
Risk Management for Project Driven Organizations: A Strategic Guide to Portfolio, Program and PMO Success
Product Details
| ISBN-13: | 9781604270853 |
|---|---|
| Publisher: | Ross, J. Publishing, Incorporated |
| Publication date: | 05/01/2013 |
| Pages: | 360 |
| Product dimensions: | 6.00(w) x 9.00(h) x 1.00(d) |
Read an Excerpt
CHAPTER 1
Business Level Risk
You are an exceptional risk manager. Every day you make numerous decisions that require an analysis of the likelihood and impact of different possible results, and your actions are driven in part by the outcome of that analysis. Our education and training are geared around trying to make these analyses automatic in favor of the conservative option — not crossing the street unless there is a Walk sign, not accelerating at a yellow light, leaving home in time to ensure that we aren't late arriving at work, etc., but the decision is still ours to make. If we want to leave home late, accelerate through every light as it is changing, and then dodge traffic jaywalking between the parking lot and the office, we have the ability to make the decision to do so, with the understanding that the risk of a negative outcome is higher than if we were to leave home a few minutes earlier and take a more conservative approach.
Your environment will also impact the decisions that you make — it offers additional input into the risk analysis. For example, you will drive slower on a snowy night than you will on the same road on a sunny day. Finally, your motivations will impact your risk analysis — it's easier to resist the ice cream sundae when you are feeling energetic and positive than it is at the end of a bad day when nothing seemed to go right.
When you spend a few minutes thinking about it, there are literally hundreds of decisions a day that involve some degree of risk analysis, and yet few of those analyses are taken consciously. The risks are simply processed alongside everything else, and you either hit the brake pedal or the gas pedal when you see the light start to change, depending on the outcome of all those calculations. There is minimal, if any, conscious effort put into the calculations.
The same is true in organizations. Virtually every decision that the executives of an organization make will require some degree of risk analysis, but in most cases, it's not a formal process unless the decision is considered to be major. Instead, it's just part of the job, one of the many variables that go into the responsibilities of an executive. In fact, if we think back to the concepts we explored in the introduction, we said that to be considered a risk there had to be the potential to impact objectives, and even CEOs of Fortune 500 companies make their share of fairly innocuous decisions. There may be degrees of uncertainty associated with those less critical decisions, but if things don't go according to plan, the impact won't affect the company's ability to achieve its objectives.
External Risk Environment
How can an executive be sure whether their decisions are insignificant or potentially business destroying? They need to understand the risk environment within which they operate, just like you need to understand the risk environment within which you operate when you are driving that car and deciding what to do at the changing traffic signal.
For organizations, that environment consists of a number of variables outside its direct control but that still have the potential for dramatic impact. Some of these categories are related to the company's own internal risks, and some are completely independent. In most cases, there are opportunities to influence and control some of these external risk categories, but that's risk management and we're getting ahead of ourselves.
The major categories of external risks are shown in Table 1.1. You can see from that list that they collectively cover virtually everything around the company — its physical locations, its relationships with all external stakeholders, and its markets. That's not coincidental. Organizations don't exist in a vacuum, and the way that they interact with their environments will create new risks and influence existing ones.
In many cases these risks are fairly slow moving — changes to regulatory frameworks tend to be planned months or years ahead. Governments change generally only every few years, and even then tend to evolve rather than revolutionize; economic growth or contraction usually has warning signs ahead of the main impacts. This often results in a degree of organizational complacency when considering these risks. If there's no upcoming election then political risks get ignored. If the latest round of regulatory reporting improvements happened last year then the assumption is that they will be stable for the next couple of years at least.
Similarly, elements of these risk categories are considered too insignificant to worry about — for example, a location in an area of seismic activity. This is a geographic risk that exists, but it is often completely ignored from a risk management perspective simply because the likelihood of anything more than a minor inconvenience occurring is considered extremely remote. That's fair enough, but even if there is only a 1 in 100 chance of a devastating earthquake in any given year, it's still a possibility, and the impact will be severe. If the company has ten such 1 in 100 risks, the law of averages says that one of them will occur every 10 years. Now we are starting to play dangerous games if we ignore them.
Of all of the environmental risk factors identified above, the only one that consistently gets active risk management attention is the area of competitive risks. Even here the management is frequently reactive rather than proactive. Organizations don't drive internal initiatives based on the possibility of a competitor taking certain actions; rather, they wait for a competitor to announce that they have the feature (or at least for rumors of it to emerge), and then they respond. Technically this is now an internal risk, and we'll look at those next. This approach can be a devastating strategy for the organization, and we don't have to look far for two recent examples.
In the 1980s and 1990s, Sony dominated the portable music market with the Walkman and then the CD Walkman. The name became synonymous with the product, and competitors struggled to gain a tiny share of the market. However, Sony didn't consider the risks of competition; they didn't see Apple coming, and when the iPod launched in 2001, Sony was virtually wiped off of the portable music player map. For Kodak, the situation was even worse. The company went from dominating film photography to bankruptcy because it failed to recognize how digital photography would change its market — despite being part of the invention of digital imaging.
We'll look at risk management approaches in much more detail later in the book, but I have no issues with organizations adopting a strategy of risk acceptance for most external risks — the conscious decision not to invest in active risk management because the return on the investment is not there. Consider the traffic signal example again — you can't influence when it changes, so why would you try?
However, that doesn't mean that the risks should be ignored because the impact will still be real, and you need to understand the consequences if the risk triggers — develop contingency plans, potentially alter business decisions to avoid exposing the organization to some of the risks, etc. This is where many organizations fall down, particularly on the less obvious risks. It's fairly easy to stay abreast of economic risks because the economy is an integral part of the information that we are exposed to every day as human beings, but what if a competitor is expanding in one of the cities that you have a manufacturing plant in? How confident are you that you will know that in time to plan for the potential loss of resources? If you do find out, will it be because of a conscious strategy to stay aware of your environment or through someone overhearing something or through reading an article by chance?
Generally speaking, organizations have considerable room for improvement when it comes to understanding and reacting to their external risk environment.
Internal Risks
In addition to the risk environment within which the organization operates, there are the more direct categories of risk that are driven internally. These categories of risk are affected by the organization's own actions and as a result are the ones that tend to get the most focus. These risks will likely be more familiar to you, and as is so often the case, they are almost exclusively considered in a negative sense. However, all of these can have opportunities (positive risks) as well as threats (negative risks).
Traditionally four categories of these business risks are identified: compliance, financial, operational, and strategic. Table 1.2 provides an overview of those categories along with an additional category that I have added — technological. The risks that an organization faces from within — the risks associated with operating the business — will fall into one or more of these categories. While each individual risk may not be categorized into one of these buckets, it's important to understand the areas that drive risk within the organization. This will provide the organization with an appreciation for where it is exposed to threats and/or has opportunities that it may be able to exploit. However, we can't simply consider each of these as isolated factors; they combine to define the organization's overall risk profile.
The risk profile is simply a summary of the risks faced by the organization. It is not a risk management tool. It doesn't have enough detail for that, but it is a simple way to view the organization's risk exposure that can be used as an input to the corporate decision-making processes to ensure that decisions are taken with a complete, accurate, and current set of information. If we think of the risk exposure to all of the factors discussed as data elements in the process then the organizational risk profile is the tool that processes that data into actionable management information.
Later on in this section we'll look in more depth at the theories behind a risk profile, and we'll explore some practical tools for creating and maintaining the profile.
Risk Inevitability
Before we leave this overview and start delving deeper into specific risk elements, let's look briefly at the reality of risks. If we go back to our driving analogy, the only way to avoid the risk of having to deal with a changing traffic signal is to never drive anywhere with traffic signals. Most of us would agree that as a strategy that approach has a significant downside. In the vast majority of scenarios, we have to accept that the risk exists and that we may need to deal with it. If we eliminate the risk entirely (don't drive near traffic signals) then we may not be able to complete our functions as people — getting to work, running errands, socializing, etc., or we will subject ourselves to other risks — driving on more rural roads that are less well lit, have inferior road surfaces, fewer signs, or a greater chance for wildlife in the road. For most of us it simply is not practical to eliminate the risks presented by traffic signals.
The same is true for organizations; risk is not only inevitable, it is necessary. Those of you who have studied risk in the context of project management will probably have learned that risk elimination is a legitimate risk management strategy, and it is; however, it can only be used in some situations. You simply cannot eliminate all project risks without also eliminating the project itself.
At the organizational level, it is no different. Accepting a decision means accepting the risks that are associated with it. Elimination of one group of risks will result in additional or increased risk exposure elsewhere, likely with minimal impact on the overall risk picture. If the risks can't be accepted then the decision can't be made, but that is still only a transfer of risk elsewhere. For example, if an organization has $100 million to invest into the project portfolio in the next 12 months, then the expectation is that the $100 million will be invested. If a $20 million project is rejected because the risk/return calculation is unacceptable, then that $20 million needs to be allocated to other projects and the risks that are associated with them, or not invested at all with the risks associated with not being able to get the same level of potential return.
A commercial organization exists to make money and to do that it needs to make investment decisions that strive to maximize opportunities while minimizing threats — and that requires strong organizational risk management. Public sector organizations may not have the same profit driven goals, but they are still expected to deliver their services as efficiently as possible — doing the most for the lowest cost. That requires maximizing opportunities and minimizing threats — risk management.
In this first section of the book, we are going to focus on the foundations of risk management, culminating in the development of an organizational risk profile that will summarize the organization's risk capacity and risk tolerance. However, before we get there, we are going to need to understand a few risk-related concepts.
CHAPTER 2
Risk Relationships
In the previous chapter, we looked at the different categories of risk from both inside and outside the organization. This gives us foundation knowledge, a basic understanding of the risk source, and potential impact on the organization. However, this understanding is still far too basic to be able to effectively manage the risks with any expectation of success. Effective risk management requires a detailed understanding of how the risks relate to one another; how they will respond to different management approaches; and how much time, effort, and money will need to be invested before a meaningful impact on the risk is achieved.
The first step is to understand how each individual risk and risk category interacts with others — the relationships between risks. As an example, think about a change that occurs within an organization — say the retirement of an executive. That single act will have a lot of impact — maybe a new executive will be brought in from outside who will want to bring some people with him or her and that will cause moves and changes. They may decide to reorganize, which will drive some other changes. Some of their staff may not like the changes and leave, creating openings for others to be promoted and in turn for someone to be hired to fill their old position. That one single act — the retirement of a senior individual — can create a cascading impact that ultimately results in the hiring of someone new in the mail room.
The same situation occurs with risks. A change in one risk can have a wide-ranging effect elsewhere in the organization, and if we don't understand that those relationships exist and the potential impact they may cause, then we will never be able to develop an effective risk management strategy. There are two types of relationship between risks that we need to consider:
1. Risk driven relationships. In these cases the risk itself is driving associated risks. As one risk changes its profile, it drives change in associated risks.
2. Action driven relationships. In these cases, the actions that we take to try and control the risk drive changes to related risks. This effectively requires a compromise in our risk control activities.
Of course, both situations may exist for the same risk. In fact the risks that have the most risk driven relationships are often the most serious. Therefore, they are the ones that are in the most need of actions being taken, even if those actions themselves drive additional risk exposure. Consider also that the relationships are not always negative. By taking actions to manage one risk we may be creating or increasing an opportunity (positive risk) elsewhere, or we may be mitigating a related threat (negative risk).
Risk Driven Relationships
Let's start with an example of this type of relationship to help us recognize it. Suppose that an organization is having problems with a systems upgrade that will deliver new regulatory reporting — the system is failing quality assurance, and the schedule is being delayed. As a result there is a high likelihood that the organization will fail to make the deadline for the new reporting requirements (increased compliance risk). The regulator will then have the option to impose fines on the company for noncompliance (increased financial risk), lower the company's rating (reputational risk), and subject the company to increased monitoring and audit requirements (increased regulatory risk).
(Continues…)
Excerpted from "Risk Management for Project Driven Organizations".
Copyright © 2013 Roffensian Consulting Inc.
Excerpted by permission of J. Ross Publishing, Inc.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Table of Contents
Dedication
Preface
Acknowledgments
About the Author
Introduction
Section 1
1 Business Level Risk
External Risk Environment
Internal Risks
Risk Inevitability
2 Risk Relationships
Risk Driven Relationships
Action Driven Relationships
Managing Relationships
3 Risk Impact
Project Level Risk Impact
Program Level Risk Impact
Portfolio Level Risk Impact
Organizational Level Risk Impact
PMO Level Risk Impact
Impact Containment
4 Risk Command and Control
Understanding Risk Exposure
Ability to Withstand Risks
Risk Analysis Accuracy and Currency
Appropriateness of Risk Management Approaches
Effective Command and Control
5 Creating an Organizational Risk Profile
Theory of the Profile
Risks to Which the Organization Is Exposed
Risks Consciously Accepted
Ability to Influence, Control, and Absorb Risks
Building a Risk Profile
Understanding the Numbers-Risk Management
Understanding the Numbers-Risk Impact
Understanding the Numbers-Capacity
Analyzing the Profile
Ownership of the Organizational Risk Profile
Section 2
6 The Risk Management Partnership
Process Partnership
People Partnership
Beyond Risk
Organizational Partnership
7 The Organizational Risk Management Process
The Constraints Hierarchy
Sequencing of Organizational Risk Management
8 Process Framework-Risk Identification
Inputs
Process Elements
Outputs
9 Process Framework-Risk Analysis
Inputs
Process Elements
Outputs
10 Process Framework-Risk Management
Inputs
Process Elements
Outputs
11 Process Framework-Contingency and Impact Assessment
Inputs
Process Elements
Outputs
12 Process Framework-Adjust and Refine
Variations from within Risk Management
Externally Driven Variations
13 Portfolio Level Risk Management
Portfolio Risk Management in Context
The Scope of Portfolio Risk Management
Resourcing Portfolio Risk Management
Managing Portfolio Risk Changes
Strategic Portfolio Risk Management
14 Program Level Risk Management
Program Risk Management in Context
The Scope of Program Risk Management
Program Risk Management Downloading
Program Risk Management Uploading
Resourcing Program Risk Management
Program Risk Changes and the Impact of the Portfolio
The Impact of Time on Program Risk
15 Impact of Organizational Risk Management on Projects
Project Risk Management Fundamentals
Portfolio and Program Driven Change
Portfolio and Program Generated Risk Management
Project Generated Portfolio and Program Risk Exposure
16 The Role of the Project Management Office
A Note about EPMOs vs. Traditional PMOs
PMO Functions Supporting Risk Management
Process Ownership
Organizational Culture
Education and Training
Skills, Knowledge, and Judgment Training
Process Training
Process Audit and Control
Control
Audit
Risk Audit
Process Improvement
Independent Facilitator
Expert Guide
Section 3
17 Overview to Implementation
It's a Project!
Implementing Risk Management Increases Risk
Commitment to the Work
Never Lose Sight of the Goals
18 Organizational Analysis
Portfolio Management Maturity
Process Environment and Culture
Risk Management Success
Risk Awareness
Organizational Constraints Hierarchy
Selecting Champions
Organizational Priorities
Organizational Needs
Leveraging the Analysis
19 Project Initiation
The Right Start
Identification of Stakeholders
Sourcing of Resources
Communication Strategy
Organizational Integration
20 Process Analysis
Understanding the Scope
Understanding the Scale
Validating the Approach
21 Process Development
Defining the Process Structure Framework
Process Creation Basics
Don't Reinvent the Wheel
From Framework to Process
What Should the Implementation Look Like?
Who Should be Responsible?
What Information Is Needed?
What Information Is Generated?
What Tools and Templates Are Needed?
What Are the Exceptions?
What Support Material and Process Is Required?
Finalizing the Process
22 Process Implementation
Determining the Pilot Approach
Pilot Implementation
Organizational Risk Management Pilot Issues
Missed Risks or Missed Impacts
A High Number of Triggered Risks
Ineffective Risk Management
Failed Contingency
Process Rollout
Project Closeout
23 Process Improvement
Organizational Implementation Review
Continuous Improvement
Review and Implementation Process
24 The Impact of Technology
Risk Management and PPM Software
Other Technology Considerations