SRMNotes_06_March_2009.pdf

STRATEGIC RISK MANAGEMENT
SUMMER DIET 2009 STUDY NOTES

MODULE 1 – INTRODUCTION

The Concept of Risk

Risk is an inherent factor in virtually every human endeavour.

The prevalence and complexity of risk tend to increase as a function of the development of society.

Human beings naturally consider risk and reward as part of any decision-making process, and people make decisions constantly, whether major or minor, or whether directly or subconsciously.

Risks can be evaluated ‘scientifically’ by identifying the various factors or variables that define the risk.

Risks can also be evaluated ‘intuitively’, where an individual evaluates the risk in the light of past experience and consideration of the key elements of this particular case and makes a subjective appraisal.

Between the two extremes of ‘scientific’ and ‘intuitive’ risk and reward consideration, the human reasoning and evaluation of any particular event is based on decision making within the limits of what are acceptable and non-acceptable outcomes.

The maximum loss limit that is affordable defines the upper limit of the range of acceptable outcomes. Losses above this limit cannot be afforded and are therefore non-acceptable irrespective of the size of the potential reward.

The consideration of risk and reward is the basis of risk analysis. Risk analysis can be considered as a basic function of the human cognitive process. People evaluate potential risks and rewards in terms of the range of acceptable outcomes when deciding on whether or not to do something.

Risk is not a negative concept. Risk is necessary in order for opportunity to exist. It can be a deterrent to competition, leaving the risk taker to take advantage.

The Basic Risk Types

There are numerous types of risk. The number of possible sources and combinations of sources of risk is almost beyond classification. The primary classification typologies revolve around the origin of the risk and around the nature of the effect.

Strategic risk relates to risk at the corporate level and affects the development and implementation of an organisation's strategy.

Operational risk relates to the production process.

Project risk operates at the programme or project levels.

Change risk operates at the strategic, operational and project levels. Changes can be imposed by variations elsewhere either within or outside the organisation, or can be planned and engineered by the organisation as a way to achieve objectives.

Unforeseeable risk also operates at the strategic, operational and project levels. Unforeseeable risk is the type of risk that cannot be accurately forecast before it occurs. It is generally allowed for by flexibility within the system with additional contingencies.

Internal risks originate from within the organisation, whereas external risks originate from the environment.

Static risk relates to risks where the net outcome can only be negative.

Risks at all levels and across all functions are interdependent. It is dangerous to consider any particular risk in isolation as risks at all levels and functions are linked. A change in any one can effect (i.e. bring about) changes in numerous others.

The Concept of Risk Classification

Risk can be measured or classified in terms of the probability and consequence of not achieving a specific goal or objective.

Risk depends both on the likelihood (probability) of an event occurring and on the consequences (impact) of that event should it occur.

Risk = ƒ(event, uncertainty, consequences)

Risk can also be classified in terms of the degree of hazard and the controls that are necessary to protect against that hazard.

Risk = ƒ(event, hazard, control)

The classification process identifies the importance of the risk. It highlights those risks that are critical and those that can perhaps be left alone for a while. This identification and rating can be based on likelihood and impact or on control and hazard.

Lions are high-impact, high-likelihood risks. They are very dangerous all of the time and have to be very carefully controlled.

Sharks are high-impact, low-likelihood risks. They are just as dangerous (high impact) as lions but the likelihood of them being able to injure a human being is much less than a lion because sharks are only a threat in their own environment (the sea). As long as a person remains out of the water, sharks are no threat. People therefore have a degree of control over the threat offered by sharks.

Rabbits are low-impact, high-likelihood risks. There are lots of rabbits but they do only limited damage so long as there are not too many of them around. It is generally safe to ignore rabbits so long as they are monitored in some way and some action is taken if their numbers begin to multiply to excessive levels.

Mice are low-impact, low-likelihood risks. There are not many mice around any more and they cause relatively little damage. Mice can be disregarded unless a person has a business or other kind of activity that is not compatible with even a small number of mice.

Exposure, Sensitivity and the Risk Profile

The profile of risk management and the risks defined by organisations in decision making is a part of a dynamic process.

Exposure is a measure of the extent to which an organisation has one or more of its functions open to risk.

All organisations have some degree of exposure and some are more exposed than others. The importance or significance of the degree of exposure in terms of the risk profile is determined largely by the sensitivity of the various functions.

Risk sensitivity is a function of how much a particular ‘hit’ can hurt the organisation.

Sensitivity is a function of the significance or severity of the organisation's exposure to the occurrence of different events.

Sensitivity is also a function of the organisation's ability to handle these different events, or combinations of events, should one or more of them occur within any given timescale.

The Concept of Risky Conditions for Decision Making

Risk is intrinsically linked to decision making. It is one of the three primary conditions under which decisions have to be made.

Conditions of risk apply where there is a reasonable likelihood that an event will occur and where some kind of assessment of its impact can be made. The decision can be made on the basis of likelihood and impact assessment.

Conditions of certainty apply where the outcome is known.

Uncertain conditions apply where it is not possible to identify any known events.

The Concept of Risk Management

Risk management is the process by which risks are managed and controlled to an extent that is acceptable to the organisation. A typical risk management system comprises:

• an identification process;
• an analysis and classification process;
• a controlled consideration of organisational attitude or strategy;
• a response.

It is crucial that all risks are identified and all high-impact, high-likelihood risks (lions) are properly classified and managed. They should never be ignored or underestimated.

Analysis and classification can take many forms. There are numerous established analysis tools and techniques, ranging from simulation to bidding theory.

The end result of the risk management process is the response. This depends largely on the results of the classification and analysis and the attitude of the risk taker.

The response can vary between refusing to accept the risk (don't overtake), reducing it (wait for a straighter piece of road), avoiding it (go another way), or accepting it (accelerate and go for it).

MODULE 2 – BACKGROUND TO RISK

Some Common Questions about Risk

A common concern is that people often do not fully understand what risk means and the range and extent to which it applies within organisations.

People often assume that risks are bad and should be avoided. Many organisations lack the knowledge and expertise to be able to fully evaluate all aspects of a risk.

Many individuals and organisations still use rule of thumb techniques in identifying and managing risk, and lack the necessary expertise for accurate risk profiling.

There is a general feeling that there will always be some risks that are so bad that they have to be eliminated, even if this proves to be a very expensive process.

The human cognition process is clearly an important factor. It is one thing to identify a risk; it is quite another to allow for it in making the correct decision.

Some applications have to be carried out under conditions of risk rather than uncertainty. A common problem arises in accurately defining the boundary between these conditions.

Individuals and organisations may be unsure of how to respond to conditions of uncertainty where it is not possible to predict accurately the various outcomes.

Individuals and organisations can adopt different philosophies and take different approaches to risk and assume different risk attitudes.

Having gone into detail on all of the preceding points, individuals need to be able to use this information in developing and implementing a risk management system.

Some Common Misconceptions about Risk

The most common misconception about risk is that it is always bad. Risk and opportunity are intrinsically linked. It is necessary to have risk in order to have opportunity. It is more accurate to consider risk as neither good nor bad; it is simply there.

A ‘bad’ risk for one person can be a ‘good’ risk for another. Fire represents a ‘bad’ risk for homeowners and a ‘good’ risk for insurers and firefighters.

There is a ‘risk of not taking risks’. Risks are necessary in order to add value and create wealth. Innovation and development are essential developmental processes.

Risks should not be taken just for the sake of it. The risk should be carefully analysed and assessed and the possible gains weighed against the possible losses.

Experience and intuition should be used and where appropriate expert advice and analysis should be sought. The source and consequences of the risk should be clearly identified and evaluated.

The potential gain should be greater than the risk ‘stake’ (e.g. Watergate).

It is important not to use other people as an excuse for inaction.

One should never risk more than can be afforded.

The cost of eliminating (rather than reducing) major risks is often prohibitively expensive, and decision makers opt for risk reduction instead.

If in doubt, it may not always be better to play safe (e.g. MMR vaccinations).

If the hypothesis is right and it is accepted, then this is the correct decision. Similarly, if the hypothesis is wrong and it is rejected, then this is also the correct decision.

If the hypothesis is right and it is rejected, this is a type I error.

If the hypothesis is wrong and it is accepted, this is a type II error.

People have a natural tendency to avoid type II errors. Unless they are sure that the hypothesis is correct they will tend to reject it.

Individuals acting as members of a group make riskier decisions than individuals making decisions alone (risky shift).

Well-established groups are more efficient at identifying and handling risk.

Groupthink is sometimes an unintended consequence of highly successful team development and often starts to express itself during the performing stage of the team development process.

The Variable Significance of Risk

The significance of a given risk can vary in relation to circumstances.

The most significant risks in a given scenario may be those that have not even been identified.

Risk significance can be increased by failure to identify (e.g. Concorde).

Risk significance can be increased by failure to assess (e.g. Piper Alpha).

Risk significance can be increased by failure to monitor (e.g. Challenger).

Risk significance can be increased by failure to control (e.g. Herald of Free Enterprise).

A risk profile shows alternative risks and risk implications, usually quantified in some way.

Risk and the Decision-Making Process

Decision making and risk are elements of the human cognitive process.

People make decisions in relation to perceived rewards and risk within the limits of acceptable outcomes. Perception of risk varies from person to person and in relation to the potential effects of the risk event.

Most aspects of the human cognitive process make a subjective evaluation of risk.

Pattern recognition is where the brain takes incoming information and stores it temporarily at a superficial level. It then compares that information with previously stored information in order to make an assessment of what the new information represents.

As pattern recognition occurs, a second process called attention is taking place. This acts as a kind of filter, filtering out any unnecessary information so that only that information that is relevant to the decision is considered.

The next process relates to memory. Short-term memory stores the basic pattern recognition information.

Once interpreted, and after subjective assessment through attention, any relevant information is then stored in the long-term memory. Some information becomes permanently fixed in the long-term memory.

Bounded rationality assumes that a being will generally opt for rational behaviour within constraints. Most cognitive processes will be based on reasoning, and therefore logical and rational outcomes based on pattern recognition and learning will be naturally preferred to illogical and irrational ones.

The decision maker within bounded rationality therefore looks at all the possible actions and all the possible outcomes and then separates outcomes into those that are acceptable or unacceptable. The decision maker then rejects any action that leads to unacceptable outcomes and considers those options that lead to acceptable outcomes. Acceptable outcomes can be considered as goals of the decision maker.

The relationship between possible actions and acceptable outcomes then determines what action to take. In addition, possible actions are subject to the constraints of acceptable or satisfactory outcomes.

Risk forecasting is the process of throwing current and past knowledge forward into the future as an aid to decision making. It is a form of risk extrapolation in that it seeks to develop a projection of future risk levels or profiles as a function of the range of decision outcomes that are available today.

Intuition can be both individual and organisational. Companies store and use collective experience in much the same way as individuals do.

Forming a solution comprises four stages. These are framing, formulation, evaluation and appraisal.

Framing allows the decision maker to avoid working on the wrong problem and to consider only that information that is relevant to the decision. It configures the cognitive process to operate at the correct level and within the correct scope and boundaries.

Formulation provides a formal model based on the decision maker's problem. Formulation uses risk forecasting in considering the range of potential solutions available, the relationship between the potential solutions and consequent outcomes, and the preferences of the decision maker.

The evaluation stage involves a synthesis of all the data in order to establish a ranking order of options. The ranking of an option depends on the success and failure criteria of the overall outcome.

The appraisal stage considers the exposure and sensitivity of the decision and the effects of risk assessment on the preference order. Appraisal is different from evaluation. Evaluation considers the potential solutions in isolation. Appraisal considers the potential impact of the solution on the organisation.

Once the appraisal process is complete and a final solution has been decided, the information used in the assessment is filtered and the most relevant material is stored in memory through feedback. This is an automatic response in the brain.

Risk Conditions

The consideration of risk in decision making is a function of the risk condition. The risk condition is the degree of risk that is present in the conditions under which the decision is made.

Within a defined scope there may be conditions where there is no risk. These are conditions of certainty.

There may also be conditions where there is some risk. Where there is some risk, it may be possible to evaluate the likely extent of the risk, such as in tossing a coin.

In other situations it may not be possible to evaluate the likely extent of the risk. These are conditions of uncertainty.

The difference between conditions of uncertainty and conditions of risk is that under risk there are assigned probabilities. These probabilities relate to the ‘known unknowns’ that have to be considered and allowed for in making a decision.

The Hurwicz criterion is sometimes referred to as the maximax criterion.

The Hurwicz criterion is based on maximising profits at the risk of maximum loss. It is the high-risk strategy and is typical of a risk-seeking decision maker.

The Wald criterion is sometimes referred to as the maximin criterion.

Under the Wald criterion the decision maker is pessimistic and seeks to minimise the maximum losses. The decision maker is concerned with how much he or she can afford to lose. This option involves clearly defined limits of acceptable outcomes. The risk taker will consider only the minimum profits (not losses). Losses are not considered to be an option.

The Savage criterion is sometimes referred to as the minimax criterion.

Under the Savage criterion the risk taker seeks to minimise the maximum regret (the difference between the smallest and greatest pay-off).

The Laplace criterion assumes that Bayesian theory applies. If the probabilities of each state of nature are not known, they can be assumed to be equal. The probability of each state of nature is therefore the average pay-off value.
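
As an added worked example (not part of the original notes), the four criteria above are applied to one constructed pay-off table, together with the affordable-loss limit described in Module 1. The table, the action and state names and the loss limit are assumptions; Hurwicz is implemented as maximax, as these notes describe it, and Savage regret is computed in the usual per-state form (the best pay-off available in a state minus the pay-off of the action taken).

```python
"""Decision criteria under uncertainty, applied to a constructed pay-off table."""

# Constructed sample data (not from the notes): pay-off of each action under
# each state of nature, in arbitrary money units. Negative values are losses.
STATES = ("boom", "steady", "slump")
PAYOFFS = {
    "expand":    (100, 40, -60),
    "hold":      (50, 45, 10),
    "outsource": (30, 30, 30),
    "partner":   (80, 30, -10),
}


def acceptable_actions(payoffs, max_affordable_loss):
    """Keep only actions whose worst outcome stays within the affordable loss.

    Mirrors the rule that losses above the affordable limit are
    non-acceptable irrespective of the size of the potential reward.
    """
    return {a: row for a, row in payoffs.items()
            if min(row) >= -max_affordable_loss}


def maximax(payoffs):
    """Hurwicz as described in the notes: pick the best of the best outcomes."""
    return max(payoffs, key=lambda a: max(payoffs[a]))


def maximin(payoffs):
    """Wald: pick the action whose worst outcome is the least bad."""
    return max(payoffs, key=lambda a: min(payoffs[a]))


def regret_table(payoffs):
    """Regret per action and state: best pay-off in that state minus own pay-off."""
    n_states = len(next(iter(payoffs.values())))
    best = [max(row[i] for row in payoffs.values()) for i in range(n_states)]
    return {a: tuple(best[i] - row[i] for i in range(n_states))
            for a, row in payoffs.items()}


def minimax_regret(payoffs):
    """Savage: pick the action whose largest regret is smallest."""
    regrets = regret_table(payoffs)
    return min(regrets, key=lambda a: max(regrets[a]))


def laplace(payoffs):
    """Laplace: treat all states as equally likely and pick the best average."""
    return max(payoffs, key=lambda a: sum(payoffs[a]) / len(payoffs[a]))


def decide(payoffs, max_affordable_loss=None):
    """Apply all four criteria, optionally after removing unaffordable actions.

    Ties are resolved in favour of the action listed first in the table.
    """
    if max_affordable_loss is not None:
        payoffs = acceptable_actions(payoffs, max_affordable_loss)
    if not payoffs:
        raise ValueError("no action has an acceptable worst-case outcome")
    return {
        "hurwicz_maximax": maximax(payoffs),
        "wald_maximin": maximin(payoffs),
        "savage_minimax_regret": minimax_regret(payoffs),
        "laplace": laplace(payoffs),
    }


if __name__ == "__main__":
    print("states:", ", ".join(STATES))
    print("no loss limit:      ", decide(PAYOFFS))
    # Constructed limit: the decision maker cannot afford to lose more than 20.
    print("loss limit of 20:   ", decide(PAYOFFS, max_affordable_loss=20))
```

Removing the unaffordable action changes the regret table as well as the maximax choice, so the Savage recommendation moves even though the remaining pay-offs are unchanged.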

The Concept of Risk Management

Risk management is a collective term for the processes involved in identifying those risks that impact on a consideration and in establishing a monitoring and control system to ensure that the risks are managed

MODULE 3 – THE CONCEPT OF RISK MANAGEMENT

Some Common Questions About Risk Management

People have generally heard of risk management but perhaps they associate it mainly with health and safety issues and/or finance.

Many organisations fail to understand exactly what is involved in the risk management process and what the various phases and stages represent.

Organisations often have difficulty in correctly identifying those risks that are relevant to a given decision, yet correct identification is crucial to the risk management process.

Having identified the relevant risks, some organisations have difficulty in carrying out the correct forms of assessment and in setting the correct levels of control and procedures for ensuring that these work properly.

Many organisations do not appreciate the magnitude and scale of the array of risks that face them nor the complexity of the interrelationships existing between the various risks.

As part of the management process it is important to be able to make correct and accurate recommendations on whether the risk should be eliminated (at what cost), transferred (how much), reduced (how far), or retained as residual risk.

It is one thing to identify, assess and formulate a response to risk; it is quite another to set up a long-term system that can monitor and control risks over a period of time.

There are numerous tools and techniques that can be used to deliver part of the risk management process.

The Concept of Risk Management

Risk management is the term applied to the logical and formalised methodology of identifying, classifying, analysing, and responding to risk and then monitoring and controlling the resultant management process in order to ensure that the risks involved remain effectively managed in the long term.

The concept of risk management is not new, nor is it radical in its philosophy or scope. Humans subjectively manage risk all the time as part of their everyday lives.

The risk management system has to be able to identify and assess all the risks that impinge on a particular decision. The consequences of missing or wrongly assessing a particular risk can be considerable.

In most cases the system has to be designed and implemented to embrace the whole organisation and to include all external parties such as external consultants, contractors and suppliers.

The risk management system has to be practical and user-friendly. If it does not meet these two basic design criteria people will not use it or, if they do, they will do so only to a limited extent.

The risk management system is designed and commissioned as a project. In line with the development and implementation of any management programme it requires support and resources from the organisation.

The risk management system will function most effectively where it is designed to work organisation-wide and is implemented and operated organisation-wide.

The design and implementation of the risk management system should be allocated as a specific responsibility to a suitably qualified project manager, who will be responsible for ensuring that all aspects of the design and implementation of the system are carried out effectively.

Risk Management Methodology

Most risk management system frameworks agree on the following basic stages:

• The risk context represents the starting point in the process. The first step has to be the definition of where the risk sits in the organisation and the extent to which it will affect the organisation as a whole if it does occur.

• Consideration of context usually requires some form of formalised breakdown of the elements involved, coupled with some kind of corresponding evaluation criteria. At a project level this is often achieved by the use of a work breakdown structure (WBS).

• Risk identification is the process of identifying and considering all the risks that have to be included in the risk management system. It is important that all relevant risks are identified, as any that are not identified will be excluded from the risk management system that is subsequently developed.

• An unmanaged risk is potentially a very dangerous risk, and it is therefore worthwhile carrying out any relevant testing and calibration procedures to make sure that the risk identification system is working properly.

• Brainstorming uses people collectively to identify risks by exchanging opinions and arriving at an approximation of the solution.

The objective of risk analysis and evaluation is to allow the risk to be measured in some way so that the dangerous risks can be separated from the more minor ones and all risks can be managed in relation to their threat.

Risk attitude allows for the risk appetite of the decision maker. Typical risk taker characteristics are risk seeking, risk neutral or risk averse.

There are a number of recognised response options. These include:

• risk retention;
• risk reduction;
• risk transfer;
• risk avoidance;
• seeking additional information about the risk.

Risk transfer involves transferring the risk to others. The obvious way of doing this is through an insurance contract.

Risk may sometimes be avoided or reduced by seeking additional decision-relevant information.

Risk monitoring and control is the long-term aspect of implementation for the risk management system.

Risk, Contracts and Procurement

A contract is a way of formalising an agreement so that the agreement can be legally enforced if required.

In general terms the greater the degree of risk transfer under a contract the greater the cost implication.

Commensurate risk is the risk of being unable to fulfil the obligation or duty because of inadequacy, incapacity, inadvertence or error, or because of interference from outside events or sources.

Specific conditions are drawn up specifically for that particular application. Clients often want to add specific terms and conditions to suit their own circumstances. Typical examples would include restrictions on noise, working times and access.

Consideration may or may not be appropriate depending on the legal system under consideration. It is the exchange of something of value (usually money).

Capacity relates to the ability of parties to perform their obligations under the contract. The contract can be void if one or more parties has agreed to it while knowing that they do not have the capacity to deliver.

The contract itself must be legal, and there must be an intention to create legal relations. For example, a contract cannot exist where the consideration or goods under the contract are illegal. A contract for the supply of banned narcotics would be void ab initio.

Fundamental risks are generally covered by express terms. Liabilities (such as reasonable duty of care) are generally covered by implied terms.

Contracts are vehicles for risk transfer. Risk can usually be transferred to whatever degree is considered necessary by the person who is drafting the contract.

MODULE 4 – STRATEGIC RISK

The Concept of Strategic Risk

Strategic risk is an inevitable consequence of strategic planning.

As the organisation seeks to achieve its stated strategic objectives, emergent risks and opportunities arise both internally, owing to the change itself, and externally, owing to variations in environmental factors.

The level of uncertainty in the modern business environment is higher than ever before owing to the increasing complexity of organisations and the speed of information flow within and between organisations.

Appropriate resources must be allocated to the risk management system.

Strategic risks in the external environment are generally beyond the control of the organisation.

Response to strategic risk requires constant monitoring of the issues and the development of scenarios to anticipate the impact of these risks if they manifest themselves.

The management of strategic risks is achieved through repositioning the organisation.

In selecting a future strategy for implementation the main risk is the potential for strategic drift.

Strategic drift arises where the outcome of the implementation process no longer matches original strategic objectives.

The strategy focus wheel highlights the role of risk management in monitoring the performance of the organisation under conditions of change.

Strategic Planning

Strategic planning originated within military planning applications.

To be effective, strategic planning should be proactive rather than responsive.

Strategic planning is more likely to be qualitative than quantitative in view of the uncertainty surrounding the future.

Analysis of the internal and external environments is critical in the development of strategy.

Research and development is critical to building and maintaining a competitive position; however, there is a great deal of risk in bringing new products to the market.

Failure to develop new products exposes the organisation to risk owing to missed opportunity and the actions of competitors overtaking the organisation.

Short-termism through ineffective future resource planning is a fundamental business failing.

It is critical that the organisation can identify its core competences as it must focus upon these to exploit them for its advantage.

In defining strategy, managers must be aware of the organisation's culture and its ability to create change or organisational problems.

Uncertainty is always present in the context of future performance owing to changes in the external environment and internal organisation.

Using Scenarios to Respond to Uncertainty

Scenarios represent different alternative future business positions.

Uncertainty in the future increases with the extension of the time horizon.

As well as identifying the risks and opportunities that may arise in the future the organisation should also develop an understanding of how likely they are to occur and their potential impact on the organisation.

Scenario planning recognises that there is unlikely to be a single definitive view of the future.

Scenario planning is built on specific research and a defined process, and should be used to challenge the organisation's existing views of the future.

Scenario planning allows planners to work through their ideas in each of the different scenarios and allows the organisation to develop a long-term plan that relates research and analysis directly to the decision-making process in the business.

Scenario planning highlights uncertainties, and allows a medium for exploration, while acknowledging that the future may actually contain aspects from more than one scenario.

Scenarios are developed through a defined process, to allow the organisation to develop answers to a specific question.

In determining how to respond to scenarios, the organisation has a means to determine how one scenario and an associated strategy may produce an outcome for the organisation.

Organisations can respond to scenarios depending on the significance that they attach to the technique and in relation to the reliability that they associate with the results. It should be remembered that scenario planning does not guarantee an outcome. It simply gives an indication of the characteristics of one or more possible states as a function of scenario variables.

Risk in Strategy Implementation

Implementation is a particularly difficult element, and poor implementation accounts for a high proportion of strategic failures.

Failure to align internal resources to the selected strategy results in a high level of variability around the selected outcome and increases the likelihood of the organisation drifting away from its objective.

Organisations that prefer incremental change to transformation, or which avoid open debate and challenge, or which ignore the performance of competitors, are likely to be susceptible to strategic drift.

Strategic drift due to internal factors is best managed through effective control.

Effective control requires the organisation to review its strategy, set critical success factors and key performance indicators around the critical business activities, and fully align supporting factors such as information systems and personal rewards.

The management of strategic drift due to external factors requires effective monitoring of changes and developments in the external environment.

The organisation can develop key environmental indicators to track changes in the external environment.

Corporate Governance

The significance of corporate governance in recent years has increased owing to high-profile corporate failures based on a lack of control or criminal acts.

Governance standards vary internationally, but are generally driven by legislation, stock market rules and the constitution of the organisation.

Governance is intrinsically linked with strategy, as both require control and monitoring: these are likely to be shared activities, rather than independent or duplicated ones.

Governance has increased in significance as most organisations now realise that they have a wide group of stakeholders whom their actions affect, rather than just shareholders.

Governance starts with the board of the organisation and the responsibilities, authorities and competences that the individual members provide.

Effective non-executive directors are required to provide a critical level of challenge for the board.

Non-executive directors control board committees to determine board appointments, remuneration and the degree of control that is implemented by the organisation.

Socially responsible investments are the manifestation of increasing awareness of corporate social responsibility amongst organisations and individuals.

MODULE 5 – CHANGE RISK AND PM AS A TOOL FOR MANAGING CHANGE

The Concept of Change Risk

The risk associated with change impacts at different levels within an organisation. The impact and consequences vary in relation to the organisational level where the impact occurs.

Change that occurs at one point or level in the organisation does not necessarily directly affect other parts of that same level or indeed of other levels. On the other hand, major changes may occur that have a direct impact on all levels of the organisation.

Corrective/tactical response risk arises from a need to correct strategic objectives that were incorrectly assessed and specified.

Cascade risk results from the percolation of risks between levels in an organisation. In extreme cases risks can generate a chain reaction that can impact throughout the organisation.

Objective definition risk develops where strategic objectives were inadequately defined at the outset. The original strategic plan will have been based upon carefully assessed objectives that were considered to be reasonable and accurate at the time when the strategy was developed. Re-targeting strategic outcomes part way through a strategy implementation process generates an automatic likelihood of incorrectly identifying and assessing the revised strategic objectives.

Corrective error risk arises from the need to redefine and realign the implementation system when objectives or strategy implementation processes have been changed.

Corrective impetus risk develops as a result of strategic realignment. There may be a considerable delay between ordering a realignment and the organisation actually being able to implement it. This applies particularly where the existing strategy carries considerable implementation impetus.

Resource consumption risk originates from the frequent requirement for additional resources that arises as a consequence of the realignment process. These resources are not planned and considerable disruption can be caused as resources are shuffled around within the organisation.

Customer attitude risk is always present when high-level and visible planned changes are implemented. These can include everything from changing the company logo to the introduction of a complete new marketing strategy. Customers sometimes react badly to change.

Reserve depletion risk relates to the consumption of resources or reserves during the realignment process. There are generally sufficient reserves to soak up some change impacts, but there will usually be a point where reserves are exhausted.

Responsive strategy implementation realignment risk arises from difficulties in precisely defining the characteristics and sub-objectives of the corrective strategy. In addition, external events may occur that limit the degree of freedom available to the strategist.

Planned change is optional whereas imposed change is not. Most organisations experience a combination of planned and imposed change.

Changes can be foreseeable and unforeseeable. The more often a particular change occurs the more foreseeable it becomes. Changes that occur regularly and on a cyclic basis become entirely foreseeable.

Change Management

All organisations are subject to change and pressures to change. Change is a natural component of any evolutionary process, and organisations have to be able to change over time.

In order to manage the risks that develop from change it is necessary to develop a change management system.

Most organisations pace themselves when undergoing change. Typically, short periods of large-scale change are interspersed with longer periods of lower-level changes. This phenomenon is sometimes referred to as cyclic change or the change cycle.

Managing change is about moving the organisation from one point to another point. These points can be regarded as the start and end points of a problem-solving exercise. The management of change therefore becomes concerned with moving the organisation from the problem condition to the solution or solved condition.

The implementation of change usually involves individuals and groups at four levels within the organisation:

• Senior executive teams: these teams establish the overall culture strategy of this and other

• Change leaders: the individual managers who are given responsibility for stated changes. It is important that an individual is given ownership of the change.

• Teams: comprising team leaders and project managers together with high-performance teams.

• Steering committees: it is generally wise to include an impartial and informed steering committee to advise on the efficacy or otherwise of the implementation.

In implementing change it is usually prudent to ensure that the change manager or team leader has executive control over the team. The change manager should accept responsibility for managing the change and for any associated risks that go with it.

Change implementation works best when it is applied enterprise-wide. It is often not practical to restrict even project change to a single level or area as the implications of a project change can move upwards through the system and generate corresponding changes at the operational and strategic levels.

Change is part of a life cycle process. It is important that everybody can see that change is implemented and that the effects of the change continue. The change should be viewed in terms of its life cycle consequences and possible long-term generation of a need for further changes.

A change management system must have a feedback and evaluation subsystem. Any control mechanism is only as accurate as its calibration. It is important that the system is carefully monitored after implementation in order to make sure that it is operating as it was intended to operate.

Resistance is one of the main obstacles to change. People might not agree that the change is necessary or productive. Alternatively they may agree with the viability of the change but fear the consequences. Resistance tends to occur as a result of a basic misalignment of the senior management view of the change and the view of the ordinary people that work in the operational sections.

The key elements in managing resistance are:

• driver restraint balance (force field analysis);

• leadership;

• participation;

• cooperation to improve the status quo.

Force field analysis is sometimes used to evaluate the driver restraint balance. It allows the change manager to identify the source of resistance to a given change and also to generate possible resistance-reduction measures.

The most obvious way to achieve consensus alignment is through effective leadership.

Leadership for change can take a number of forms and the form that is most appropriate will depend on the change and on the people involved. Leadership flexibility can be considered at three levels:

• the directive;

• selling;

• participation.

Sponsorship involves representatives from all of the various groups that are affected by the change meeting up and determining the main features and characteristics of the change. Participation is generally more effective than selling or directive.

Project Management

Project management is a generic discipline. It is applicable across virtually all disciplines, and it can be successfully used in a wide variety of applications.

Project management is therefore concerned with providing planning and control functions throughout the life cycle of the project.

Project production applies to those processes that cannot be operated on a mass or batch basis. They are one-off unique works where the characteristics are defined by the individual case. In addition projects are typically:

• client specific;

• relatively complex;

• probably not the main concern of the organisation;

• staffed by a multidisciplinary team;

• of short lifespan but full life cycle;

• concerned with multiple objectives.

Changes and projects share these characteristics to a considerable degree.

Planned changes tend to be client specific. They are implemented by a particular client in response to the characteristics and requirements of the organisation at any one particular point in time.

Changes can involve complex processes. A change in one part of the operational process can result in other unforeseeable changes elsewhere within the system.

Change risk tends to be very much time dependent, and can generally be characterised by a definite and specific life cycle.

Changes tend to have clear outcomes. Planned changes are implemented with these specific outcomes as objectives.

Changes tend to be unique. Even if the same type of change occurs twice, such as an internal reorganisation, the second reorganisation can never be the same as the first reorganisation because the first reorganisation by definition changed the organisation.

Changes, like projects, are generally not about the main objectives of an organisation. It is very unusual for an organisation to make changes at a level that affects the primary objectives.

Project planning and control is a central project management function. It involves the project manager in breaking the project up into a set of components or work packages and then arranging these in such a way as to generate the optimum outcome for the duration of the project.

A statement of work (SOW) is a descriptive document that defines the overall content and limits of the project.

A work breakdown structure (WBS) is simply a representation of how large tasks can be considered in terms of smaller sub-tasks.

Project logic evaluation (PLE) is the process of taking the WBS work packages that have already been identified and showing the sequence in which they are to be carried out.

Scheduling is the process of calculating individual activity times in order to allow an estimate for the completion date to be calculated.

Project management makes use of an earned value analysis (EVA) approach to cost planning and control.

Cost variance (CV) indicates the difference between the budgeted costs of the works performed and the actual cost of the works performed.

Project Management as a Tool for Managing Change

Project success criteria are intrinsically linked. Changes in variables that affect one criterion will affect the performance of other criteria.

Contracts are widely used as a change risk control mechanism. Contract terms and conditions can limit the change that can impact on an organisation or project.

Project management tools and techniques allow the project manager to address many of the problems that result from change. The general tool is called change control response (CCR).

On a project the burn rate represents the curve that is generated by the actual costs expended in order to achieve an ongoing level of completion. The burn rate is therefore the same as the ACWP curve.

Trade-off analysis provides a quick and convenient tool for identifying the optimal sequence of actions where specific objectives are being looked for.

Time–cost trade-offs are easily the most common type of trade-off used in practice. They need relatively little complex calculation, and the data required are generally available relatively easily within the system.

Performance–cost trade-offs are also widely used in industry as a tool for managing change.

Performance–cost trade-offs can be produced relatively easily for some processes such as mass production. They may be more difficult to produce for one-off complex projects.

Project managers usually try to formalise the control and management of change by setting up a change control system (CCS). This sometimes operates within the wider scope of the project configuration management system (CMS).

IT projects are often prone to misunderstandings about the technological base to the project. The range and specification of IT systems in the market place change so rapidly that it is common for specifications to be out of date within a few months.

Creeping scope is a function of the human learning process. People tend to want to add more as they learn more about something.

Change control systems (CCS) attempt to mitigate the effects of such changes on the overall success of the project. Most project managers use a CCS to monitor information within the system that is relevant to change and then control that information to limit its effects on the system.

Most projects use some kind of authorising strata system that is itself usually based on financial limits. This system limits the cost implications of decisions that people can make.

Change notices are generally stored together, and a running total of the increased costs associated with them is monitored by the cost controller. This running total is sometimes referred to as a ‘bill of variations’ as it represents the additional cost of changed or varied works.

MODULE 6 – OPERATIONAL RISK MANAGEMENT

The Concept of Operational Risk

Risk is a complex entity, and a single risk can impact at a specific level or across a range of levels within the organisation.

Traditional approaches to operational risk management tend to divide risk management or assurance functions into silos.

Operational risk can also be considered in the context of impositions on the organisation's behaviour and performance. Internally these risks arise from standards and initiatives such as quality management, whereas externally imposed risks can arise from legislation and the actions of legislators.

Typical risks associated with processes include poor alignment of processes to business objectives and an inability to perform at the level expected by customers.

Being able to break a business down into processes is critical to the process of setting the appropriate context for a business risk assessment (BIA), as the impact of a loss event or failed opportunity will be seen only when the risk is considered in relation to the business functions and what they are trying to achieve.

The increasing emphasis on getting more from less has led to a significant increase in dependency upon the assets and resources that exist within an organisation.

Insurance offers some financial protection against the economic consequences of the loss of an asset or resource. The impact of such a loss can be greatly magnified by changes in external factors such as the market or actions of competitors.

Contingency plans and business continuity management offer effective responses to losses that impact on assets or resources, but these are not effective control measures, and this is the priority.

Knowledge is one of the most important assets of the business, and there are significant risks around it, particularly a failure to exploit the benefits of knowledge management.

Enterprise-Wide Risk Management

Robust risk management processes help the directors of a company to meet the challenges of success by improving the linkage between risk and performance to exploit opportunities to their maximum. In this context, sound risk management can offer competitive advantage.

EWRM offers a comprehensive approach to risk management by aligning strategy, processes, people, technology and knowledge with the purpose of evaluating the uncertainties that the enterprise faces as it creates value.

EWRM should support the business and encourage success, but should not be a means of additional control or bureaucracy over the business and its people.

Traditional risk management puts operational risks into silos and relies upon assurance functions rather than business functions to manage risks. This approach leads to omission and duplication, and does not consider risk in its widest sense or how it can impair the organisation's ability to achieve its objectives.

The risk silo approach to risk management typically involves a series of discrete functions including internal audit, legal, treasury, insurance, quality management, health and safety, environment, facilities management, business continuity planning and IT security.

EWRM aligns all these functions around the common theme of linking risk and opportunity to achieve business success.

A number of risks are outside the control of managers, and these will form strategic issues that should be considered in the strategic planning process.

Assessing risk in the context of business planning allows the organisation to determine what resources should be allocated to controlling those risks. A cost–benefit comparison of the investment in risk control as opposed to the potential cost of loss can be undertaken, but care is required, as risk is complex in its nature and the financial consequences of risk are unlikely to be clear cut.

In recent years the drive to increase the value of a company has seen increased emphasis on brand development. The building and management of a brand creates many risk exposures out of the collateral damage associated with certain actions or omissions on the part of the organisation.

Increased awareness amongst stakeholders such as investors, customers and employees has seen organisations place much more emphasis on the management of their reputation and the avoidance of issues or events that could damage it.

Treatment Options

There is a wide range of risk treatment options, which revolve around avoidance, control, monitoring, assurance and transfer.

Control functions for risk can be broadly divided into hardware and software.

Hardware-based control mechanisms are based on standardised detection and response. They tend to be preferred as they reduce the dependency on human intervention, which has been shown to be susceptible to variations over time.

Software-based control systems refer to any action, behaviour or activity that is intended to mitigate risk or realise opportunity.

Typical components of a software-based control system include policies, responsibility, accountability, authority, competence, procedures, communication and monitoring.

Policies set out what the organisation is trying to achieve in terms of risk treatment.

Competence is a critical element in the prevention of loss and fulfilment of performance standards. It is widely seen as the main way in which error can be eliminated from a process or activity.

Internal audit serves as the corporate conscience, but more importantly it should act as a source of specialist advice and drivers for efficiency and control.

Emergency response is concerned with stabilising a situation in the immediate aftermath of a loss incident.

The main purpose of crisis management is to ensure the flow of accurate information and dispel any inaccuracies that arise around the problem, which could make the situation worse.

Business continuity planning is about recovering from an event and normalising the business and its operations as quickly as possible.

In most cases it is not possible to transfer all risk. In most cases only the financial consequences of the risk can be transferred.

Insurance leads to a considerable tie-up of capital, but few organisations or their creditors and investors would allow the company to operate without appropriate insurance.

An alternative means of transferring risk is to use a captive insurance company. Captives generally cover the risk of only one organisation or an industry sector, and were originally set up to provide insurance in the pound-swapping layer where premiums paid equalled claims made, and the transaction costs made the purchase of insurance uneconomic.

Captives offer tax benefits and direct access to reinsurance and alternative financial means of risk transfer.

Alternative risk transfer (ART) has arisen out of the convergence of banks, financial markets and insurance. ART offers an alternative means of transferring risk through products such as multi-line, multi-year products, contingent capital and insurance-linked securities.

Some Common Questions about Unforeseeable Risk

People naturally tend to think that if something is unforeseeable then by definition it cannot be seen and therefore cannot be analysed. In practice unforeseeable events can be modelled if sufficient information is available.

It is a common assumption that anything can be analysed provided complete information is available. The level and detail of analysis that is possible diminishes as the amount of available information diminishes. As less and less information becomes available the accuracy of any possible analysis decreases until it reaches a level where it has little use.

People often have difficulties in being able to decide on an appropriate level of protection where unforeseeable risks are concerned.

People often treat unforeseeable risk differently from strategic, operational and change risk. Unforeseeable risk can be much more difficult to identify and analyse than some other forms of risk, and therefore it is sometimes considered separately.

The Internet and the use of web-based communication are creating a whole new array of potentially unforeseeable risks such as hackers (malicious individuals who attempt to gain unauthorised entry to an organisation's computer and IT systems).

The most dangerous unforeseeable risks are the ones that can sink the company.

People often do appreciate how widespread unforeseeable risk can be, and there can be some confusion between the consideration of unforeseen risks at the three risk levels within the organisation.

People are often unsure about the extent to which unforeseen risks can be transferred and reduced through the use of insurance contracts. In general terms an insurer will consider providing cover so long as the overall risk can be measured and assessed in some way. This is not always possible with unforeseeable risks.

It can sometimes be very difficult to assess the unforeseeable risk in the first place. As a result it can be very difficult to decide on what level to transfer and what level to retain. Premiums on large unforeseeable risk transfers can be very high, and it is important to match this to the probability of the risk occurring.

Having accepted that some residual unforeseeable risk remains, some provision has to be put in place in case the residual risk does occur. Given that the risk is unforeseeable it can be very difficult to design suitable containment and control procedures.

In terms of managing unforeseeable risk the main objectives of the risk manager are to:

• identify all relevant unforeseeable risks;

• analyse them as far as is possible;

• decide on which unforeseeable risks to transfer and which to retain;

• decide on what level of transferable risks are actually to be transferred;

• mitigate any retained and residual unforeseeable risks;

• set up procedures to cover the occurrence of any retained and residual unforeseeable risks.

Some Common Misconceptions about Unforeseeable Risk

In order to occur, unforeseeable risks depend on the successful development and linking of a series of related events. These events have to occur in some kind of order or sequence for the risk to occur.

Lightning really can strike in the same place twice. All it needs is for the conditions to be right.

Risks that appear to be unforeseeable before the event tend to look more foreseeable after the event (with hindsight).

The complexity of assessment of an unforeseeable risk is a function of the amount of information that is available.

Continuity planners often meet opposition from senior managers. Continuity planners generally try to develop detailed and fail-safe continuity plans that will safeguard the organisation in the event of a catastrophic impact. The more detailed and reliable the plan the more expensive it is likely to be. Senior managers sometimes feel uneasy about agreeing to fund expensive plans that may never be needed.

This is sometimes known as the ‘ostrich’ approach or ‘tempting fate’. The fact that an organisation has never experienced a major disaster or catastrophic failure is not a valid reason for concluding that no such event will ever happen.

The Concept of Unforeseeable Risk

The relative magnitude of unforeseeable risk varies from organisation to organisation and depends on application and point of view.

Unforeseeable risk is also a dynamic consideration. It varies over time and in relation to a whole series of internal and external factors. The sources of unforeseeable risk are varied and numerous, ranging from meteorological to physiological.

The basic choice before the risk manager is to either accept the unforeseen risk or to transfer some of it and retain a residual element that can be controlled and managed.

The objective of the risk manager is to reduce the residual level to a magnitude that is acceptable in terms of the risk profile and exposure of the organisation. The reduced level risk should then be managed or controlled so that the potential impact (if the risk does occur) can be absorbed by the organisation.

The relative magnitude of covert corruption and fraud will depend on the nature of the organisation. Some organisations are more sensitive to the effects of corruption and fraud than others.

Unforeseeable risk often has a degree of time dependency. Some unforeseen risks can impact and have an immediate effect. Others impact and leave a finite amount of time before the full consequences of the impact are apparent. Some forms of unforeseeable risk have a considerable time-dependent element, and the effects of the impact may not be apparent for months or years.

Some forms of unforeseeable risk are strongly time dependent. A risk such as fire damage has an immediate impact. A serious fire in a production facility could immediately halt production until such time as any consequent damage has been repaired and the production system can be put back into full operation.

Other forms of unforeseeable risk are partially time dependent. The risk occurs and the affected company has a certain amount of time to make a tactical response before the full impact occurs. An example is a sudden downturn in the market, where existing production can be maintained on current cash flow but only for a certain amount of time.

Some forms of unforeseeable risk are very much time dependent. Risks such as warranties could exhibit a ‘dormant period’ where they exist but do not emerge until a discovered defect occurs.

Unforeseeable Risk Types

Internal unforeseeable risks are generated within the organisation and result from internal events. The impact of the unforeseeable risk is largely internal although there could be some external effects. Fraud and corruption are examples of internal unforeseeable risks.

A type 1 internal unforeseeable risk originates internally and has largely internal effects.

A type 2 internal unforeseeable risk originates internally and has both internal and external effects.

External unforeseeable risks are generated outside the organisation and result from external events.

A type 2 external unforeseeable risk originates externally and has both internal and external effects.

Typical sources of unforeseeable strategic product/process risks include the following:

• Unforeseeable risks that impact at the strategic level are those that can affect the overall strategic performance of the organisation.

• Market demand may have been incorrectly assessed.

• Market demand may have changed since the original assessment was made.

• New technologies may have emerged, rendering the product obsolete.

• New competitor products may have emerged, rendering the product uncompetitive.

• Changes in the market may lead to a reduced potential sale price.

• The product may have been progressively modified away from the original specification (creeping scope).

Typical sources of unforeseeable strategic people risks include:

• high-level fraud or deception;

• corruption;

• labour migration;

• high-level/key person defection.

Typical sources of unforeseeable strategic market and finance risk include:

• general economic climate;

• forced changes in company structure;

• investor trends;

• competitor behaviour;

• customer demand;

• underlying research and innovation levels;

• demographic and population patterns.

Typical sources of unforeseeable strategic support risk include:

• plans that are incompatible with technology;

• evolving obsolescence;

• overambition.

Typical sources of unforeseeable operational product/process risk include:

• human error (including poor training, inexperience and mistakes);

• poor maintenance;

• configuration and programming errors;

• lack of back-ups and control systems;

• inadequate coordination where multiple users are involved;

• system limit overload;

• incorrect input of components and supplies.

Typical sources of unforeseeable operational people risk include:

• demotivation;

• deception;

• fraud;

• sabotage;

• industrial action.

Typical sources of unforeseeable operational finance and market risks include:

• market changes, rendering current production obsolete;

• inflated production costs;

• variations in fuel costs;

• design/manufacture incompatibilities;

• failures in related support functions;

• changes in customer requirements (such as faster production or earlier delivery times).

Typical sources of unforeseeable operational support risks include:

• viruses;

• spies;

• traitors;

• saboteurs.

Typical sources of unforeseeable change people risks include:

• death;

• illness;

• defection to rivals;

• dismissal;

• reallocation;

• transfer of additional duties.

Developing the Response

A risk breakdown structure (RBS) is a type of work breakdown structure (WBS) that breaks the various risks up into different levels and (where appropriate) different functional or departmental concentrations.

The magnitude of each unforeseeable risk can be calculated using the basic business risk analysis. The risk magnitude is a function of the probability of occurrence and of the impact of the risk. The risk magnitude is a function of the risk magnitudes of all the other sub-risks that are linked (see below) into the considered risk.

Risk linkages are the most important part of the analysis and yet are the aspect most often overlooked or not fully considered by risk managers.

Risk linkages are interdependency lines within the risk universe or risk interdependency field that indicate where one risk impacts on another.

In determining and reassessing the potential unforeseeable risks that can impact on an organisation it is essential to take a holistic view of the organisation's risk profile.

The various risks in the risk interdependency field are related and interlinked. A change in the magnitude of one risk can result in a change in the magnitude of another risk. In addition, risk linkages can also have different magnitudes or strengths. The interdependency between any two risks is a function of both the risk magnitude (probability multiplied by impact) and the link magnitude or strength.

Insurance contracts have obvious limitations. If a specific unforeseeable risk does occur, the company concerned is ‘covered’ provided that:

• the event falls within the agreed schedule that appears on the policy document;

• all premiums are up to date;

• no disqualifying factors are present.

Partnering is a way of either transferring unforeseeable risk entirely or sharing it with another individual or organisation so that the impact becomes diluted.

Alliances and partnerships offer a means of both transferring and diluting unforeseeable risks. A partnership differs from a merger or acquisition in that both companies retain their existing organisational structures and authority networks. The two companies share resources and work together but they do not actually combine.

Contingency reserves are used at all levels of business. Most large organisations maintain a strategic reserve that is used to finance any actions or activities that have not been foreseen.

Smart financing and risk transfer can only eliminate some unforeseen risks. There will always be an element that is retained either optionally or because the unforeseen risks concerned have not been identified. These are residual unforeseen risks and are the most dangerous type.

The usual method of treatment is some form of emergency planning.

These types of plans operate at three primary levels:

• continuity planning;
• contingency planning;
• crisis planning.

Business Continuity Planning

The continuity plan is concerned with keeping the organisation running while the event is occurring and being overcome.

Contingency planning is concerned with identifying and dealing with the interruption on an organisation-wide basis.

Crisis planning is concerned with emergency procedures to maintain the survival of the organisation where the level and impact of the risk reaches such levels.

Business continuity plans (BCPs) are required more and more in modern commerce and industry.

A BCP is concerned with the establishment of some kind of reserve or secondary plan and resources to cover the eventuality of an unforeseen risk occurring so that the normal (or as near normal as possible) production processes can continue until everything is back to normal.

The goal of the BCP is to preserve and maintain the essential elements of an organisation or company and to maintain an acceptable level of output or production through the unforeseen event and afterwards.

BCPs are usually developed and updated as frequently as internal and external changes require. They are usually the direct responsibility of a specialised team. The usual designation is business continuity plan management team (BCPMT).

Contingency Planning

Contingency planning works in addition to business continuity planning. A contingency plan is different from a business continuity plan in that it addresses all aspects of the organisation in terms of what needs to be done in order to recover from a given impact. It involves looking at virtually all aspects of the business, and therefore can be an enormous process.

A business contingency plan can be considered as a set of procedures that define how a business will continue and recover its critical functions in the event of an unplanned, disruptive event.

Most contingency planning approaches use a combination of top-down and bottom-up analyses. A bottom-up approach is required because the ‘coal-face’ knowledge of the various operational managers is required in establishing the detail of the emergency response. A top-down element is also required as the contingency plan has to be developed as an implementable strategy and therefore requires the collective overview of senior management.


The development of the contingency plan is a dynamic process. It is not completed as a formal document before being reviewed or evaluated by the other members of the continuity plan team.

The crisis plan details what each individual does and how processes and procedures are maintained throughout a disaster.

The plan should be implemented and then tested on a regular basis. Drills and dry runs are good ways of developing employees' detailed understanding of the design and functioning of the plan.

It is also normally good practice to have some kind of formal review procedures so that any failings in the plan are highlighted and brought to the attention of senior management.

The contingency plan should be effectively managed and should be communicated to everybody in the organisation. Those people with specific responsibilities should ensure that they understand these in detail.

Crisis Planning

Crisis plans are similar to contingency plans. A contingency plan is prepared with the intention of maintaining production and support when disruption occurs as a result of some event. The event itself is identified and assessed as discussed above. A crisis plan is a similar idea but it is designed to deal with an event that cannot be formally identified and assessed.

The valuation process involved in developing the crisis plan is very similar to that used in developing the contingency plan. The process involved follows the same basic stages and procedures with the difference that risks and impacts have to be considered in the context of how to make an immediate response without having any time to assess and plan in advance.

As with the contingency plan it is important that a team is established to oversee the development of the crisis plan. This team comprises executive level managers and is usually known as the crisis management team (CMT).

The team is on permanent stand-by and is called into action by senior management as required. The CMT acts as the corporate centre for crisis planning, and it controls and coordinates the other individual crisis management teams within the organisation.

The CMT is charged with dealing with emergencies, so it is important that the CMT members are trained as necessary and are individually named as being members of the team. It is normal practice for each team member to be accompanied by a deputy at all times when dealing with the crisis plan.

Crisis plan implementation tends to be rather unusual in that it is often based more on operational actions than on discussion and committee decisions. Most crisis plans are implemented through drills and exercises. These can be more or less detailed depending upon the implementation stage that is being considered and on the level of detail that is required for the particular stage under consideration.

In most cases crisis plans are implemented in stages, beginning with a restricted or limited run and then building up to a full-scale exercise. By the time that the people involved reach the full-scale exercise level they are fully aware of what is required and what they will be expected to do.

MODULE 8 – THE RISK INTERDEPENDENCY FIELD AND DEVELOPMENT OF A PROCESS MODEL

Some Common Questions about Risk Interdependency and Process Models

Risk interdependency analysis is concerned with the relative magnitude of risks and the way these risks interact with each other within the risk profile.

Risk interdependency is an important consideration because, as risks are interrelated, it is dangerous to consider any given risk in isolation.


A process model is intended to be a general or generic tool. The model represents the stages and phases to go through in reaching a certain outcome. The model is useful only if it is sufficiently generic to be applicable to each individual user. However, the general nature of the model may restrict the definition and applicability for individual companies and organisations.

For specific application the process model has to be tuned with some kind of plug-in that will give it the detailed company data and information necessary for an accurate and specific analysis.

The process model itself is generic. It can operate with reasonable accuracy in any given application. The risk interdependency is specific to each organisation and even (to some extent) to the characteristics of the individual risk manager or decision maker. The most logical way to assemble the complete model is to develop it as a generic model and then introduce the specific interdependency information as a plug-in.

The plug-in can be developed for each particular application, and can be inserted into the generic model to give specific output.

A process model can serve as both a predictive and a reactive tool.

Process models do have limitations. They tend to be relatively fixed and inflexible, and cannot always allow for change. They can only model the process that should be adopted within certain limits of reliability.

The Concept of Horizontal Risk Levels

Risks can be grouped into a number of clear headings, covering strategic, operational, change and unforeseeable. These are classifications of horizontal risk levels in that they run through organisations and across functional boundaries.

The primary horizontal risk levels relate to strategic risk, operational risk, change (project) risk, and unforeseeable risk.

Strategic risk can result from external actions such as the launch of a successful new product by a competitor effectively changing the strategic objectives that were originally set.

Operational risk relates to the operational processes used by the organisation.

Operational risk can arise externally, for example where market demand requires increased beyond-capacity output.

Change risk relates to all levels of change occurring within the organisation, primarily in the change required to convert strategies into operational procedures.

Change risk is sometimes known as project risk, because projects are usually set up either to bring about a change or to respond to change. Project management is sometimes known as ‘a tool for managing change’.

Unforeseeable risk underlies the other risk types. Unforeseeable change can be almost entirely unforeseeable, such as an object from space landing on a factory and interrupting production.

Unforeseeable risk can also be ‘reasonably foreseeable’, such as a fire breaking out and causing damage to premises.

The four primary risk types or classifications can be represented as horizontal strata that run through an organisation over time.

The impact that the various risks have on each other can be considered as linkages. An unforeseeable risk will tend to influence change risk more than it does strategic risk (unless it is a particularly large unforeseeable risk).
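
The linkage idea can be worked through numerically. The following Python example is added here and is not part of the original notes. It assumes a simple additive rule (a risk's effective magnitude is its own probability multiplied by impact, plus link strength multiplied by the effective magnitude of each risk that impacts on it); the rule, the names `Risk`, `effective_magnitudes`, `RISKS` and `LINKS`, and all figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    probability: float  # likelihood of occurrence, 0..1
    impact: float       # cost of occurrence, arbitrary units

    @property
    def magnitude(self) -> float:
        # Risk magnitude as defined in the notes: probability x impact.
        return self.probability * self.impact

def effective_magnitudes(risks, links):
    """risks: {name: Risk}; links: [(source, target, strength)].

    Assumed rule (not from the notes): effective(target) = own magnitude
    + sum(strength * effective(source)) over every incoming link.
    """
    incoming = {name: [] for name in risks}
    for source, target, strength in links:
        incoming[target].append((source, strength))
    done, visiting = {}, set()

    def resolve(name):
        if name in done:
            return done[name]
        if name in visiting:
            # A circular linkage has no finite answer under this rule.
            raise ValueError(f"circular linkage through {name!r}")
        visiting.add(name)
        total = risks[name].magnitude
        for source, strength in incoming[name]:
            total += strength * resolve(source)
        visiting.discard(name)
        done[name] = total
        return total

    return {name: resolve(name) for name in risks}

# Constructed sample field using the four horizontal risk levels.
RISKS = {
    "unforeseeable": Risk(0.05, 1000.0),
    "change": Risk(0.30, 200.0),
    "operational": Risk(0.20, 300.0),
    "strategic": Risk(0.10, 800.0),
}
LINKS = [
    ("unforeseeable", "change", 0.8),     # strong link
    ("unforeseeable", "strategic", 0.1),  # weak link
    ("change", "operational", 0.5),
]
```

With these figures, doubling the probability of the unforeseeable risk raises the change and operational magnitudes far more than the strategic one, because of the difference in link strength.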


The Concept of Vertical Functional Divisions

Most large organisations tend to evolve into some kind of functional structure over time. The need to specialise then leads to the concentration of particular skills in separate areas or divisions.

Each division concentrates on a specific aspect of the organisation’s overall objectives. A manufacturing company might have production, research and development, finance, sal
