Lee Merkhofer Consulting Priority Systems
Implementing project portfolio management

Part 5:  Inattention to Risk


Economic uncertainties, terrorism, political upheavals, labor unrest, weather-related disasters, court liability rulings, and on and on. Modern realities are forcing organizations to pay more attention to risk. Yet, while nearly all organizations are focusing more on security, quality assurance, liquidity, and insurance, when it comes to selecting projects many still don't consider the implications of risk. Bringing individual projects in on time, on budget, and to project specifications is no longer good enough. Inattention to risk is the fourth reason organizations choose the wrong projects.

Risk and Risk Management

There are important reasons why more attention to the risks of the project portfolio is needed. First, nearly all organizations are being held to higher standards by shareholders, customers, regulators, and the public. Executives are much less tolerant of undesired, unexpected project outcomes.

Meanwhile, larger projects are becoming more complex due, for example, to new technologies, more regulatory requirements, increased product liability, financing challenges, and the greater dependencies organizations have with multiple business partners. Uncertainty in world markets and government interventions create external risks that can doom an otherwise sound project.

As projects are becoming riskier, studies show that organizations are increasingly biasing their project portfolios toward smaller, low-risk, short-duration projects. The increasingly competitive business environment is putting ever more pressure on managers to produce results quickly. But many organizations are still struggling to get by after staff reductions following the 2008 recession. Given the pressures for achieving greater efficiency, taking on big-gamble projects with unfamiliar risks is the last thing most project managers want to do. Managers who've made bad risk decisions in the past, particularly if they've resulted in reputation damage, are unlikely to make subsequent decisions that take on more risk.

Yet, to quote Alan Greenspan, "Risk-taking is indeed a necessary condition for the creation of wealth" [1]. Successful organizations deliberately take risks when it is to their advantage. According to Suzanne Labarge, Vice Chairman of the Royal Bank of Canada, "Risk in itself is not bad. What is bad is risk that is mismanaged, misunderstood, mis-priced, or unintended" [2]. Failure to recognize, understand and accept risks when justified leads to project portfolios that favor low-risk projects with little upside potential.

A 2010 survey of companies practicing project portfolio management identified building risk assessment into project decisions as the top strategy for managing project portfolios [3]. The desire to expand portfolio management to include risk management is not surprising. A serious project mishap can create significant unforeseen costs, operational failures, regulatory non-compliance with potential penalties, customer dissatisfaction, and loss of competitive advantage and market share. Such outcomes may irreversibly damage the reputation and profitability of the business. At the same time, choosing to do only low-risk projects is not a strategy for long-term organizational success.

What is Risk?

The first step toward better addressing risk is to better understand it. Risk, according to Webster, is "a possibility of loss." Risks arise from uncertainty, our inability to foresee the future. If an uncertainty creates the potential for loss, we refer to it as a risk. Some distinguish a risk with no chance of an upside gain (e.g., a fire risk) as a pure risk. A risk that includes a chance for gain (e.g., investment risk) may be called a speculative risk. Obviously, organizations should seek to minimize pure risks, but may want to undertake some speculative risks.

Risk can be described in qualitative terms, such as "low," "moderate," or "high," but more clarity is provided by separately indicating the likelihood of loss and the magnitude of the loss should it occur, for example, "low-probability, high-consequence risk." The most clarity is provided by quantifying risk. The opportunity to quantify risk is provided by the language of probability. A probability distribution (sometimes called a risk profile) is a table, equation, or graphic plot that characterizes a risk by indicating the range of possible consequences (expressed using some appropriate unit of measurement or scale) and their probabilities of occurrence.

Figure 25:   Risk may be quantified by providing a probability distribution over possible outcomes.

Risk is not an additive property—the risk of a portfolio is not the sum or average of the risks of the individual projects within the portfolio. In the case of projects, like financial investments, portfolio risk is determined by the underlying statistical relationships (correlations) among the uncertainties that contribute. If these underlying statistical relationships are identified and modeled, they can be exploited to find optimal risk-based tradeoffs. Conversely, if they are ignored, large risks may be masked and opportunities to avoid them missed.
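The non-additivity described above can be worked through numerically. The following is an added example, not part of the original article: the three projects, their dollar figures, and the correlation matrices are constructed, and the portfolio's risk profile is assumed to be normal so that a probability of loss can be stated.

```python
import math

# Constructed sample portfolio (not from the article): expected value and
# standard deviation of each project's net value, in $ millions.
MEANS = [4.0, 3.0, 5.0]
SIGMAS = [3.0, 4.0, 12.0]

# Three assumed correlation structures among the projects' uncertainties.
INDEPENDENT = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
COMMON_DRIVER = [[1.0, 0.5, 0.5], [0.5, 1.0, 0.5], [0.5, 0.5, 1.0]]
OFFSETTING = [[1.0, 0.0, -0.5], [0.0, 1.0, -0.5], [-0.5, -0.5, 1.0]]


def portfolio_sigma(sigmas, corr):
    """Standard deviation of the sum: sqrt(sum_ij sigma_i * sigma_j * rho_ij)."""
    n = len(sigmas)
    variance = sum(sigmas[i] * sigmas[j] * corr[i][j]
                   for i in range(n) for j in range(n))
    return math.sqrt(variance)


def prob_of_loss(mean, sigma):
    """P(total value < 0), assuming a normal risk profile."""
    return 0.5 * (1.0 + math.erf(-mean / (sigma * math.sqrt(2.0))))


def risk_profile(corr):
    """Return (expected value, sigma, probability of loss) for the portfolio."""
    mean = sum(MEANS)
    sigma = portfolio_sigma(SIGMAS, corr)
    return mean, sigma, prob_of_loss(mean, sigma)


if __name__ == "__main__":
    print(f"sum of standalone sigmas: {sum(SIGMAS):.1f}")
    for name, corr in [("independent", INDEPENDENT),
                       ("common driver", COMMON_DRIVER),
                       ("offsetting", OFFSETTING)]:
        mean, sigma, p = risk_profile(corr)
        print(f"{name:14s} mean={mean:5.1f} sigma={sigma:5.2f} P(loss)={p:.3f}")
```

The expected value is the same in all three cases, yet the spread and the chance of a net loss differ: treating projects that share a common driver as independent understates the risk, while a project whose outcomes offset the others reduces it.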

Types of Risk

The most common concerns for project managers are:

  • Cost risk, typically escalation of project costs due to poor cost estimating accuracy and scope creep.
  • Schedule risk, the risk that activities will take longer than expected. Slippages in schedule typically increase costs and, also, delay the receipt of project benefits, with a possible loss of competitive advantage.
  • Performance risk, the risk that the project will fail to produce results consistent with project specifications.

There are many other types of risks of concern to project portfolio managers. These risks can result in cost, schedule, or performance problems and create other types of adverse consequences for the organization. For example:

  • Governance risk relates to board and management performance with regard to ethics, community stewardship, and company reputation.
  • Strategic risks result from errors in strategy, such as choosing a technology that can't be made to work.
  • Operational risk includes risks from poor implementation and process problems such as procurement, production, and distribution.
  • Market risks include competition, foreign exchange, commodity markets, and interest rate risk, as well as liquidity and credit risks.
  • Legal risks arise from legal and regulatory obligations, including contract risks and litigation brought against the organization.
  • Risks associated with external hazards, including storms, floods and earthquakes; vandalism, sabotage and terrorism; labor strikes; and civil unrest.

The lists demonstrate one source of confusion in understanding risk. A risk can be specified by naming the source of the risk or by specifying a consequence of the risk. In the second list the entry names indicate different sources of risk. With the first list, in contrast, the names identify consequences of particular concern to project managers. As for the sources of risk, the lists make it clear that risk can originate either internally, as a problem for successfully completing some stage of the project, or externally, from some source entirely beyond the control of the project team. In all cases, of course, the seriousness of a risk depends on the nature and magnitude of the possible end consequences and their probabilities.

Characterizing Risks with the Objectives Hierarchy

Extending the logic of the first list above, risks can be consistently characterized in terms of the specific organizational objectives that they threaten. Part 3 of this paper argued that the organization's objectives should be identified and structured into an objectives hierarchy. Figure 26 provides an example. If there is a risk, for example, that could result in damage to the reputation of the organization, it can be referred to as an organizational image risk. Likewise, if a risk could lead to unexpected poor performance against a public health and safety objective, that risk can be characterized as a public health and safety risk.

Figure 26:   (Sub)-objectives (relevant to value creation) that may be impacted by risk.

Characterizing Risks by Defining the Risk Chain

To better understand a risk and avoid the confusion over the terms used to identify the risk, it is useful to define the risk chain. The risk chain is the sequence of causes and effects that may result in adverse impacts to one or more objectives. Oftentimes, a risk involves a source or root cause (e.g., a hazard), a mechanism by which people or the things of value might be exposed to or experience the hazard, and some level and type of potential adverse consequences.

For example, in the context of a project to develop an airbag passive restraint system for automobiles, the risk source is vehicles traveling at speed on roadways (kinetic energy), people get exposed when collisions occur, and injuries and fatalities are the consequences of concern. Airbag systems don't affect the rate of accidents or the trauma caused by an individual hitting a hard object at a specified speed. However, they do provide a buffer that reduces the individual's velocity relative to the vehicle as well as a cushion that helps to protect people when contacting the steering wheel, dashboard, front glass and other hard objects in the vehicle's interior.

Figure 27:   A model of the vehicle crash risk chain with a passive airbag system.

Scenario Building

One of the simplest tools for exploring risk is scenario building (Figure 28), a technique originated by the military. Scenario building involves hypothesizing plausible events or futures that significantly impact the value or success of a project or set of projects. Envisioning the scenarios as "mental movies" helps to stimulate thinking. Not only does scenario building help uncover real possibilities, it encourages managers to come up with ways of avoiding potential disasters and ensuring that things turn out reasonably well regardless of which future scenario actually takes place.

Figure 28:   Scenario building.

Large oil companies have long been users of scenario building. The popularity is often attributed to one early success. In the 1970s, a planning group at Shell Oil generated scenarios that could affect the price of oil, an uncertainty important to many of the company's projects. One scenario was that prices would remain stable. Another was that OPEC would demand much higher prices. As the latter scenario was developed, it became increasingly clear to the team that the scenario was not just plausible, it was highly likely. However, when the team warned upper management, no changes in company decisions could be observed. So, the team went one step further. They described the logical ramifications of the scenario in terms that leadership would understand — it meant slow growth for the industry and the possibility that OPEC countries would take over Shell's oil fields. When the Arab oil embargo did occur in 1973, only Shell was reasonably prepared. To manage risks highlighted by the scenario, the company had slowed refinery expansions and adapted their refineries to better accommodate alternative types of crude oil.

Methods for Dealing with Risk

A risk that has been identified can be managed using four basic approaches — accept, avoid, transfer, or mitigate.

  • Accepting a risk is the easiest approach for managers, since it requires no further action. Accepting a risk may be an appropriate response if the risk is small and there are no easy ways to make the risk even smaller. However, organizations with immature risk management practices often take this course even when the risk is significant. This is typically due to overconfidence and a failure to appreciate the adverse consequences that would result from the risk event. Also, familiarity plays a role. The better you get to know a risk (especially one that hasn't yet hurt you), the more accepting of it you become.
  • Avoiding a risk typically means not undertaking the activity that carries it, for example, not conducting a project that presents some risk. Although risk avoidance can be a very effective risk management approach, avoiding the source of risk means losing out on the potential gain that accepting the risk may have allowed. Risk avoidance is likewise frequently employed by organizations with less sophisticated risk management, especially as a means for dealing with risks that are less familiar or less well understood.
  • Risk transfer means transferring the risk to someone else, for example, via contracts or by purchasing insurance. Hedging is another method for transferring risk. For example, a farmer worried about weather might sell a futures contract — a contract to deliver his produce at a fixed price at some time in the future. If the value of the farmer's crop declines (e.g., due to bad weather), the value of the farmer's future position will likely go up to offset the loss.
  • Risk mitigation means reducing the risk, either by reducing the severity of the potential adverse outcomes or the likelihood of those outcomes. Safety programs and loss prevention measures such as medical care, fire departments, night security guards, fire sprinkler systems, and burglary alarms are all examples of techniques intended to reduce risks. Risk reduction is often a desirable approach; however, it may not be possible to eliminate all risk. Also, whether or not a risk-reducing alternative is worth doing depends on its cost and effectiveness, and also the organization's willingness to accept risk.

Project Risk Management

Project risk management has been defined as, "an organized assessment and control of project risks." Figure 29 shows the general, 3-step approach to risk management. Step 1 is to identify risks. Empirical data, recent events, and new regulations (which often signal regulator concern over new risks) are inputs to the risk identification process, and brainstorming and scenario analysis are useful as well. Step 2 is to characterize the identified risks, which means understanding the specific objectives that are threatened and the risk chain. Finally, Step 3, risk analysis, is concerned with assessing how serious the risk is. As suggested above, this assessment can be done either qualitatively or quantitatively.

Figure 29:   The basic steps of risk management.

The appropriate level of detail for risk assessment and risk management depends, obviously, on the magnitude of risk. Riskier projects, such as new product launches, global initiatives, projects involving new technology, some major regulatory-driven projects, and so forth, tend to have complex interacting elements and involve high stakes. Larger projects, in terms of cost or potential payoff, are typically more risky. A poor track record on similar projects is an indicator of risk. While sophisticated risk management is most needed for the most risky project environments, some level of project risk management should be provided in all cases. Studies show that large companies are most careful when it comes to risk, but small and mid-sized organizations with less ability to withstand risk can typically benefit the most from improving their risk assessment and management practices.

Opportunities for Managing Risk

Risk management, as indicated in Figure 30, can be practiced during project planning, project selection, and project execution. Many organizations have instituted risk management processes within project planning and project execution. For example, construction companies and others that routinely conduct large, complex projects typically require that the project plan include a plan for managing risks. The risk management plan identifies potential risks, estimates how likely they are to occur, and provides actions for preventing the risks that can be avoided and minimizing the ones that can't. Once the project is underway, risk management shifts to monitoring and controlling risks that threaten the successful completion of the project on time and on budget. Most project management methodologies, Six Sigma for example, provide guidance and templates for risk management during project planning and execution.

Figure 30:   Project planning, project selection, and project execution are all opportunities for risk management.

Despite the progress made in integrating risk management into project planning and execution, risk management in project selection, as noted above, is often little more than a yes/no answer to, "Should we do the project and accept the risk?"