Risk – what is it really?
Great game!
Seriously, we deal/handle risk situations all day, every day, in our domestic lives, making decisions and judgements based on instinct/intuition, and a bit of educated guessing, with regards to the risk of doing something, or not.
Yet in business change initiatives, meaning change that we pursue either as formal projects or operational changes, risk becomes something of a “hot potato”, something to avoid as much as possible, like a “virus”. The irony in that is that this is a big “risk” in itself!
Why is this – in both domestic and business the resulting impact of not evaluating risks could be as serious as life-threatening. Maybe this is why we tend to be more focused, as noted almost instinctively, on risks in our domestic lives than business.
The rest of this article is relevant to both environments, domestic and business – however, the emphasis today is more on the business change initiatives.
So, what is Risk
simply put (for the moment)
- something that MAY happen – an uncertainty
- and in the future – by this providing a “window of opportunity”
Window to do what, you may ask? time to MANAGE the risk
So, what is Risk, again
- A POTENTIAL ISSUE!
meaning – if we did not anticipate and so pick up an event that could happen/materialize during our change initiative timeframe beforehand and then it does materialize, then we have an Issue which we have to resolve, (reactive), as no plan is in place. This is a characteristic of an Issue, is happening or 100% about to happen.
When we identify this “potential issue” beforehand, it is still an uncertainty and so a Risk and we have the time to put some response, a plan, in place.
Risks and Issues are not the same thing, but they are linked. A Risk response could give rise to an Issue, if the initial response was either inadequate, believing it was, or cause some other incident, an issue, directly we had not considered. An Issue may also create a Risk, that is something that MAY happen, sooner or later, the “uncertainty” as a result of the issue itself or the resolution of it. And Risks do NOT become an Issue when they materialise. They are still tracked as Risks.
The reason for this is that a risk, in either a project or programme, could impact more than one deliverable or project, respectively, and should that risk materialize for the first one and then be moved to the issue register, the second or other deliverable/project would lose sight of it. And it certainly should not be in both registers as a Risk AND an Issue. This creates duplication and confusion!
Risk is an organization wide activity and responsibility and at ALL levels.
Strategic-Portfolio
Programme
Project
Operations (BAU)
Each of these areas will have specifically defined needs, however, there is a relationship between them all and a common policy that defines them all in relation to the Organization’s Mission and Objectives as a whole.
Strategic-Portfolio
– defines the Risk policy for the organization and this policy is supported by the process to manage Risk with the organization. The Policy takes into account the Organization’s Mission and Objectives and the context within which the organization operates with respect to the global and local environment. Such analytical tools like PESTLE and Porter’s 5 Forces help to inform and understand the organization’s “Capacity” and hence “Appetite” for Risk.
Programme
– which is a grouping of related projects for an overall transformation change, are seen as delivering the Strategic changes for an organization and hence will have Risk associated with that specific programme relating to its context to the wider Organizational strategy and “Portfolio” of change initiatives and BAU. For this there is the Risk Management Strategy, RMS, which will define how risk will be managed at this level, using the policy and guide as reference.
Project
– where Risk is about being able to achieve delivering the desired outcome, the Business Need, the Benefit, and so identifying any Threats or Opportunities, and again using the context of the Project to define and describe how risk will be managed at this level. As with programmes, using the Policy and Process guide as reference and producing the Risk Management Approach, RMA, (as now defined in PRINCE2 2017). From above, if the project is part of a programme, the RMA will use the Programme’s Risk Management Strategy as a reference as well.
Note that with programmes and projects, risks here are about achieving a successful delivery of the goal, the Business Need. Once the change initiative has completed the Risk are no longer valid for these environments!
Operations
– the BAU of the organization where it will earn its “Bread and Butter” if you like! So, whereas in Programmes and Projects, Risks are for the relevant specific timeframes, the Programmes’ and Projects’ lifecycles, (remember these change initiatives are temporary and so have a finite timeframe – operations is on-going), in Operations the timeframe is open and Risk management is an on-going activity. Of course there is a direct link to Programmes and Project because the changes coming from these initiatives usually, but not always, impact on Operations. However, the Operations Environment will have its own Risks to manage and so its own Risk Management Strategy/Approach that will define this. The process, tolerances, Probability/Impact grids and Escalations to name but a few. This will also take reference from the Policy and Process guide of the Organization. There is, therefore, a direct relationship with aspects of operational management such as Service management, being ITIL, or other approaches, that are employed in the Operational Environment.
So as you can see there is a keen interrelationship between the four perspectives and Risk as an Organizational responsibility. This means that it is important that culturally it is embedded into the Organization as a whole, as a responsibility for everyone and some will be accountable, especially the leadership team, to ensure that everyone is aware of their responsibilities, and this needs to be addressed from a positive and beneficial aspect for the individual and organization as a whole, which goes back to the start of this document:
