
2 Project risk Management

Risk Management Process


Strategy, Framework & Principles

If you don’t invest in risk management, it doesn’t matter what business you are in, it’s a risky business.

Gary Cohn
American Business Leader

Learning Objectives
• Upon completion, you should be able to:
– Explain how personality and cultural influences affect
our attitudes and behaviour with regard to risk.
– Identify the 4 main risk personality types and their
distinguishing characteristics.
– Distinguish between what is controllable and what is
the preserve of chance.
Risk Management Framework
• Before we start any risk management exercise
or process, we need to consider the framework
for that process.
• We need to be able to answer questions such
as:
– Why are we doing it, who is responsible, what
authority do they have?
• We therefore begin with a review of some key
issues.
Corporate Governance
• A major factor influencing the drive towards
more formalised approaches to risk
management has been the increased focus
given to corporate governance and internal
control.
• Corporate governance is the system by which
organisations are directed and controlled.
Boards of directors are responsible for the
governance of their organisations.
Enterprise Risk Management
• We will begin by considering the overall
approach to Risk Management in an
organisation or enterprise.
• Risk Management within a small project team
will be much easier to manage than within a
large (multi-national) enterprise.
• However, the same issues still apply, if on a
smaller scale – time, finance and people wise.
ERM

Source: https://www.rmahq.org/erm-framework/
Intended Benefits of RM
• For all types of organisations, there is a need to
understand the risks being taken when seeking
to achieve objectives and attain the desired
level of reward. Organisations need to
understand the overall level of risk embedded
within their processes and activities. It is
important for organisations to recognise and
prioritise significant risks and identify the
weakest critical controls.
• When setting out to improve risk management
performance, the expected benefits of the risk
management initiative should be established in
advance. The outputs from successful risk
management include compliance, assurance
and enhanced decision-making. These outputs
will provide benefits by way of improvements in
the efficiency of operations, effectiveness of
tactics (change projects) and the efficacy of the
strategy of the organisation.
The ‘hard’ and ‘soft’ benefits of RM
‘hard’ benefits
H1 Enables better informed and more believable plans, schedules and budgets
H2 Increases the likelihood of an event/project adhering to schedules and budgets
H3 Leads to the use of the most suitable type of resource/contract
H4 Allows a more meaningful assessment of contingencies
H5 Discourages the assessment of financially unsound projects
H6 Contributes to the build up of statistical information to assist in better management of future projects
H7 Enables a more objective comparison of alternatives
H8 Identifies and allocates responsibility to the best risk owner

‘soft’ benefits
S1 Improves corporate experience and general communication
S2 Leads to a common understanding and team spirit
S3 Helps distinguish between good luck/good management and bad luck/bad management
S4 Helps develop the ability of staff to assess risks
S5 Focuses business/project management attention on the real and most important issues
S6 Facilitates greater risk taking, thus increasing the benefits gained
S7 Demonstrates a responsible approach to customers
S8 Provides a fresh view of the personnel/stakeholder issues in a business issue/project
Management of Risk Principles
• Aligns with Objectives
• Fits the Context
• Engages Stakeholders
• Provides Clear Guidance
• Informs Decision-Making
• Facilitates Continual Improvement
• Creates a Supportive Culture
• Achieves Measurable Value
Risk Management Context
• In order to successfully implement, support and
sustain the risk management process, a
structure is required.
• The figure overleaf illustrates a suitable
structure in terms of architecture, strategy &
protocols.
Architecture, Strategy & Protocols
Risk Architecture
Risk Strategy
A risk management strategy provides a structured
and coherent approach to identifying, assessing and
managing risk. It builds in a process for regularly
updating and reviewing the assessment based on new
developments or actions taken.
A risk management strategy can be developed and
implemented by even the smallest of groups or
projects or built into a complex strategy for a multi-site
international organisation.
Risk Protocols
Risk protocols concern the form of the risk guidelines
for the organisation and include the rules and
procedures, as well as specifying the methodologies,
tools and techniques that should be used.

An example is available on Moodle.


ISO 31000
• ISO is the International Organization for
Standardization.
• They develop and publish a wide range of
International Standards.
• One of them is ISO 31000.
• ISO 31000 was published in 2009 as an
internationally agreed standard for the
implementation of risk management principles.
• ISO 31000 describes the components of a risk
management implementation framework.
• The figure overleaf provides a simplified version
of this implementation framework.
ISO 31000
• The framework includes the essential steps in
the implementation and ongoing support of the
risk management process. The initial
component of the ISO 31000 framework is
‘mandate and commitment’ by the Board and
this is followed by:
– design of framework
– implement risk management
– monitor and review framework
– improve framework
Roles & Responsibilities
Everybody within an organisation has a role and responsibility for
risk management. The following are the main roles and
responsibilities within a medium or large organisation:

1. RM responsibilities for the CEO / Board:


Determine strategic approach to risk and set risk appetite
Establish the structure for risk management
Understand the most significant risks
Manage the organisation in a crisis

2. RM responsibilities for the business unit manager:


Build risk aware culture within the unit
Agree risk management performance targets
Ensure implementation of risk improvement recommendations
Identify and report changed circumstances / risks
3. RM responsibilities for individual employees:
Understand, accept and implement RM processes
Report inefficient, unnecessary or unworkable controls
Report loss events and near miss incidents
Co-operate with management on incident investigations

4. RM responsibilities for the risk manager:


Develop the risk management policy and keep it up to date
Document the internal risk policies and structures
Co-ordinate the risk management (and internal control)
activities
Compile risk information and prepare reports for the Board
5. RM responsibilities for specialist risk management
functions:
Assist the company in establishing specialist risk policies
Develop specialist contingency and recovery plans
Keep up to date with developments in the specialist area
Support investigations of incidents and near misses

6. RM responsibilities for internal audit manager:


Develop a risk-based internal audit programme
Audit the risk processes across the organisation
Receive and provide assurance on the management of risk
Report on the efficiency and effectiveness of internal controls
Risk Capacity & Appetite
• Risk capacity is the maximum amount of risk
that an organisation can bear, linked to factors
such as reputation, capital, assets and ability to
raise additional funds.
• Risk appetite is the amount of risk the
organisation is willing to accept.
• It is risky for an organisation to have a risk
appetite greater than the risk capacity.
Risk Management Process
• Once the appropriate framework and structure
are in place, we are ready to conduct a risk
assessment.
• The following slides show the IRM’s overview
of the assessment process:
IRM Risk Management Process
Risk Management Process (APM)
References & Further Reading
• Two recommended references for further
reading are:
• The IRM’s Structured Guide
• The OGC’s Management of Risk (MoR)
• Details on the next slide….
References & Further Reading

Copy on Moodle Copy in Library


Risk Identification (Dr Evi Viza)
• In the next lecture we will consider how to
identify risks.
