Are alliances, joint ventures and outsourcing a means of risk mitigation - or a risk nightmare? asks Richard Anderson

Received wisdom says that outsourcing, joint ventures and entering into alliances are all excellent forms of risk mitigation. However, unless certain prerequisites are established, they are all too likely to result in risk nightmares.

Relevant developments

There have been many changes in the economic and political environment within which we work. Five are particularly relevant to this issue.

- SPEED OF CHANGE: the world is becoming faster, smaller, different. The rate of change is increasing. This has enormous consequences for business.

If internal controls (risk responses) are based on what went wrong in your own or a neighbouring business, they will typically be addressing yesterday's problems, rather than tomorrow's.

- LACK OF HISTORY: the speed of change necessarily creates an increasing lack of trust within organisations. Turmoil, downsizing, mass redundancies, off-shoring and other measures mean that UK employees generally continue to register the lowest levels of morale ever recorded. The result is mobile workforces that have little or no allegiance to the organisations for which they work. They are effectively duplicating the lack of allegiance that organisations have shown to them. Employee turnover rates are consequently at an all-time high. In the context of a rapidly changing world, with rapid staff turnover, who knows what about the organisation?

- INCREASING CONNECTIVITY: it used to be possible to define the boundaries of an organisation. This is no longer possible - boundaries are increasingly permeable. To take just one example: PPP/PFI contracts demand that complementary skills are drawn from different partners, either in a joint venture or some other alliance. Cost pressures are forcing outsourcing and off-shoring.

Takeovers, mergers and joint ventures, real and virtual, are the norm. These all result in changes to the dynamics of control, leaving organisations to apply sticking plasters from previous experience, which, because of the changing nature of commercial history and business relationships, is no longer relevant.

- STAKEHOLDER INTEREST: social and political developments over the last decade have greatly heightened interest in the activities of all organisations, especially those that have a major impact on the environment. Where stakeholders used simply to be the management, shareholders and employees, it is now the case that an increasingly wide range, including customers, third world suppliers, government, NGOs and the public at large, expect to have a voice in the running of a business.

- REGULATION: privatisation heralded the era of large scale regulators. This era has been embraced by the current UK government, which continues to build bigger and stronger regulatory environments. Older regulators, such as the Health and Safety Executive, talk about 'eliminating workplace injuries'. The Financial Services Authority has sweeping powers to license individuals and firms in the financial services industry, but is taking on ever increasing remits as it reviews the listing rules and monitors stock market activities.

All of these developments have come together in corporate catastrophes, such as Enron, WorldCom and Andersen in the US, and Maxwell, BCCI, Barings and Marconi in the UK. The list goes on.

How does risk management fit in?

Before looking at the role of risk management in joint ventures, it is worth considering just what is meant by the term. It is now generally accepted in business life that a risk is an event which might occur in the future, which, if it happens, will affect the ability of an organisation to achieve its objectives. To expand a little: the uncertainty of a risk may relate to its nature, its timing, its likelihood or its impact.

The importance of this definition is that it ties risk to the commercial objectives of the organisation and their achievement. Risk is therefore of prime importance to the manager, and risk management is about identifying, assessing, and responding to risks so that the gross exposure is reduced to an acceptable remaining net exposure.

Diagram 1 shows an example of how risk management is linked to the achievement of business objectives and Diagram 2 shows one illustrative path through the connections. The diagram shows risk in its traditional location, somewhere near the bottom of the organisation. In practice, risk management is exercised from the board down: what could go wrong with my five year plan? How do I ensure that the value drivers are achieved? What programmes do I require to drive value? One person's risk defines their subordinate's objectives. One person's control is the next person's risk. Objectives, risks and controls create a fine mesh that is the DNA which defines the organisation.

In essence therefore, risk management is the task of ensuring that the linkages between value creation and risk responses are in place and are functioning.

This process is complicated even when looked at within the boundaries of an organisation - especially one facing a rapidly changing market place, where value drivers can change in real time and staff turnover is at an all-time high. The efficiency of this process in a traditional economic unit - an enterprise - is dependent on the skills of management in fostering and managing the linkages.

However, where traditional boundaries become semi-permeable through alliances, joint ventures or outsourcing, the relationship between objective, risk and response is broken, with a third party taking on responsibility for a part of the chain. As Diagrams 3 and 4 show, the relationships become much more difficult to control once the internal linkages are broken.

It is often too easily assumed that outsourcing exports risk. Instead, outsourcing can frequently produce risk importing through risk dependency.

Where the linkages are broken and Company A is responsible for the objective, but Company B manages the likelihood and timing of achieving the objective (because it manages the risks or the risk responses), this gives rise to the dependency risk conundrum: who is managing what? For whom? And why? And how?

Exactly the same issues arise whether we are talking about alliances, joint ventures or outsourcing: the complicating factor is the number of parties to the relationship. The more there are, the harder it becomes to exercise control. So what is to be done with these extended enterprises?

Traditional responses, many of which remain valid even in today's world of virtual and real joint ventures and alliances, include:

- good definition of the scope of the joint venture, respective responsibilities, and appropriate management

- good legal documentation

- appropriate insurance cover.

But these all have shortcomings. The management route is more difficult by several orders of magnitude. Any lawyer will tell you that the legal documentation should only be relied upon as a last resort - where the objectives of a joint venture and its operation have broken down. And of course, insurance is a sticking plaster approach to management, in that it deals with the symptoms of problems, but not the root causes.

Consequently there are new approaches that you need to call on in order to ensure that the extended enterprise can work.

An intelligent partnership

Essentially, the answer is to create a risk intelligent partnership, which implies the creative collaboration of two or more risk intelligent organisations. A risk intelligent organisation is one which:

- has woven risk management into the DNA of the organisation

- is able to differentiate responses according to the type of risk

- is aware of the basis on which it engages with risks

- understands how to optimise the response to a given risk

- expects line managers to seek their own assurance

- builds risk management into the development of managers

- has a risk management perspective for all activities

- balances its attention to opportunities and risks

- deals with outsourced and inter-organisational risks

- is constantly conscious of its risk management performance.

Building trust, both internally and externally, and sharing risk management data between participants to the relationship are crucial in creating a partnership of risk intelligent organisations.

Being risk intelligent will include understanding which risks are day-to-day issues best left to those on the ground, which issues require specialist input, and which arise where new ground is being broken. It will also entail approaches to risk which are mature, balanced and above all compatible.

Risk maturity

Risk maturity is about four things.

- ATTITUDES - how do your people and those in your partner organisation feel about managing risk?

- KNOWLEDGE - how much do you, your people, and your partners' people know about the risks that they face?

- SKILLS - having recognised risks, what can you, your people and your partners' people do about those risks?

- SYSTEMS AND PROCESSES - do you and your partners have the necessary systems and processes in place to manage the risks?

By understanding your risk management maturity and that of your partner organisations you can:

- Understand your baseline risk management performance throughout the extended enterprise

- Develop an agreed perspective of the future of risk management within the joint venture, so that everyone involved knows what is involved in becoming a 'risk intelligent partnership'

- Know what steps you need to take to get better at risk management, how you will implement them and over what timescales

- Demonstrate your risk management performance to your joint clients, your partners and other interested stakeholders, so that they know how seriously you take risk management in the joint venture

- Demand compliance with your joint venture-wide 'risk intelligent' standards from essential non-joint venture partners, for example key suppliers.

Risk balance

To create and sustain long-term durability, extended enterprises must ensure that they leverage their risk culture, liberate the maximum amount of energy, and maximise their competitive advantage.

This is a fine balancing act. If you are too adventurous, the organisation may not be able to cope. On the other hand, if you are fearful of all the problems you might encounter, you will make no progress. If you overstretch your people, they may bend the rules, yet excessive corporate ethics can stop you moving because you are consulting tenuous stakeholder concerns.

To target success and hit the performance zone, the extended enterprise must manage these issues:

- The need for all members of the extended enterprise to take managed risk

- The need to avoid pitfalls

- The requirement for all organisations to create and sustain a performance culture

- The need to temper that with appropriate corporate ethics.

In each case, each partner organisation must be able to demonstrate these attributes to a sufficient, but not excessive, degree, and preferably with similar profiles between partners. The issue is to be able to plot each major partner against these four attributes: it is where a particular partner is outside the acceptable parameters that problems will occur.

Compatibility

Delivery of success within a joint venture has to be supported by assurance that risks are managed in the optimum way. Once again, this is a fine balancing act. If risk management is too flexible and informal, the organisation may expose itself to unwanted hazards. Conversely, too inflexible and formalised risk management means the organisation runs the risk of being stifled. In the light of industry-specific regulation, you need to identify what degree of flexibility will allow the maximum amount of energy to be liberated in taking the business forward.

The organisation must manage across five major headings:

- STRATEGY: is the risk management task about reducing the likelihood of a risk crystallising, or limiting the impact when it does?

- PEOPLE: is it about organisation-wide responses to hazards, or about the behaviour of individuals?

- DETAIL: is it a specific problem that requires focus, or is it a general set of issues?

- TASKS: does the organisation collect information, set policy or ensure action is taken?

- DRIVERS: is the organisation subject to stringent regulation, or is it something that is driven by the management or the culture?

All partners in the extended enterprise should be able to identify the approach taken, not only at a high level, but right across the business operations of the partnership and between different functions. It is in the gaps between partner organisations, where different approaches are adopted, that control is lost and organisations are most vulnerable.

The hallmarks

Historically, joint ventures have often been used in the belief that risks are being mitigated. However, the world is littered with failed joint ventures. This is in part because managers are often blind to dependency risk and because they settle for a reactive approach to risk management.

The solution is to work towards risk intelligent partnerships. The hallmarks of a risk intelligent partnership are:

- Trust, both between partners and also between the joint venture and the customer

- Achievement of objectives

- Better satisfied customers.

The hallmarks of risk intelligence within each of the partners are shown in the table below:

Clients placing major contracts frequently demand that contractors enter into joint ventures. While the initial focus is rightly on winning the work, making the alliance work once the contract is won has to be based on a shared understanding of what it means to be a risk intelligent partnership.

Richard Anderson is a director of consultancy Corporate Risk Group. E-mail: r.anderson@co-risk.com