As individuals we all face a daily challenge to manage the risks that confront us more effectively. The choices we make, whether they are the methods of transport we use, the food we eat or the bets we place, are all surrounded by risk. Any review of a daily newspaper will identify numerous examples of risk occurrence from diverse spheres such as business, politics, entertainment or sport.
More importantly for business, how does an organisation with many potentially diverse stakeholder groups deal with the problems of risk management? How can one set of stakeholders, namely employees, manage risk to the satisfaction of the owners or shareholders? How does an organisation ensure risk management is effective?
Failures in risk management?
In our own industry there are numerous recent examples of risks materialising, leading to significant loss for the parties involved, including the collapse at Heathrow and the cost and programme increases on the Jubilee Line Extension. Are these failures evidence of poor risk management? If so, why? What measures can be put in place to reduce the possibility of similar events in the future?
And it’s not just tunnelling and the wider construction industry. Most of us will remember headlines from the past such as Maxwell, BCCI and Barings, and more recently Enron, Allied Irish Bank and WorldCom. Risks materialised in these organisations causing huge losses and, in some instances, the collapse of the business.
And what are the other consequences of such risk events on an organisation? Damaged reputations, impacts on unsuspecting third parties, increased insurance costs and reduced insurance cover, to name but a few. And yet organisations and their projects continue to fail to meet their delivery targets. Current and recent headlines include the Millennium Bridge, the Scottish Parliament and the British Library.
Of course, all of these are high profile, but there are numerous other projects that also fail to achieve project goals of time, cost and quality. Indeed, according to the UK’s Department of Trade and Industry (DTI) KPIs for the UK construction industry, in 2001:
The impact of all of these project failures, both the headline makers and those more mundane, can be significantly reduced if risk management is improved. In doing so we increase predictability, reduce risk events, implement contingency plans and ultimately improve the bottom line.
The problem for risk management
The problem for risk management, indeed the paradox, is the difficulty in valuing it. If we invest a significant amount of time and money on risk management training, systems and software, and subsequently find that many of our projects go without a hitch, just how much of this success is due to risk management?
Conversely, if we don’t invest in risk management but a project meets its targets, does this mean an investment was not required in the first place?
The fundamental problem is that risk is generally managed implicitly rather than explicitly. Our experience allows us to think through a sequence of events but we fail to share this with others. When a risk materialises, we may know what action to take but others may not.
In the past this may have been acceptable as long as the project went according to plan. Nowadays, it is essential that risk management actions are traceable in the event that the risks occur. Failure to be able to demonstrate effective risk management planning could prove to be detrimental in the event of an insurable event or claims situation.
All too often people perceive risk management as a secondary activity. It is considered a paper filling exercise that must be done because the rules say so. Often the consequences are that risks are not properly managed, planned for, or communicated, and when they do occur an inordinate amount of management time is spent fire-fighting the effects. The spiral continues – more time fire-fighting, less time spent risk managing!
It is only once improved risk management is in place and we can, with hindsight, look back on our project successes, that we can then begin to value risk management. So if we can’t value it, why do it?
Why manage risk?
It seems an obvious question, but why do we need to manage risk, and equally importantly be seen to manage risk? Cynically, we could ask ourselves why our approach should change simply because ‘risk management’ has become one of many industry buzz-phrases to join the ranks of ‘best practice’, ‘supply chain management’ and ‘partnering’?
There are increasing external factors exerted by stakeholders. Insurers can no longer afford to fund construction failures, sponsors and funders do not have a limitless supply of capital for projects, and clients expect to get what they pay for. Government regulation increases and corporate governance issues are constantly under review.
Perhaps the biggest external driver for the tunnelling industry is the recently published Association of British Insurers (ABI)/British Tunnelling Society (BTS) ‘Joint Code of Practice for Risk Management of Tunnel Works in the UK’ (T&TI, October 2003). This document requires that effective risk management is demonstrated before insurance can be put in place.
So even if you are not convinced that there is a need to visibly and effectively manage risk, others are. Furthermore, effective risk management processes can be put in place at relatively very little cost.
How to best manage risk
So what comprises good risk management? What is the key to success? Numerous guidelines such as the RAMP (Institution of Civil Engineers and Institute of Actuaries, 1998), BS6079 (BSi, 2000) and the Institute of Risk Management’s ‘Risk Management Standard’ (IRM, 2002) are all readily available and highly appropriate. Fundamentally, they all propose the same process: risk identification, risk analysis, responding to and monitoring risks. So while they all propose best practice in risk management, and provide a tool to be audited against, they don’t provide the key to effective risk management.
Perhaps successful risk management is achieved through use of one of the many off-the-shelf software packages, typically based around a Monte Carlo simulation. The acknowledged drawback to these systems is that they are entirely dependent on the information input into them. Many of us are familiar with the acronym GIGO – garbage in, garbage out.
However, experience suggests that a simple spreadsheet is all that is required to record risks, mitigation measures and residual risks. Bespoke risk analysis tools certainly look good, but at a basic level they are unnecessary. In fact, they can be decidedly dangerous as complicated, time consuming ‘new’ software packages are often avoided by overworked project managers.
Perhaps, then, the key ingredient is to appoint a dedicated risk manger, solely focused on risk analysis and management. But this defeats one of the essential factors of effective risk management, which is to integrate risk thinking into an individual’s every action. The project manager is the risk manager, and must take ultimate responsibility for risk management. Other project members also must be accountable for their own risk thinking rather than relying on colleagues.
So, what’s the secret?
Few will be surprised that, firstly, the success of any risk management programme is down to those individuals involved in it. It’s their experience, good and bad, that combines to determine a successful outcome. The ability to draw upon their familiarity with similar projects enables management to add value. There simply is no substitute for experience.
How do we transfer the knowledge derived from this experience to others within a project or organisation? Often, this knowledge and experience seem to be jealously guarded. After all, as the adage goes, ‘knowledge is power’.
So it’s incumbent upon those with the experience and reputation to spread the knowledge and give up some of the power. While societies such as the BTS and publications such as Tunnels & Tunnelling International go some way to assist in this, the best learning is done ‘on the job’, and it’s up to the project managers to ensure this happens.
Those with less experience can help to create the right culture to assist in this process, and it is this culture that is a second essential ingredient for effective risk management. By this we mean that individuals think about risk in every action they take, and their risk attitudes are aligned with each other and the organisation. Continual awareness of risk is essential. While monthly risk workshops with experienced colleagues are a useful tool, we must continue thinking about risk between workshops.
An open culture supporting continual questioning and testing must be developed and encouraged. We should find ourselves always challenging and asking “why?” and “how?”. If we sit back and always accept what we are told without understanding it, then we are all guilty of failure to do what we should.
In conclusion
So in the end, improved risk management can be achieved without a large expense that we would find hard to justify. While there is no doubt that effective processes are required, we do not have to reinvent the wheel, as suitable risk management guidelines are readily available. It’s not essential that we invest in the latest software to produce coloured matrices and pie charts so often loved by consultants.
Improvements can be made simply by developing a risk management culture throughout a project team or organisation, and it is the experienced project managers who must ensure this done. It is also incumbent on the rest of us to keep them on their toes and frequently challenge them.
If we can honestly make these modifications to our behaviour, then we are on the road to improving the way we manage risk and achieve the benefits this brings. The fancy software and the dedicated risk managers can all come later!
