This post is intended to provide the foundational concepts around sustainable risk management. This post also recommends adopting sustainable risk management as a core discipline within sustainable change delivery. This is part of a series that provides the foundation for understanding sustainable change delivery.
“It is far better to grasp the universe as it really is than to persist in delusion, however satisfying and reassuring” – Carl Sagan (1997).
(Quote borrowed from Douglas Hubbard’s The Failure of Risk Management)
Risk management is a core discipline in sustainability. The importance of risk management is magnified exponentially in change delivery initiatives.
The classic Machiavelli quote from The Prince sets the stage:
“…it ought to be remembered that there is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things, because the innovator has for enemies all those who have done well under the old conditions, and lukewarm defenders in those who may do well under the new” (Machiavelli, Kindle Locations 477-479, 2015).
In short… a lot of risk. From an organizational perspective, sustainable change delivery offers the following, with sustainable risk management as an essential and integrated component:
Sustainable Risk Management Overview
Numerous resources cover risk management in depth, so the following provides only a high-level overview. It represents the traditional Western viewpoint regarding the foundational concepts of risk management:
- A risk is an uncertain event or set of events that, should they occur, will have an effect on the achievement of objectives. A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.
- “A threat is used to describe an uncertain event that could have a negative impact on objectives” (OGC, p. 77, 2009).
- “Because it has been raining heavily (risk cause), there is a threat that the river flowing through the farmer’s field might overflow (risk event), which would severely damage the farmer’s crop (risk effect)” (OGC, p. 82, 2009).
- “An opportunity is used to describe an uncertain event that could have a favourable impact on objectives” (OGC, p. 77, 2009).
- “Because the weather has been particularly mild this winter (risk cause), there is an opportunity that fewer people will be hospitalized with influenza (risk event), which will mean that there will be less disruption to planned routine operations (risk effect)” (OGC, p. 82, 2009).
There are different perspectives on whether risks should include opportunities. This is discussed in a related post entitled “Current Challenges with Risk Management”.
A few more foundational risk management concepts are outlined below in exhibit 2 to provide context:
- “Risk cause
  - It should describe the source of the risk, i.e. the event or situation that gives rise to the risk. These are often referred to as risk drivers. They are not risks in themselves, but the potential trigger points for risk. These may be either internal or external to the project
- Risk event
  - This should describe the area of uncertainty in terms of the threat or the opportunity
- Risk effect
  - This should describe the impact(s) that the risk would have on the project objectives should the risk materialize” (OGC, p. 81, 2009).
Exhibit 3 provides a table that outlines some scenarios and descriptions to help understand what a risk event actually is and how to describe risks.
“In stating risks, care should be taken to avoid stating impacts which may arise as being the risks themselves, and to avoid stating risks which do not impact on objectives; equally care should be taken to avoid defining risks with statements which are simply the converse of the objectives. A statement of a risk should encompass the cause of the impact, and the impact to the objective (cause and consequence) which might arise” (UK HM Treasury, p. 14, 2004).
Exhibit 4 provides a helpful model for understanding the types of risks based on probability and outcome and context.
There are a variety of risk management methods and processes. Exhibit 5 is a reasonable representation:
The following list describes the steps in the risk management process:
- This includes risks being considered that could affect the achievement of the project’s objectives, and then described to ensure that there is a common understanding of these risks
- This includes ensuring that each risk can be ranked in terms of estimated likelihood, impact and immediacy, and understanding the overall level of risk associated with the project” (OGC, Kindle Locations 2570-2571, 2009).
- The goal of a plan is to prepare specific management responses to the threats and opportunities identified, ideally to remove or reduce the threats and to maximize the opportunities. (4.8)
- The goal of implementation is to ensure that the planned risk management actions are implemented and monitored as to their effectiveness, and corrective action is taken where responses do not match expectations.
Another representation is provided below in exhibit 6 for dealing with asset integrity management, which is also a foundational concept for sustainable change delivery.
Due to the importance of the ISO 31000 Risk Management standard, exhibit 7 provides its important concepts, including the recommended process:
Organizational Risk Management
Please refer to Sustainable Risk Management – 2 Organizational Risk Management.
Organizational Risk Management Competencies
Change Delivery Sustainable Risk Management Competencies
There are numerous ways to integrate sustainability into risk management. One straightforward approach is to employ the P5 Standard (outlined below), facilitate a P5 impact analysis concerning the various risks (threats and opportunities), incorporate the high-impact areas into a Sustainability Management Plan (SMP) and use the organizational Sustainability Management System (SMS) to mitigate/enhance the risks.
A foundational understanding of risk management is critical for any project. There are numerous risk management programs to provide guidance, including GPM Global’s sustainable risk management training program. The GPM Global program helps organizations evaluate their risk management systems, mature their risk management understanding and competency, and provide new tools and techniques to incorporate sustainable risk management into their change delivery initiatives.
This series is all about raising awareness of sustainable change delivery and the integral elements, disciplines and competencies associated with it. In the graphic below, each of these elements is identified in terms of its use in allowing for sustainability. These elements form the basis of the GPM® Global’s P5™ Standard for Sustainability in Project Management, the GPM® Global Training Programs and the GPM® Global Portfolio, Program and Project Sustainability Model (PSM3™) for organizational assessment.
Association for Project Management. (2014). Project Risk Analysis and Management Guide, Second Edition. Retrieved September 21, 2015, from http://www.amazon.com/Project-Risk-Analysis-Management-Guide-ebook/dp/B00JJ0MSRK/ref=sr_1_1?s=books&ie=UTF8&qid=1442807872&sr=1-1&keywords=project+risk+analysis+and+management+guide
Atkinson, R., Crawford, L., & Ward, S. (2006). Fundamental uncertainties in projects and the scope of project management. International Journal of Project Management, 24(8), 687–698. doi:10.1016/j.ijproman.2006.09.011. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S0263786306001438
Bacon, R., & Hope, C. (2013). Conundrum: Why every government gets things wrong and what we can do about it. Retrieved October 18, 2015, from http://www.amazon.com/gp/product/B00LLP1HK0?keywords=Conundrum%3A Why every government gets things wrong and what we can do about it&qid=1445198964&ref_=sr_1_2&sr=8-2
Baxter, Keith (2012). Risk Management: Fast Track to Success. Financial Times/ Prentice Hall Limited. http://www.amazon.com/Risk-Management-Fast-Track-Success-ebook/dp/B00A8N8I6C/ref=sr_1_1?s=books&ie=UTF8&qid=1442809841&sr=1-1&keywords=Risk+Management%3A+Fast+Track+to+Success
Jones, C. (1994). Assessment and Control of Software Risks. Yourdon Press, Upper Saddle River, NJ, USA. http://www.amazon.com/Assessment-Control-Software-Risks-Capers/dp/0137414064/ref=sr_1_1?s=books&ie=UTF8&qid=1442808208&sr=1-1&keywords=Assessment+and+Control+of+Software+Risks
Chapman, C. (2006). Key points of contention in framing assumptions for risk and uncertainty management. International Journal of Project Management, 24(4), 303–313. doi:10.1016/j.ijproman.2006.01.006. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S0263786306000159
Chapman, C., & Ward, S. (2004). Why risk efficiency is a key aspect of best practice projects. International Journal of Project Management, 22(8), 619–632. doi:10.1016/j.ijproman.2004.05.001. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S026378630400050X
Connolly, T. & Arkes, H.R. & Hammond K.R. (1999). Judgment and Decision Making: An Interdisciplinary Reader (2nd ed.). Cambridge Series on Judgment and Decision Making. Cambridge University Press. http://www.amazon.com/Judgment-Decision-Making-Interdisciplinary-Cambridge/dp/0521626021/ref=sr_1_1?ie=UTF8&qid=1445222869&sr=8-1&keywords=Judgment+and+Decision+Making%3A+An+Interdisciplinary+Reader
Dallas, M. F. (2008). Value and Risk Management: A Guide to Best Practice. Retrieved September 21, 2015, from http://www.amazon.com/Value-Risk-Management-Guide-Practice-ebook/dp/B0014TS2IS/ref=sr_1_1?s=books&ie=UTF8&qid=1442809546&sr=1-1&keywords=value+%26+risk+management+a+guide+to+best+practice
Down, A., Coleman, M., & Absolon, P. (1994). Risk Management for Software Projects. Retrieved September 21, 2015, from http://www.amazon.com/Management-Software-Projects-Mcgraw-Hill-Hardcover/dp/B011YTH38W/ref=sr_1_2?s=books&ie=UTF8&qid=1442808709&sr=1-2&keywords=%22risk+management+for+software+projects%22
Hamzah, S. Z. (2012). Use Bow Tie Tool for Easy Hazard Identification. Retrieved December 22, 2015, from http://rpsonline.com.sg/proceedings/9789810714451/html/SyedZaifulHamzah.pdf
Hillson, D. (2002). Extending the risk process to manage opportunities. International Journal of Project Management, 20(3), 235–240. doi:10.1016/S0263-7863(01)00074-6. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S0263786301000746
Hillson, D. (2007). Understanding and Managing Risk Attitude, Second Edition. Retrieved September 21, 2015, from http://www.amazon.com/Understanding-Managing-Risk-Attitude-Paperback/dp/B010EW7C7W/ref=sr_1_4?s=books&ie=UTF8&qid=1442810145&sr=1-4&keywords=understanding+and+managing+risk+attitude
Hillson, D., & Simon, P. (2012). Practical Risk Management: The ATOM Methodology, Second Edition. Retrieved September 21, 2015, from http://www.amazon.com/Practical-Risk-Management-Methodology-Second/dp/1567263666/ref=sr_1_1?s=books&ie=UTF8&qid=1442809066&sr=1-1&keywords=practical+project+risk+management+the+atom+methodology+2nd+edition
Hubbard, Douglas W. (2009). The Failure of Risk Management: Why It’s Broken and How to Fix It. Wiley. http://www.amazon.com/Failure-Risk-Management-Why-Broken/dp/0470387955/ref=sr_1_1?s=books&ie=UTF8&qid=1442807076&sr=1-1&keywords=the+failure+of+risk+management
Hubbard, Douglas W. (2014). How to Measure Anything: Finding the Value of Intangibles in Business, Third Edition. Wiley. http://www.amazon.com/How-Measure-Anything-Intangibles-Business/dp/1118539273/ref=sr_1_1?ie=UTF8&qid=1442806937&sr=8-1&keywords=How+to+Measure+Anything%3A+Finding+the+Value+of+Intangibles+in+Business
International Organization for Standardization. ISO 31000:2018, Second Edition: Risk Management – Guidelines. 2018. https://www.iso.org/standard/65694.html
Jaafari, A. (2001). Management of risks, uncertainties and opportunities on projects: time for a fundamental shift. International Journal of Project Management, 19(2), 89–101. doi:10.1016/S0263-7863(99)00047-2. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S0263786399000472
Kahneman, Daniel (2011). Thinking, Fast and Slow. Random House, Inc. http://www.amazon.com/gp/product/0374533555?keywords=Thinking%2C%20Fast%20and%20Slow&qid=1445222667&ref_=sr_1_1&sr=8-1
Kendrick, T. (2015). Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project, Third Edition. Retrieved September 21, 2015, from http://www.amazon.com/Identifying-Managing-Project-Risk-Failure-Proofing/dp/0814436080/ref=sr_1_1?s=books&ie=UTF8&qid=1442809235&sr=1-1&keywords=%22identifying+and+managing+project+risk%22
Koletar, J. W. (2010). Rethinking Risk: How Companies Sabotage Themselves and What They Must Do Differently. Retrieved September 21, 2015, from http://www.amazon.com/Rethinking-Risk-Companies-Themselves-Differently/dp/B005B1LVF6
Kutsch, E., & Hall, M. (2010). Deliberate ignorance in project risk management. International Journal of Project Management, 28(3), 245–255. doi:10.1016/j.ijproman.2009.05.003. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S0263786309000520
Machiavelli, Niccolo (2015). The Prince (Xist Classics). Dover Publications.
OGC – Office of Government Commerce (2012). Management of Risk: Guidance for Practitioners 2010 Edition, Third Edition. The Stationery Office (TSO). http://www.amazon.com/Management-Risk-Guidance-Practitioners-3rd/dp/0113312741/ref=sr_1_1?ie=UTF8&qid=1442806817&sr=8-1&keywords=management+of+risk
OGC – Office of Government Commerce (2009). Managing Successful Projects with PRINCE2™ 2009 Edition. http://www.amazon.com/gp/product/0113310595?keywords=prince2%202009&qid=1445050419&ref_=sr_1_1&sr=8-1
Olsson, R. (2007). In search of opportunity management: Is the risk management process enough? International Journal of Project Management, 25(8), 745–752. doi:10.1016/j.ijproman.2007.03.005. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S0263786307000531
Pender, S. (2001). Managing incomplete knowledge: Why risk management is not sufficient. International Journal of Project Management, 19(2), 79–87. doi:10.1016/S0263-7863(99)00052-6. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S0263786399000526
Perminova, O., Gustafsson, M., & Wikström, K. (2008). Defining uncertainty in projects – a new perspective. International Journal of Project Management, 26(1), 73–79. doi:10.1016/j.ijproman.2007.08.005. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S0263786307001263
Ramsden, M. (2013). Ten rules for smart bowtie analysis. Retrieved December 22, 2015, from http://www.erm.com/en/news-events/platform/ten-rules-for-smart-bowtie-analysis/
Reuvid, J. (2014). Managing Business Risk: A Practical Guide to Protecting Your Business, Tenth Edition. Retrieved September 21, 2015, from http://www.amazon.com/Managing-Business-Risk-Practical-Protecting/dp/0749470437/ref=sr_1_1?s=books&ie=UTF8&qid=1442809984&sr=1-1&keywords=managing+business+risk+a+practical+guide+to+protecting+your+business
Savage, Sam L. (2012). The Flaw of Averages: Why We Underestimate Risk in the Face of Uncertainty. Wiley. http://www.amazon.com/Flaw-Averages-Underestimate-Risk-Uncertainty/dp/1118073754/ref=sr_1_1?ie=UTF8&qid=1442807005&sr=8-1&keywords=The+Flaw+of+Averages
Taleb, Nassim Nicholas (2010). The Black Swan: Second Edition: The Impact of the Highly Improbable: With a new section: “On Robustness and Fragility” (Incerto). Random House Publishing Group. http://www.amazon.com/Black-Swan-Improbable-Robustness-Fragility/dp/081297381X/ref=sr_1_2?ie=UTF8&qid=1445222701&sr=8-2&keywords=black+swan
Thibault, Marc (2010). An Enhanced Toolkit for Plans and Projections.
Thibault, M. (2013). Calculating Uncertainty. John Marc Thibault. Retrieved from http://www.amazon.ca/Calculating-Uncertainty-John-Marc-Thibault-ebook/dp/B00BEY0MPO/ref=sr_1_1?ie=UTF8&qid=1450755455&sr=8-1&keywords=marc+thibault
UK HM Treasury. (2004). Orange Book: Management of risk – Principles and Concepts. Retrieved November 3, 2015, from https://www.gov.uk/government/publications/orange-book
Ward, S., & Chapman, C. (2003). Transforming project risk management into project uncertainty management. International Journal of Project Management, 21(2), 97–105. doi:10.1016/S0263-7863(01)00080-1. http://www.sciencedirect.com.ezproxy.royalroads.ca/science/article/pii/S0263786301000801
Westerman, G., & Hunter, R. (2007). IT Risk: Turning Business Threats into Competitive Advantage. Retrieved September 21, 2015, from http://www.amazon.com/Risk-Turning-Business-Competitive-Advantage/dp/1422106667/ref=sr_1_1?s=books&ie=UTF8&qid=1442808278&sr=1-1&keywords=it+risk+turning+business+threats+into+competitive+advantage
Zwilling, M. (2014). How To Balance Business Risk Versus Opportunity. Retrieved March 6, 2016, from http://www.forbes.com/sites/martinzwilling/2014/01/16/how-to-balance-business-risk-versus-opportunity/#2612a9df36f7