Successful project
managers recognize that risk management is important, because achieving a
project’s goals depends on planning, preparation, results and evaluation that
contribute to achieving strategic goals. As a project manager, you often deal
with unexpected events that impact your project objectives. Thus, to ensure
your project’s success, you have to define how you will handle potential risks
so you can identify, mitigate or avoid problems when you need to.
Like any other process in project management,
risk management has to be planned in order to forecast the total effort
required by the project team for developing the full scope of risk management.
The roles of the Project
Manager (PM) and the Risk Manager (RM) are critical for developing a realistic
implementation plan. In addition, before starting work on the Risk
Management Process, the PM and RM should ensure that important project data is
available, for example the project report, cost estimate, project plan, etc.
The
figure above shows the steps for creating a risk management plan. It is ideal to have the project charter for developing the risk
management plan, since in the charter it is possible to identify critical
information about the project like scope, conceptual cost estimate, delivery
milestones, conceptual risks, stakeholders, etc.
It is important to note that risk
assessment is the responsibility of the PM and the project team. Nevertheless, it
is recommended to use an RM whenever possible. The RM is a neutral element of
the project team and can reduce the bias, which can seriously affect the
outcome of the risk management study.
The RM as a risk expert should be able to
lead, coordinate, educate, explain, convince, propose, monitor and evaluate the
entire process; he or she also needs experience in leading
teams from different backgrounds and coming from different functional units and
agencies. Some characteristics of risk analysts are: creative thinkers,
confident, modest, thick-skinned, communicators, pragmatic, able to
conceptualize, curious, good at mathematics, a feel for numbers, finishers,
cynical, pedantic, careful, social and neutral (Vose, 2008). S/he should be a
good communicator, must have an analytical mind and needs to be able to think
outside the box. The skills of a risk manager are somewhat related to the
project manager’s, in the sense of managing and controlling. However, the risk
manager needs to deal with risk assessment, which in the quantitative arena
requires analytical modelling skills that the project manager is usually not
trained for.
Risk management has to be implemented for
projects or within projects, but this is only the first step. Risk management
means a change in the way of doing business. Furthermore, risk management at the project
level is not good enough. The most effective risk-management processes go
beyond individual projects and take root at the portfolio level. For that
reason, the culture of implementing risk management should come from the
executives and the company’s policies. Risk management has evolved into
“Enterprise Risk Management (ERM)”.
At the enterprise level, like project managers,
directors and CEOs also face many challenges. They must focus their organizations
to capitalize on emerging opportunities. They must continually invest scarce
resources in the pursuit of promising – though uncertain – business activities.
They must manage the business in the face of constantly changing circumstances.
And as they do all of these things, they must simultaneously be in a position
to provide assurance to investors, directors and other stakeholders that their
organizations know how to protect and enhance enterprise value. Amid constantly
changing risk profiles, directors and CEOs need a higher level of performance
from every discipline within the organization, including risk management.
Most companies have implemented risk
management; however, most of them use traditional risk management
approaches. Under traditional risk management approaches, the process is
fragmented, risk is viewed as a negative (something to be avoided), reactive
and ad hoc behavior is accepted, and the risk management activity is
transaction-oriented (or cost based), narrowly focused and
functionally-driven. The traditional risk management model is focused on
managing uncertainties around physical and financial assets.
On the other hand, under Enterprise Risk
Management (ERM), the process is integrated, risk is also viewed as a positive
(recognizing that successful companies must take on risks when seizing
opportunities), proactive behavior is expected, and the risk management
activity is strategic (or value-based), broadly focused and process-driven. ERM
is focused on the enterprise’s entire asset portfolio, including its intangible
assets such as its customer assets, its employee and supplier assets, and such
organizational assets as its differentiating strategies, distinctive brands,
innovative processes and proprietary systems.
ERM will help directors and CEOs meet these
challenges by establishing the oversight, control and discipline to drive
continuous improvement of an entity’s risk management capabilities in a
changing operating environment. ERM redefines the value proposition of risk
management by providing an organization with the processes and tools it needs
to become more anticipatory and effective at evaluating, embracing and managing
the uncertainties it faces as it creates sustainable value for stakeholders. By
continuously improving the risk management capabilities that really matter to
the successful execution of the business model, ERM elevates risk management to
a strategic level.
As ERM is deployed to advance the maturity
of the organization’s capabilities for managing the priority risks, it helps
management to successfully enhance as well as protect enterprise value in three
ways. First, ERM focuses on establishing sustainable competitive advantage.
Second, it optimizes the cost of managing risk. And third, it helps management
improve business performance. These contributions redefine the value
proposition of risk management to a business.
To see why it is so important to implement ERM in your company, here is a
case that we can learn from.
Does JetBlue Airways need ERM?
Standard and Poor’s proposed a unique approach to ERM
in 2008. Instead of a specific formula or checklist, S&P believes managing
enterprise risk depends largely on the quality of management. Still, even a
high-quality management team can stumble if it does not use ERM. An example
came on February 14, 2007, when New York City’s Kennedy Airport was hit by a
nasty ice storm. JetBlue Airways, the largest airline at Kennedy, used the
airport as the hub of its entire network. The company was not prepared for such a
risk event. The result was thousands of passengers trapped in planes on runways
for up to eight hours. Aircraft ran out of food. Toilets overflowed. The
airline canceled more than 1,000 flights and required six days to get the
backlog cleared.
If JetBlue had implemented ERM, it would have had some
options. First, it could arrange to have buses available for an emergency. It
could unload passengers stuck in planes sitting on the tarmac when all gates
are full. Second, it could provide additional personnel to solve problems,
handle luggage, and mitigate discomfort. The company headquarters was a short
distance from the airport. The company could train office staff on tasks needed
during a crisis. Third, the company could institute rapid-response capabilities
for weather or other crises. Any approach used would be good risk management
compared to leaving passengers stuck on planes.
Before the incident, a Business Week magazine survey
ranked JetBlue Airways fourth in the US in customer satisfaction. After the
incident, prior to the single event, the magazine pulled the ranking and
reported the failure in considerable detail.
Lesson Learned: An
ERM program with constant scanning and sharing of risks might have avoided
losses that exceeded $30 million.
References:
Hampton, J. Fundamentals of Enterprise Risk Management. Amacom. 2009.
Protiviti Independent Risk Consulting. Guide to Enterprise Risk Management.
Saches, P.M. Project and Enterprise Risk Management at California Department of Transportation. Intech. 2012.