David Hillson explores the critical success factors for using risk management for strategic advantage while retaining its use as a tactical tool

Risk management is an essential tool for tackling the inevitable uncertainty associated with business at all levels. However, its use is often restricted to the technical or operational field, addressing threats to processes, performance or people. Recent developments seek to broaden risk management's scope to include strategic risks to the business, and to address upside opportunities as well as threats. Such a holistic approach positions risk management as an essential bridge between strategic and tactical levels.

Strategy, tactics and risk
Businesses exist to create benefits for their stakeholders, and the corporate vision or mission statement defines the scope and extent of those benefits. However, vision alone does not create business benefits. Many organisations use projects as the change vehicle to deliver the capability which leads to the required benefits, perhaps managing related projects through higher-level programmes.

Defining the vision and business benefits is the realm of strategy, whereas projects, programmes and their deliverables describe the tactics by which the strategy is achieved. Project objectives sit between the strategic and tactical levels, since they are defined in relation to the strategic vision, but they in turn define the requirement for projects. Many projects fail because of a disconnection between strategic vision and tactical project deliverables, often as a result of poorly defined project objectives. This space between the two levels of strategy and tactics requires careful and proactive management if projects are to succeed in delivering the required benefits to the business. Yet it is precisely in this area occupied by project objectives that businesses are most at risk.

All business activity is undertaken in an environment of uncertainty, which arises from a range of sources. These include technical issues, commercial constraints, management issues and external dependencies. Successful businesses, however, do not seek to avoid uncertainty, but recognise the relationship between risk and reward. The zero risk enterprise or project does not exist. Indeed, it is not desirable, since the available benefits are determined to a large extent by the degree of risk an organisation is prepared to confront.

But risk is not the same as uncertainty. Risk arises when uncertainty has the potential to affect objectives, and can be defined as 'any uncertain event or set of circumstances that, should it occur, would have an effect on one or more objectives'. There are uncertainties that cannot affect objectives, and which are therefore not risks. It is this relationship between risk, uncertainty and objectives that makes risk management such an important contributor to both project success and business benefits.

Project objectives provide the link between the overall vision and the projects established to implement that vision. They also define the acceptance criteria for project deliverables which provide the capability to realise business benefits. Project objectives are, however, affected by uncertainty, resulting in a level of risk exposure. Risk management exists to address this risk exposure, leading to an acceptable and manageable level of risk. This increases the chance of meeting project objectives, which in turn maximises the likelihood of achieving the required business benefits. As a result, there is a clear link between risk management and business performance: effective risk management should lead to realised business benefits.

Current scope
Risk management is a mature discipline with its own processes, tools and techniques, and with consensus about its main concepts and practices. Nevertheless, projects still fail to meet their objectives, and businesses are deprived of the benefits, despite the theory that risk management should contribute to business success. Why is risk management failing to live up to its potential?

At least part of the problem lies in the scope with which risk management is commonly applied. In most cases, the risk process concentrates on risks to projects, processes, performance and people, either addressing risks relating to technical functionality, or tackling issues of health and safety. The focus is almost entirely tactical, and does not consider strategic sources of risk which might affect either the project or the wider business.

The second limitation is that risk management commonly restricts its scope to dealing only with uncertainties that have a potentially adverse effect, in other words threats. This ignores upside risk, or opportunity, which can be viewed as risk with positive impact. Many organisations are beginning to extend the risk process to deal equally with both opportunity and threat, seeking to maximise the benefits as well as to minimise the downside.

The current tendency of risk management to deal only with tactical threats in the project arena reduces its ability to tackle the strategy/tactics gap outlined above, since the risk process only considers one side of the equation. This has a number of negative consequences, which include reinforcing the disconnection between projects and their strategic roots. This results in projects being focused entirely on their deliverables instead of on the intended benefits. There are many examples of projects which are successfully delivered on time, within budget and to performance (thus meeting their deliverables), but which fail to realise the expected benefits to the organisation.

The one-sided focus on threats also denies organisations the chance of exploiting opportunities through the risk process, and results in a one-way street, where the only option is project failure to a greater or lesser extent. Including both threats and opportunities within the risk process increases the chance of meeting project targets on the swings and roundabouts principle.

For risk management to bridge the gap between strategic vision and tactical project delivery, two modifications are required to the scope of the typical risk process. The first change is to include strategic elements, and the second is to include opportunities.

Strategic risk management
Extending the existing risk management approach to cover strategic risk is a simple task of building on what is currently in place. The typical risk management process has the following steps:

  • Risk management planning: defining the scope and objectives of the risk process; describing the techniques and tools to be used; stating the thresholds of acceptable risk to various stakeholders; detailing roles and responsibilities
  • Risk identification: exposing and recording all foreseeable risks which could affect objectives, together with information on their cause(s) and possible effect(s)
  • Risk assessment: estimating the probability of occurrence and severity of impact for each identified risk and prioritising risks for further attention; grouping risks into categories to identify hot-spots of risk exposure or common causes, and analysing the combined effect of risks on objectives using statistical models
  • Risk response development: considering how to respond to each individual risk and to the overall risk exposure; selecting a strategy which is appropriate, achievable and affordable; allocating each response to an owner
  • Risk monitoring: ensuring that actions are implemented; monitoring the effect on risk exposure, and communicating risk information to stakeholders with appropriate detail and frequency
  • Risk review: updating the risk process to assess the status of existing risks; determining the effectiveness of agreed responses; identifying new risks; reviewing the overall risk process.

This process can be extended to address strategic risk in addition to the tactical area, simply by focusing on uncertainties which might affect strategic objectives. If a risk is defined as 'an uncertainty which, if it occurs, would affect one or more objectives', it becomes possible to define various types of risk by reference to the different objectives affected. So tactical risks are uncertainties that could affect tactical objectives, and strategic risks are uncertainties that could affect strategic objectives. The same is true of risks to reputation, environment, safety, projects or programmes. The primary requirement for implementing strategic risk management is therefore to identify those strategic objectives which might be affected by uncertainty.

The other change to the tactical risk process to enable it to be used for strategic risk management is identification of roles and responsibilities at an appropriate level. Where tactical risks might be managed by the project manager, strategic risks are the responsibility of senior management. It is therefore necessary to consider who will own the risk process and the individual risks at the strategic level.

With these modifications, the standard risk process can be applied at a strategic level.

If such a broadened approach is adopted, however, it is important to ensure a clear relationship between the different levels of the risk process. This requires use of shared language and definitions for risk, a common risk process framework, a supportive risk-aware culture, and staff at all levels who are committed, competent and professional in their approach to risk management. These are the characteristics of a 'risk-mature' organisation, able to handle risk effectively at all levels.

Including opportunities
The definition of risk used above allows the inclusion of opportunities in the risk process, since an opportunity is simply an uncertainty with a positive effect on an objective. In the same way that the typical tactical threat-based risk process can be extended to deal with strategic risks by focusing on strategic objectives, the process can be modified to address opportunities by including upside risk.

The standard steps outlined above can be applied equally to proactive management of opportunities, including planning, identification, assessment, response development, monitoring, and review. Some process modifications might be appropriate to encourage opportunity identification, and different response strategies are required.

It only requires a small process change to include upside opportunities in the typical risk process, although a more significant change may be required in the attitudes and habits of the people involved, who often find it hard to escape the threat-focused mentality.

This change to include opportunity within the definition of risk, and, by implication, to include opportunity management as part of the risk process, is increasingly being adopted across the risk practitioner community, and is reflected in the various risk management standard documents published by national and international organisations as well as relevant professional bodies.

Integrated risk management
The disconnection which often occurs between strategic vision and tactical project deliverables arises from poorly defined project objectives and inadequate attention to proactive management of risks. On the risk management side, the main failure is the narrow focus on tactical threats. This can be overcome by widening the scope of risk management to encompass both strategic risks and upside opportunities, creating an integrated approach to bridge the gap between strategy and tactics.

Integrated risk management addresses risks across a variety of levels in the organisation, including strategy and tactics, and covering both opportunity and threat. It can create significant strategic advantage by bridging the strategy/tactics gap, enabling successful project delivery and realisation of business benefits.

Dr David Hillson is a director of Project Management Professional Solutions Limited (PMProfessional). e-mail: dhillson@PMProfessional.com, www.PMProfessional.com

Benefits of an integrated approach
Effective implementation of integrated risk management can produce a number of benefits to the organisation, which are not available from the typical limited-scope risk process. These include:

  • Bridging the strategy/tactics gap to ensure that project delivery is tied to organisational needs and vision
  • Focusing projects on the benefits they exist to support, rather than simply on producing a set of deliverables
  • Identifying risks at the strategic level which could have a significant effect on the organisation, and enabling these to be managed proactively
  • Enabling opportunities to be managed proactively as an inbuilt part of business processes at both strategic and tactical levels, rather than reacting too little and too late as often happens
  • Providing useful information to decision-makers when the environment is uncertain, to support the best possible decisions at all levels
  • Creating space to manage uncertainty in advance, with planned responses to known risks, increasing both efficiency and effectiveness
  • Minimising threats and maximising opportunities, and so increasing the likelihood of achieving both strategic and tactical objectives
  • Allowing an appropriate level of risk to be taken intelligently by the organisation and its projects, with full awareness of the degree of uncertainty and its potential effects on objectives, opening the way to achieving the increased rewards which are associated with safe risk-taking
  • Development of a risk-mature culture within the organisation, recognising that risk exists in all levels of the enterprise, but that it can and should be managed proactively in order to deliver benefits.