Micro Touch & Consult
Microsoft Consult
  • Home
  • Main Menu
    • Rectangle
    • Leadership >
      • Leadership
      • Organizational Culture
      • Innovation and Change
      • Strategy
    • Projectmanagement >
      • Risks within organizations
      • Procurement & Supply Chain
      • Operations Management
      • Case Loud & Clear
    • Software Development
    • Computer History
  • Contact
  • SCRUMARA

Risks within the boundaries of organizations


Picture
Copyright (c), Micro-Touch & Consult (TM), 2015

Managing Risk in Projects - Oxford


Keywords

Sources of Risks - Risk Factors - Types of Risks - Personal Attitude Towards Risks - Risk Management - Risk Management Planning - Risk Identification - Qualitative and Quantitative Risk Analysis - Risk Models - Risk Methodologies - Ranking and Calculating Risks  - Managing Risks - Risk Response Planning

Produced by: Micro-Touch & Consult, 2015
Sources of Risks
It is not uncommon to classify or categorize risks based on their source (Jeynes, 2002). Well known classifications often include internal and external risks which can be related to exogenous and endogenous risks. A shared characteristic of external or exogenous risks is that they are risks coming from outside, whereas internal and endogenous risks are more internally based (Jeynes, 2002; Chong & Brown, 2000).  

Another characteristic of exogenous or external risks is that they often are more difficult to  change  than  endogenous  or  internal risks  because  the  external  risks  are  in  many cases outside the sphere of influence where the internal risks reside inside this sphere (Cule, et al., 1998).  

It can be useful to have common ground in defining the possible areas where risks can occur, like the ten principles described by Jeynes (2002) in the book Risk Management: 10 principles. What she does is identifying internal and external risks and relates them to the “…ten elements of operation that represent the main risk areas to the success of a  business”,  as  she  calls  it. Although very  useful,  it  is  just  one  possible  way  of presenting the risks where for example Heldman (2005), Gibson (2011) and Kendrick (2003) use different categorizations.  

Risk factors
Risk factors are often related to sources of risks or can be categorized based on them and ranked accordingly  (Jeynes, 2002; Alarm, et al., 2002; Research, 1989; Buch, et al., 2014; Team, 2014). It is during risk analysis that these risk factors are exposed or investigated (Alarm, et al., 2002; Jeynes, 2002). Risk evaluation can be used to check if the factors were proper defined, ranked and analyzed (Alarm, 2002; Research, 1989; Jeynes, 2002).  

Possible risk factors could be maturity, complexity, commercial, performance and cost factors (Team, 2014). But again, different writers use different categories or use a mix of them.  Defined  risk  factors  are  often  ranked  to  predict  their  impact  when  they arise (Gibson, 2011; McManus, 2004) 

Types of Risks
There are many types of risks. Different sources mention mutual inclusive or the same types  of  risks  within  similar  categories. Often  described  are  -  social  risks  related  to customers  or  other  individuals  and  -  technological  risks  like  equipment breakdown during execution or - risks from non-achievement of process requirements.  There are enterprise environmental risks related to business risks and competitive risks related to non-availability of the right resources, licenses or other quality standards. One way or the other, there is a basic set of types of risks and their categories and although named differently, they do seem to have similar characteristics (Jeynes, 2002; Buch, et al., 2014; Heldman, 2005; Jeynes, 2002).  

Several  other  writers  mention  different  types  of  risks  usually  associated  with  risk management  like  product,  company, project,  credit,  market  or  operational  risks  but these  are  just  some  of  the  possible  types  used  (Chong,  2004;  Charrel  & Galarreta, 2007).  

Which types eventually are used depends largely on the project and its surroundings. What Jeynes (2002) and Heldman (2005) have in common, is explaining the differences between small, medium and large organizations when describing types of risks and their impact.  Both  see  the  quality  of  risk  management  related  to  types  of  risks  increasing when the organization becomes bigger. 

Personal Attitude Towards Risks
Objective  observation  of  risks  is  important  to  measure  the  risks  correctly  without emotional bias. It is important to know someone’s behavior towards risks to decrease this emotional bias  and  correct  the  behavior  when  needed  (McManus,  2004; Raftery, 1994).  

There are some main categories of behavior towards risks which are often used when analyzing  stakeholders  or  risk  managers. People  tend  to  fall  into  one  of  these  three categories:  risk  averse,  risk  seeking  and  risk  neutral,  although  most  people  are risk avoiders (Hubbard, 2009; Pickett, 2006).  

For  risk  management  planning  it  is  important  to  analyze  under  which  category  an organization can best be placed, because often this behavior is reflected in the way the organization does its business. It is good to know if the organizational behavior stems from risk seeking, to be better able to make adjustments when needed, or to put some fire in it when there is latency coming from too much risk avoidance behavior (Kendrick, 2003). 

Risk Management
There are many different views on risk management and what it is or how it should be implemented.  Risk  management  is  a  vast growing  discipline  with  different  views  and descriptions.  It  should  be  part  of  the  organizations  strategically  management plan.  A useful risk management plan must address risks that are attached to activities related to the goals of the organization (Alarm, 2002).  

For  some  reasons  risk  management  is  often  ignored  and  the  format  and  depth  of  it depends largely on the type of organization (Jeynes, 2002). Risk management is about identifying, analyzing and responding to risk (Picket, 2006). This is done throughout the project lifecycle and must help to meet project objectives. Risk management is about the  whole  package  of  all  the activities  needed  and  related  to  the  identification, measurement and control of risks (Research, 1989). 

Risk Management Planning
Risk management planning is done to identify potential risks. It is about detecting and analyzing  risks  to  determine  which  risks are  the  most  important  ones  for  the organization  and  the  probability  that  they  will  occur.  Risk  management  planning can help  in  making  the  right  decisions  when  allocating  risks  among  the  different stakeholders of a project (Jeynes, 2002; Heldman, 2005, Raftery, 1994). The size of the organization  will  be  of  influence  on  the  risk  management  planning  needed  (Jeynes, 2002; Heldman, 2005).  

The  primary  objective  of  project  risk management  planning  is to  increase  the  chance that a project meets its objectives by minimizing the risks that could jeopardize this goal. It is about defining a solid foundation where upon it can be made visible if a project can succeed or has a high chance of failure. Furthermore this planning also helps in setting goals and priorities for allocating resources and putting actions and processes in place to  reduce  the  possible  risks  for  achieving  the  project  objectives (Kendrick,  2003; Cooper. Et al., 2005). Not having the proper planning in place is asking for failure. 

Risk Identification
Identifying  risks  has  everything  to  do  with  finding  all  the  risks  that  possibly  will  have some  influence  on  the  project.  It  is also  important  to  clarify  their  nature  and  source. These identified risks can then be documented and written down  in different types of reports (Chong & Brown, 2000; Heldman, 2005).  

In  some  aspects  risk  identification  is  similar  to  identifying  threats  and  vulnerabilities because that is where risks exist or arise (Gibson, 2011). Risks are also identified by reviewing historical documents, checklists, reports and risk mitigation plans (Heldman, 2005; Jeynes, 2002; Kendrick, 2003). It is also important to know how an organization reacted to risks in the past and what the organizational risk culture is (Gibson, 2011; Chong & Brown; Heldman, 2005; Jeynes, 2002). 

Qualitative and Quantitative Risk Analysis
There are two main types of risk analysis and they are Qualitative and Quantitative. This can  be  compared  with  Qualitative  and Quantitative  research,  where  there  is  also  the difference  between  subjective  and  objective  analysis.  Qualitative  risk  analysis is subjective  in  nature  and  often  based  on  the  expertise  of  domain  experts.  Relative, nominal  or  descriptive  values  are  key elements  in  this  type  of  analysis  and  they  are easier  to  apply  and  require  less  effort.    (Gibson,  2011;  Heldman,  2005; Team,  2014; Kendrick, 2003). 

Quantitative risk analysis is more statistical and mathematical where methods used are aimed at achieving greater precision to obtain a detailed insight about each risk.  This method  does  require  often  more  work  but  do  offer  in  the  end  a  more specific categorized overview of the risks involved. (Kendrick, 2003).  Although  finer  in  granularity,  even  the  quantitative  and often highly  mathematical  risk analysis  does  not  prevent  a  project  for  the  variations  that  can exist  in  the  risks eventually arising (Leitch,  2008).  It  is  not  uncommon  that  the  results  of  quantitative analysis  in  the  end  are  overkill  in  detail,  which also emphasizes  its  main  weakness (Hubbard, 2009). 

Risk Models
Risk  models  try  to  connect  the  risks  to  the  organizational  project  and  process parameters. These models form the bridge between the mental models of risks and the formal or scientific representation of them. Risk models make risk management more successful (Hubbard, 2009; Hillson, 2009; Pandian, 2007) 

Different kind of risks demands different models. Although some risks can be found and shared among these different models, it is the approach that primarily defines the model and its content (Team, 2014). Structuring the model follows this principle and especially the differentiation between qualitative and quantitative risk analysis direct how the risk model is classified and completed (Ch Pflug & Romisch, 2007; team, 2014; Chong & Brown, 2000).  

Risk Methodologies
The methodologies themselves can often be related to one another. Like the HAZOP (Hazard & Operability Studies) somewhat to the FMEA (Failure Mode & Effect) analysis and  BPEST  (Political,  Economic,  Social  and  Technological)  in  some  ways  to the PESTLE (Political, Economic, Social, Technical, Legal and Environmental) analysis.  

Others like the SWOT (Strengths, Weakness, Opportunities and Threats) analysis stand more  on  their  own.  What  they  all  have in  common  is  the  approach  of  risk  analysis following  roughly  the  path  of  risk  identification,  description,  estimation  and ranking, evaluation,  reporting,  decision  formulation,  treatment  and  monitoring  (Alarm,  et  al., 2002; Pandian, 2007; Hubbard, 2009; Kendrick, 2003; Jeynes, 2002) 

Ranking and Calculating Risks
To be able to assign values to risks they must be ranked before calculation can be done (McManus, 2004). When ranking schemes are made, different structures are used for quantitative  and  qualitative  risks,  where  the  first  fit  more  into  mathematical and statistical  registers  and  the  latter  in  more  emotional  based  and  coarser  grained overviews.  Less  work  is  needed  for qualitative  ranking  compared  to  the  quantitative analysis  and  categorization,  although  quantitative  offer  finer  grained results  in  most cases.  This  knowledge  should  help  steer  the  choice  which  ranking  and  calculating system to choose (Kendrick, 2003; Hubbard, 2009).  

Managing Risks
The main purpose of risk management is about identifying and  the treatment of risks. Not only is it a process that should be done during the whole  project life cycle, but it must also be a process under development, constantly changing  and adapting to the current situation and state of the organization (Alarm, et al., 2002).  

Good  risk  management  increases  the  chance  of  success  when  it  is  integrated  in  all parts  of  the  project  where  possible risks  can  be  identified.  It  must  be  addressed constantly throughout the organization with a proactive behavior to anticipate the ever changing  risks  and  potential  project  failure  (Dey,  2009;  Team,  2014).  Smart  risk management is concerned about identifying all the known and visible risks and to create time and space for the yet unknown risks (Geneca, 2006). 

Risk Response Planning
Several risk behaviors are possible and should be integrated into a response strategy. The  main  behaviors  for  negative  risks  are avoidance  (try  not  to  let  it  happen),  risk acceptance (accept it will happen and prepare), risk transfer (lead it to other directions or possibilities) and risk mitigation (make the best out of and be sure it will happen) and they  are  often  used  in response  planning  (Research,  1989;  Taylor,  2009).  There  are other possible behaviors like risk prevention and risk prediction for example (Pandian, 2007).  

For  positive  risks  or  opportunities  the  main  response  is  accepting  and  exploiting,  but behavior change when the maturity of the risk culture increases within an organization. This  changing  behavior  through  maturing  risk  culture  is  applicable  for negative  and positive risks and it seems to have a profound influence on risk management planning techniques  throughout  the project  lifecycle  (Pandian,  2007).  Research  shows  that maturity  in  risk  analysis  can  have  a  strong  influence  on  the  health and  competitive position of an organization (Hubbard, 2009). 

Conclusion
Why  do  so  many  organizations  do  not  have  a  proper  risk  management  strategy  in place? While it is being well formulated by Cooper et al. (2005), what risk management should be when they write “The purpose of project risk management is to minimize the risks of not achieving the objectives of the project and the stakeholders with an interest in  it,  and  to  identify  and  take Project risk  management  guidelines  advantage  of opportunities”, it does still not have the right position in many organizations.  

When  there  is  no  well-defined  risk  management  strategy  in  place  and  risks  are  not properly  detected  and  mostly unforeseen  and  unknown,  it  is  like  running  in  the  dark blindfolded and trying to avoid trees while being in a dense forest. Anticipating risks in such cases will be as difficult as previous sentence sounded. 

Therefore  it  is  imperative  that  every  self-respecting  organization  takes  risks  seriously and approach them with care and a clear strategy. This can be done by defining and implementing a well thought risk management strategy, where defining, detecting and planning  are  key  elements  as  described  in  this  research.  When  organizations  fail  to implement even the most basic risk management strategy, than that is the beginning of the end. 

Picture