Managing the inherent risk associated with undertaking any project, anywhere, in any industry is a critical organisational capability. Within the organisations overall Project Delivery Capability (PDC) the maturity of its risk management approaches is central to the organisation’s ability to generate value (see more on PDC Maturity).
Only very immature or deluded organisations seek or expect to run ‘risk free’ projects. To quote Suzanne Finnamore: “Delusion detests focus and romance provides the veil.” Any sensible analysis of any business activity will indicate levels of risk; effective organisations understand and manage those risks better then ineffective organisation.
The skills that a mature organisation brings to the art of ‘risk management’ is to focus effort on managing risks that can be managed, providing adequate contingencies for those risks that cannot be controlled and deciding how much residual risk is sensible. The balance that has to be struck is between the cost and time needed to reduce the risk exposure further (the pay-back diminishes rapidly), the impact of the risk if it occurs and the profit to be made or value created as a result of the total expenditure on a project.
The sums are superficially simple; adding another $100,000 to the cost of a project to reduce its risk exposure by $10,000 reduces the value of the project by $90,000. In competitive bids, increase your bid price too much and the value drops to $Zero because the organisation fails to win the work! However, the situation is more complex; the nature of the risk may require the expenditure regardless of the potential saving (particularly in areas of safety and quality) and whilst expenditures are reasonably quantifiable, the actual cost of a risk event and the probability of it occurring are variable and cannot be precisely defined for a unique project. Our paper ‘The Meaning of Risk in an Uncertain World’ discusses these issues in more depth.
To develop a mature approach to risk management, each layer of management has a role to play:
- The organisation’s governing body (typically a Board of Directors) is responsible for developing an appropriate risk taking policy and defining the organisations ‘risk appetite’.
- The Executive are responsible for creating the culture and framework that approached the management of risk within the parameters set by the Board in a capable and effective way.
- Senior management are responsible for implementing the risk management system.
The mark of a mature organisation is the recognition at all levels of management that having implemented these systems, the organisation still has to expect failure! Every single project has an associated risk and properly managed, these risks are at an acceptable level for the organisation. But if there is a probability for success, there has to be a corresponding probability of failure!
Assuming the organisation is very conservative and requires budgets to be set with appropriate contingencies to offer a 90% certainty of being achieved, and this setting is applied to all projects consistently, the direct consequence is an expectation that 1 in 10 projects will overrun cost. Certainly 9 out of 10 projects will equal or underrun cost but there is always the remaining 10%. Mature organisations expect the profits and un-spent contingencies on the ‘9 underruns’ to more then offset the ‘1 overrun’. However, these ‘expected failures’ tend to be totally ignored by immature executives who want to pretend there is ‘no risk’ and then blame the PM for the failure.
There are two aspects of dealing with the ‘expected failures’ implicit in any realistic risk assessment. The first is setting the boundaries of accepted risk at an appropriate level of the organisation. Aggressive ‘risk seeking’ organisations will set a lower threshold for acceptability and experience more failures that conservative organisations. But the conservative organisations will achieve far less.
Looking at the cost aspect of risk for the project above, the most likely cost for this project is $17,500 but this is optimistic with a less then 50% chance of being achieved. The range of sensible options are to set the budget at:
- The Mean (50% probability of being achieved) is $17,770.
- Add one standard deviation to the Mean increases the probability of achieving the project to 84%, but the budget is now $18,520.
- Add two standard deviations to the Mean and the probability of achieving the budget increases to 97% but the budget is now up to $19,270.
From this point, the pay-back diminishes rapidly, to move from 97% to 99.99% (six sigma), an additional $3,000 would be required in contingencies making a total contingency of $4,770 to effectively guaranteed there will be no cost overruns. Because of this very high cost for a very limited change in the probability of achieving the objective most projects focus on either the 80% or the 90% probabilities.
However, even within these relatively sensible ranges, making an appropriate allowance for risk has consequences. Assuming all projects have a similar cost distribution and the organisations total budget for all projects is $10 million the consequences are:
- To achieve a 50%/50% probability of projects achieving budget, approximately 1.6% of the budget will need to be allocated to contingencies: $160,000
- To achieve an 84% probability of projects meeting the allocated budget, approximately 5.8% of the budget will need to be allocated to contingencies: $580,000
- To achieve a 97% probability of projects meeting the allocated budget, approximately 10.1% of the budget will need to be allocated to contingencies: $1,010,000
Whilst the mathematics used above are highly simplified, the consequences of risk decisions are demonstrated sufficiently for the purpose of this post (for more on probability see: WP1037 – Probability). To be 97% sure there will be no cost overruns, more than 10% of the available budget to undertake projects will be tied up in contingencies that may or may not be needed, the consequence is less than 90% of the possible project work will be undertaken by the organisation in a year. The projects ‘not done’ are opportunities foregone to be ‘safe’.
In a competitive bidding market, adding 10% to your estimate to be 90% sure there will be no cost overruns is likely to have a more dramatic effect and price the organisation out of the market resulting in no work. In either situation a careful balance has to be struck between accepted risk and work accomplished, this is a governance decision that needs input from the executive and a decision by the Board.
The governance challenge is getting the balance ‘right’:
- The higher the safety margin the more likely most projects will underrun and the greater the probability some of the contingent reserves will not be used and therefore opportunities to use the funds elsewhere are foregone.
- However, reducing the reserves increases the probability that more projects will overrun (ie, ‘fail’) and this increases the probability that in aggregate the whole project budget will be exceeded.
The challenge for the rest of management is making sure the data being used is as reliable as possible.
The second key feature of mature organisations is the existence of efficient scanning systems to see problems emerging backed up with effective support systems to proactively help the project team achieve the best outcome. The key words here are ‘proactive’ and ‘help’. The future is not set in concrete and timely interventions to help overcome emerging problems can pay dividends. This requires a culture of openness and supportiveness within the organisation so that the root cause of the emerging issue can be quickly defined and appropriate support provided, promptly and effectively. This approach is the antithesis of the approach adopted by immature organisations where the ‘blame game’ is played out and the project team ‘blamed’ for every project failure.
In summary, the organisation’s directors and executive managers need to determine the appropriate risk tolerance levels for their organisation and then set up systems that have the capability of keeping most projects within these accepted boundaries. Understanding and managing risk is a key element of PDC. But having done all of this, mature risk organisations know there are still ‘Black Swans’ lurking in the environment and remain vigilant and responsive to unexpected and unforeseen events.