
Types of Risk

In document EBS MBA Project Management (Page 153-159)

Project Risk Management

3.4 Types of Risk

3.4.1 Generic Risk Headings

There are of course many types of risk. In addition, risks take many forms and they impact on the organisation in a range of ways. The literature on risk management identifies a number of different primary headings. Some writers use different names for different types of risk. However, the broad headings are:

• strategic risk;

• operational risk;

• financial risk;

• knowledge risk;

• catastrophic risk.

Each is described further below.

Strategic risk.

Strategic risk includes risk relating to the long-term performance of the organisation. This includes a range of variables such as the market, corporate governance and stakeholders. The market is highly variable and can change at relatively short notice, as can the economic characteristics of the country or countries in which a given organisation is operating. The corporate governance risk of the organisation includes risk relating to the ethics within which the organisation operates. Examples include the reputation of the organisation and its desire to maintain that reputation, perhaps at the expense of innovation or new developments. Stakeholder risk includes the risk associated with the shareholders, business partners, customers and suppliers. Shareholder attitudes can change quickly if dividends fall.

Operational risk.

Operational risk includes the process itself, the asset base, the people within the project team and the legal controls within which the organisation operates. Project risk is one type of operational risk, although it could be argued that risk management on longer-term projects should be considered in terms of strategic project risk management. The process of operational risk management includes the product itself, its suitability for market demand, marketing, sales and delivery. People risks include risks associated with human resources and staff development. Legal risks include contractual issues, together with statutory obligations and liability.

Financial risk.

Financial risk includes market, credit, capital structure and reporting risks.

This particular risk heading is easily the most heavily covered in the literature on risk management. Financial risk, which is comprehensively covered in other MBA electives from the Edinburgh Business School (and elsewhere), is outside the scope of the current work.

Knowledge risk.

Knowledge risk includes IT hardware and software, information management, knowledge management, and planning. IT is an increasingly important area for many organisations. Most modern companies could not operate without complex computer support; the risk of a major IT failure is the nightmare scenario for many large organisations.

Catastrophic risk.

Catastrophic risk includes risk that cannot be predicted effectively and therefore cannot be quantified accurately. The usual precaution is to cover such risk with some kind of contingency sum or reserve.

These risk types are all linked to some extent. Operational risk is linked to catastrophic risk. Operational risk includes areas such as the risk of failure of a production line. This could be precipitated by a power failure (catastrophic risk).

The power failure could be caused by internal problems such as bad cabling or circuit breakers, or external problems such as a general power failure.

Within these broad headings for risk types, there are several specific subdivisions that can occur. These are discussed in sections 3.4.2–4.

3.4.2 Market Risk and Static Risk

Within the broad generic categories listed in section 3.4.1, risk can be considered in terms of outcomes. Some risks produce the possibility of both positive and negative outcomes, such as the risk associated with buying company shares.

The value of these shares could go up or down, and the end result could be a net gain or loss for the purchaser. Other types of risk can be less dynamic, and may be concerned only with losses. An example is insurance. A company with insurance cover loses less than a company without insurance, but both companies lose money; the difference is the amount of money that is lost.

These two classifications are sometimes summarised as market risk and static risk. Each is described below.

Market risk (business risk or dynamic risk)

Market risk is dynamic. It is concerned with both positive and negative values, or potential gains and losses to the organisation. Market business risk is primarily concerned with the risk to all the stakeholders within the company, while market financial risk is restricted to equity holders.

Market risks can change over time and can shift between likely positive and negative values.

Market risk is measured by changes and variations in the general marketplace. It is unavoidable, since it relates to factors that are outside the control of the decision maker and could result in positive or negative impacts. Market risk therefore provides the organisation with the potential for both profit and loss on trading. Obvious examples would include:

• share flotations;

• competitor activities;

• investment in research and development;

• release of new products;

• general economic activity.

In addition, market risk can be split into two primary components. These are business risk and financial risk. Market Business Risk (MBR) arises from the company trading with its assets. MBR is a risk to the company as a whole, and is therefore distributed among the shareholders, creditors, employees and all other stakeholders. Market Financial Risk (MFR) arises from the gearing ratio, which is a measure of the financing of the organisation. MFR is the risk of the annual dividend falling to zero, so that equity holders make no return on their shareholdings.

Static risk (specific risk or insurable risk).

Static risk considers losses only. It looks at the potential losses that could occur and seeks to implement safeguards and protection in order to minimise the extent of the loss. The obvious example is an insurance policy. Like market risks, static risks can change over time, and the level of protection provided by countermeasures can also vary.

Static risk refers to risks that only provide the potential for losses. Considerations of specific risk are therefore generally concerned with making sure that the company performs at a given level. It is most concerned with making sure that losses or problems are minimised. Obvious examples would include:

• fire insurance;

• third party and public liability (consequential loss) insurance;

• tortious liability (professional indemnity) insurance;

• personnel insurance;

• other optional forms of insurance.

Clearly, static risk can be reduced and controlled to some extent. However, market risk will always remain. One of the components of portfolio theory holds that risk takers cannot expect to gain reward for taking risks that can be avoided. Reward can only be expected from taking market risks. In other words, an efficient market will not offer reward for specific risks. The best strategy, therefore, if appropriate, is to diversify. The organisation can reduce the effects of specific risks by insuring against them (where relevant) and by diversifying.

Acquisitions and mergers provide a means of allowing the organisation to evolve into new areas. By expanding the range of new areas within an organisation, the organisation spreads the specific risk and makes the system more resilient against market-risk shocks, such as a sudden change in statute or a change in government fiscal policy.

Market and static risk types overlap with the generic headings discussed in section 3.4.1. Opening a new production line would be an example of a strategic market risk. A company’s all-risks insurance policy to cover injury to persons and property would be an example of an operational static risk.

3.4.3 External Risk and Internal Risk

Risk can be further classified over and above the generic values given in section 3.4.1 and the market and static values discussed in section 3.4.2. The next obvious classification system would relate to whether the risk originates inside the organisation or outside it.

3.4.3.1 External Risk

External risk originates and operates outside the organisation. As a consequence, the organisation has virtually no control over it and has to predict possible eventualities and move in advance or respond once the external factors have occurred.

External risks could originate from other organisations, the government, changes in consumer and client demand, and so on. The organisation has no alternative other than to respond to the risks as they appear.

Some obvious external risks are listed below:

Competitor risk.

This includes the actions and strategies of ‘new kids on the block’ and established competitors, either of whom might develop and release a new product that is a direct threat to the established sales base of the company.

In the worst case, it could threaten the ability of the company to survive.

An obvious example would be the emergence of Sony’s Playstation in the games console market and its effect on the then established market leaders Sega and Nintendo. Sony is now a $20 billion company, and more than a third of its turnover is generated from Playstations I and II and the games that go with them.

Market demand risk.

The demands of the customer base change and alter rapidly. This applies more in some markets than others. Good examples would include the popular music industry and teenage clothing. These sectors have a reputation for being fickle, and demand can change greatly with little or no warning.

Other examples might include a requirement for a different type of product as a result of government policy or pressure groups, such as an increasing demand in the UK for unleaded and low sulphur petrol as a result of the publicity and tax changes related to global warming.

Innovation risk.

Increasingly, fast-track change and innovation are affecting risk strategies.

Again, this is more pronounced in some industries than in others. A good example is the PC market in the UK. Customers have been ‘educated’ to expect constant change and improvement in processor speed, memory storage, games handling, etc. Computer manufacturers have to be able to deliver constant improvement and development or they will be unable to compete. Mobile telephone manufacturers have adopted a similar strategy.

Exposure risk.

All companies are exposed to different levels of risk, and different risks will affect them in different ways. Factors such as borrowing and gearing ratio will affect the firm’s exposure and its ability to survive changes in the environment, such as interest rate changes. High levels of borrowing could result in problems if interest rates are suddenly increased as a result of government concerns about inflation.

Shareholder risk.

A firm that depends on shareholder equity has to keep the shareholders happy. If shareholder confidence declines, the effects on the company can be significant. In particular, it can affect the company’s ability to raise capital.

Companies sometimes have to put shareholders in an elevated position when it comes to declaring the dividend. An example is Railtrack in 2001.

The company made a significant profit in 2000 and declared a dividend of around 21p per share in that year. By 2001, as a result of extraordinary items involving major investment in the railways infrastructure, Railtrack made reduced profits but still paid the same 21p dividend to shareholders. One could argue that this dividend was simply not justified by the performance of the company.

Political risk.

The government of the home country and of overseas countries where the company has expanded can represent a major risk. Government fiscal policy and the consequent performance of the economy can make the difference between success and failure in a new venture. Typical examples would include the decision of the UK government to retain the pound and not adopt the euro. This, coupled with a strong UK pound, has had an effect on manufacturing companies that export manufactured goods. The strong pound has similarly had an effect on the tourism industry, as tourists can get fewer pounds for their own currencies. This effect was multiplied in the UK in 2001 by the outbreak of foot and mouth disease, which further discouraged both UK and overseas tourists and had other negative effects on the UK tourism industry.

Statute risk.

Governments constantly change existing statutes and introduce new ones.

These can affect the profitability of affected organisations. In some cases, these statutes can be one-offs, which are aimed at a specific problem or issue. However, they could also be general and could affect all areas of industry. An example would be changes in environmental legislation affecting items such as pollution emissions, waste disposal, water standards, etc. Companies that are investing in electricity generation in the European Union in 2001 more or less have to opt for gas-powered boilers, as the alternatives are not viable on cost (oil) or environmental (coal and nuclear) grounds. The effects in terms of gas reserve depletion are largely ignored.

Impact risk.

Some companies are better than others at withstanding big ‘hits’. This can depend on a lot of variables, including the degree of diversification.

The ability to withstand risk impact depends essentially on the degree of exposure of the company risk profile, and the sensitivity of different sectors of the company to that impact. Sometimes companies might be exposed to financial risk and reputation risk equally, but might be far more sensitive to reputation risk. These companies would be able to meet the financial consequences of a big impact (compensation, reinstatement etc.), but may suffer grievously from the damage to the reputation of the company (future loss of consumer confidence, falling sales etc.). Examples of big hits that have effectively destroyed companies include Ratners, White Star Line and Pan American Airways.

3.4.3.2 Internal Risk

There are very many possible internal risks. These are risks that originate from within an organisation and over which, at least in theory, the company should have some control.

Some examples of this category are listed below.

Operational processes risk. This includes such factors as:

– human resources availability risk;

– production capacity risk;

– time-based competition risk;

– variations in customer demand risk;

– process failure risk;

– health and safety compliance risk;

– tactical response risk;

– change risk.

Financial risk. This includes such factors as:

– borrowing risk;

– cash flow risk;

– equity risk;

– concentration risk;

– collateral (security) risk;

– opportunity loss risk;

– opportunity cost risk;

– exchange rate risk.

Management risk. This includes such factors as:

– management error risk;

– leadership risk;

– outsourcing risk;

– strategy implementation risk;

– communications risk.

IT and Technology risk. This includes such factors as:

– system obsolescence risk;

– breakdown and failure risk;

– fraud risk;

– malicious virus risk;

– system compromise risk;

– capacity limit risk.

3.4.4 Predictable and Unpredictable Risks

There are numerous other classification systems for risks. The last major classification considered here relates to the predictability or otherwise of the risk.

Predictable risks are ‘known unknown’ risks, such as changes in interest rates during times of fluctuations in the economy. They can be predicted with some accuracy although not with certainty. Unpredictable risks are the ‘unknown unknowns’. These cannot be predicted with any accuracy. An example would be the economic instability in US markets caused by the close-run presidential election in December 2000, or the terrible events of 11 September 2001.

A dynamic internal unpredictable risk could therefore be a project status change. The organisation might start a project and give it top priority. However, another project might start up immediately afterwards and this new project might be given top priority. This is a dynamic risk in that it could increase or decrease the overall performance and effectiveness of the project. It is clearly internal as the status relates only to the company portfolio. It is unpredictable as it could not have been foreseen at the time that the initial project was implemented.
