risk Assessment

At the corporate level, issues related to each of the below areas would be identified and recorded for further assessment and processing by the specific SBU responsible for the undertaking:
• reputation (brand image)
• ethical risk (animal testing, green, military)
• market/demand
• health and safety (directors’ liability insurance may be sought)
• creating/maintaining competitive advantage
• alignment of SBU undertakings with corporate strategy plan (CSP)
• SBU’s ability to finance the undertaking and gain returns on capital employed
• synergy with and potential involvement for other SBUs
• compliance with legal and regulatory issues
• country risk (tax, political, war, currency)
• political and environmental issues
• contract strategy.
Table 16.1 illustrates the identification techniques used at each level.

16.2.2 Strategic Business Unit Risk Assessment

The strategic business unit ultimately responsible for the undertaking identified the following risks to be considered at this level. In some cases risks initially identified at corporate level will be assessed in greater detail and be more specific to the SBU market.
• stakeholder satisfaction
• long-term goals
• demands of customers and end-users
Table 16.1 Risk management technique at each level
102
• market conditions/trends
• product specific issues (design, production)
• customer’s ability to pay
• ability to finance the undertaking and gain returns on capital employed
• compliance with legal and regulatory issues
• customer satisfaction
• availability of resources (human, raw, technical)
• future opportunities
• contract strategy
• maintaining/increasing market share
• compliance with corporate strategy and business strategy
• synergy with current and future commitments
• synergy with other strategic business undertakings
• knock-on effects from other SBU risks
• country risk (contract law, political conditions, climate, telecommunication, infrastructure)

16.2.3 Project Level Risk Assessment

Project level risk assessment will normally be the remit of the project manager ultimately responsible for the undertaking and may be governed by the risk management plan (RMP) resulting from the corporate and SBU risk strategy.
Here initial focus would tend to be at the lowest level of project delivery, with concerns for typical project management constraints of cost, time and quality being the most prevalent along with anxiety with regards to adequate resources for the specific project (time, materials, labour/technical skills etc.).
Other main areas of uncertainty may be:
• requirements
• solution: such as fit for purpose, bespoke, off-the-shelf
• raw materials
• key human resources: desired versus available, location, culture, skillsets
• time/schedule: desired versus achievable, conflicts for implementation periods such as holidays or working restrictions
• customer organisation: environment, culture, working hours, synergy
• end-users: involvement in project, acceptance, level of education, language, culture
• implementation environment/location: accommodation, access, language, security, weather, working conditions (site, ground conditions, water level), travel, labour, safety, logistics
• technical concerns: interfaces, communication medium, known issues with existing technology or unknown technology.

16.3 AMALGAMATION AND ANALYSIS OF RISKS IDENTIFIED

Upon completion of initial risk identification activities by each organisational level and subsequent documentation, specifically risk registers, SBU resources (or appointed risk manager) would then be responsible for further processing and amalgamation of results, such as:
• assessment of true impact-probability weighting in line with corporate and strategic policy
• further analysis (qualitative and/or quantitative) of time and cost variations to the project
• determination of possible responses (avoidance, reduction, transfer or retention) identification of appropriate risks owner.
An appropriate technique for gauging the intensity of individual risk is the probability-impact grid depicted in Figure 16.3.
To facilitate this, within each of the risk registers utilised in the previous stages, fields are provided for the scoring of both probability and impact as perceived by the document authors. This not only provides a starting point for the analysis tasks of the risk manager, but also gives insight into the deemed sensitivity of the project, the specific risk (in contrast with other risks identified) and also possibly an idea of the risk tolerance of the group which authored the register. This is shown in Figure 16.1.
This score or criticality value relates to the weighting factors described in the associated key displayed in Figure 16.2.
Figure 16.1 Risk register criticality value
Risk Value
Probability60%
Impact9
Score = P * I 5.4
Figure 16.2 Impact weighting factors for PIG analysis
KEY:
VL<≈1
L2
M4
H5
VH>≈6.5
An appropriate technique for gauging of intensity of individual risk is the probability-impact grid depicted in Figure 16.3.
Kerzner (2003) provides a set of risk definitions which are appropriate for use in risk analysis using the PIG as depicted in Figure 16.3.
High risk – substantial impact on cost, schedule, or technical. Substantial action required to alleviate issue. High priority management attention is required.
Moderate risk – some impact on cost, schedule, or technical. Special action may be required to alleviate issue. Additional management attention may be needed.
Low risk – minimal impact on cost, schedule, or technical. Normal management oversight is sufficient.
Figure 16.3 Probability – impact grid
103
Kerzner also advises of the importance of using agreed-upon definitions (such as the definitions above) and procedures for estimating risk levels, rather than subjectively assigning them.
Those risks deemed as high or very high by the risk manager would be candidates for further analysis, in order to determine time and/or cost variations to the project.
Results of all risks would at this stage be amalgamated into a separate database, spreadsheet or other facility and made available within the organisation for all stakeholders to access. Additionally, those risks deemed critical during this process would be extracted for project sanctioning purposes and inclusion within a risk statement for the attention of lenders and shareholders.
The risk statement is expected to be an executive summary of high-level content, with the intention of providing anon-subjective description of visible risks for a proposal to the corporate board, stakeholder and lender representatives, approval of which would need to be obtained before commitment of further resources for any subsequential risk analysis or possibly the initiation of the project undertaking.
The following points should be considered when the undertaking is sanctioned.
• Initially it is expected that further risk analysis would be performed on the more critical of risks (both qualitative and quantitative).
• Risk registers would be published such that all stakeholders have controlled access and may assist with the address of any risks.
• Stakeholder feedback would be encouraged throughout all project and risk management phases via brainstorming, interviews and access to risk registers.
• Risk registers would be continuously updated throughout all further stages of the project undertakings.
• Budget for risk would in most cases be allocated to the project for contingency of identified risks.
• Purpose of the project and benefits of the outcome also need to be kept in mind throughout all stages of a project, as scope creep due to change of requirements is all too often ignored upon project sanctioning.

16.4 THE PROJECT: BAGGAGE HANDLING FACILITY

The following risk registers are developed at each level of the organisation for the baggage handling project. It is intended that this project will be undertaken in a developing country.

16.4.1 Corporate Level

Figure 16.4 Risk register at corporat level
104
105

16.4.2 Strategic business Unit Level

Figure 16.5 Risk register at strategie business level
106

16.4.3 Project Level

Figure 16.6 Risk register at project level
107

16.5 RISK STATEMENT

A risk statement is a document that identifies all those risks identified at each level of the organisation which can be examined by the lenders and shareholders. In most cases the risks identified in the risk statement will be those risks identified as high in each risk register and those that must be retained by the organisation, typically those that cannot be mitigated.
A risk statement, as described above, associated with every potential project or investment considered by the organisation provides a simple yet useful tool to lenders and shareholders when considering which projects or investments should be sanctioned in relation to the risk and uncertainty surrounding them.
Figures 16.4, 16.5 and 16.6 illustrate the risks and their probability /impact for each level. Figure 16.7 illustrates the risk classified as high due to their probability and impact which will form the basis of the risk statement.

16.6 SUMMARY

Risk management is not an exact science and each undertaking will have different risks to previous and following opportunities. Risks are also individual to the organisation performing the task; hence risk management also needs to be subjective to the organisation. However, contrary to implying that risk management is undertaken in an ad-hoc manner, this stresses the importance of proactive risk identification and the management thereof, which must be planned for and ingrained within the establishment.
Processes and procedures for risk management need to be established and continually revised as lessons are learnt and standards and regulations change. Risk management efforts without control and guidance will be patchy and inconsistent throughout the undertaking as different stakeholders (and differing hierarchical levels of involvement) attempt to address different risks and opportunities. Furthermore, this may lead to the creation of additional risks brought about through ignorance and assumption that risks are under control.
Risk management which occurs as an afterthought, upon initiation of a project, may be too late to prevent negative implications. Risk management processes and procedures must be initiated before sanctioning of a project, such that identification of external and inherent risks can be identified, addressed and recorded for the attention of all stakeholders, so that proactive mitigation can occur.
Figure 16.7 Risk register for risk statement
108
Risk management must be balanced, controlled, consistent and most importantly cyclical.
Risk registers and risk statements should be seen as simple methods of illustrating the potential risk at individual level and a tool for decision making respectively.
The authors wish to thank Mr Darren Burnside and Dr Anthony Merna for allowing them to use this amended version of their paper.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.144.104.98