David Hillson explores the critical success factors for using risk management for strategic advantage while retaining its use as a tactical tool
Risk management is an essential tool for tackling the inevitable uncertainty associated with business at all levels. However, its use is often restricted to the technical or operational field, addressing threats to processes, performance or people. Recent developments seek to broaden risk management's scope to include strategic risks to the business, and to address upside opportunities as well as threats. Such a holistic approach positions risk management as an essential bridge between strategic and tactical levels.
Strategy, tactics and risk
Businesses exist to create benefits for their stakeholders, and the corporate vision or mission statement defines the scope and extent of those benefits. However, vision alone does not create business benefits. Many organisations use projects as the change vehicle to deliver the capability which leads to the required benefits, perhaps managing related projects through higher-level programmes.
Defining the vision and business benefits is the realm of strategy, whereas projects, programmes and their deliverables describe the tactics by which the strategy is achieved. Project objectives sit between the strategic and tactical levels, since they are defined in relation to the strategic vision, but they in turn define the requirement for projects. Many projects fail because of a disconnection between strategic vision and tactical project deliverables, often as a result of poorly defined project objectives. This space between the two levels of strategy and tactics requires careful and proactive management if projects are to succeed in delivering the required benefits to the business. Yet it is precisely in this area occupied by project objectives that businesses are most at risk.
All business activity is undertaken in an environment of uncertainty, which arises from a range of sources. These include technical issues, commercial constraints, management issues and external dependencies. Successful businesses, however, do not seek to avoid uncertainty, but recognise the relationship between risk and reward. The zero risk enterprise or project does not exist. Indeed, it is not desirable, since the available benefits are determined to a large extent by the degree of risk an organisation is prepared to confront.
But risk is not the same as uncertainty. Risk arises when uncertainty has the potential to affect objectives, and can be defined as 'any uncertain event or set of circumstances that, should it occur, would have an effect on one or more objectives'. There are uncertainties that cannot affect objectives, and which are therefore not risks. It is this relationship between risk, uncertainty and objectives that makes risk management such an important contributor to both project success and business benefits.
Project objectives provide the link between the overall vision and the projects established to implement that vision. They also define the acceptance criteria for project deliverables which provide the capability to realise business benefits. Project objectives are, however, affected by uncertainty, resulting in a level of risk exposure. Risk management exists to address this risk exposure, leading to an acceptable and manageable level of risk. This increases the chance of meeting project objectives, which in turn maximises the likelihood of achieving the required business benefits. As a result, there is a clear link between risk management and business performance: effective risk management should lead to realised business benefits.
Risk management is a mature discipline with its own processes, tools and techniques, and with consensus about its main concepts and practices. Nevertheless, projects still fail to meet their objectives, and businesses are deprived of the benefits, despite the theory that risk management should contribute to business success. Why is risk management failing to live up to its potential?
At least part of the problem lies in the scope with which risk management is commonly applied. In most cases, the risk process concentrates on risks to projects, processes, performance and people, either addressing risks relating to technical functionality, or tackling issues of health and safety. The focus is almost entirely tactical, and does not consider strategic sources of risk which might affect either the project or the wider business.
The second limitation is that risk management commonly restricts its scope to dealing only with uncertainties that have a potentially adverse affect, in other words threats. This ignores upside risk, or opportunity, which can be viewed as risk with positive impact. Many organisations are beginning to extend the risk process to deal equally with both opportunity and threat, seeking to maximise the benefits as well as to minimise the downside.
The current tendency of risk management to deal only with tactical threats in the project arena reduces its ability to tackle the strategy/tactics gap outlined above, since the risk process only considers one side of the equation. This has a number of negative consequences, which include reinforcing the disconnection between projects and their strategic roots. This results in projects being focused entirely on their deliverables instead of on the intended benefits. There are many examples of projects which are successfully delivered on time, within budget and to performance, (thus meeting their deliverables), but which fail to realise the expected benefits to the organisation.
The one-sided focus on threats also denies organisations the chance of exploiting opportunities through the risk process, and results in a one-way street, where the only option is project failure to a greater or lesser extent. Including both threats and opportunities within the risk process increases the chance of meeting project targets on the swings and roundabouts principle.
For risk management to bridge the gap between strategic vision and tactical project delivery, two modifications are required to the scope of the typical risk process. The first change is to include strategic elements, and the second is to include opportunities.Strategic risk management
Extending the existing risk management approach to cover strategic risk is a simple task of building on what is currently in place. The typical risk management process has the following steps:
This process can be extended to address strategic risk in addition to the tactical area, simply by focusing on uncertainties which might affect strategic objectives. If a risk is defined as 'an uncertainty which, if it occurs, would affect one or more objectives', it becomes possible to define various types of risk by reference to the different objectives affected. So tactical risks are uncertainties that could affect tactical objectives, and strategic risks are uncertainties that could affect strategic objectives. The same is true of risks to reputation, environment, safety, projects or programmes. The primary requirement for implementing strategic risk management is therefore to identify those strategic objectives which might be affected by uncertainty.
The other change to the tactical risk process to enable it to be used for strategic risk management is identification of roles and responsibilities at an appropriate level. Where tactical risks might be managed by the project manager, strategic risks are the responsibility of senior management. It is therefore necessary to consider who will own the risk process and the individual risks at the strategic level.
With these modifications, the standard risk process can be applied at a strategic level.
If such a broadened approach is adopted however, it is important to ensure a clear relationship between the different levels of the risk process. This requires use of shared language and definitions for risk, a common risk process framework, a supportive risk-aware culture, and staff at all levels who are committed, competent and professional in their approach to risk management. These are the characteristics of a 'risk-mature' organisation, able to handle risk effectively at all levels.
The definition of risk used above allows the inclusion of opportunities in the risk process, since an opportunity is simply an uncertainty with a positive effect on an objective. In the same way that the typical tactical threat-based risk process can be extended to deal with strategic risks by focusing on strategic objectives, the process can be modified to address opportunities by including upside risk.
The standard steps outlined above can be applied equally to proactive management of opportunities, including planning, identification, assessment, response development, monitoring, and review. Some process modifications might be appropriate to encourage opportunity identification, and different response strategies are required.
It only requires a small process change to include upside opportunities in the typical risk process, although a more significant change may be required in the attitudes and habits of the people involved, who often find it hard to escape the threat-focused mentality.
This change to include opportunity within the definition of risk, and, by implication, to include opportunity management as part of the risk process, is increasingly being adopted across the risk practitioner community, and is reflected in the various risk management standard documents published by national and international organisations as well as relevant professional bodies.
Integrated risk management
The disconnection which often occurs between strategic vision and tactical project deliverables arises from poorly defined project objectives and inadequate attention to proactive management of risks. On the risk management side, the main failure is the narrow focus on tactical threats. This can be overcome by widening the scope of risk management to encompass both strategic risks and upside opportunities, creating an integrated approach to bridge the gap between strategy and tactics.
Integrated risk management addresses risks across a variety of levels in the organisation, including strategy and tactics, and covering both opportunity and threat. It can create significant strategic advantage by bridging the strategy/tactics gap, enabling successful project delivery and realisation of business benefits.
Dr David Hillson is a director of Project Management Professional Solutions Limited (PMProfessional). e-mail: dhillson@PMProfessional.com, www.PMProfessional.com
Benefits of an integrated approach
Effective implementation of integrated risk management can produce a number of benefits to the organisation, which are not available from the typical limited-scope risk process. These include: