How to Show the Benefits of Risk Management
From Harry Hall at www.pmsouth.com
Sometimes we struggle to illustrate the value of risk management. We sense we are doing the right things. How can we show the benefits?
Some products such as weight loss programs are promoted by showing a “before picture” and an “after picture.” We are sold by the extraordinary improvements.
The “before picture” and “after picture” are also a powerful way to make known the value of risk management.
We have risks in which no strategies or actions have been executed. In other words, we have a “before picture” of the risks. When we execute appropriate response strategies such as mitigating a threat, the risk exposure is reduced. Now we have the “after picture.”
Let’s look at one way to create pictures of our risk exposure for projects, programs, portfolios, and enterprises.
Say Cheese
The first step to turning risk assessments into pictures is to assign risk levels.
Assume that a Project Manager rates Probability and Impact on a qualitative scale of 1 to 10, with 10 being the highest. The Risk Score is calculated as Probability x Impact. Here is an example of a risk table that maps each level of risk to a risk score range.
Level of Risk    Risk Score
Very Low         < 20
Low              21 – 39
Medium           40 – 59
High             60 – 79
Very High        > 80
Figure 1: Qualitative Risk Table
Looking Good
Imagine a Project Manager facilitates the initial risk identification and assessment. The initial assessment results in fifteen Urgent Risks – eight “High” risks and seven “Very High” risks.
Figure 2: Number of Risks before Execution of Risk Response Strategies
We decide to act on the Urgent Risks alone and leave the remaining risks in our Watch List. The team develops risk response strategies for the Urgent Risks such as ways to avoid and mitigate threats.
Figure 3: Number of Risks after Execution of Risk Response Strategies
After the project team executes the strategies, the team reassesses the risks. We see a drop in the number of Urgent Risks (lighter bars). The team has reduced the risk exposure and improved the potential for success.
How to Illustrate Programs, Portfolios, or Enterprises
Now, imagine a Program Manager managing four projects in a program. We can roll up the risks of the four projects into a single view. Figure 4 below illustrates the comparison of the number of risks before and after the execution of the risk strategies.
Figure 4: Number of Program risks before and after the execution of risk response strategies
Of course, we can also illustrate risks in a like manner at a portfolio level or an enterprise level (i.e., Enterprise Risk Management).
Tip of the Day
When you ask team members to rate risks, it is important to specify whether they are assessing the “before picture” (i.e., inherent risks), the “after picture” (i.e., residual risks), or both. Inherent risks are risks to the project in the absence of any strategies/actions that might alter the risk. Residual risks are the risks remaining after strategies/actions have been taken.
Question: What types of charts or graphics do you use to illustrate the value of risk management?
January 2, 2015 at 1:47 pm
Harry
Thanks for taking the comments in the spirit they were intended. I suspect that the “gap” between us is not that large.
Your comment on (3) is helpful – and rarely indicated by anyone, including auditors (and risk registers do like their net and gross!)
Your (2) is pertinent and rather underplayed by approaches to risk culture which take the normal “tone at the top” line. It takes a skilled and politically aware person to cope with those who deny risk and uncertainty. To be honest I think that such people are unlikely to be convinced by either of our approaches. Companies run by such are just waiting to fail in the areas of solvency, liquidity or economic viability. All facilitated by more savvy competitors. Perhaps the better approach is to get out (if we can) – after a while it becomes a matter of professionalism and integrity.
I’m not too sure why you think my approach takes a long time (e.g. 2 years). Although I did not use your “imagine that…” approach I was thinking that “my” approach should be a proof of concept – and one where key metrics could in principle be tested. I mentioned the Kelly Criterion as one approach that has such a mathematical proof (of course in real world risk management we need to go beyond this but it’s a conceptual start). Panning does the same thing in the reference I mentioned.
Of course people who really want to avoid risk management will not be convinced by approaches that require sums. They will “cleverly” point out the gaps in your approach (just where was the actual value?) – and indeed mine. They will not be convinced by industry and cross industry studies. And we can’t run the same company with and without risk management.
January 2, 2015 at 10:45 am
Andrew, Thanks for all of the great comments. I have a couple of broad reactions:
(1) Your points are well taken but expensive and time consuming to implement. It may not be politically viable to say to an executive who asks “What are the tangible benefits of ERM” that the company must spend millions and wait two years to get the answer. Regardless of how much better that answer will be.
(2) Often the exec who asks that question is really not looking for an answer. What they really want is to get you to stop doing ERM. They may be the head of a business that has a high profit that becomes middling when risk adjusted, or they may prefer the freedom to make risk related decisions without interference from a new risk area. Or they may just not believe that any of the highly technical ERM stuff is of any worth, that experienced judgment has worked in the past and will work in the future as well.
(3) There are several levels of risk, not just 2. It really is possible to just collect premiums and put the money in a box. That is really without any mitigation. Which is equivalent to how Inherent risks are presented when they are physical risks. Not what anyone wants to hear about though regarding investment risk. Then there is the level of mitigation that existed before ERM thinking came into play. Putting the money to work with broad investment guidelines. Then there is the impact of risk management related thinking with limits and hedging and so on. There is no clear definition of that middle level. Also, some firms prefer to look at a level of “perfect” risk management where all insurance cash-flows have been exactly offset with investment cash flows – i.e. perfect replication.
January 2, 2015 at 9:57 am
Whoops – I forgot to add another point:
7) In moving from “before” to “after” the number of risks seems to have decreased from 37 to 30. Also the number of moderate risks has gone *down* despite only acting on the urgent (= high + very high) risks. Encouragingly the number of “low” risks has gone up, indicating some transfer between buckets.
January 2, 2015 at 8:37 am
An article with a useful title but it leaves uncovered key issues. Just some of these (noting that my points overlap):
1) Taking the probability and impact heuristic (often useful in e.g. deciding the focus of a particular risk management action / control) and implicitly assuming that risks are well described discrete probability distributions. Most “risks” are effectively continuous distributions – possibly with a point mass e.g. at 0.
2) Even taking a discrete example “risk” is not well defined without more precision. Consider rolling a single die; is the “risk” that of rolling a 6 (probability 1/6) or rolling at least a 5 (probability 2/6)? And that’s before considering items of corporate exposure to the “gross” or “inherent” risk and strategic rather than “just” financial impact.
3) Even if all risks were discrete distributions we’d still have the issue over “what level of risk are we assessing?” To cut to the chase, is this a “1-in-20” or “1-in-200” or something else? The point that many probability (distribution) assessments are judgements does not mean we can drop the point. Without resolving this, different “risk owners” will be assessing risks at different levels.
4) Putting 2 and 3 together, we can make lots of different statements about risk, many of which are (simultaneously) true. But which are most relevant? There are fundamental issues with probability-impact risk assessment as explained by Doug Hubbard and many others.
5) The idea of “inherent” or “gross” risk is at first attractive. It is also beloved of accountants and consultants who can look at the gross-net score, deduce what credit you are claiming for risk controls and then perform a “risk-based control assessment”. However there’s a huge issue: what really is an inherent risk? Consider an annuity provider. What is their inherent interest rate risk? Does it assume no derivative holdings? No immunisation? No cashflow matching? Does it assume we hold fixed interest, equities or put the money in “cash”? Perhaps inherent risk depends on assumptions. Is it a worthwhile concept *in practice*?
6) I love the idea of trying to show the value of risk management. But I’d be more specific. I’d look at expanding the Kelly Criterion (or an alternative if you have one) away from pure gambling and investments. I’d look at long run outcomes and accumulations (or discounting). In that context I would try to put some “science” around risk appetite, but using ideas such as the long run versus the short run, volatility and outcomes of a certain metric within (or at the end of) a nominated time period.
A good starting point – and despite its quality it is only that – is Bill Panning’s “Managing the Invisible” paper – highly recommended, with implications beyond its short term insurance examples.
Once we’ve (subjectively) decided what’s important to us we can get to work showing the value.
Happy new year to all!