Risk Management for Project Driven Organizations

A Strategic Guide to Portfolio, Program and PMO Success

  1. 360 pages
  2. English

About This Book

Organizations invest a lot of time, money, and energy into developing and utilizing risk management practices as part of their project management disciplines. Yet, when you move beyond the project to the program, portfolio, PMO and even organizational level, that same level of risk command and control rarely exists. With this in mind, well-known subject matter expert and author Andy Jordan starts where most leave off. He explores risk management in detail at the portfolio, program, and PMO levels. Using an engaging and easy-to-read writing style, Mr. Jordan takes readers from concepts to a process model, and then to the application of that customizable model in the user's unique environment, helping dramatically improve their risk command and control at the organizational level. He also provides a detailed discussion of some of the challenges involved in this process. Risk Management for Project Driven Organizations is designed to aid strategic C-level decision makers and those involved in the project, program, portfolio, and PMO levels of an organization.

Information

Year: 2013
ISBN: 9781604277388
Edition: 1

SECTION 1
Business Level Risk

You are an exceptional risk manager. Every day you make numerous decisions that require an analysis of the likelihood and impact of different possible results, and your actions are driven in part by the outcome of that analysis. Our education and training are geared around trying to make these analyses automatic in favor of the conservative option—not crossing the street unless there is a Walk sign, not accelerating at a yellow light, leaving home in time to ensure that we aren’t late arriving at work, etc., but the decision is still ours to make. If we want to leave home late, accelerate through every light as it is changing, and then dodge traffic jaywalking between the parking lot and the office, we have the ability to make the decision to do so, with the understanding that the risk of a negative outcome is higher than if we were to leave home a few minutes earlier and take a more conservative approach.
Your environment will also impact the decisions that you make—it offers additional input into the risk analysis. For example, you will drive slower on a snowy night than you will on the same road on a sunny day. Finally, your motivations will impact your risk analysis—it’s easier to resist the ice cream sundae when you are feeling energetic and positive than it is at the end of a bad day when nothing seemed to go right.
When you spend a few minutes thinking about it, there are literally hundreds of decisions a day that involve some degree of risk analysis, and yet few of those analyses are taken consciously. The risks are simply processed alongside everything else, and you either hit the brake pedal or the gas pedal when you see the light start to change, depending on the outcome of all those calculations. There is minimal, if any, conscious effort put into the calculations.
The same is true in organizations. Virtually every decision that the executives of an organization make will require some degree of risk analysis, but in most cases, it’s not a formal process unless the decision is considered to be major. Instead, it’s just part of the job, one of the many variables that go into the responsibilities of an executive. In fact, if we think back to the concepts we explored in the introduction, we said that to be considered a risk there had to be the potential to impact objectives, and even CEOs of Fortune 500 companies make their share of fairly innocuous decisions. There may be degrees of uncertainty associated with those less critical decisions, but if things don’t go according to plan, the impact won’t affect the company’s ability to achieve its objectives.
External Risk Environment
How can an executive be sure whether their decisions are insignificant or potentially business destroying? They need to understand the risk environment within which they operate, just like you need to understand the risk environment within which you operate when you are driving that car and deciding what to do at the changing traffic signal.
For organizations, that environment consists of a number of variables outside its direct control but that still have the potential for dramatic impact. Some of these categories are related to the company’s own internal risks, and some are completely independent. In most cases, there are opportunities to influence and control some of these external risk categories, but that’s risk management and we’re getting ahead of ourselves.
The major categories of external risks are shown in Table 1.1. You can see from that list that they collectively cover virtually everything around the company—its physical locations, its relationships with all external stakeholders, and its markets. That’s not coincidental. Organizations don’t exist in a vacuum, and the way that they interact with their environments will create new risks and influence existing ones.
In many cases these risks are fairly slow moving—changes to regulatory frameworks tend to be planned months or years ahead. Governments change generally only every few years, and even then tend to evolve rather than revolutionize; economic growth or contraction usually has warning signs ahead of the main impacts. This often results in a degree of organizational complacency when considering these risks. If there’s no upcoming election then political risks get ignored. If the latest round of regulatory reporting improvements happened last year then the assumption is that they will be stable for the next couple of years at least.
Table 1.1 External risk categories and descriptions
Similarly, elements of these risk categories are considered too insignificant to worry about—for example, a location in an area of seismic activity. This is a geographic risk that exists, but it is often completely ignored from a risk management perspective simply because the likelihood of anything more than a minor inconvenience occurring is considered extremely remote. That’s fair enough, but even if there is only a 1 in 100 chance of a devastating earthquake in any given year, it’s still a possibility, and the impact will be severe. If the company has ten such 1 in 100 risks, the law of averages says that one of them will occur every 10 years. Now we are starting to play dangerous games if we ignore them.
Of all of the environmental risk factors identified above, the only one that consistently gets active risk management attention is the area of competitive risks. Even here the management is frequently reactive rather than proactive. Organizations don’t drive internal initiatives based on the possibility of a competitor taking certain actions; rather, they wait for a competitor to announce that they have the feature (or at least for rumors of it to emerge), and then they respond. Technically this is now an internal risk, and we’ll look at those next. This approach can be a devastating strategy for the organization, and we don’t have to look far for two recent examples.
In the 1980s and 1990s, Sony dominated the portable music market with the Walkman and then the CD Walkman. The name became synonymous with the product, and competitors struggled to gain a tiny share of the market. However, Sony didn’t consider the risks of competition; they didn’t see Apple coming, and when the iPod launched in 2001, Sony was virtually wiped off of the portable music player map. For Kodak, the situation was even worse. The company went from dominating film photography to bankruptcy because it failed to recognize how digital photography would change its market—despite being part of the invention of digital imaging.
We’ll look at risk management approaches in much more detail later in the book, but I have no issues with organizations adopting a strategy of risk acceptance for most external risks—the conscious decision not to invest in active risk management because the return on the investment is not there. Consider the traffic signal example again—you can’t influence when it changes, so why would you try?
However, that doesn’t mean that the risks should be ignored because the impact will still be real, and you need to understand the consequences if the risk triggers—develop contingency plans, potentially alter business decisions to avoid exposing the organization to some of the risks, etc. This is where many organizations fall down, particularly on the less obvious risks. It’s fairly easy to stay abreast of economic risks because the economy is an integral part of the information that we are exposed to every day as human beings, but what if a competitor is expanding in one of the cities that you have a manufacturing plant in? How confident are you that you will know that in time to plan for the potential loss of resources? If you do find out, will it be because of a conscious strategy to stay aware of your environment or through someone overhearing something or through reading an article by chance?
Generally speaking, organizations have considerable room for improvement when it comes to understanding and reacting to their external risk environment.
Internal Risks
In addition to the risk environment within which the organization operates, there are the more direct categories of risk that are driven internally. These categories of risk are affected by the organization’s own actions and as a result are the ones that tend to get the most focus. These risks will likely be more familiar to you, and as is so often the case, they are almost exclusively considered in a negative sense. However, all of these can have opportunities (positive risks) as well as threats (negative risks).
Traditionally four categories of these business risks are identified: compliance, financial, operational, and strategic. Table 1.2 provides an overview of those categories along with an additional category that I have added—technological. The risks that an organization faces from within—the risks associated with operating the business—will fall into one or more of these categories. While each individual risk may not be categorized into one of these buckets, it’s important to understand the areas that drive risk within the organization. This will provide the organization with an appreciation for where it is exposed to threats and/or has opportunities that it may be able to exploit. However, we can’t simply consider each of these as isolated factors; they combine to define the organization’s overall risk profile.
Table 1.2 Internal risk categories and descriptions
The risk profile is simply a summary of the risks faced by the organization. It is not a risk management tool. It doesn’t have enough detail for that, but it is a simple way to view the organization’s risk exposure that can be used as an input to the corporate decision-making processes to ensure that decisions are taken with a complete, accurate, and current set of information. If we think of the risk exposure to all of the factors discussed as data elements in the process then the organizational risk profile is the tool that processes that data into actionable management information.
Later on in this section we’ll look in more depth at the theories behind a risk profile, and we’ll explore some practical tools for creating and maintaining the profile.
Risk Inevitability
Before we leave this overview and start delving deeper into specific risk elements, let’s look briefly at the reality of risks. If we go back to our driving analogy, the only way to avoid the risk of having to deal with a changing traffic signal is to never drive anywhere with traffic signals. Most of us would agree that as a strategy that approach has a significant downside. In the vast majority of scenarios, we have to accept that the risk exists and that we may need to deal with it. If we eliminate the risk entirely (don’t drive near traffic signals) then we may not be able to complete our functions as people—getting to work, running errands, socializing, etc., or we will subject ourselves to other risks—driving on more rural roads that are less well lit, have inferior road surfaces, fewer signs, or a greater chance for wildlife in the road. For most of us it simply is not practical to eliminate the risks presented by traffic signals.
The same is true for organizations; risk is not only inevitable, it is necessary. Those of you who have studied risk in the context of project management will probably have learned that risk elimination is a legitimate risk management strategy, and it is; however, it can only be used in some situations. You simply cannot eliminate all project risks without also eliminating the project itself.
At the organizational level, it is no different. Accepting a decision means accepting the risks that are associated with it. Elimination of one group of risks will result in additional or increased risk exposure elsewhere, likely with minimal impact on the overall risk picture. If the risks can’t be accepted then the decision can’t be made, but that is still only a transfer of risk elsewhere. For example, if an organization has $100 million to invest into the project portfolio in the next 12 months, then the expectation is that the $100 million will be invested. If a $20 million project is rejected because the risk/return calculation is unacceptable, then that $20 million needs to be allocated to other projects and the risks that are associated with them, or not invested at all with the risks associated with not being able to get the same level of potential return.
A commercial organization exists to make money and to do that it needs to make investment decisions that strive to maximize opportunities while minimizing threats—and that requires strong organizational risk management. Public sector organizations may not have the same profit driven goals, but they are still expected to deliver their services as efficiently as possible—doing the most for the lowest cost. That requires maximizing opportunities and minimizing threats—risk management.
In this first section of the book, we are going to focus on the foundations of risk management, culminating in the development of an organizational risk profile that will summarize the organization’s risk capacity and risk tolerance. However, before we get there, we are going to need to understand a few risk-related concepts.
Risk Relationships

In the previous chapter, we looked at the different categories of risk from both inside and outside the organization. This gives us foundation knowledge, a basic understanding of the risk source, and potential impact on the organization. However, this understanding is still far too basic to be able to effectively manage the risks with any expectation of success. Effective risk management requires a detailed understanding of how the risks relate to one another; how they will respond to different management approaches; and how much time, effort, and money will need to be invested before a meaningful impact on the risk is achieved.
The first step is to understand how each individual risk and risk category interacts with others—the relationships between risks. As an example, think about a change that occurs within an organization—say the retirement of an executive. That single act will have a lot of impact—maybe a new executive will be brought in from outside who will want to bring some people with him or her and that will cause moves and changes. They may decide to reorganize, which will drive some other changes. Some of their staff may not like the changes and leave, creating openings for others to be promoted and in t...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Dedication
  5. Contents
  6. Preface
  7. Acknowledgments
  8. About the Author
  9. Introduction
  10. Web Added Value™
  11. SECTION 1
  12. SECTION 2
  13. SECTION 3