Employing opportunities
What do we mean by opportunities? In an existing project a calculation is made of the amount of work needed to arrive at the deliverable that is agreed upon. Based on this calculation human resources are hired to perform the work. A risk (threat) is identified: Because of the complexity and the many work hours the work might be delivered late causing an essential delivery date to be compromised. This risk is accepted and monitored.
After a couple of weeks the scope of the project changes because of commercial reasons. Priorities are re-shuffled causing the original target to be impossible if the current procedures are being maintained. Forced by these circumstances the team looks at alternatives and thinks of automating the work by means of (to be developed) software. This idea is put to action and later in the project it appears that it has contributed to a huge time saving and, in addition, the developed software also constitutes a magnificent tool to manage the system. The original threat was transformed into an opportunity (budget for the alternative became available) and it benefited the project and the system administration department.
In our view a project is in control when targets are in focus and both threats and opportunities are being considered, managed and employed. In our opinion specifically the employing of opportunities does not get the necessary attention.
Risk management therefore can be a much stronger tool to get projects in control if, besides threats also opportunities are analysed and measures are conceived to employ those opportunities. This requires a relationship between ordering party and contractor (business executive and project manager) which we will address later in this article.
Project focus
As well on basis of external pressure, as described above, we perceive that risk management in projects has been implemented in some way. Many projects even implement a complete separate risk management system and some project controllers create risk logs in MSExcel and measure the influence of risk on cost calculation and planning. Even in (public) tenders more and more explicit risk analysis are enforced to spread risk over the contract parties.
In itself this is OK, but too often we find that risk management is focused internal (project). A project exists only within and contributing to the goals of, an organisation or the program to which it belongs. To have control of the projects they need to be aligned with these goals and the ‘risk appetite’ of that organisation; i.e. the risk the organisation is willing to take within existing corporate control (net risk).
Business is taking risks. It could be that organisations accept certain risks, however big, without any control. The moment an organisation defines a corporate ‘risk appetite’ (accepted risk profile), this provides an outline in which choices about risk can be made. Risk management in projects is much more powerful when it is part of, and aligned with, a corporate risk process.
Corporate
In many organisations risk management has been implemented in many different ways. What’s important therefore is to make use of the knowledge, know-how and experience in that field and to align as much as possible to the existing processes within the organisation. The project saves time and effort in defining new formats and/or methods. By aligning the project risk management to existing communication and reporting structures, everyone in the organisation can appreciate the information coming from the project. Risk management in the project then is not stand-alone but contributes and aligns with the corporate risk portfolio.
Risk management abides by the existing hierarchy so that risks are addressed on the appropriate level. Many risks in projects are exogenous. They cannot be influenced by the project (team) and are not the responsibility of the project (manager). By aligning to the corporate risk management reporting there is a stage to discuss these risks. In addition, the responsibility for mitigating these risks can be put on the people in the organisation that can influence those risks. The information from the project risk analysis can then be measured against the organisational goals and targets.
Integrated part
Of course it is important to focus the risk analysis in a way that it aligns with the corporate goals of the organisation. Project risk management has then become an integrated part of the corporate risk management which must be implemented both top-down as bottom-up. The focus is decided top-down after which the risk analysis delivers bottom-up information that, when prioritised, ends-up on the right level within the organisation. Typical project risks are controlled within the project, while more strategic and exogenous risks are controlled in the line organisation.
The necessity to centralise assessing the risks is also a conclusion in the report of the General Accounting office of the Dutch government concerning the risk control in the HSL-South project. Because this HSL-South project was put out by means of a complicated set of contracts combined with integral management, it makes managing of risk and set-backs at building and operation more difficult.
Connecting with corporate risk management initiatives can also improve the quality of risk management in terms of content. The thoroughness of the analysis and the quality of the controls can be optimised for example by having a corporate risk manager join the project risk analysis sessions. His fresh view will prevent project blindness. His knowledge and experience of the organisation and it’s programs and projects will import risks and controls that have already been tested in other areas of the organisation. This enhances the learning effect in the organisation and increases the effectiveness of the project and corporate risk management.
The program ‘Ruimte voor de Rivier (Space for the River)’, that consists of about forty measures (projects) to improve protection of the Dutch delta against floods, has adopted this way of risk management. By using the same risk methodology at program and project level it is able to focus on the most important risks. Decidedly, in this way exogenous risks for projects are captured and weighed by the program board at an integral level. Also specific project knowledge on risks can be shared with the other projects ascertaining an early and pro-active response. All this of course, can only function in an open and transparent environment in which communication about risks occurs in an atmosphere of mutual trust.