Embracing Uncertainty: Navigating the Landscape of Risk Management

Risk management as it is practiced today is a relatively new phenomenon, originating post-1960s. Due to the increasing complexity of organizational structures, globalization, high rates of technical change, and increased specialization of labor, the consequences of poor decisions have become more severe. To survive and thrive in this environment, organizations have had to become more systematic and reliable in their methods of managing risks.

Organizations - be they private, government, non-government, or not-for-profit - need to manage risks to:

- Identify events that could negatively impact their projects or offer positive opportunities. As businesses grow, they experience rapid changes in nearly every aspect of their operations, including marketing, distribution, production, and human resources. Such rapid growth exposes the business to increased risk.

- Avoid the increased costs associated with litigation and other consequences of poor risk management.

- Comply with legislative and governance requirements, such as Occupational Health & Safety (OH&S) legislation.

- Survive and prosper in highly competitive international business environments. The downfall of Kodak serves as a lesson on what can happen to a business that fails to manage its risks.

In its early development, risk management was seen as a stand-alone process in organizations. As it has become better understood and established, organizations have integrated it into their consolidated planning practices.

The rapid rate of change in the modern world has made it necessary for organizations to adopt a conscious process to periodically assess and monitor new or changing risks. This is because the rate of change adds risk, and organizations need to be prepared for the potential impact of these risks. Some of the current risks faced by organizations and projects include the global financial crisis, carbon tax, rising prices, government controls and legislation aimed at protecting the environment and land rights, taxation issues and changes, an aging workforce and acquiring the skill mix needed, superannuation and more people remaining in the workforce, technology and the broadband network, new science, and Wi-Fi.

In his book "The Rational Optimist," Matt Ridley explains that while the division of labor has created our affluence, it has also led to increasing complexity within organizations. Therefore, it is crucial for organizations to stay informed and take a proactive approach to risk management in order to ensure their continued success.

David Hillton's book 'Exploiting the Future: Creating Value from Risk' delves into the topic of risk management in organizations in a comprehensive manner. Hillton defines four 'Universal Laws of Risk Management' that can serve as guidelines for organizations to manage risks better. 

The first law states that risk is always uncertain, which means that it is impossible to predict all possible outcomes of a particular risk. Organizations must therefore take steps to prepare for the worst-case scenario.

The second law emphasizes the importance of risk management. It is essential for organizations to recognize the importance of risk and take the necessary steps to manage it effectively.

The third law highlights the need to use a structured risk management process. This involves identifying risks, assessing their potential impact, and developing strategies to mitigate them.

Finally, the fourth law emphasizes the role of people in managing risk. Hillton argues that it is people who ultimately manage risks, and thus it is essential for organizations to have the right people with the necessary skills and knowledge to manage risks effectively.

Overall, Hillton's book provides a useful framework for organizations to assess and manage risks effectively, which can help them create value from risk.

From Chaos to Clarity: Conquering Uncertainty and Embracing Risk

When undertaking a project, there are various risks that can arise from multiple sources. Risks are generally composed of two parts: the likelihood of an event occurring and the impact it would have. The nature of projects makes it more complex to handle risks, as they are temporary and unique in their own way. Being temporary, they have a definite start and end date, while being unique means that the products or services are different from other similar ones. Both of these aspects add to the uncertainty surrounding project risks. 

While some believe that risks can be managed by identifying, analyzing, and developing treatments, there is a conflicting view that uncertainty is an event or situation that was not expected, regardless of whether it could have been anticipated in advance. Managing uncertainty requires reflective learning and sense-making as enablers of flexibility and rapid decision-making regarding the choice of alternative actions in response to the situation. This approach is recommended to maximize the outcome of project risk management practices.

One study found that one-third of all software projects were terminated before completion, while more than half of the projects cost almost double the estimated amount. Practitioners surveyed attributed IT project failure to lack of top management involvement, weak business case, and inadequate risk management. Risk management was the highest-ranked factor for project failure.

Managing risks in projects is a crucial aspect that requires careful consideration at every stage of the project. Each phase of a project involves different types of risks that must be dealt with effectively to ensure its success.

During the initiation phase, strategic risks are evaluated, which are associated with the organization's decision to undertake the project or not. These risks are critical as they have a significant impact on the project's feasibility and overall success.

In the design or development phase, a detailed planning process is undertaken, which involves identifying, analyzing, and establishing treatment plans for the risks. The risks in this phase are mainly operational and are associated with completing the project on time and within the scope, quality, and budget requirements.

During the implementation phase, the focus shifts towards monitoring the treatment plans and controls put in place. Any new risks that may arise are identified and dealt with accordingly. Finally, in the commissioning and handover phase, most of the risks no longer exist, and any remaining risks are transferred to the client or organization. 

Effective risk management at each stage of the project is crucial for ensuring that the project is delivered on time, within budget, and to the required quality standards.

Embracing the Unexpected: Navigating Uncertainty with Enterprise Risk Management

Enterprise Risk Management (ERM) has become a crucial part of modern organizations. ERM helps companies understand the diverse range of risks that they face and ensure that they are managed effectively. The concept of enterprise risk management encourages consistent risk awareness and prevention programs on a company-wide basis.

ERM is an integrated risk management system that aims to create a culture where everyone is responsible for recognizing and managing risks. It leverages localized knowledge and makes each area manager responsible for documenting and evaluating risks in their area. This approach ensures that people closest to each business unit's activities are better able to identify risks, collect data, and manage controls and treatments.

ERM helps organizations identify areas with inadequate control measures so that action plans can be initiated to resolve problems. It monitors the progress of outstanding action plans, describes who is responsible for those actions, and sets the expected time for resolution. By pushing responsibility and control down to the level where risk can be best managed, managers become empowered to understand the impact of their roles on corporate results.

ERM uses a risk management framework that typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including project managers, employees, customers, regulators, and the broader society. ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of strategic planning, operations management, and internal control. Business risk management, holistic risk management, and strategic risk management are synonyms.

Embarking on the Journey of Enterprise Risk Management

It seems that risk management practices in organizations follow a progression. If an organization or project manager has not previously applied risk management, individual staff members may start using some project management tools when faced with a threat or a situation that exposes their organization to risk (Step 1 in the diagram below: Ad-hoc Approach). Over time, individual project managers will recognize the need to manage their risks better, often due to their training and education, and attempt to adopt a more proactive approach by anticipating risks. Alternatively, departments or sections may develop their own methodologies and processes to meet their specific needs and manage the risks of their department.

The Risk Management Maturity Model outlines the various stages of risk management adoption within an organization. It starts at Step 1, Ad hoc Risk Management, where the organization manages risks on a reactive basis, such as in the case of Occupational Health and Safety or Financial Risk.

As the organization realizes the benefits of a systematic approach to risk management, it moves up the maturity model to Step 2, which is the Formal Application of Risk Policy and Process. At this stage, the organization formalizes its approach to risk management and implements policies and processes to manage risks.

Step 3 is the Organization-wide Risk Systems and Process, where the organization adopts systematic risk practices throughout all levels of the organization. The organization develops custom templates and software systems to ensure consistency in its risk management approach. A Risk Policy/Framework is introduced, and a Risk Manager is appointed during this step.

As the organization progresses to Step 4, Adoption in Practice, it successfully implements an integrated risk management system across the organization. At this stage, risk management training is implemented across the organization, and risk management is included in the organization's intranet.

Finally, at Step 5, Embedded Enterprise Risk Management, the organization has created a culture of understanding around risk to support the risk process. All employees understand their responsibilities and role in risk management, and it becomes a part of the organization's DNA. This stage is called Sustained Enterprise Risk Management.