Experienced managers know the value of the ‘elevator view’, that is, knowing when to press the button for the top floor to look down at the bigger picture, and when to descend to the ground floor to get down ‘amongst the weeds’.
From the top floor, we can observe how the elements of our organisation, the projects, programmes, and portfolios, combine to deliver our organisation’s strategic objectives. At the ground floor our project managers provide assurance that their projects are on target to deliver, according to stated objectives. At intermediate floors our programme managers confirm that projects together combine to deliver benefits, and our business managers confirm that the benefits enabled through the programmes will deliver business benefits.
Although we face many uncertainties at all of these levels, both in terms of threats and opportunities, we can be confident that our corporate risk management structure enables us to understand the risks, and provides a framework within which acceptable risk may be managed in line with stakeholder expectations.
Strategic Risk Management
Can we ever achieve this ideal world? That is open to debate; however, make no mistake, some companies do this really well. A recent Deloitte publication reported that, amongst 300 major companies surveyed across 5 major industry areas, 94% reported that they had changed the way in which they managed strategic risk, 81% reporting that this was now an explicit management area, with risk analysis incorporated into their business planning processes.
This may surprise some project managers who may not see much evidence of strategic risk management percolating down to project level, other than perhaps a (not always enforced) requirement to produce a risk register for their project. Of course, organisations with a high project management maturity may have sophisticated and effective project risk processes in place, but this does not necessarily translate into an alignment at enterprise level with the projected business benefits.
But how important is the strategic leadership and alignment of risk planning? Let’s look at a real (but anonymised) example.
Eight years ago, a business consultant in a well-known bank identified a great opportunity and received approval to go ahead. The bank would develop an electronic ‘trade portal’ that would allow the bank’s EU customers to control their supply chains ‘in the cloud’.
Benefits included security of supply and payment, and increased efficiency through not having to maintain their own infrastructure. Down the line, the core software component of the project was deemed to be 100% successful, in terms of budget, delivery dates and system performance.
However, fewer than 5 customers bought the product, and it was scrapped after just one year. The total direct cost to the bank of the software project alone was in the region of $5 million.
Subsequent analysis showed that a number of factors contributed to the failure; significantly, however, none of these were at project level. Firstly, a number of reputational issues had impacted the market’s confidence in relying upon systems provided by the traditional banks.
Secondly, a new competitor had entered the market at a critical time, using a new but more straightforward technology.
Thirdly, organisational changes meant that local branches were under-resourced in promoting the product. At the same time, organisational support for the product had been practically withdrawn, as the bank had switched its priority from EU customers to developing its clients in emerging markets.
Before reputational risks became reality, and a competing technology became available, and a competitor entered the market, and organisational changes occurred, these were all risks, although not at project level. Such risks can only be addressed at an organisational level.
Let’s revisit that software project manager on the ground floor, whose project delivered according to plan. This skilled project manager addressed risk according to the framework laid out in PMBOK 6th edition. Relevant parts of the project were managed using an Agile approach, and the project manager understood the importance of assessing risk at the start of and during each iteration, reprioritising work, whilst engaging with stakeholders, as more information became known.
- They created a project risk management framework that addressed both events (risk register type) and non-event (uncertainty type) risks;
- They understood that some types of risk are handled better in other knowledge areas (for example, requirements or communication management);
- They escalated known higher level risks to management, who in turn ensured that all risks were owned and managed at the appropriate level;
- They ensured, as far as they were able, alignment and coherence with enterprise-wide risk management systems.
Of course, the project manager can only escalate risks which they can identify, and certainly, in our example, the project manager had no knowledge of reputational, competitive, restructuring, or strategic risks. Only an enterprise-wide risk management system is capable of addressing the full range of risk.
Enterprise-Wide Risk Management
But what do these systems look like? Properly constructed, they offer rich risk information that provides risk aggregation vertically and horizontally through the enterprise. Importantly, they also allow assessment of risk interaction.
For example, the use of a simple new technology within a single project may have a low individual risk; incorporated across multiple projects, however, this technology may present an unacceptable risk in the event of failure.
Executive management understanding of the importance of risk management at an enterprise level is not in doubt; there can be few, if any, corporations without properly managed risk functions in the areas of safety, compliance, operational, finance and other key areas. However, and despite the Deloitte study, it is less clear that effective risk management is as widespread in the area of strategic and business planning.
Complicating the development of such integrated processes is the fact that the business environment is becoming ever more challenging, and subject to accelerating change. This has been characterised by the term ‘VUCA’, standing for Volatility, Uncertainty, Complexity and Ambiguity. In such a world new disruptors arise continuously, as do the risks associated with them.
For example, Microsoft recently highlighted the fact that, in an age of digital transformation, emergent technologies such as AI, machine learning and big data are disrupting established business practices. Their study of 2017 suggests that only 38% of business leaders believe that their business model will exist in 5 years. Furthermore, the veracity of such data has fast become a significant risk: although data-driven decisions are being made on an unprecedented scale, a recent study showed that 97% of such decisions were made on data that the managers of those companies considered to be of unacceptable quality.
Significantly, different modes of thinking must be applied depending on the nature of the business environment. In the simple environment, we can rely on following defined procedures. In a complicated environment, we rely on procedures, but also have contingencies in place, based on probabilistic analysis. However, in the complex (and further, chaotic) environment, where risks are not just unknown but ‘unknowable’, traditional modes of thinking may be not merely ineffective, but indeed counter-productive.
As a proactive measure, and in the face of emerging ‘unknowable’ risks, PMBOK underlines that our response should be to build in project resilience. This involves the right budgets, flexible processes, an empowered project team, frequent review and stakeholder involvement. These cannot become a reality in the absence of clear senior management support and delegation of authority within an enterprise level framework.
So, do effective enterprise-wide systems exist, and what do they look like? They do exist, but they are not simple. Typical components are as follows:
- A strong portfolio tool allowing visualisation of all projects and programs in one repository.
- Multiple risk management tools separated vertically at enterprise, project, benchmarking and approvals levels, with variable interface to an enterprise-wide platform. Tools separated horizontally as necessary, at, for example, pre-bid, bid and execution phases.
- Inputs from all relevant functions into risk registers using comprehensive and standardised categories (to allow effective prioritisation across risk areas, and to facilitate root cause analysis where there may be common causes).
- Interfaces allowing live input and instant update and analysis of risks.
- Visible senior management support and training, under the direction of a responsible executive-level corporate risk manager.
- Support in modeling bid and pricing decisions as well as determining S-curves for assessing appropriate reserves.
A natural home for this function might be the Portfolio Management Office, which would be able to analyse the entire project portfolio, and provide risk-assessed options to executive management based upon the rich data now available to them. Off-the-shelf solutions do exist; however, it is almost certain that for the right tools specific expertise will be needed to build or customise an appropriate system.
In this article, we have ‘ridden the elevator’ from the top to the bottom of the organisational building, and back again. Strong risk processes must be in place within the project if it is to reliably achieve its objectives. However, for the company to achieve its strategic objectives, not only must ‘joined-up’ enterprise-wide strategic risk management processes be in place, but the appropriate ownerships and authorities must be allocated and communicated. This is not simply a case of new processes, but requires a project and risk-driven mindset. This is by no means a given in many organisations.
Is a company likely to survive if it continues to conduct its business as usual, implementing traditional risk management processes? It depends on the competition. But we can be sure that at this moment the competition is busy building its enterprise-wide risk management capability.
Deloitte, Exploiting Strategic Risk (2013).
Project Management Institute, A Guide to the Project Management Body of Knowledge, 6th edn (2017).
Microsoft, Creating a Culture of Digital Transformation (2017).
Accenture, hbr.org/2017/09/only-3-of-companies-data-meets-basic-quality-standards, quoted in Technology Vision: Intelligent Enterprise Unleashed (2018).