A friend of mine (we'll call him Al) was out looking at daycare centers with his wife. Their two year old daughter was ready to expand her horizons and learn the intricacies of social behavior and all the risks inherent in her new world. To Al's dismay, no daycare center met the standards of control he would have expected in a daycare. This new world was fraught with risk. Doors weren't locked and children could escape. Gates were not on the stairwell and children could fall and injure themselves. Peanut butter was in the fridge and children could access it. Al wasn't willing to run the risk of introducing his daughter to this environment. Oddly enough, Al didn't have similar controls in his own house. No childproof door locks, no stair gates, and peanut butter in his fridge - sometimes on the counter!!
It was clear to me that a person will hold an unknown environment to a higher level of scrutiny than a person who is familiar with the same environment. It also became clear that a person's experience will determine the amount of risk they are willing to tolerate. For example, if I put three people in Al's deficient daycare and put a jar of peanut butter on the counter, the first person with no children may shrug their shoulders. The second person with a child may say, "Maybe we should remove the jar of peanut butter." While the third person who has a child with a peanut allergy may say, "I need a peanut free environment for my child. This is unacceptable." This dependency on individual experience and individual risk tolerance becomes a greater issue to organizations. When trying to ascertain the level of risk inherent in a project portfolio at an enterprise level, it is difficult to compare like with like without a risk management process and model that will represent the enterprise's willingness to accept risk.
The Problem
Risks that are not identified cannot be assessed. While an organization is dependent on a project manager to identify risks associated with a point in time project, there is no clear way to determine inherent risks to the organization. Organizations that have made the move to portfolio management have been successful at time management, resource management and time and budget status reporting at the portfolio level. While each of these advancements is a major achievement on its own, an organization that makes decisions on this data does so without a sense of risk associated with the performance of the portfolio. Decisions get made and risks are reacted to. Many issues are created due to unforeseen risks.
So what is wrong with this picture? After all, risk is an accepted part of business and life for pretty much everyone.
Risk is inherently a function of value and as such the more value at stake the more risk one is exposed to. Therefore, the notion that risk is a negative situation to be entirely avoided is a flawed argument, as this can only be guaranteed if/when an organization invests in cash cow initiatives where high value can be attained with no risk. We all know that cash cow initiatives are not sustainable and are the exception, not the rule.
The ultimate argument is found in the financial market where stocks and bonds are valued by level of risk tolerance. Bonds are considered safer bets and therefore yield lower returns while stocks are considered risky investments and are expected to yield higher returns. Over the past 100 years the financial market has designed numerous mechanisms to manage the dynamics of risk and reward with continued lessons learned along the way.
Independent of industry, size and source of funding (i.e. capital market, private equity, tax dollars), organizations must be well versed in balancing risk and reward if they are to survive and succeed in the competitive and volatile economy of the 21st century.
With Risk Comes Opportunity
The old saying that "the apple does not fall far from the tree" rings true when one takes a moment to reflect on why risk management practices are at such an elementary level. The answer lies in what organizations have come to believe to be good project management.
So what happens to managing risk? Risks become issues, issues become actions, and actions get managed using the same project management processes designed to manage the value line. The problem is that project management practices designed to deliver value are based on nomenclatures such as deliverables, milestones, performance indicators, quality, timeline, budget, approval, benefit realization, etc. These notions work perfectly for the value line where the lingo describes value-based characteristics.
To manage risks, organizations need to invest in elevating their risk management practices to the project portfolio level, to attain the same level of maturity as project management practices. Otherwise, risk management will continue to be at the mercy of an individual project manager's experience and will be managed well by a few and missed by most. This key concept drives the requirement for organizations to baseline their risk tolerance and provide their project management team with a consistent set of risk management standards and practices. Absence of risk management standards and practices will result in an environment of inconsistent risk tolerance and management, since project managers' personal tolerance for risk will driver their approach for managing project risk. The danger of such a notion is that some project managers will have high tolerance for project risks while some will have lower tolerance, which might or might not be applicable to the priorities of the organization.
We have all come to appreciate the necessities of standardized project management tools and methodology, and there are very few organizations that allow a project manager to use his/her own favorite project management tool and methodology. Risk management is no different, and organizations need to invest the same level of diligence in their risk management practices as they do in project management practices.
The Framework
The identification of potential risks within a project portfolio is of major importance to a proactive risk assessment process. It provides the opportunities, indicators, and information that allows for identifying all risks, major and/or minor, before they adversely impact an organization. An aggregate view of project risks within a portfolio will provide organizations with a holistic assessment of all risks, provided that the risk identification
framework at the project level is comprehensive.
The first step in risk assessment is to clearly and concisely express the risk in the form of a risk statement. A risk statement can be defined in the following terms:
o The risk assessment statement outlines a state of affairs or attributes known as conditions that the
project members feel may adversely impact the project.
o The risk assessment statement also articulates the possibility of negative consequences resulting from
the undesirable attribute or state of affairs.
o This two-part formulation process for risk assessment statements has the advantage of coupling the
idea of risk consequences with observable (and potentially controllable) risk conditions.
When formulating a risk assessment statement, it is helpful to categorize the risk statement within categories that best reflect the priorities of the organization. The project portfolio Risk Registry (Table 1) outlines the risk statement associated with "strategy" risk category. The project portfolio Risk Registry will have most value when customized to reflect organization risk categories and corresponding risk statements.
Once the project portfolio Risk Registry is vetted to reflect business priorities and challenges, the risk statements need to be evaluated against the probability and impact of actualization. The variable chosen to measure probability and impact of risk actualization reflects an organization language, as it is critical that baseline assessment is understood internally and represents organizational risk and exposure.
A quadrant analysis of risk category actualization in terms of probability and impact provides the organization with transparent disclosure of risk at the project and portfolio level. This assessment enables an organization to attain a baseline understanding of project portfolio risk based on the organization's own internal knowledge and experience.
The risk analysis model is designed to expand and normalize project management judgment, used in the risk assessment model, and apply a consistent baseline for the probability and impact of all risk categories. It is composed of the following steps:
1. Industry sources are used to establish a complete repository of threats that are applicable to the organizations.
2. Industry sources are used to determine the organization's vulnerability to industry threats. Then, the organization uses internal knowledge to narrow the list of vulnerabilities to those most applicable to the organization.
3. To further validate the applicability and relevance of threats and vulnerabilities, a processes of "so what" analysis is conducted where the probability and impact of identified threats and vulnerabilities are further validated. The "so what" analysis utilizes metrics similar to the probability and impact metrics used in the risk assessment model.
4. COBIT control statements are used to determine the level of controls that an organization has in place or could have in place in order to effectively manage the risk associated with outlined threats and vulnerabilities. Although COBIT controls are mostly designed for IT, indepth testing has revealed that COBIT controls are applicable to both IT and non-IT threats and vulnerabilities.
The outcome of the analysis phase is a repository of threats, vulnerabilities and controls assessed and validated through a series of workshops, where project and portfolio managers input is given the same weight as industry best practices. This ensures that the analysis result is applicable to the organization rather than a hypothetical environment.
An organization's risk tolerance is directly influenced by its ability and desire to invest in controls designed to adjust risk tolerance. The action model provides the framework to operationalize risk assessment and risk analysis findings based on the implementation of controls that provide the best level of risk mitigation for project portfolio priorities.
The action model leverages "so what" analysis to determine which controls provide the optimal mitigation results for threats/vulnerabilities with the highest probability of actualization and/or most implications. Furthermore, the action model provides the ability to assess the utility of existing controls in order to determine portability/reusability opportunities.
The action model also enhances the reliability of the quadrant report produced in the risk assessment and risk analysis phases, and specifically identifies the value of investment in controls as a means to mitigate threat probability and vulnerability impact.
In conclusion, the action model enables organizations to improve the effectiveness of processes used to deliver projects through investment in controls. The action model also develops roles, responsibilities and processes required to operationalize the risk assessment and risk analysis models in the form of specific actions. Roles such as Risk Manager and Risk Analyst are defined and incorporated into the business process. Each role in the risk management process has responsibility and accountability, and specific tasks within the risk assessment, risk analysis and risk action model. Finally, the action model enables organizations to establish pragmatic risk management processes.
Summary
Organizations are expected to manage risks and deliver high value capital projects. Anything else is considered sub-optimal performance. Delivering high-value projects requires a project management workforce with significant talent for effectively managing both the value line and risk line.
Managing project risk is no different than managing investment risk. In both cases, the "customer" who provides the capital demands that the investment is managed by professionals who understand and leverage risks to maximize return on investment. Failing to do so ends in the "customer" finding other alternatives, as capital investment is a precious commodity.
Tools designed to automate risk management become extremely valuable once organizations have understood and implemented the appropriate level of management processes for risk management. Unfortunately, many organizations fall into trap of buying pieces of technology, without having an in-depth understanding of the requirements and processes to use the technology.
Organizations have the technology and talent to deliver high value projects through effective and transparent management of risks and need to establish the supporting risk management processes. Start with a framework designed to build an enabling risk management process to manage project portfolio risk relative to organizational requirements. If we can all agree on the tenants of risk in our respective organizations, we won't have to suffer through miscalculation and mismanagement of risk.
After my friend Al communicated his concerns to his wife, they together created a framework to identify acceptable risk for a daycare provider. They discussed why they didn't hold their own home (the primary daycare) to the same standard. They determined how much they were willing to spend to mitigate certain risks and the likelihood of acceptable risk they were willing to bare. In the end, Al and his wife were able to select a daycare provider that provided the most reasonably safe environment for their child. In addition, they were able to develop a clear picture of some of the deficiencies in their own home environment and addressed them accordingly. The framework was critical in defining the conversation and providing them with a basis for discussion that ultimately enabled them to make an important choice. If only all organizations were run that way.
Will O'Brien is a partner in the Manta Group, a management consulting firm that focuses on IT Governance solutions encompassing Project Portfolio Management, Service Management, Risk and Compliance. His solid business acumen, coupled with extensive experience in consulting, management, sales and business development at senior levels in regional and international arenas has created a dynamic thought leader. Throughout his career, he has achieved success through strong communication skills, understanding of business principles and ability to align IT investments with business priorities.
It was clear to me that a person will hold an unknown environment to a higher level of scrutiny than a person who is familiar with the same environment. It also became clear that a person's experience will determine the amount of risk they are willing to tolerate. For example, if I put three people in Al's deficient daycare and put a jar of peanut butter on the counter, the first person with no children may shrug their shoulders. The second person with a child may say, "Maybe we should remove the jar of peanut butter." While the third person who has a child with a peanut allergy may say, "I need a peanut free environment for my child. This is unacceptable." This dependency on individual experience and individual risk tolerance becomes a greater issue to organizations. When trying to ascertain the level of risk inherent in a project portfolio at an enterprise level, it is difficult to compare like with like without a risk management process and model that will represent the enterprise's willingness to accept risk.
The Problem
Risks that are not identified cannot be assessed. While an organization is dependent on a project manager to identify risks associated with a point in time project, there is no clear way to determine inherent risks to the organization. Organizations that have made the move to portfolio management have been successful at time management, resource management and time and budget status reporting at the portfolio level. While each of these advancements is a major achievement on its own, an organization that makes decisions on this data does so without a sense of risk associated with the performance of the portfolio. Decisions get made and risks are reacted to. Many issues are created due to unforeseen risks.
So what is wrong with this picture? After all, risk is an accepted part of business and life for pretty much everyone.
Risk is inherently a function of value and as such the more value at stake the more risk one is exposed to. Therefore, the notion that risk is a negative situation to be entirely avoided is a flawed argument, as this can only be guaranteed if/when an organization invests in cash cow initiatives where high value can be attained with no risk. We all know that cash cow initiatives are not sustainable and are the exception, not the rule.
The ultimate argument is found in the financial market where stocks and bonds are valued by level of risk tolerance. Bonds are considered safer bets and therefore yield lower returns while stocks are considered risky investments and are expected to yield higher returns. Over the past 100 years the financial market has designed numerous mechanisms to manage the dynamics of risk and reward with continued lessons learned along the way.
Independent of industry, size and source of funding (i.e. capital market, private equity, tax dollars), organizations must be well versed in balancing risk and reward if they are to survive and succeed in the competitive and volatile economy of the 21st century.
With Risk Comes Opportunity
The old saying that "the apple does not fall far from the tree" rings true when one takes a moment to reflect on why risk management practices are at such an elementary level. The answer lies in what organizations have come to believe to be good project management.
So what happens to managing risk? Risks become issues, issues become actions, and actions get managed using the same project management processes designed to manage the value line. The problem is that project management practices designed to deliver value are based on nomenclatures such as deliverables, milestones, performance indicators, quality, timeline, budget, approval, benefit realization, etc. These notions work perfectly for the value line where the lingo describes value-based characteristics.
To manage risks, organizations need to invest in elevating their risk management practices to the project portfolio level, to attain the same level of maturity as project management practices. Otherwise, risk management will continue to be at the mercy of an individual project manager's experience and will be managed well by a few and missed by most. This key concept drives the requirement for organizations to baseline their risk tolerance and provide their project management team with a consistent set of risk management standards and practices. Absence of risk management standards and practices will result in an environment of inconsistent risk tolerance and management, since project managers' personal tolerance for risk will driver their approach for managing project risk. The danger of such a notion is that some project managers will have high tolerance for project risks while some will have lower tolerance, which might or might not be applicable to the priorities of the organization.
We have all come to appreciate the necessities of standardized project management tools and methodology, and there are very few organizations that allow a project manager to use his/her own favorite project management tool and methodology. Risk management is no different, and organizations need to invest the same level of diligence in their risk management practices as they do in project management practices.
The Framework
The identification of potential risks within a project portfolio is of major importance to a proactive risk assessment process. It provides the opportunities, indicators, and information that allows for identifying all risks, major and/or minor, before they adversely impact an organization. An aggregate view of project risks within a portfolio will provide organizations with a holistic assessment of all risks, provided that the risk identification
framework at the project level is comprehensive.
The first step in risk assessment is to clearly and concisely express the risk in the form of a risk statement. A risk statement can be defined in the following terms:
o The risk assessment statement outlines a state of affairs or attributes known as conditions that the
project members feel may adversely impact the project.
o The risk assessment statement also articulates the possibility of negative consequences resulting from
the undesirable attribute or state of affairs.
o This two-part formulation process for risk assessment statements has the advantage of coupling the
idea of risk consequences with observable (and potentially controllable) risk conditions.
When formulating a risk assessment statement, it is helpful to categorize the risk statement within categories that best reflect the priorities of the organization. The project portfolio Risk Registry (Table 1) outlines the risk statement associated with "strategy" risk category. The project portfolio Risk Registry will have most value when customized to reflect organization risk categories and corresponding risk statements.
Once the project portfolio Risk Registry is vetted to reflect business priorities and challenges, the risk statements need to be evaluated against the probability and impact of actualization. The variable chosen to measure probability and impact of risk actualization reflects an organization language, as it is critical that baseline assessment is understood internally and represents organizational risk and exposure.
A quadrant analysis of risk category actualization in terms of probability and impact provides the organization with transparent disclosure of risk at the project and portfolio level. This assessment enables an organization to attain a baseline understanding of project portfolio risk based on the organization's own internal knowledge and experience.
The risk analysis model is designed to expand and normalize project management judgment, used in the risk assessment model, and apply a consistent baseline for the probability and impact of all risk categories. It is composed of the following steps:
1. Industry sources are used to establish a complete repository of threats that are applicable to the organizations.
2. Industry sources are used to determine the organization's vulnerability to industry threats. Then, the organization uses internal knowledge to narrow the list of vulnerabilities to those most applicable to the organization.
3. To further validate the applicability and relevance of threats and vulnerabilities, a processes of "so what" analysis is conducted where the probability and impact of identified threats and vulnerabilities are further validated. The "so what" analysis utilizes metrics similar to the probability and impact metrics used in the risk assessment model.
4. COBIT control statements are used to determine the level of controls that an organization has in place or could have in place in order to effectively manage the risk associated with outlined threats and vulnerabilities. Although COBIT controls are mostly designed for IT, indepth testing has revealed that COBIT controls are applicable to both IT and non-IT threats and vulnerabilities.
The outcome of the analysis phase is a repository of threats, vulnerabilities and controls assessed and validated through a series of workshops, where project and portfolio managers input is given the same weight as industry best practices. This ensures that the analysis result is applicable to the organization rather than a hypothetical environment.
An organization's risk tolerance is directly influenced by its ability and desire to invest in controls designed to adjust risk tolerance. The action model provides the framework to operationalize risk assessment and risk analysis findings based on the implementation of controls that provide the best level of risk mitigation for project portfolio priorities.
The action model leverages "so what" analysis to determine which controls provide the optimal mitigation results for threats/vulnerabilities with the highest probability of actualization and/or most implications. Furthermore, the action model provides the ability to assess the utility of existing controls in order to determine portability/reusability opportunities.
The action model also enhances the reliability of the quadrant report produced in the risk assessment and risk analysis phases, and specifically identifies the value of investment in controls as a means to mitigate threat probability and vulnerability impact.
In conclusion, the action model enables organizations to improve the effectiveness of processes used to deliver projects through investment in controls. The action model also develops roles, responsibilities and processes required to operationalize the risk assessment and risk analysis models in the form of specific actions. Roles such as Risk Manager and Risk Analyst are defined and incorporated into the business process. Each role in the risk management process has responsibility and accountability, and specific tasks within the risk assessment, risk analysis and risk action model. Finally, the action model enables organizations to establish pragmatic risk management processes.
Summary
Organizations are expected to manage risks and deliver high value capital projects. Anything else is considered sub-optimal performance. Delivering high-value projects requires a project management workforce with significant talent for effectively managing both the value line and risk line.
Managing project risk is no different than managing investment risk. In both cases, the "customer" who provides the capital demands that the investment is managed by professionals who understand and leverage risks to maximize return on investment. Failing to do so ends in the "customer" finding other alternatives, as capital investment is a precious commodity.
Tools designed to automate risk management become extremely valuable once organizations have understood and implemented the appropriate level of management processes for risk management. Unfortunately, many organizations fall into trap of buying pieces of technology, without having an in-depth understanding of the requirements and processes to use the technology.
Organizations have the technology and talent to deliver high value projects through effective and transparent management of risks and need to establish the supporting risk management processes. Start with a framework designed to build an enabling risk management process to manage project portfolio risk relative to organizational requirements. If we can all agree on the tenants of risk in our respective organizations, we won't have to suffer through miscalculation and mismanagement of risk.
After my friend Al communicated his concerns to his wife, they together created a framework to identify acceptable risk for a daycare provider. They discussed why they didn't hold their own home (the primary daycare) to the same standard. They determined how much they were willing to spend to mitigate certain risks and the likelihood of acceptable risk they were willing to bare. In the end, Al and his wife were able to select a daycare provider that provided the most reasonably safe environment for their child. In addition, they were able to develop a clear picture of some of the deficiencies in their own home environment and addressed them accordingly. The framework was critical in defining the conversation and providing them with a basis for discussion that ultimately enabled them to make an important choice. If only all organizations were run that way.
Will O'Brien is a partner in the Manta Group, a management consulting firm that focuses on IT Governance solutions encompassing Project Portfolio Management, Service Management, Risk and Compliance. His solid business acumen, coupled with extensive experience in consulting, management, sales and business development at senior levels in regional and international arenas has created a dynamic thought leader. Throughout his career, he has achieved success through strong communication skills, understanding of business principles and ability to align IT investments with business priorities.
No comments:
Post a Comment