Risks within the boundaries of organizations
Copyright (c), Micro-Touch & Consult (TM), 2015
Managing Risk in Projects - Oxford
Keywords
Sources of Risks - Risk Factors - Types of Risks - Personal Attitude Towards Risks - Risk Management - Risk Management Planning - Risk Identification - Qualitative and Quantitative Risk Analysis - Risk Models - Risk Methodologies - Ranking and Calculating Risks - Managing Risks - Risk Response Planning
Produced by: Micro-Touch & Consult, 2015
Sources of Risks
It is not uncommon to classify or categorize risks based on their source (Jeynes, 2002). Well-known classifications often include internal and external risks, which can be related to exogenous and endogenous risks. A shared characteristic of external or exogenous risks is that they are risks coming from outside, whereas internal and endogenous risks are more internally based (Jeynes, 2002; Chong & Brown, 2000).
Another characteristic of exogenous or external risks is that they are often more difficult to change than endogenous or internal risks, because external risks are in many cases outside the sphere of influence, whereas internal risks reside inside this sphere (Cule, et al., 1998).
It can be useful to have common ground in defining the possible areas where risks can occur, like the ten principles described by Jeynes (2002) in the book Risk Management: 10 principles. She identifies internal and external risks and relates them to the “…ten elements of operation that represent the main risk areas to the success of a business”, as she calls it. Although very useful, it is just one possible way of presenting the risks; Heldman (2005), Gibson (2011) and Kendrick (2003), for example, use different categorizations.
Risk factors
Risk factors are often related to sources of risks or can be categorized based on them and ranked accordingly (Jeynes, 2002; Alarm, et al., 2002; Research, 1989; Buch, et al., 2014; Team, 2014). It is during risk analysis that these risk factors are exposed or investigated (Alarm, et al., 2002; Jeynes, 2002). Risk evaluation can be used to check whether the factors were properly defined, ranked and analyzed (Alarm, 2002; Research, 1989; Jeynes, 2002).
Possible risk factors could be maturity, complexity, commercial, performance and cost factors (Team, 2014). But again, different writers use different categories or use a mix of them. Defined risk factors are often ranked to predict their impact when they arise (Gibson, 2011; McManus, 2004).
Types of Risks
There are many types of risks. Different sources mention mutually inclusive or the same types of risks within similar categories. Often described are social risks related to customers or other individuals, technological risks like equipment breakdown during execution, or risks from non-achievement of process requirements. There are enterprise environmental risks related to business risks, and competitive risks related to non-availability of the right resources, licenses or other quality standards. One way or the other, there is a basic set of types of risks and their categories, and although named differently, they do seem to have similar characteristics (Jeynes, 2002; Buch, et al., 2014; Heldman, 2005).
Several other writers mention different types of risks usually associated with risk management like product, company, project, credit, market or operational risks but these are just some of the possible types used (Chong, 2004; Charrel & Galarreta, 2007).
Which types are eventually used depends largely on the project and its surroundings. What Jeynes (2002) and Heldman (2005) have in common is that they explain the differences between small, medium and large organizations when describing types of risks and their impact. Both see the quality of risk management related to types of risks increasing when the organization becomes bigger.
Personal Attitude Towards Risks
Objective observation of risks is important to measure the risks correctly without emotional bias. It is important to know someone’s behavior towards risks to decrease this emotional bias and correct the behavior when needed (McManus, 2004; Raftery, 1994).
There are some main categories of behavior towards risks which are often used when analyzing stakeholders or risk managers. People tend to fall into one of these three categories: risk averse, risk seeking and risk neutral, although most people are risk avoiders (Hubbard, 2009; Pickett, 2006).
For risk management planning it is important to analyze under which category an organization can best be placed, because often this behavior is reflected in the way the organization does its business. It is good to know if the organizational behavior stems from risk seeking, to be better able to make adjustments when needed, or to put some fire in it when there is latency coming from too much risk avoidance behavior (Kendrick, 2003).
Risk Management
There are many different views on risk management and what it is or how it should be implemented. Risk management is a vast and growing discipline with different views and descriptions. It should be part of the organization's strategic management plan. A useful risk management plan must address risks that are attached to activities related to the goals of the organization (Alarm, 2002).
For some reason risk management is often ignored, and its format and depth depend largely on the type of organization (Jeynes, 2002). Risk management is about identifying, analyzing and responding to risk (Pickett, 2006). This is done throughout the project lifecycle and must help to meet project objectives. Risk management is about the whole package of all the activities needed and related to the identification, measurement and control of risks (Research, 1989).
Risk Management Planning
Risk management planning is done to identify potential risks. It is about detecting and analyzing risks to determine which risks are the most important ones for the organization and the probability that they will occur. Risk management planning can help in making the right decisions when allocating risks among the different stakeholders of a project (Jeynes, 2002; Heldman, 2005; Raftery, 1994). The size of the organization influences the risk management planning needed (Jeynes, 2002; Heldman, 2005).
The primary objective of project risk management planning is to increase the chance that a project meets its objectives by minimizing the risks that could jeopardize this goal. It is about defining a solid foundation on which it becomes visible whether a project can succeed or has a high chance of failure. Furthermore, this planning also helps in setting goals and priorities for allocating resources and putting actions and processes in place to reduce the possible risks to achieving the project objectives (Kendrick, 2003; Cooper, et al., 2005). Not having the proper planning in place is asking for failure.
Risk Identification
Identifying risks has everything to do with finding all the risks that possibly will have some influence on the project. It is also important to clarify their nature and source. These identified risks can then be documented and written down in different types of reports (Chong & Brown, 2000; Heldman, 2005).
In some aspects risk identification is similar to identifying threats and vulnerabilities because that is where risks exist or arise (Gibson, 2011). Risks are also identified by reviewing historical documents, checklists, reports and risk mitigation plans (Heldman, 2005; Jeynes, 2002; Kendrick, 2003). It is also important to know how an organization reacted to risks in the past and what the organizational risk culture is (Gibson, 2011; Chong & Brown; Heldman, 2005; Jeynes, 2002).
Qualitative and Quantitative Risk Analysis
There are two main types of risk analysis: qualitative and quantitative. This can be compared with qualitative and quantitative research, where there is also the difference between subjective and objective analysis. Qualitative risk analysis is subjective in nature and often based on the expertise of domain experts. Relative, nominal or descriptive values are key elements in this type of analysis, and they are easier to apply and require less effort (Gibson, 2011; Heldman, 2005; Team, 2014; Kendrick, 2003).
Quantitative risk analysis is more statistical and mathematical; the methods used aim at greater precision to obtain a detailed insight into each risk. This method often requires more work but in the end offers a more specific, categorized overview of the risks involved (Kendrick, 2003). Although finer in granularity, even quantitative and often highly mathematical risk analysis does not protect a project from the variations that can exist in the risks eventually arising (Leitch, 2008). It is not uncommon that the results of quantitative analysis in the end are overkill in detail, which also emphasizes its main weakness (Hubbard, 2009).
Risk Models
Risk models try to connect the risks to the organizational project and process parameters. These models form the bridge between the mental models of risks and the formal or scientific representation of them. Risk models make risk management more successful (Hubbard, 2009; Hillson, 2009; Pandian, 2007).
Different kinds of risks demand different models. Although some risks can be found and shared among these different models, it is the approach that primarily defines the model and its content (Team, 2014). Structuring the model follows this principle, and especially the differentiation between qualitative and quantitative risk analysis directs how the risk model is classified and completed (Ch Pflug & Romisch, 2007; Team, 2014; Chong & Brown, 2000).
Risk Methodologies
The methodologies themselves can often be related to one another. HAZOP (Hazard & Operability Studies) is somewhat related to FMEA (Failure Mode & Effect) analysis, and BPEST (Political, Economic, Social and Technological) is in some ways related to PESTLE (Political, Economic, Social, Technical, Legal and Environmental) analysis.
Others, like the SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis, stand more on their own. What they all have in common is an approach to risk analysis that roughly follows the path of risk identification, description, estimation and ranking, evaluation, reporting, decision formulation, treatment and monitoring (Alarm, et al., 2002; Pandian, 2007; Hubbard, 2009; Kendrick, 2003; Jeynes, 2002).
Ranking and Calculating Risks
To be able to assign values to risks, they must be ranked before calculation can be done (McManus, 2004). When ranking schemes are made, different structures are used for quantitative and qualitative risks: the former fit more into mathematical and statistical registers, and the latter into more emotionally based and coarser-grained overviews. Less work is needed for qualitative ranking than for quantitative analysis and categorization, although quantitative analysis offers finer-grained results in most cases. This knowledge should help steer the choice of ranking and calculating system (Kendrick, 2003; Hubbard, 2009).
Managing Risks
The main purpose of risk management is the identification and treatment of risks. Not only is it a process that should be carried out during the whole project life cycle, but it must also be a process under development, constantly changing and adapting to the current situation and state of the organization (Alarm, et al., 2002).
Good risk management increases the chance of success when it is integrated in all parts of the project where possible risks can be identified. It must be addressed constantly throughout the organization, with proactive behavior to anticipate the ever-changing risks and potential project failure (Dey, 2009; Team, 2014). Smart risk management is concerned with identifying all the known and visible risks and creating time and space for the yet unknown risks (Geneca, 2006).
Risk Response Planning
Several risk behaviors are possible and should be integrated into a response strategy. The main behaviors for negative risks are avoidance (try not to let it happen), risk acceptance (accept it will happen and prepare), risk transfer (lead it to other directions or possibilities) and risk mitigation (make the best out of it and be sure it will happen), and they are often used in response planning (Research, 1989; Taylor, 2009). There are other possible behaviors, for example risk prevention and risk prediction (Pandian, 2007).
For positive risks or opportunities the main response is accepting and exploiting, but behavior changes when the maturity of the risk culture increases within an organization. This changing behavior through a maturing risk culture applies to negative and positive risks, and it seems to have a profound influence on risk management planning techniques throughout the project lifecycle (Pandian, 2007). Research shows that maturity in risk analysis can have a strong influence on the health and competitive position of an organization (Hubbard, 2009).
Conclusion
Why do so many organizations not have a proper risk management strategy in place? Cooper et al. (2005) formulate well what risk management should be when they write “The purpose of project risk management is to minimize the risks of not achieving the objectives of the project and the stakeholders with an interest in it, and to identify and take advantage of opportunities”, yet it still does not have the right position in many organizations.
When there is no well-defined risk management strategy in place and risks are not properly detected and mostly unforeseen and unknown, it is like running in the dark blindfolded and trying to avoid trees while being in a dense forest. Anticipating risks in such cases will be as difficult as the previous sentence sounds.
Therefore it is imperative that every self-respecting organization takes risks seriously and approaches them with care and a clear strategy. This can be done by defining and implementing a well-thought-out risk management strategy, where defining, detecting and planning are key elements as described in this research. When organizations fail to implement even the most basic risk management strategy, then that is the beginning of the end.