HOW TO DEAL WITH PROJECT RISK MANAGEMENT EFFECTIVELY IN YOUR ORGANIZATION? Maxime LE BRAS ESC RENNES SCHOOL OF BUSINESS

Transcription

1 HOW TO DEAL WITH PROJECT RISK MANAGEMENT EFFECTIVELY IN YOUR ORGANIZATION? Maxime LE BRAS ESC RENNES SCHOOL OF BUSINESS Abstract The management of risk inside a project should follow different steps to be more effective. According to the authors, the number of steps varies as well as the approaches, so according to the structure of an organization one process or one approach would match better. Project risk management is seen differently by senior managers or project ones, and is well perceived by the project managers whereas senior managers assume that issues coming out from a project are mainly the fault of its leader than a bad management of risks. Talking about differences, we also distinguish the operational risks from the strategic ones. We note that most of risks are operational, so shortterm view. The project risk management takes another dimension when we display it in a project portfolio. In this case, processes (steps) are close to the risk management at a project level, however the impacts and influence are getting bigger, therefore should be dealt with even more attention. Key words: risk management, project management, risk overview, success, processes JEL Classification: D81, G32, H43

2 Introduction We first start with a definition from the Project Management Institute (PMI, 2008), which defines that Project risk management has the objective to decrease the probability and/or impact of negative events in the project and to increase the probability and impact of positive events. According to this definition, companies have interests in using carefully project risk management. Basically, the risk management establish a ranking of the risks according to their level of influence on the project, frequency to happen, level of impact. The final objective is to determine the decisions to choose and the action to do in order to control the identified risks (Didraga et al., 2012). Indeed, risk management is a key part of the overall project management. During my last experience in Salomon S.A.S, I have been in charge to organize a business meeting for the clients of my Export department. My job was mainly to coordinate the different mangers to make sure that the product presentations will be ready for the D-day, and to take care of the logistics part such as booking hotel, restaurants, transportation etc. Be the project manager of this event has shown me different key aspects of project management, and particularly risk management. What should I do if one of our partners flies away or if we face some delays in the preparation, how to make sure that everything will be ready for the event? These are few examples of questions that I asked myself running the project. I have found interesting to give an overview of key aspects of project risk management, because some managers don t know much about it, or don t consider risk management as a critical part of project management. Instead of focusing on one precise aspect or relation which

3 have already been studied and analysed by many authors, I have chosen to give you all the different keys to well understand project risk management and successfully implement it in your projects in the future. We will first discuss the different approaches and steps that have been already defined by many authors. Then we will note some key variables that should be analysed in the risk management process. We will also compare the different views of project risk management among the managers, and finally we will see the risk management at project portfolio level. The different steps of Risk Management Many authors such as Gemmer, Ropponen & Lyytinen or Kutsch & Hall (Didraga et al., 2012) globally agree that risk management could be analysed trough 5 important steps which are identification, analysis, response, monitoring and control. However, according to the Project Management Institute (PMI, 2008) and Besner and Hobbs (2006) (Didraga et al., 2012), there are 7 main practices of risk management: Risk management planning, risk identification, risk registration, risk analysis, risk allocation, risk reporting and risk control. Risk Management Planning Firs, it s definitely not about writing a list of risks How the project team is going to deal with risks? What would be the tools? Risk Identification Designation of risks thanks to previous experiences, brainstorming sessions, focus groups, externs point of view (e.g. experts interview)

4 Risk Registration The objective is to establish a list of risks. To create a ranking of the risks is a good additional task. Risk Analysis This step is needed to estimate the probability, impact and consequence of each risk. Risk Allocation Different project members are named responsible for the different risks. This way, management of risk is divided to make sure that each risk is taken into consideration by someone, at least. Risk Reporting The aim of risk reporting is to give update to stakeholders about the nature of the risks, and the possible impact on the project or the company. Risk Control Meet the stakeholders to present them the current project situation and to take decisions about the actions to implement to prevent risks or solve them. (Bakker et al., 2010) Kwak and Stoddard (2004) assume that the identification of risks is the most essential activity in risk management. At this time, identifying and analyzing known risks are well done by most of companies, but the organizations are still not effective to detect the hidden risks or uncertainties, which are not obvious. Most of them still react to some issues instead of face them proactively in their early stages (Smith & Merritt, 2002). Here is a key challenge for the companies to improve their risk management.

5 Because our business processes and projects are getting more complex, we better realize the different connections of risk variables in our systems. Many companies have developed their own systems to manage the risks or uncertainties they are used to face. Different well-known tools are used by the companies to identify the risk factors, such as review meetings, brainstorming or focus groups (Thamhain et al., 2006). Project risk management approaches Different approaches to project risk management exist, we define the main ones: the evaluation approach, the management approach and the contingency approach. Evaluation approach: The aim of this approach is to determine the risks factors and causes of project failure. It s essentially based on previous experiences. Basically, with this approach you determine which risks happened in past projects. There are three main aspects in the evaluation approach: - Risks factors, which have been recognized, contribute to the project - The project risk management process enables the project team to get information that collects about potential risks and failure of the project - The existing list of risks is updated thanks to the new identified ones This approach is based on past researches and presumes that learning about risks and its causes in previous projects will bring have some positive effects on the running of the project. According to Bakker et al. (2010a), the aim of this approach is to create project predictability in new projects by

6 using information regarding risks and causes of project failure gathered from previous projects. It is interesting to notice that results from this approach help you in future projects and not in the current one. So, we can suppose that it gets better over time and project experiences. Management approach: The objective is to understand how we can manage risks to avoid project failure. This approach to risk management is defined as rational. It means that it determines likely events, situations which can happen during a project, and can have some effects on the initial plan or process. Then, thanks to this approach you find some solutions or alternatives to keep the project going well. Contingency approach: According to this approach, the success of a project depends on the capacity of the project team to deal with uncertainties linked to the project. The contingency approach establishes that risk management is not a separate management process but is part of the different processes and steps of the project. After seeing the different approaches of risk management, let us move to essential variables affection this management. Key variables affecting risk management According to Thamhain, three basic variables should be at least taken into consideration while studying risks: - Degree of uncertainty - Complexity of project

7 - Impact In order to make the best decision, organizations should well understand these variables to implement the risk management method which will solve the issues. The Degree of uncertainty variable includes variations, contingencies, accidents, unknown-unknowns (Thamhain & Skelton, 2007). Variations could be cost, timing, or technical requirements for example. The level of uncertainty, the probability of an issue to happen and the potential impact on the project determine the possible risk of the project. The contingencies are known events that could occur and negatively affect project performance (Thamhain, 2013). Managers can hardly know when these events would happen and how they would impact the project. However, the real issue is that they usually don t anticipate them for different reasons. Either the impact could be too high and it s hard to find an alternative, or they consider that the time spent on these issues is not worth. Here are few examples: customer changes, design failures or supplier issues. Events, which are easily defined but are very difficult or almost impossible to predict are the accidents. In this situation, companies have a very small interest in planning a contingency plan as this one would have very low significance and wouldn t be a real solution. An example could be the possible earthquakes in seismic regions. Companies know that it could occur, but can t prevent it. Finally, we talk about unknown-unknows for the events which were defined as impossible or were not known to happen in the project

8 scope, but finally occurred. You can only react to this variable as you consider it is impossible to happen. Unknown-unknows are sudden bankruptcy of a strong key partner or a competitor s breakthrough innovation (Thamhain, 2013). The project complexity is a variable which focus on the complexities around the project. Basically, we could think of the PESTEL 1 analysis for the external dimension. An internal analysis about the dynamics and changes in the company is also needed (Cicmil & Marshall, 2005; Cooke et al.). The Diamond Model (figure1) suggests characterizing project complexity through four dimensions which are structural complexity, novelty, pace, technology (Shenhar & Dvir, 2007). Each dimension affects the project management a different way, as you can see on the figure 1. 1 PESTEL : Political, Economical, Social, Technological, Environmental and Legal

9 Figure 1: Diamond model (Shenhar & Dvir, 2007) Complexity affects the project organization and the level of bureaucracy, and formality needed to manage (Shenhar & Dvir, 2007). The novelty aspect is about the time taken to meet product requirement and match with marketing data. The autonomy of the project team, the support and reactivity from the top management to major issues and the planning are the aspect affected in the pace dimension (Shenhar & Dvir, 2007). Technology influences the time needed to get the good design and the technical skills the project team should have.

10 The last variable is the impact of risk on project, company. The impact could be at different levels; Thamhain and Skelton have defined four ones: - Little or no impact on project: delayed contract delivery, technical issue, project team members conflicts... - Limited impact on project: same kind of issues seen in the previous point, which may require more time but are not critical regarding the project performance. Generally, it concerns local problems affecting cost or quality of the project. - Significant impact on project: test failure on an essential activity, or issues that have cascade effects 2 - Significant irreversible impact on project and even on overall organization: important issues that have effects on the whole project but also on other projects and even the company globally. It could be a Brand image going down because of some illegal actions done by a manager on a project. The different views of risk among the managers Senior managers mainly think that negative results in project management are the results of bad management from the project manager and not the results of bad management to anticipate the different risks. They have a different vision than the project managers. For example, they consider less the relation between contingencies and project success than the project managers. 2 A problem having negative consequences on another aspect, which has then some negative effects on another one, and so on.

11 Talking about project managers, they generally put most of their efforts on solving problems after they have impacted performance, than preventing them; therefore they are more reactive than proactive which is not good to deal with risk management. As recommendations, Project managers have to identify the likely risks and should know when they will most likely happen during the project life cycle (Thamhain, 2013). Another distinction is the difference of point of view between the top management and the project management. The top managers have more a strategic view, while the project managers have more an operational view. We briefly see these differences in the next point. The distinction between strategic and operational risks To start with this point, some surveys have shown that risk elements in a project are composed of 90% of operational risks and only 10% of strategic risks, therefore, organizations have huge interests to deal with the operational ones. From this operational point of view, the objectives are short-term objectives. It means that organizations focus on direct results and the achievement of tasks or activities which are under the control of the project manager. Krane, Hans Petter et al. (2012) also mention the future operations. These operations have longer term objectives than project operations (project operational point of view) but are still considered as operational. The other objective view is strategically. We distinguish 2 different objectives levels, the short-term strategic one and the long-term strategic one. The effects or consequences of a project in terms of gains to the top

12 management of a company or the organization itself are related to the shortterm strategic view. The long term-strategic view takes care about societal effects and project sustainability (Krane et al., 2012). Among the 10% of strategic risks, almost all of them are seen as short-term. Some risks are trickier as they could be the combination of both operational and strategic factors. Risks may also change through the different project steps; this way an operational risk could get more importance and become a strategic one, on the contrary, a strategic risk could lose some impact and become an operational one. Globally, companies or organization focus mostly on operational risks, and don t make any link with the strategic view. It has some negative effects on the quality or the significance of strategic objectives, because they achieve the operational goal, but not in the most efficient way, or without adding value to the company Now, we move to another dimension to analyse the project risk management at the portfolio level. The portfolio Risk Management According to the Project Management Institute (PMI, 2008) portfolio risk management is the management of uncertain events and conditions as well as their interdependencies at the portfolio level that cause significant positive or negative effects on at least one strategic business objective of the project portfolio and thus influence project portfolio success.

13 The Project Management Institute suggests that management of project portfolio risks should go through four process steps: 1. Portfolio risks identification 2. Portfolio risks analysis 3. Risk prevention 4. Risk monitoring The number and nature of steps varies from an author to another one, as we have seen previously for project management risk. According to Juliane Teller and Alexander Kock (Teller, Kock, 2012), there are six steps, which are: risk identification, risk prevention, risk monitoring, integration of risk information into the project portfolio management, formalization of portfolio risk management and risk management culture. How to measure the success of a project portfolio? Cooper, Edgett, Kleinschmidt (2001), Martinsuo and Lehtonen (2007), Meskendahl (2010), and Müller Martinsuo, Blomquist (2008) think of 6 aspects in their approach: average project success, average product success, strategic fit, portfolio balance, preparing for the future, and economic success (Teller & Kock, 2012). Respect of the established budget, planning, as well as the quality expected and the customer satisfaction are some criteria to measure the average success of all the projects of the portfolio. The average product success includes business results such as the return-on-investment, the profit, the goal-achievement on all the projects. Strategy of each project

14 must respect the corporate business strategy. Then, resources are allocated according to the strategies. Portfolio balance is about the relation between risk and profit. Companies should analyse carefully what will be the benefits regarding the risks taken. We are used to say that the more risks you take the more profits you make. There s also a notion of short term and long term; this difference of time brings different levels of risks. So, managers have to balance these two variables in all the projects of the portfolio in order not to have too many risky projects. Preparing for the future is the ability of a company to take advantage of any results or opportunities after the end of a project. Economic success addresses the short-term economic effects at the corporate level, including overall market success and commercial success of the organization or business unit (Teller & Kock, 2012). In addition to these 6 criteria, Turner & Mueller underline another factor to lead well and get success in a project: interactions between key stakeholders. In this case we mainly talk about the sponsors, the project manager and the project team, of each project. Good relations and interactions between these actors are essential to agree on some guidelines, to take decisions at the overall company level, etc. (Turner & Mueller, 2004). Conclusion Through this overview of risk management in a project or portfolio projects, we have seen that dealing with risks is about method, whatever the

15 approaches. Different processes co-exist, however we can assume that some steps are essential in every approach, such as the identification of risks. As we have noticed in this paper, managers are currently good to identify the known risks but are still too reactive instead of being proactive. A great management of risks should lead to prevention of most of risks. There is a kind of reluctance regarding management of risks. Indeed, many managers consider that this management is based only on subjective analysis and can t be trusted, which is untrue, because some methods to identify, analyse, monitor and prevent risks do exist. Risks have different natures and are influenced by some key variables we have seen in this paper (degree of uncertainty, project complexity and impact). Risks are source of negative or positive effects on the project or the overall company in the extreme cases. The growing complexity of projects interactions between each other makes the risks more widely spread inside the company. A good project team should be able to determine the probability of the diverse risks to happen and estimate the consequences. To conclude, a company or an organization, which is able to use a relevant and efficient risk management approach when risk events happen, will more easily assess the results of the project regarding the planning, the cost and the quality. The evaluation of the project success, and its communication to the stakeholders, is getting better thanks to the project risk management.

16 References Bakker, K.D., Boonstra, A., Wortmann, H., Does risk management contribute to IT project success? A meta-analysis of empirical evidence. International Journal of Project Management, 28(5), p Didraga, O., Bibu, N., Brandas, C., Annals of the University of Oradea. Economic Science Series. Vol. 21 Issue 1, p Cicmil, S., & Marshall, D Insight into collaboration at the project level: Complexity, social interaction and procurement mechanisms. Building Research and Information, 33(6), Krane, H.P., Olsson, N., Rolstadås, A., April How project manager project owner interaction can work within and influence project risk management. Project Management Journal, Vol. 43 Issue 2, p54-67 Kwak, Y.H., Stoddard, J., Project risk management: lessons learned from software development environment. Technovation 24 (11), Project Management Institute, The Standard for Portfolio Management - Second Edition, 2 nd ed. Project Management Institute, Newtown Square, PA. Shenhar, A., & Dvir, D Reinventing project management: The diamond approach to project management. Boston, MA: Harvard Business School Press Smith, P. G., & Merritt, G. M., 2002, Proactive risk management. New York, NY: Productivity Press Teller, T., Kock A., International Journal of Project Management, Elsevier

17 Thamhain, H., April 2013 Project Management Journal, Vol. 44 Issue 2, p Thamhain, H., & Skelton, T., Managing the sources of uncertainty in technology projects. Proceedings of the 2006 IEEE International Engineering Management Conference, Salvador, Bahia, Brazil (pp ) Turner, J. R., & Mueller, R Communication and co-operation on projects between the project owner as principal and the project manager as agent. European Management Journal, 22(3),