Risk management has been recognized for some time as a formal discipline in its own right, and there is growing consensus on the elements which comprise best practice. However, the risk management field has not fully matured and there are a number of areas requiring further development.
This article outlines current best practice, then presents three areas in which risk management might develop in the short to medium term: integration of risk management with overall management and corporate culture; increased depth of analysis and breadth of application; and inclusion of behavioral aspects in the risk process.
Risk management has developed in recent years into an accepted discipline, with its own language, techniques and tools. Many management textbooks include sections on risk management, and there is a growing library of reference texts specifically devoted to the subject in its own right. The value of a proactive formal structured approach to managing uncertainty has been widely recognized, and many organizations are seeking to introduce risk processes in order to gain the promised benefits.
But although it appears that risk management is a mature discipline, it is still developing, and there is some way to go before its full potential is realized. A number of initiatives are under way to extend the boundaries of the subject, and there is a danger that risk management could dissipate and lose coherence if some sense of overall direction is not maintained. There is an accepted core understanding of risk management, but new directions are constantly being explored, as seen for example by the breadth of topics covered in the literature.
There are at least three areas where active development is needed in the short to medium term if risk management is to fulfil its promise as a significant contributor to project and business success. These include:
- integration of risk management with overall management and corporate culture
- increased depth of analysis and breadth of application
- inclusion of behavioural aspects in the risk process
These three areas are briefly considered in turn below, after a short discussion of what constitutes current best practice in risk management.
Current best practice in project risk management
There are many guidelines and standards defining different approaches to risk management (for example IRM 2002; APM 2004; ISO 2009; UK OGC 2010; PMI 2013). These cover different levels of risk management from corporate governance, through strategic portfolio management, to projects and tasks. While there are some common elements in these so-called “standards”, each one takes a slightly different approach, so in fact there is no single commonly-accepted risk management standard for best practice. However, all risk processes follow the same basic steps (although terminology differs between them), with the following stages (see Hillson 2009, and Hillson & Simon 2012, for more details):
- First is a definition or initiation phase, ensuring that objectives are agreed and understood by all stakeholders, and determining the scope and level of detail required for the risk process, driven by the riskiness and strategic importance of the project or situation at risk. Typically the output from this phase is captured in a Risk Management Plan.
- After definition is risk identification, using techniques such as brainstorms, workshops, checklists, prompt lists, interviews, questionnaires etc. A range of techniques may be used to ensure that as many risks as possible are identified. Care is needed to distinguish between risks and related non-risks (e.g. problems, issues, causes, effects, etc.). Risk identification should also address both threats and opportunities, since both are included in the definition of a risk as “Any uncertainty which, if it occurs, will affect achievement of one or more objectives.” During this phase the preliminary Risk Register is produced, with more detail added as the process continues.
- The significance of identified risks needs to be assessed, prioritizing key risks for further attention and action. Assessment can be qualitative (describing characteristics of each risk in sufficient detail to allow them to be understood), or quantitative (using mathematical models to simulate the effect of risks on outcomes). Qualitative methods include plotting risks on a two-dimensional grid showing probability and impact (the P-I Matrix) allowing risks to be prioritized, and use of a Risk Breakdown Structure (RBS) to group risks by source. Quantitative methods include sensitivity analysis, decision trees, or Monte Carlo simulation, to expose key risk drivers and guide response planning.
- Next comes response planning, when strategies and actions are determined to deal with risks in a way that is appropriate, achievable and affordable. Each action should be agreed with project stakeholders, and allocated to an owner, then its effectiveness should be assessed. Responses for threats include avoidance, transfer, or reduction. Opportunity responses include exploiting, sharing or enhancement. Residual risks should be actively accepted, with appropriate use of contingency and fallback plans
- Planning must lead to action, so it is important to implement planned actions, monitor effectiveness, and report results to stakeholders. During this implementation phase, risk exposure is actually modified as a result of taking suitable action. The effectiveness of the risk process is also assessed so that adjustments can be made where necessary.
- Lastly, any risk process must include review and update. Risk is always changing so the process must be iterative, regularly reviewing risk exposure, identifying and assessing new risks, and ensuring appropriate responses.
This best practice process is not inherently difficult to implement, since it represents structured common sense. Indeed this is one way to define “best practice”: it is not “what everyone currently does” (this is merely “general practice”), but “what everyone should do”.
Three areas for future improvement
Although risk management best practice is well defined and widely accepted, there are still some areas where risk management as practiced could develop to make it more effective, and maximise the benefits available to those organizations implementing it. The following paragraphs summarize three areas which are likely to emerge in the coming years, and which deserve attention as potentially advantageous developments.
1. Integration of Risk Management
Risk management is often perceived as a specialist activity undertaken by experts using dedicated tools and techniques. In order to the overall organization to gain the full benefits from implementing the risk process, it is important that risk management should become fully integrated at both operational and strategic levels. Without such integration, there is a danger that the results of risk management may not be used appropriately (or at all), and that project and business strategy may not take proper account of any risk assessment.
True integration requires a number of changes, including recognition of the existence of uncertainty as an inherent part of being in business, together with proper interfaces to business processes and tools. In addition, there is a need to develop strategic risk-based thinking within organizational culture. The denial of risk is common at senior management levels, and much of the value of implementing risk management can be diluted or lost if decision-makers do not properly take account of risk. Risk management must be seen as an integral part of doing business, and must become “built-in not bolt-on”, a natural feature of all project and business processes, rather than being conducted as an optional additional activity.
2. Increased Depth and Breadth
There is general consensus about the current risk management process. Further development is however required to improve its effectiveness, both in functionality and scope. These two dimensions of improvement are termed depth of analysis and breadth of application.
The current level of risk analysis is often driven by the capabilities of the available tools and techniques. The depth of analysis could be improved by:
- Development of better tools and techniques, with improved functionality, better attention to the user interface, and improved integration with other parts of the toolset.
- Use of advanced information technology capabilities to enable effective knowledge management and learning from experience, for example using artificial intelligence, expert systems or knowledge-based systems to permit new types of analysis.
- Development of existing techniques from other disciplines for application within the risk arena, for example from value management, system dynamics, safety and hazard analysis, financial trading etc.
The current scope of risk management is fairly limited, tending to concentrate on timescales and cost targets. While these are undeniably important, there are a number of other areas which should be covered by the risk process. The breadth of application could be enhanced by:
- Inclusion of opportunity within the definition of “risk”, and ensuring that the risk process covers both threats and opportunities (see Hillson 2003).
- Measurement of impact against all types of objectives, including performance, quality, compliance, environmental or regulatory, “soft” objectives such as human factors issues, and the business benefits.
- Expansion of the scope of risk processes to include program risk management (addressing risks to portfolios of projects, considering inter-project issues) and business risk assessment (taking account of business drivers).
3. Behavioural Aspects
There is general agreement on the importance of human behavior in determining performance (Hillson & Murray-Webster, 2007). Future developments in risk management must take more account of these issues, both in generating input data for the risk process, and in interpreting outputs. This should include the area of heuristics, to identify the unconscious rules used when making judgments under conditions of uncertainty. It should also consider risk attitudes and their effect on the validity of the risk process. A reliable means of measuring risk attitudes needs to be developed, to identify and counter potential bias among participants in the risk process. The impact of risk attitude on perception of uncertainty should be explored to allow the effects to be understood and managed.
This would also permit building of risk-mature and emotionally-literate teams of people who can understand and modify their risk attitude as appropriate between taking risks and being cautious, in order to ensure that risks are taken safely.
The short history of risk management has been a success story to date, with widespread application across many industries, and development of a core best practice with a strong supporting infrastructure. Although risk management has matured into a recognized discipline, it has not yet reached its peak and could still develop further.
There are several areas where progress is required. Development in these areas would have a significant effect on risk management, by producing:
- A set of risk management tools and techniques which are fully integrated with project and business processes, with the existence of uncertainty being recognized and accepted at all levels (via integration of risk management).
- Improved analysis of the effects of risk on project and business performance, addressing its impact on issues wider than time and cost (via increased depth of analysis and breadth of application), and covering both threats and opportunities.
- Proper account being taken of human factors in the risk process, using assessment of risk attitudes to counter systematic bias and build risk-balanced teams (via behavioural aspects).
Attention to these areas will ensure that risk management continues to develop. Risk management must not remain static if it is to fulfil its potential as a significant contributor to project and business success, and if it is to take its place as an indispensable and effective management tool.
Posted by Dr. David Hilson, Founder and Director of The Risk Doctor Partnership, July 26th 2016