3
The Evolution of Risk Management and the Risk Management Process

3.1 INTRODUCTION

This chapter briefly describes the evolution of risk management. It illustrates the major stages of the risk management process, namely identification, analysis and response. The beneficiaries of risk management are outlined along with how risk management can be embedded into an organisation. A generic risk management plan (RMP) which forms the basis for all risk management actions and further risk activities for corporate, strategic business and project levels is discussed.

3.2 THE EVOLUTION OF RISK MANAGEMENT

Archibald and Lichtenberg (1992) state that risk is now openly acknowledged as part of real management life. Risk management is now considered to be one of the more exciting and important parts of planning and managing investments, assets and liabilities at corporate, strategic business and project levels, and is a function to be taken seriously.

3.2.1 The Birth of Risk Management

The idea of chance and fortune has existed in the most primitive of cultures. Playing games involving dice can be traced back at least 2000 years.
Probably the first insurance against misfortune was within a policy to cover the loss of cargo by shipwreck that had its origin in the Hummurabi Code. In the framework of that code the ship owner could obtain a loan to finance the freight, but it was not necessary to pay back the loan if the ship was wrecked.
The eighteenth century saw the rise of insurance companies as we currently know them. In 1752 Benjamin Franklin founded, in the USA, a fire insurance company called First American. The Society of Lloyd’s in London was established in 1771 when several English businessmen combined their resources to insure potential losses of their clients involved in sea transportation, now known as marine insurance.
The twentieth century witnessed the development of probability in ‘management science’ and the birth of formal risk management. This method was further developed by Chapman (1998) and applied by Chapman and others (Jia and Jobbling 1998).

3.2.2 Risk Management in the 1970s – Early Beginnings

Until the advent of project risk management in the 1970s, risk was something that was little discussed and its effects on businesses and projects were either ignored, because they were not recognised, or possibly concealed if they were. Before and shortly after this advent both risk and uncertainty were treated as a necessary evil that should be avoided (Archibald and Lichtenberg 1992).
Project risk management developed rapidly throughout the 1970s, firstly in relation to quantitative assessment and then to methodologies and processes. At the end of the decade project management academics and professionals saw the need for a project management function devoted to risk analysis and management, and several authors published papers on the subject.

3.2.3 Risk Management in the 1980s – Quantitative Analysis Predominates

In the early 1980s risk management was commonly acknowledged as a specific topic in the project management literature (Artto 1997). The scope of risk identification, estimation and response was generally well known (Lifson and Shaifer 1982, Chapman 1998). Discussions on risk management emphasised quantitative analysis, some of which referred to the PERT (Programme Evaluation and Review Technique) type of triple estimates, and optimistic, mean, pessimistic and other more advanced new concepts.
The main project risk management applications were essentially focused on time and cost objectives, and also on project evaluation (feasibility). Software using probability distributions to analyse cost and time risk was frequently used on large projects. Significant use of risk analysis and management was made on large process plant projects. Companies like BP and Norwegian Petroleum Consultants pioneered project risk management methods in that decade, in both the development and application of risk management methodology and of risk analysis techniques. BP developed the CATRAP (Cost and Time Risk Analysis Program) software for internal use. It allowed risk modelling with several subjective probability distributions and was used on offshore oil platform projects in the North Sea. Norwegian Petroleum Consultants developed NPC for the same types of project. NPC, like CATRAP, allowed risk quantification and modelling using subjective probability distributions. It also had the capacity to calculate objective distributions from real-life cost and time data and included the ability to combine subjective and objective distributions. NPC was also able to integrate cost and time risk in its modelling. In the late 1980s CASPAR (Computer-Aided Software for Project Risk Appraisal) was further developed at UMIST to provide risk analysis outputs for businesses as well as projects (Jia and Jobbling 1998).
The use of methods based on risk and response diagrams began in the 1980s. These methods are based on the notion that it is not possible to model a risk situation realistically without taking into account the possible responses. There are four reasons why risk response should be considered as part of risk analysis:
1. Estimation of the remaining risk is normally different in different response scenarios.
2. Responses need time and money; hence readjustments to the corresponding schedule and cost estimates are required.
3. A correct quantitative risk analysis model needs to include both risks and responses because without these elements the view of the situation may be distorted.
4. A specific response to a risk may bring secondary risks that will not exist in other cases.
Thus to make the best choice between several alternative responses, if they exist, to a risk situation, both the responses and their effects must be included in the model. Quantifying the results obtained will provide information which can be a valuable aid to the analysis.
The end of the 1980s was also the starting point for the use of influence diagrams combined with probability theory and for the first applications of systems dynamics. These techniques have been developed to a higher level and today there is commercial software available for both methods.

3.2.4 Risk Management in the 1990s – Emphasis on Methodology and Processes

Most of the risk management methodologies used today are based on methods developed in the 1980s. However, the use of questionnaires and checklists was greatly developed in the 1990s, and further development has led to the concept of knowledge-based systems.
Some important principles established in the 1980s in relation to the contractual allocation of risk have continued in the 1990s. The foundations of partnering and ‘alliancing’ strategies have been laid to avoid traditional contractual rivalry and promote a risk and reward sharing approach, particularly in the case of capital projects.
It is important to note that there has been a shift from a concentration on quantitative risk analysis to the current emphasis on understanding and improving risk management processes. Whereas in the 1980s project risk management software was used as an analysis tool, today the trend is to use risk quantification and modelling as a tool to promote communication and response planning teamwork rather than simply for analysis (capture and response). Currently risk quantification and modelling techniques are seen as a way to increase both insight and knowledge about a project and as a way to communicate that information to the project team members and interested parties (stakeholders).
The period since 1990 has seen a variety of proposals for risk management processes, all of which include a prescriptive approach, such as:
• the simple generic risk management process – identification, assessment, response and documentation
• the five-phase generic process – process scope, team, analysis and quantification, successive breakdown and quantification, andresul ts. quantification, successive breakdown and quantification, and results.
Risk management is undoubtedly an important part of prudent project and business management, but may not always be easy to justify. The benefits which it generates are often unseen, while the costs are all too visible. To sell it successfully, it is important to focus on the benefits it will bring, quoting from real life where possible, and satisfying a genuine need within the organisation (Wightman 1998).
Historically, many organisations have looked at risk management in a somewhat fragmented way. However, for a growing number of organisations, this no longer makes sense and they are adopting a much more holistic approach. For example, organisations at the forefront of risk management now have risk committees, which are often chaired by a main board member or a risk facilitator and which have overall responsibility for risk management across their organisation. The point is that a fragmented approach no longer works. In addition, risk management has clearly moved up the agenda for the board or management committee.
Risk management continues to evolve in many ways:
• ‘Threat’ focus becomes ‘opportunity’ focus with a view to taking more risk to improve profit expectations and to support the organisation.
• Multiple pass process emphasis leads to the development of simple first pass approaches to size risk prior to deciding whether or not further action is required.
• Separation of projects/investments from associated corporate/SBU strategy is increasingly seen as unhelpful.
• Building proactive risk management into capital investment appraisal, bidding and contract design is increasingly seen as fundamental.
• Good risk management cannot be achieved by simply adopting any simple off-the-shelf techniques. It needs careful thought, effort and recognition of key issues in each individual case.
• Non-monetary appraisals are now seen to be an important part of risk management, and include:
• Environmental – a key element in most large projects considering impacts and mitigations measures on the environment during implementation or operation. An example is the control of pollution from process and waste plants.
• Health and safety – general responsibilities under statute such as Hands at Work Act and under contract law construction, design and management (CDM) regulations place restrictions on designers to ensure safe methods of construction.
• Ethical – as international and multi-cultural working become more common the need for ethical awareness is increasing. Contractors are often selected because they are not involved with arms trade, child labour, tobacco or drugs.
• People – unmotivated staff, poor teaming, organisational structure, responsibility for decision making, distribution of work and workloads.
• Cost – labour overruns, material overruns, supply overruns, monetary penalties.
• Schedule – missed deliverables, missed market window, missed critical path activities, unrealistic schedules or programmes.
• Quality – poor workmanship, unfinished details, legal infractions, untested technology, operation and maintenance of products or projects.

3.3 RISK MANAGEMENT

Risk management can be defined as any set of actions taken by individuals or corporations in an effort to alter the risk arising from their business (Merna and Smith 1996).
Meulbroek (2002) identifies that the goal of risk management is to:
Maximise shareholder value.
Handy (1999) summarises risk management as:
Risk management is not a separate activity from management, it is management. . . predicting and planning allow prevention. . . reaction is a symptom of poor management.
Risk management deals both with insurable as well as uninsurable risks and is an approach which involves a formal orderly process for systematically identifying, analysing and responding to risk events throughout the life of a project to obtain the optimum or acceptable degree of risk elimination or control.
Smith (1995) states that risk management is an essential part of the project and business planning cycle which:
• requires acceptance that uncertainty exists
• generates a structured response to risk in terms of alternative plans, solutions and contingencies
• is a thinking process requiring imagination and ingenuity
• generates a realistic attitude in an investment for staff by preparing them for risk events rather than being taken by surprise when they arrive.
At its most fundamental level, risk management involves identifying risks, predicting how probable they are and how serious they might become, deciding what to do about them and implementing these decisions.

3.4 THE RISK MANAGEMENT PROCESS - IDENTIFICATION, ANALYSIS AND RESPONSE

In the project management literature, a rather more prescriptive interpretation of risk management is expounded. To develop the concept as a management tool, authors have tended to describe the processes by which risk management is undertaken.
According to Smith (1995), the process of risk management involves:
• identification of risks/uncertainties
• analysis of implications
• response to minimise risk
• allocation of appropriate contingencies.
Risk management is a continuous loop rather than a linear process so that, as an investment or project progresses, a cycle of identification, analysis, control and reporting of risks is continuously undertaken.
Risk analysis and risk management have been carried out in many fields for a number of decades and are being increasingly used as integral parts of the overall business management approach and on most major projects; in some cases they have become a mandatory requirement for financial planning and regulatory approval. Many client organisations now require contractors to identify potential risks in an investment and to state how these risks would be managed should they occur.
Despite risk analysis being a growing element of major projects, there is no standard to which reference may be made for techniques, factors and approaches. To overcome this a number of organisations and research authorities have identified ways to describe the risk management process. Typically there are a number of phases associated with this process. Merna (2002) took three processes, namely risk identification, analysis and response, and implemented a 15-step sequence to account for risk management. However, four processes had been identified by Boswick’s 1987 paper (PMBOK 1996), Eloff et al. (1995) and the British Standard BS 8444 (BSI, 1996). The Project Management Institute’s (PMIs) Guide to the Project Management Body of Knowledge (PMBOK 1996) also identifies four processes associated with project risk management.
Chapman and Ward (1997) believe that there are eight phases in the risk management process. Each phase is associated with broadly defined deliverables (may be targets not achieved initially), and each deliverable is discussed in terms of its purpose and the tasks required to produce it. Below is a summary of these phases and deliverable structures:
Define. The purpose of this phase is to consolidate any relevant existing information about the project, and to fill in any gaps uncovered in the consolidation process.
Focus. The purpose of this phase is to look for and develop a strategic plan for the risk management process, and to plan the risk management process at an operational level. A clear, unambiguous, shared understanding of all relevant aspects of the risk management process, documented, verified and reported should result from this.
Identify. The purpose of this phase is to identify where risk may arise, to identify what might be done about the risk in proactive and reactive terms, and to identify what might go wrong with the responses. Here, all key risks and responses should be identified, with threats and opportunities classified, characterised, documented, verified and reported.
Structure. The purpose of this phase is to test the simplified assumptions, and to provide a more complex structure when appropriate. Benefits here include a clear understanding of the implications of any important simplifying assumptions about relationships between risks, responses and base plan activities.
Ownership. At this phase client/contractor allocation of ownership and management of risk and responses occur, such as the allocation of client risks to named individuals, and the approval of contractor allocations. Here, clear ownership and allocations arise; the allocations are effectively and efficiently defined and legally enforceable in practice where appropriate.
Estimate. This phase identifies areas of clear significant uncertainty and areas of possible significant uncertainty. This acts as a basis for understanding which risks and responses are important.
Evaluate. At this stage synthesis and evaluation of the results of the estimation phase occurs. At this stage, diagnosis of all important difficulties and comparative analysis of the implications of responses to these difficulties should take place, together with specific deliverables like a prioritised list of risks or a comparison of the base plan and contingency plans with possible difficulties and revised plans.
Plan. At this phase the project plan is ready for implementation. Deliverables here include:
• Base plans in activity terms at the detailed level required for implementation, with timing, precedence, ownership and associated resource usage/contractual terms where appropriate clearly specified, including milestones initiating payments, other events or processes defining expenditure and an associated base plan expenditure profile.
• Risk assessment in terms of threats and opportunities. Risks are assessed in terms of impact given no response, along with assessment of alternative potential reactive and proactive responses.
• Recommended proactive and reactive contingency plans in activity terms, with timing, precedence, ownership and associated resource usage/contractual terms where appropriate clearly specified, including trigger points initiating reactive contingency responses and impact assessment.
• A management phase that includes monitoring, controlling and developing plans for immediate implementation. This stage allows revisiting earlier plans and the initiation of further planning where appropriate. Also exceptions (change) can be reported after significant events and associated further planning.
Corporate and strategic business elements should also be included in the process outlined by Chapman and Ward, since risks identified at these levels need to be addressed before a project is sanctioned.
For the purpose of outlining the risk management process, the PMBOK (1996) system has been used to give a brief description of the necessary processes, namely:
• risk identification
• risk quantification and analysis
• risk response.
PMBOK (1996) states that project risk management includes the processes concerned with identifying, analysing and responding to project risk. It also includes maximising the results of positive events and minimising the consequences of adverse events. The main processes involved in project risk management are discussed below.

3.4.1 Risk Identification

Risk identification consists of determining which risks are likely to affect the project and documenting the characteristics of each one. Risk identification should address both the internal and the external risks. The primary sources of risk which have the potential to cause a major effect on the project should also be determined and classified according to their impact on project cost, time schedules and project objectives.
The identification of risks using both historical and current information is a necessary step in the early stage of project appraisal and should occur before detailed analysis and allocation of risks can take place. It is also essential for risk analysis to be performed on a regular basis throughout all stages of the project. Risk identification should be carried out in a similar manner at both corporate and strategic business levels.

3.4.1.1 Inputs and Outputs of the Risk Identification Process

In order to investigate what the risk identification process entails, consideration should be given to its input requirements and the outputs or deliverables expected from it. Risk identification consists of determining which risks are likely to affect the project and documenting the characteristics of each one. Inputs to risk identification are given as:
• product or service description
• other planning outputs, for example work breakdown structure, cost and time estimates, specification requirements
• historical information.
Outputs are:
• sources of risk
• potential risk events
• risk symptoms
• inputs to other processes.
After identification:
• risks should be ‘validated’ – for instance, the information on which they are based and the accuracy of the description of their characteristics should be checked.
• risk response options should be considered.
The purpose of risk identification is:
• to identify and capture the most significant participants (stakeholders) in risk management and to provide the basis for subsequent management
• to stabilise the groundwork by providing all the necessary information to conduct risk analysis
• to identify the project or service components
• to identify the inherent risks in the project or service.

3.4.1.2 Participants in the Risk Management Process

Developing the above points further, before risk identification can commence the responsibility for undertaking the risk management process must be assigned. Whatever the organisational structure within which the risk management process is undertaken, it must be supported or ‘championed’ by the highest levels of management or it will not have access to the requisite information, neither will the organisation be likely to benefit from the implementation of its recommendations. This is often addressed in a similar way to the value management process by appointing a strong experienced facilitator to chair meetings where potential risks are identified and addressed. Participants in the identification will normally include individuals responsible for carrying out the project and those having a firm grasp of the business and technical aspects of the project and the risks confronting it from within and outside the organisation.

3.4.1.3 Information Gathering and Project Definition

The risk identification process is dependent on information, which may or may not be readily available. This may take the form of processed historical data, often risk registers from previous projects and operations or information from external sources. The better the informational foundation of the risk management process, the more accurate its results. Therefore determination of what information is required, where and how it may be collected and when it is needed is central to risk identification. This involves:
• gathering existing information about the project including its scope, objectives and strategy
• filling in gaps in the existing information to achieve a clear, unambiguous, shared understanding of the project.

3.4.1.4 Risk Identification Process Outputs

Primarily, a register of risks likely to affect the project should result from the process. A full and validated description of each risk as well as initial response options to each risk should be developed. The key deliverable is a clear common understanding of threats and opportunities facing the project.
Figure 3.1 illustrates the risk identification process with its outputs leading to the inputs in Figure 3.2 for risk analysis. The outputs of Figure 3.2 are then input into Figure 3.3 for risk response.
Figure 3.1 The risk identification process
009

3.4.2 Risk Quantification and Analysis

Risk quantification and analysis involves evaluating risks and risk interactions to assess the range of possible outcomes. It is primarily concerned with determining which risk events warrant a response. A number of tools and techniques are available for the use of risk analysis/quantification and the analysis process. These are explained in Chapter 4.
The major output from risk quantification and analysis is a list of opportunities that should be pursued and threats that require attention. The risk quantification and analysis process should also document the sources of risk and risk events that the management team has consciously decided to accept or ignore, as well as the individual who made the decision to do so.
Dawson et al. (1995) believe that objectives in risk management are an important part of risk analysis. The purpose of risk management is to determine the balance which exists between risk and opportunities in order to assist management responses to tilt the balance in favour of the opportunities and away from risks. These risks and opportunities might appear different when viewed from a company perspective as opposed to the more usual ‘project’ perspective. The identification of risks and opportunities for a project should be based on the objectives for undertaking the venture, and for a company should be based on the objectives of the company. These two sets of objectives are different but inextricably linked; the objectives of a company might include, in the short term, more experience in a particular type of work, whilst the risks to a project enabling this to happen might be seen to affect the profitability of the project and the esteem in which the manager is held. Hence, in order to perform risk management the objectives must be clearly defined at each level of an organisation.
There are mainly two types of methods used in the risk quantification and analysis process. These are qualitative risk analysis and quantitative risk analysis.
Qualitative risk analysis consists of compiling a list of risks and a description of their likely outcomes. Qualitative risk analysis involves evaluations that do not result in a numerical value. Instead, this analysis describes the nature of the risk and helps to improve the understanding of the risk. In this way, analysts are able to concentrate their time and efforts on areas that are most sensitive to the risk.
Quantitative risk analysis often involves the use of computer models employing statistical data to conduct risk analysis. Qualitative and quantitative techniques are discussed in Chapter 4.
Figure 3.2 illustrates the risk quantification and analysis process.

3.4.3 Risk Response

Risk response involves defining enhancement steps for opportunities and responses to threats. Responses to threats generally fall into one of the following categories.
Figure 3.2 The risk quantification and analysis process
010

3.4.3.1 Risk Avoidance

Risk avoidance involves the removal of a particular threat. This may be either by eliminating the source of the risk within a project or by avoiding projects or business entities which have exposure to the risk.
Al-Bahar and Crandell (1990) illustrate the latter avoidance option with the example of a contractor wishing to avoid the potential liability losses associated with asbestos, and so never acquiring any project that involves operations with this material. The same scenario, but this time considered from the client’s perspective, also lends itself as an example of eliminating a source of risk within a project if the risk is avoided by redesigning the facility so that it uses an alternative material to asbestos.

3.4.3.2 Risk Reduction

Since the significance of a risk is related to both its probability of occurrence and its effect on the project outcome if it does occur, risk reduction may involve either lowering its probability or lessening its impact (or both). The severity of injuries from falling objects on a building site, for example, may be reduced by the compulsory wearing of hard hats, while the adoption of safer working practices can lessen the likelihood of objects falling.

3.4.3.3 Risk Transfer

Projects may be seen as investment packages with associated risks and returns. Since a typical project or business involves numerous stakeholders, it follows that each should ‘own’ a proportion of the risk available in order to elicit a return. For instance, if a project involves the construction of a facility, some risks associated with that construction should be transferred from the client organisation to the contractor undertaking the work; for example, the project is completed within a specified time frame. In consideration of this risk, the contractor will expect a reward. Contractual risk allocation will not be dealt with in detail here but the fundamental considerations are the same for all risk transfers regardless of the vehicle by which transfers are facilitated.
The example of the time frame in a construction contract can illustrate this. The party with the greatest control over the completion date is the contractor and, as such, is in the best position to manage this risk. The client stands to lose revenue if the facility is not built by a certain date and, to mitigate any such loss, includes a liquidated damages clause in the contract so that, if construction overruns this date, the contractor compensates the client for the loss. The contractor will consider this risk in its tender and can expect that the contract price will be higher than it would be in the absence of the clause; that is, the transferee imposes a premium on accepting the risk. However, if the revenue loss is likely to be too great for the contractor to compensate for, there is little sense in transferring the risk in this way.
Insurance is a popular technique for risk transfer in which only the potential financial consequences of a risk are transferred and not the responsibility for managing the risk.
Financial markets provide numerous instruments for risk transfer in the form of ‘hedging’. This is best illustrated by way of example: the fluctuation in the price of an input may be ‘hedged’ through the purchase of futures options so that in the event of a future price rise, the (lower than current market value) options soften the effect. Consequently, the benefits of a price decrease are lessened by the cost of the futures options. Options, futures, futures options, swaps, caps, collars and floors are only some of the instruments available to cover such risk.
Basically, risk transfer is the process of transferring risk to another participant in the project. Transferring risk does not eliminate or reduce the criticality of the risk, but merely leaves it for others to bear the risk. Flanagan and Norman (1993) state:
Transferring risk does not reduce the criticality of the source of the risk, it just removes it to another party. In some cases, transfer can significantly increase risk because the party to whom it is being transferred may not be aware of the risk because the party to whom it is being tranferred may not be be aware of the risk they are being asked to absorb.
Therefore, several factors have to be considered when making the decision to transfer risks. Who can best handle the risks if they materialise? What is the cost/benefit of transferring risk as opposed to managing the risk internally?

3.4.3.4 Risk Retention

Risks may be retained intentionally or unintentionally. The latter occurs as a result of failure of either or both of the first two phases of the risk management process, these being risk identification and risk analysis. If a risk is not identified or if its potential consequences are underestimated, then the organisation is unlikely to avoid or reduce it consciously or transfer it adequately.
In the case of planned risk retention, this involves the complete or partial assumption of the potential impact of a risk. As suggested above, a relationship between risk and return exists such that, with no risk exposure, an enterprise cannot expect reward. Ideally, retained risk should be that with which the organisation’s core value-adding activities are associated (risk which the organisation is most able to manage) as well as those risks which may be dealt with more costeffectively by the organisation than external entities (since risk transfer and avoidance must necessarily come at a premium). Finally, risk reduction may only be cost effective up to a point, thereafter becoming more costly than beneficial.

3.4.4 Selection of Risk Response Options

At this stage of the risk management process, alternative risk response options will have been explored for the more significant risks. Either risk finance provisions or risk control measures (or both) for each risk now require consideration and implementation.

3.4.5 Outputs from the Risk Response Process

Each significant risk should be considered in terms of which project party should ‘own’ it and which risk response options are suitable for dealing with it. The most appropriate response option or options in accordance with the corporate risk management policy and, consequently, the response strategy or strategies must then be selected. Figure 3.3 illustrates the risk response process.

3.4.6 Risk Management within the Project Life Cycle

Risk management is not a discrete single activity but a dynamic process, which becomes continuously more refined through its repetition during a project’s life cycle. PMBOK (1996) suggests that each of the major processes of risk management will occur at least once in every phase of the project. (Projects are divided into several phases which are collectively referred to as the project life cycle.) Thompson and Perry (1992) and Simon et al. (1997) support the continuous application of risk management throughout the project life cycle, though the former observe that it is ‘most valuable early in a project proposal, while there is still the flexibility in design and planning to consider how the serious risks may be avoided’.
Chapman (1998) also addresses the issue of the application of a risk management process earlier or later in the project life cycle. He suggests that while earlier implementation will yield greater benefits, the lack of a project definition at this stage will make implementing a risk management process more difficult, less quantitative, less formal, less tactical and more strategic. Conversely, at a stage of more accurate project definition, where implementation is easier, it is less beneficial.
Figure 3.3 The risk response process
011
In light of the above, this initial implementation of the risk management process should not only facilitate appraisal decision making, but also be seen as the first cycle of the risk management process within the project life cycle.

3.4.7 The Tasks and Benefits of Risk Management

The task of risk management is not to create a project or business that is totally free of risks (no undertaking regardless of size and complexity is without risk), but to make the stakeholders aware of the risks, both negative and positive, help them to take well-calculated risks and to manage risks efficiently. As this is necessary in every project phase from identification to implementation and operation, risk management should be used in each of these phases.
Chapman and Ward ( 1997) believe risk management has the following benefits:
• The risks associated with the project or business are defined clearly and in advance of the start.
• Management decisions are supported by thorough analysis of the data available. Estimates can be made with greater confidence.
• Improvement of project or business planning by answering ‘what if’ questions with imaginative scenarios.
• The definition and structure of the project or business are continually and objectively monitored.
• Provision of alternative plans and appropriate contingencies and consideration concerning their management as part of a risk response.
• The generation of imaginative responses to risks.
• The building up of a statistical profile of historical risk which allows improved modelling for future projects.
The benefits of risk management can also be expressed as follows:
• Project or business issues are clarified, understood and allowed from the start of a project.
• Decisions are supported by thorough analysis of the data available.
• The structure and definition of the project or business are continually and objectively monitored.
• Contingency planning allows prompt, controlled and previously evaluated responses to risks that may materialise.
• Clearer definitions of specific risks are associated with a project or business.
• Building up a statistical profile of historical risk to allow better modelling for future projects and investments.
Risk management requires the acceptance that uncertainty exists, a thinking process with ingenuity and imagination, and also a realistic attitude of the management in the evaluation of possible risks. As risk analysis is part of risk management it helps the project or commercial manager to anticipate and thus control future events (with risk response) and not be taken by surprise by the occurrence of already identified risks. It must be stressed that realistic base data (realistic assumptions) concerning cost, revenue, duration and quality are an essential prerequisite for risk analysis. If the risk analysis is based on unrealistic base data (often the base data in feasibility studies are too optimistic) the results are not only unrealistic economic parameters but also can mislead investors and both project and commercial managers by giving the (unrealistic) base data a sort of scientific approval.

3.4.8 The Beneficiaries of Risk Management

In 1991 the Association for Project Management (APM) set up a special interest group (SIG) on risk management to conduct a survey of practitioners to identify the beneficiaries of implementing risk management. The results were published in its mini-guide on PRAM (Project Risk Analysis and Management) in March 1992. The beneficiaries are:
• an organisation (corporate and SBU) and its senior management for whom a knowledge of the risks attached to proposed projects is important when considering the sanction of capital expenditure and capital budgets
• clients, both internal and external, as they are more likely to get what they want, when they want it and for the cost they can afford
• project managers who want to improve the quality of their work, such as bring their projects within cost, on time and to the required performance.
The beneficiaries of risk management would be not only at the project level, but also at corporate and strategic business levels, as well as the stakeholders.
The potential benefits of implementing risk management can be categorised into two types:
1. ‘hard benefits’ – contingencies, decisions, control, statistics and the like
2. ‘soft benefits’ – people issues.
Table 3.1 The hard and soft benefits of risk management (Adapted from Newland 1992, Simister 1994)
Hard benefits
Enables better informed and more believable plans, schedules and budgets
Increases the likelihood of a project adhering to its plans
Leads to the use of the most suitable type of contract
Allows a more meaningful assessment of contingencies
Discourages the acceptance of financially unsound projects
Contributes to the build up of statistical information to assist in better management of future projects
Enables a more objective comparison of alternatives
Identifies, and allocates responsibility to, the best risk owner
Soft benefits
Improves corporate experience and general communication
Leads to a common understanding and improved team spirit
Assists in the distinction between good luck/good management and bad luck/bad management.
Helps develop the ability of staff to assess risks
Focuses project management attention on the real and most important issues
Facilitates greater risk taking thus increasing the benefits gained
Demonstrates a responsible approach to customers
Provides a fresh view of the personnel issues in a project
These are listed in Table 3.1.
Table 3.2 illustrates the differing views of academics and practising managers with respect to risk and risk management. Typically risk has been considered as a threat to industry whereas the academic view is that risk can have both threats and opportunities and should be considered in greater detail from which strategies can be developed and risk management constantly applied.
Any organisation that is complacent about managing the significant risks it faces will surely fail. The Turnbull Report (1999) is a reminder of this and is also an opportunity to review what an organisation has in place and to make the appropriate changes. Risk management can be considered as the sustainability of a business within its particular environment. In the past large corporate failures have occurred because risk assessment has been wrong or never even considered. Reichmann (1999) states:
One of the most important lessons I have ever learnt, and I didn’t learn it early enough, is that risk management is probably the most important part of business leadership.
Table 3.2 The views of academics and practitioners regarding risk and risk management
Academic viewView of practising managers
Risk is defined in terms of possible outcomes and variabilityRisk defined as the downside potential of a course of action
Risk can be calculated and factored in the expected outcome of a course of actionExperience and intuition are more highly regarded than mathematical models and ‘expected outcomes’
Risk is a key element of strategic managementNot adequately considered generally in management practice
Risk management assumed to be consistently appliedDifferent risk strategies applied in business areas depending on strategic importance
Risk is an objective measureRisk factors are subject to interpretation and gut feeling. The eventual outcome is likely to determine the quality of a decision; a bad outcome was a mistake in the first place
However, organisations do need to be pragmatic. Risk is needed in order to gain reward. This is clearly addressed in the Turnbull Report (1999) which states that ‘risk management is about mitigating, not eliminating risk’. By endorsing the Turnbull Report and complying with the Companies Act the board of directors of an SBU have overall responsibility and ownership of risks.
To manage risk effectively organisations need to have prevention and response strategies in place. Prevention strategies are there to help organisations understand the significant risks that they may face and to manage these risks down to acceptable levels. Response strategies need to be developed to enable organisations to respond, despite their efforts, to any risks that do crystallise, so as to reduce their impact as far as possible.

3.5 EMBEDDING RISK MANAGEMENT INTO YOUR ORGANISATION

Risk management cannot simply be introduced to an organisation overnight. The Turnbull Report (1999) lists the following series of events that need to take place to embed risk management into the culture of an organisation:
Risk identification. Identify on a regular basis the risks that face an organisation. This may be done through workshops, interviews or questionnaires. The method is not important, but actually carrying out this stage is critical.
Risk assessment/measurement. Once risks have been identified it is important to gain an understanding of their size. This is often done on a semi-quantitative basis. Again, the method is not important, but organisations should measure the likelihood of occurrence and the impact in terms of both image and reputation and financial impact.
Understand how the risks are currently being managed. It is important to profile how the risks are currently being managed and to determine whether or not this meets an organisation’s risk management strategy.
Report the risks. Setting up reporting protocols and ensuring that people adhere to such protocols are critical to the process.
Monitor the risks. Risks should be monitored to ensure that the critical ones are managed in the most effective way and the less critical ones do not become critical.
Maintain the risk profile. It is necessary to maintain an up-to-date profile in an organisation to ensure that decisions are made on the basis of complete information.

3.6 RISK MANAGEMENT PLAN

A risk management plan (RMP) forms the basis of all risk management actions and further risk activities for corporate, strategic business and project levels. Based on the findings reported in a recent questionnaire (Merna 2002) the contents of such a plan might be:
• assignment of risk management responsibility
• the corporate risk management policy
• risk identification documentation – risk register, initial response options
• risk analysis outputs – risk exposure distribution within the project, most significant risks, variation of project outcome values with risk occurrences, probability distributions of project outcome values
• selected risk response options – risk allocation among project parties, provisions, procurement and contractual arrangements concerning risk, contingency plans, insurance and other transfer arrangements
• monitoring and controlling – comparison of actual with anticipated risk occurrences, control of the project with regard to the RMP
• maintenance of the risk management system – measures to update and maintain the RMP continuously and refine it
• evaluation – recording risk information for further RMP cycles within the project and for future projects.
Fraser (2003) highlights some key recommendations that are fundamental for the development of a successful risk management system (RMS):
• Executive level sponsorship and leadership for the programme is required.
• An RMS requires cultural and behavioural change.
• The operating management and business owners must take ownership of and be committed to the programme.
• There must be a formal structure and framework in place – the approach has to be transparent and when risks are identified and prioritised, information has to be shared across the board.

3.7 EXECUTIVE RESPONSIBILITY AND RISK

Risk management itself is fraught with risk. Any company that adopts an inappropriate approach to risk runs the danger of seriously damaging its business. It is important that companies understand that risk management is not an add-on but an integral part of the business. Often risk management forms part of an integrated management system along with quality management, planning, health and safety management, and change management. In a competitive economy, profits are the result of successful risk taking. If you are not taking much risk, you’re not going to get much reward. Against this background, the Turnbull Report (1999) on companies’ internal control and risk management, endorsed by the London Stock Exchange in the same year, strives not to be a burden on the corporate sector, but rather to reflect good business practice. The present authors suggest that by accepting ‘best practice’ at each organisational level many of the risks emanating from poor practice will be alleviated. Companies should implement any necessary changes in a way that reflects the needs of their business and takes account of their market. As and when companies make those changes, they should discover that they are improving their risk management and, consequently, get a benefit that justifies any cost.
The Turnbull Report is not just about avoidance of risk. It is about effective risk management: determining the appropriate level of risk, being conscious of the risks you are taking and then deciding how you need to manage them. Risk is both positive and negative in nature. Effective risk management is as much about looking to make sure that you are not missing opportunities as it is about ensuring that you are not taking inappropriate risks. Some companies will seek to be more risk averse than others. However, all should be seeking to achieve a balance between encouraging entrepreneurialism within their business and managing risks effectively.
In order for a company to be able to identify what risks it is taking and those it is not prepared to take, it must first identify its long-term objectives. Some companies have been much better than others in identifying in a concise but operational way what their business is about. Having identified their objectives, companies should not seek to identify, say, 1001 risks. Boards of directors at both corporate and strategic business levels should focus on what they believe to be their main business risks. The authors believe a reasonable number to manage and concern yourself about is 15-25. These risks will depend on the industry and the particular circumstances of the company and its projects at any given time.
When assessing the risks an organisation faces it is important to have the full support of the relevant board and that they appreciate the importance and understand the benefits of risk management. The board should receive regular reports from management so that they are fully conversant with the risks identified and those which appear as more information becomes more apparent. There is a danger that if risk is not addressed in a holistic manner by the board, larger risks which are hard to define, such as corporate reputation, will not be properly addressed. They may be partially considered in each of the organisation’s decisions, but gaps will be left, or they may not be addressed at all. Recent evidence (Merna 2002) shows that in the past some companies viewed risk management in too narrow a way. Then risk management simply meant ‘insurance’. However, companies should stop and ask themselves:
• Have we got an integrated approach to risk management?
• How are the risks covered – by insurance, by internal audit, or simply at a loose end?
As with any process, the output is only as good as the input. Unless organisations have effective systems for identifying and prioritising risks, there is a danger that they will build their controls on very shaky foundations. Having an effective system means that people at all levels, in different parts of the organisation, are involved in determining its main risks. Unless this is done, the danger arises that the organisation’s RMS will be no more than a bottom-up process where lots of people work independently, resulting in aggregated ideas adding very little input. At the other end of the scale, the opposite may occur. If the identification and prioritisation of risk is done at the top by one person, or by a group of people, they could miss some very important strategic business, project and operational risks. Ultimately it should not be about choosing a bottom-up or top-down approach. There needs to be a mixture of both.
The authors suggest that there are a number of benefits to project professionals of building a simple decision-making support package and integrating risk assessment into the frameworks or standards they need to adhere to in their respective industries, which include:
• provides an easy and flexible structure to manage data and associated software
• promotes earlier management buy-in to a project
• prompts users to challenge and validate that data used are suitable, thus reducing risk
• provides a simple yet effective framework for decision making (as risk management is part of the decision-making process) and data storage
• provides a basis for identification and interrogation of subjective decisions and their associated risks
• decisions can be structured on the basis of confidence to proceed to the next decision
• reduction of risk associated with incorrect or out-of-date data
• provides quality assurance by allowing users to validate or challenge decisions
• all data, players and decision logic can be revisited
• decisions can be made in parallel and retraced
• decisions can be deferred due to insufficient data, unsuitable software or non-availability of decision-makers
• ensures that all stakeholders with input are involved in decision making
• decisions can be made in advance, if beneficial to do so, in the knowledge that all necessary data are available
• the system can be continually updated to accommodate new data and software
• can be accessed by any project team member at any stage of the project life cycle
• can be easily integrated into a project organisation.

3.8 SUMMARY

Risk management involves identifying risks, predicting how probable they are and how serious they might become, deciding what to do about them, and implementing these decisions. Despite the apparent widespread uptake of risk management, the extent to which risk processes are actually applied is somewhat variable. Many organisations adopt a minimalist approach, doing only what is necessary to meet mandatory requirements, or going through the motions of a risk process with no commitment to using the results to influence current or future strategy.
This chapter has discussed risk management, not only at the project level but at corporate and SBU levels. To ensure that risks are assessed effectively at all these levels it is paramount that a risk management process is developed so that all stakeholders are made aware of the risks associated with an investment.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.145.95.7