The crises in financial markets, terrorism, political upheavals, weather-related disasters, court liability rulings, and other causes are forcing organizations to give risk management more attention. Yet, while nearly all organizations are focusing more on security, quality assurance, liquidity and insurance, when it comes to selecting projects many still don't adequately address risk. Inattention to risk is the fourth reason organizations choose the wrong projects.

Risk and Risk Management

There are important reasons why more attention to risk is needed. The increasingly competitive economic environment is putting ever more pressure on managers to produce results quickly. Meanwhile, projects are becoming more complex due, for example, to new technologies, more regulatory requirements, increased product liability, and the greater dependencies organizations have with multiple business partners. Finally, uncertainty in world markets and government interventions create external risks that can doom an otherwise sound project.

A 2010 survey of companies practicing project portfolio management identified building risk assessment into project decision making as the top strategy for managing project portfolios [1]. Organizations are being held to higher standards by shareholders, customers, regulators, and the public. Executives are much less tolerant of budget overruns and inferior project outcomes. A serious project mishap can seriously damage the reputation and profitability of the organization. Organizations need to better manage risk. Bringing individual projects in on time, on budget, and to project specifications is no longer good enough.
What is Risk?

The first step toward better addressing risk is to understand it. Risk, according to Webster, is "a possibility of loss" (I use a similar definition of risk). Risks arise from uncertainty, our inability to foresee the future. If an uncertainty creates the potential for loss, we refer to it as a risk. The opportunity to quantify risk is provided by the language of probability. A probability distribution (sometimes called a risk profile) characterizes a risk by describing the range of possible consequences and their probabilities of occurrence (Figure 25).

Figure 25: Risk is quantified by providing a probability distribution over possible consequences.

Risk is not an additive property—the risk of a portfolio is not the sum or average of the risks of the individual projects within the portfolio. In the case of projects, like financial investments, portfolio risk is determined by the underlying statistical relationships among the uncertainties that contribute. If these underlying statistical relationships are identified and modeled, they can be exploited to find optimal risk-based tradeoffs. Conversely, if they are ignored, large risks may be masked and opportunities to avoid them missed.

Types of Risk

The most common project risks are:
There are many other types of risks of concern to projects. These risks can result in cost, schedule, or performance problems and create other types of adverse consequences for the organization. For example:
As indicated by these examples, project risks include both internal risks associated with successfully completing each stage of the project, plus risks that are beyond the control of the project team. These latter types include external risks that arise from outside the organization but affect the ultimate value to be derived from the project. In all cases, the seriousness of the risk depends on the nature and magnitude of the possible end consequences and their probabilities.

In addition to project risk, project deferral risk can be important. Project deferral risk refers to the risks associated with failing to do a project. Like project risk, project deferral risk can arise from any of the bulleted risk sources listed above (the second list). Project deferral risk can also occur if there is only a limited window of opportunity for conducting a project—if the project is not conducted now, there may be a risk that it might never be possible to effectively do it later.

Oftentimes, external risks contribute more to portfolio risk because they impact multiple projects simultaneously. For example, a pharmaceutical company's R&D project is affected by the uncertain outcomes surrounding the specific compound involved; however, many projects could be impacted by a change in regulations. Similarly, a petroleum firm's exploration project depends on uncertainty over whether oil is present at the given location, but uncertainties over the market price of oil affect many projects. Likewise, a construction company might have many projects threatened by the external risk of an increase in steel or commodity prices.

Project Risk Management

Project risk management, as defined by Max Wideman, is "an organized assessment and control of project risks." Figure 26 shows the general, 3-step approach to risk management. Step 1 is to identify the risk. Empirical data, recent events, and new regulations (which often signal regulator concern over new risks) are inputs to the risk identification process, and brainstorming and risk scenarios (see below) are examples of techniques that can be used to define and clarify risks. Step 2 is to analyze the risks, which means characterizing risk in terms of likelihood and consequences. Step 3 is to manage the risk, taking into account the resources available and the organization's willingness and ability to accept risk.

Figure 26: The basic steps of risk management.

The appropriate level of detail required for risk management depends, obviously, on the level of risk. Riskier projects, such as new product launches, global initiatives, projects involving new technology, some major regulatory-driven projects, and so forth, tend to have complex interacting elements and involve high stakes. A poor track record on similar projects is an indicator of risk. Likewise, more attention to risk is required when there is project deferral risk. Such situations arise for organizations responsible for managing systems whose failure might produce serious, large-scale health, safety, environmental, or financial consequences (such as a large electric transmission network or an oil refinery). While sophisticated risk management is most needed for the most risky project environments, some level of project risk management must be provided in all cases.

An organization can practice risk management in several different contexts. Projects are proposed throughout the organization in response to perceived needs, threats, and opportunities. Sometimes, the identified need is reducing a risk. For example, an organization operating a hazardous facility may invest in projects to reduce health, safety, and environmental risks. In such cases, the project is itself an investment in risk management (in which case there may be project deferral risk).

Regardless of the need or opportunity the project is intended to address, there are three main contexts for project risk management. As shown in Figure 27, these are project planning, project selection, and project execution.

Figure 27: Project planning, project selection, and project execution are all opportunities for risk management.

Many organizations have instituted risk management processes within project planning and project execution. However, risk management in project selection is often little more than a yes/no answer to "Should we accept the risk?" Risk is often viewed as an "intangible" and described using qualitative terms such as "likely" versus "unlikely" and "significant" versus "insignificant." Such words are insufficiently precise and mean different things to different people. For example, a lower-level manager might have a very different notion of what qualifies as a significant risk compared to that of the CEO. Failure to describe and understand project risk and project deferral risk, coupled with project-by-project decision-making, creates problems for risk management.
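The sketch below is an added illustration, not part of the original article: it simulates the earlier points that portfolio risk is not the sum of project risks and that an external risk shared by many projects dominates it, which a project-by-project view cannot show. The model (ten projects, normally distributed deviations from plan, and the standard deviations used) is an assumption constructed for the example.

```python
import random
import statistics

def simulate(n_projects, idio_sd, shared_sd, trials=20000, seed=7):
    """Simulate deviations from plan for each project and for the portfolio.

    Each project's deviation = its own noise + one shared external shock
    (e.g. a regulation or commodity-price change) drawn once per trial.
    Returns (list of per-project SDs, list of portfolio totals).
    """
    rng = random.Random(seed)
    per_project = [[] for _ in range(n_projects)]
    totals = []
    for _ in range(trials):
        shared = rng.gauss(0.0, shared_sd)
        row = [rng.gauss(0.0, idio_sd) + shared for _ in range(n_projects)]
        for series, value in zip(per_project, row):
            series.append(value)
        totals.append(sum(row))
    return [statistics.pstdev(s) for s in per_project], totals

def tail_probability(totals, loss):
    """Fraction of trials where the portfolio falls short of plan by more than `loss`."""
    return sum(t < -loss for t in totals) / len(totals)

def compare(n_projects=10):
    # Constructed numbers: both cases give every project an SD of about 5
    # (5 alone, or 3 own noise + 4 shared shock, since 3^2 + 4^2 = 5^2).
    results = {}
    for name, idio, shared in (("independent", 5.0, 0.0),
                               ("shared_external", 3.0, 4.0)):
        sds, totals = simulate(n_projects, idio, shared)
        results[name] = {
            "sum_of_project_sds": sum(sds),
            "portfolio_sd": statistics.pstdev(totals),
            "p_loss_over_40": tail_probability(totals, 40.0),
        }
    return results

if __name__ == "__main__":
    for name, r in compare().items():
        print(name, {k: round(v, 3) for k, v in r.items()})
```

Project by project the two portfolios look the same, yet neither portfolio's spread equals the sum of the project spreads, and the one exposed to the shared external shock has a much wider distribution and a much higher chance of a large shortfall.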