Ben Davies warns of the danger that the practice of risk management will fail to help the achievement of project or business objectives, through a failure to focus on the actual management of risks.
The management of risk to business or project objectives is the key thing to be delivered from a risk management process. The phases of a risk process must work together to provide insight on risks and must incorporate explicit consideration of risk responses at each phase.
The 'management of risk'
Morris (1997) suggests that despite project management's long development as a discipline, its concepts, techniques, formal view and practices often prove to be inadequate to the task of successfully managing projects. He proposes that the subject be widened to that of the 'management of projects', incorporating traditional core project management topics such as scheduling and cost control, but also addressing newer topics, such as technology, strategy and politics.
The concept of the 'management of risk' is also a good basis on which to refocus the practice of risk management. Risk management often addresses new topics, as often that is where the risk lies. Risk management will examine risk associated with technology and strategy, so in a difference to the Morris argument, risk management needs to step back, look at the process as a whole and focus on its deliverables. The purpose of risk management is to help achieve project or business objectives through the systematic identification, assessment and management of risk. To do this, all stages of the process must work together with the explicit goal of the management of risk - actually doing something about the risks identified. After all, what is the point of identifying and assessing risk if you are then not going to do anything about it?
A great deal has been written on risk identification and assessment techniques, but with little focus on the deliverables from them and how important they are to the development of risk responses. David Hillson (1999) puts together a useful discussion on the subject, suggesting that consideration of risk responses are the weak part of the process. He states that the preceding stages need to be carried out satisfactorily to inform the development of risk responses.
This argument is strongly supported, but is felt to require more emphasis and clarification of 'satisfactorily'. The development of responses needs to be integral to each stage of the risk management process (RMP). The RMP must be seen as a whole rather than just a series of separate stages, or there is a danger they will be carried out in isolation.
Definition and scoping
If you asked your project team or business - What are we trying to do? What are our key objectives? Which are our most important objectives? - would they be able to give you an answer?
An understanding of key performance objectives is essential to the effective management of risk. In construction projects this has often been discussed in terms of the 'triangle of objectives' (Lock, 2003). However, this is often not used to explore the importance of each aspect relative to another and how trade offs can be made between them which can aid risk response development. The criticality of establishing objectives and the relative importance of them can be seen in the example of the Holyrood Inquiry. The consultant appointed by the Auditor General for Scotland and the Inquiry to provide construction expertise raised this issue, as noted in the report.
'The constraints of time, quality and cost are traditional considerations for most projects, and most clients profess that all three are equally important. It was important to identify whether one was more important that the others and to try and establish at the start what were the true aims and objectives'.
The report, set up to examine the huge overspend from an initial published figure of between £40m and £50m to its eventual £400m cost, notes in its conclusion that: 'Whenever there was a conflict between quality and cost, quality was preferred. Whenever there was a conflict between early completion and cost, completion was preferred, without in fact any significant acceleration being achieved.'
Table 1 outlines a structure which identifies sources of uncertainty which should be considered in the project definition process and explores the differing motives of the stakeholders. The conflicting agendas and objectives of various stakeholders are a major factor for the risk manager to consider.
A definition and identification of objectives stage forms part of the PRAM process, and the first stage of the IRM risk management standard, but little has been written on the importance of these phases to the management of risk.
The PRAM process also includes a specific focus phase, which sets out to define the scope and strategy for risk management in a given context. The focusing of risk management ensures detail is added to the process where required and increased importance placed on deliverables.
Risk identification
All RMPs have a risk identification stage. Chapman & Ward (2003) state in relation to the project life cycle that '... extensive early consideration of both risks and responses is the key to effective risk and opportunity management,' and suggest a number of benefits from the early consideration of responses:
- acting as a catalyst for the widespread search for options
- not overlooking key responses
- the identification of opportunities through the process of generating and reviewing responses.
More time and care are required in the identification and description of risks to help the development of responses. The way a risk is described can influence the type of response sought. An example in a risk register was noted as 'inability to recruit people with specialist skill x'. The response to this risk was to 'identify more people with skill x'. This response does not necessarily address the risk. The risk as described is an inability to recruit, implying that responses might be focused at reviewing the terms, conditions and packages offered. Other reasons should also be explored: perhaps the firm has a low profile for this sort of work and is not seen as an attractive proposition? With more careful thought, and by asking questions, a number of possible responses and areas on which further work might be carried out can quickly be identified. If the cause of this potential inability to recruit is a severe shortage of people with this skill and is described as such, a number of different responses may be more appropriate.
Risk structuring
The careful and explicit structuring of identified risks offers further benefits to the overall management of risk.
Grouping risks allows general and specific responses to be examined. General responses may go some way to responding to a number of risks and may offer benefits in terms of cost effective responses to risk. It is considered best to start with general responses which may be obvious or simple and add complexity and more specific responses in later iterations.
Risk ownership
Essential for the management of risk is identifying an owner (the person the risk impacts upon), and manager (the person best placed to manage the risk), for risks and responses as an explicit task. This is again often not considered in sufficient detail. Key failings associated with ownership may include:
- looking at the usual suspects, such as the immediate project team or internal stakeholders only
- not repeating this exercise as part of the iterative risk process to identify emerging stakeholders that can influence the achievement of objectives
- passing risk on without considering the incentive, experience, capacity, motivation and desire to manage the risk and its response.
If these issues are not considered, an inappropriate party may be allocated risks and responses, resulting in the failure of the management actions.
Risk assessment - estimation and the use of numbers
Poor scoping of a risk study can mean risk assessment does not offer additional insight and focus for management activities. Quantitative studies are commonly not well integrated in the risk process, and instead dominate it with the numbers becoming the key objective and output. Quantitative studies can offer benefits in terms of increased confidence in estimates and contingency allowances, but risk assessment is intended to help avoid time being spent on risks that are minor in terms of impact on objectives, and to focus on what is important (Chapman & Ward, 2003).
Unnecessary detail at this stage in early iterations is an uneconomic use of time and reduces the time available to be spent on response development for important risks. The development of contingency allowances is always considered to be an important but secondary objective.
Risk terminology - language confusion
'Risk' has many definitions and terminology issues continue when we look at ways of dealing with risk. 'Mitigation' is widely used as a generic or collective term for responses to risk. The term 'risk response' is preferred as 'mitigate' implies that risk is 'bad' and it does not take into account options such as changing the impact type (for example cost to time) or acceptance of the risk. 'Risk treatment' is also a widely used term, but again implies something bad that needs to be made better. Many types of response strategy are suggested and include avoid, transfer, mitigate and accept (Hillson, 2001) and optimising, transferring or retaining (IRM standard). Language issues can hinder the management of risk as the method of handling the risk is not fully understood. The list of response types identified by Chapman & Ward provides a comprehensive selection of responses for dealing with 'downside risk' (threats) and 'upside risks' (opportunities).
Risk responses
The selection of risk response types and development of actions draw on the insight and understanding developed from the previous risk management phases to actually do something about risk. The process moves from planning, searching for information and assessment, to control and action, identifying things to be done by stakeholders within timescales. This shift is not always recognised, with actions not incorporated into project or business plans and activities.
The large number of techniques being developed and practised to identify risks can also be used to develop responses. Why use them to only identify risks? Techniques such as pondering, brainstorming and HAZOP studies can be used to identify a wide range of risk responses. The SWOT framework can be used to assess responses, identifying strengths (low cost, effectiveness), weaknesses (only tackling impact, long term measure only), opportunities (is it a general response, does it open up efficiencies?) and threats (secondary risks arising from it, impacts on other tasks or responses).
The more formal presentation of responses by the use of risk/response diagrams (Chapman & Ward, 2003) may also help the development and explicit consideration of responses.
The structure of general and specific responses provides a very good way of thinking about responding to risks, but places added emphasis on the correct use of early risk management phases regarding the identification of sources of risk and their categorisation.
General responses can provide a cost-effective method of responding to many risks stemming from a common source, but additional layers of general or specific responses may need to be identified, developed and implemented to reach an acceptable level of risk. Secondary risks arising from the responses will also need to be identified and have responses developed for them.
Combinations of responses may be required but should be checked to ensure they are not mutually exclusive and do not have an impact on other business or project activities or objectives.
Conclusions
There is a danger that the practice of risk management will fail to help the achievement of project or business objectives through a failure to focus on the actual management of risks. To ensure this does not happen a number of recommendations have been suggested. The first is a refocus on the deliverables from each stage and how these inform the development of risk responses. Seeing the process as a whole and ensuring the process is undertaken with phases working together are essential. The second is the explicit consideration of risk responses at each stage. The use of identification techniques to search more widely for risk responses and more time and care on the development and then implementation of actions will ensure that the benefits of risk management are realised.
Ben Davies is corporate risk manager, Atkins, Tel: 01372 752815, Email: Benjamin.Davies@Fgould.com
References
AIRMIC, ALARM, IRM (2002) The Risk Management Standard
Chapman, C & Ward, S (2003) Project Risk Management Processes, Techniques and Insights. 2nd Edition. Chichester. John Wiley & Sons.
Hillson, D (1999) Developing Effective Risk Responses, Proceedings of the 30th Annual Project Management Institute 1999 Seminars and Symposium, Philadelphia, Pennsylvania, USA, Presented October 10-16 1999.
Hillson, D (2001) Effective Strategies for Exploiting Opportunities, Proceedings of the Project Management Institute Annual Seminars & Symposium, November 1-10 2001, Nashville, Tenn., USA.
Lock, D (2003) Project Management, Eighth Edition, Aldershot. Gower Publishing Ltd.
Morris, P.W.G (1997) The Management of Projects. London. Thomas Telford.
Simon, P; Hillson, D and Newland, K (1997) Project Risk Analysis and Management Guide (PRAM). High Wycombe. The Association for Project Management.
The Rt Hon Lord Fraser of Carmyllie QC (2004) The Holyrood Inquiry. Scottish Parliamentary Corporate Body, available from www.holyroodinquiry