Strategic Risk Management

Alex S. Brown, PMP IPMA-C

Risk management is a truly universal tool. It protects individuals, corporations, and investments from harm every day. Managing projects to meet strategic, organizational goals requires a broader view of risk management. Looking at project risk is not enough. Inventing new “project portfolio risk management” methods is not enough. Strategic views of risk require integrating risk management across the organization. Organization-wide risk management is not a new research topic; companies all over the globe do it every day.

Risk Management for the Organization

Project managers have adapted risk management techniques to projects (PMBOK Guide, Hillson). These experts use various frameworks for risk management, but they share some common techniques:

  • Identifying risk
  • Explaining or exploring each risk
  • Quantifying risk
  • Assessing probability and impact
  • Logging or listing all identified risks
  • Creating plans based on classic risk responses (mitigate, avoid, accept, contingency plans, transference)
  • Establishing risk management policies and procedures to ensure all of these activities are consistently and purposefully done

“Risk management” is the broad term to encompass all of this work, along with the organizational discipline to ensure that the work is done regularly and consistently.

These project management techniques build on and inherit from the general risk management discipline. Organizations like The National Alliance for Insurance Education & Research offer risk management courses and certification that include many of these same techniques. To them, “risk management” is primarily the job of an enterprise risk manager. Risk management applies to the entire organization in the same way it applies to individual projects, and organizational risk managers can address more profound risks using tools that are unavailable to individual project managers: strategic alliances, insurance purchases, company-wide education, and others.

Project Portfolio Risk Management: Old Wine in New Bottles?

The project management experts are now discovering the power of project portfolio management. By managing multiple projects together, companies can deal with more strategic issues and enterprise-wide initiatives.

It is tempting to look at these new project portfolios as something new, different, and exciting. One recent article stated, “Organizations create project portfolios to implement strategic plans and to achieve strategic goals.” (Sanchez, Robert, Pellerin, p. 97) While it is true that organizations CAN create project portfolios to achieve strategic goals, they do not ALWAYS create project portfolios for strategic reasons. Just as with projects, some project portfolios are tactical, non-strategic, and even anti-strategic.

It takes hard work to communicate the organizational strategy consistently through the company. It is even harder to ensure all managers and employees act on that strategy consistently. Just as with projects, that communication breaks down with project portfolios, too. Not all project portfolios are strategic; not all of them achieve strategic goals.

Project portfolio risk management is likewise not fundamentally strategic, nor is it organization-wide. Good project portfolio risk management can draw on the same traditions and practices as project risk management and general risk management.

There is no need to reinvent risk management for project portfolios. The key is to link risk management practices at all levels of the organization.

Link Risks at All Levels

The same, fundamental, common processes and practices apply when managing any risk:

  • Identification
  • Assessment
  • Quantification (where possible and practical)
  • Response development
  • Overall risk management

If a company adheres to these basic practices at all levels, it can have successful risk management at the project, project portfolio and enterprise level.

Risk management is a comprehensive practice. Risk managers do a better job if they sometimes focus on very small, specific problems, and then draw back to look at overall risk and opportunities. Changing perspective and gathering multiple points of view will only strengthen the risk management process. Asking “what if” and imagining diverse scenarios is critical to successful risk management.

Companies can benefit by sharing risk management information at all levels in the organization. The highest-ranked project risks often belong on the risk log for the project portfolio. The threats or opportunities to an individual project are often also threats or opportunities to the portfolio that contains the project. Project and project portfolio risks may also be organizational risks. Some of these risks may belong on the enterprise-wide risk register as threats or opportunities for the overall organization.

Practical Tips to Create Links

Linking these different risks is difficult in many companies. Separate experts and committees assess organizational, project portfolio, and project risks. Getting these experts to talk and share can be difficult.

A useful first step is to acknowledge that all risk managers are following a similar process. Risk management is a mature practice. The fundamental techniques are similar everywhere. Some methods emphasize certain techniques. Some methods use different terminology for the same concepts. At the core, however, risk managers at any level follow the same basic steps; they respond to risks using similar techniques. Recognizing the common practices of all risk managers is a first step.

Next, risk managers can begin sharing their risk logs or risk registers with each other. Project risks may inspire new ideas for risks at a project portfolio or enterprise level. Enterprise risks impact all or most projects within the company.

Sometimes sensitive or strategic risks need to be kept confidential. For instance, an enterprise-level risk might involve legal or financial issues known only to top executives. Many risks, though, can be shared, and any risk that can be shared should be shared. The more risk managers share their lists with each other, the stronger everyone’s risk identification and assessment steps will be.

Even better, the risk managers can agree on a common format and categorization system for their risks. If all project, project portfolio, and enterprise risk logs follow a consistent format, it will be easy for managers to track and compare their lists. Managers will easily be able to move a risk from one list to the next. The enterprise-level risk log will often set the standards, because these lists are already being used by senior management.
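As an added illustration (not part of the original article, and not a format the author or any of the cited bodies prescribes), the following Python sketches what a common register format and the linking rules above look like in practice: one schema for project, portfolio and enterprise entries, a conformance check, a “shareable view” that withholds confidential entries, and an escalation step that copies the highest-ranked lower-level risks onto the next level’s log while keeping a pointer back to the originating entry. The field names, the 0 to 1 probability scale, the 1 to 5 impact scale, the escalation threshold and the sample registers are all assumptions constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed schema for a shared risk register. Field names, the 0..1
# probability scale, the 1..5 impact scale and the escalation threshold are
# assumptions for this example, not a standard taken from the article.
LEVELS = ("project", "portfolio", "enterprise")
RESPONSES = {"mitigate", "avoid", "accept", "transfer", "contingency"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str                       # one of LEVELS
    title: str
    category: str                    # shared taxonomy, e.g. "supplier", "legal", "security"
    probability: float               # 0.0 .. 1.0
    impact: int                      # 1 (negligible) .. 5 (severe)
    response: str                    # one of RESPONSES
    confidential: bool = False       # e.g. legal/financial issues known only to executives
    source_id: Optional[str] = None  # id of the lower-level entry this risk was raised from

    def exposure(self) -> float:
        """Simple probability x impact score used to rank a register."""
        return self.probability * self.impact


def validate(risk: Risk) -> List[str]:
    """Return the list of format violations; an empty list means the entry conforms."""
    problems = []
    if risk.level not in LEVELS:
        problems.append(f"{risk.risk_id}: unknown level {risk.level!r}")
    if not 0.0 <= risk.probability <= 1.0:
        problems.append(f"{risk.risk_id}: probability out of range")
    if risk.impact not in range(1, 6):
        problems.append(f"{risk.risk_id}: impact out of range")
    if risk.response not in RESPONSES:
        problems.append(f"{risk.risk_id}: unknown response {risk.response!r}")
    return problems


def shareable(register: List[Risk]) -> List[Risk]:
    """The view of a register another risk manager may see: confidential entries withheld."""
    return [r for r in register if not r.confidential]


def escalate(register: List[Risk], to_level: str, threshold: float) -> List[Risk]:
    """Copy the highest-ranked risks from the level directly below `to_level` onto
    a new register at `to_level`, ordered by exposure, each linked back via source_id."""
    idx = LEVELS.index(to_level)
    raised = []
    for r in sorted(register, key=lambda x: x.exposure(), reverse=True):
        if r.exposure() >= threshold and LEVELS.index(r.level) == idx - 1:
            raised.append(replace(r, risk_id=f"{to_level[:3].upper()}-{r.risk_id}",
                                  level=to_level, source_id=r.risk_id))
    return raised


# Constructed sample registers (not real data)
PROJECT_REGISTER = [
    Risk("P1-01", "project", "Key supplier may miss delivery", "supplier", 0.4, 4, "mitigate"),
    Risk("P1-02", "project", "Test lab double-booked", "resource", 0.3, 2, "accept"),
    Risk("P2-01", "project", "Unpatched component in build", "security", 0.5, 5, "mitigate"),
]
ENTERPRISE_REGISTER = [
    Risk("E-01", "enterprise", "Pending litigation", "legal", 0.2, 5, "transfer", confidential=True),
    Risk("E-02", "enterprise", "Currency exposure on overseas contracts", "financial", 0.3, 3, "transfer"),
]

if __name__ == "__main__":
    for r in PROJECT_REGISTER + ENTERPRISE_REGISTER:
        assert not validate(r), validate(r)
    for r in escalate(PROJECT_REGISTER, "portfolio", threshold=1.5):
        print(f"{r.risk_id} <- {r.source_id}: {r.title} (exposure {r.exposure():.1f})")
    print("shared enterprise view:", [r.risk_id for r in shareable(ENTERPRISE_REGISTER)])
```

Because every level uses the same fields and scales, the same `validate` check guards all three logs, and a risk moves between lists by changing only its `level` and recording its origin; the threshold and the probability/impact scoring are the points the enterprise-level log would normally dictate.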

The essential step, though, is to realize that risk management is happening at all levels of the organization and to get all risk managers talking to each other. Often enterprise-level risk managers are unaware that projects are performing any kind of risk management. Project managers and project portfolio managers can reach out and find the other risk managers in the organization. Risk management is often a lonely, misunderstood job. Personally, I have found that most risk managers appreciate anyone who understands their role. Anyone who can help them brainstorm and manage their risks is a valued friend and ally.

Areas For Associations and Certifications to Improve

At the time of this writing, Project Management Institute is launching a certification in project risk management, the PMI Risk Management Professional (PMI-RMP). The documentation for that exam never mentions other certifications, like the Certified Risk Manager (CRM) certification. CRM is a well-regarded risk-management certification for enterprise risk managers.

In my experience, few project managers are even aware that there is a job title called “risk manager” at many companies. “The risk manager” is discussed as a project-specific role in many project-management articles and conferences.

The “Risk Management” section of the PMI PMBOK Guide contains no references. There is an enormous, established literature outside of the project management world on this topic. The PMBOK Guide has adapted these core ideas to project management applications. PMI and project managers owe a great debt to many writers and thinkers who helped inspire these ideas. Neil Crockford, Bernard Webb, Connor Harrison, James Markham, and many others were writing on this topic long before the first edition of the PMBOK Guide was published. Including these non-project management references would help acknowledge the debt we all owe to these insurance and risk management professionals. It would also help make project managers aware of the other types of risk management being performed in their organizations.

The project management community would benefit from greater collaboration with these risk-management organizations. Project and project portfolio risk management is a little different from enterprise risk management, but there is great opportunity in emphasizing the commonality instead of the differences.


Neil Crockford, An Introduction to Risk Management. Woodhead-Faulkner, 1980.

Dr. David Hillson, “The Risk Doctor”. Multiple books and articles available online.

Hynuk Sanchez, Benoit Robert, and Robert Pellerin, “Project Portfolio Risk-Opportunity Identification Framework.” Project Management Journal, September 2008, pp. 97-109.

Project Management Institute, A Guide to the Project Management Body of Knowledge, Third Edition. Newton Square, PA: PMI, 2004.

Project Management Institute, “PMI Risk Management Professional (PMI-RMP)”, retrieved 13 October 2008.

Bernard Webb, Connor Harrison, James Markham, Insurance Operations: Second Edition. Malvern, PA: American Institute for Chartered Property Casualty Underwriters, 1997.