I have been absent over the last few weeks due to taking some time off. So now that I am refreshed and back, let’s look at two questions concerning risks, as this is one of the key areas for any PMO.
Risk issues are largely static, not changing from year to year, so why do we need any change in the organizational approach to addressing risk?
The traditional risk silos are addressed by specialists who know exactly how to deal with their respective areas of risk.
The question of whether risk is static or dynamic is complex for several reasons. In a broad sense, the reason that there is risk is fairly static. However, what changes, and sometimes dynamically, is the mitigation of the risks. If we use a wedding as an example, the risks involved include such things as:
- Vendor no show
(the above is a partial list from table 20-1, pg 374, Daniels)
These events would be common to almost all weddings. Even an indoor wedding could be impacted by weather events. So the list of major risks for a wedding could be considered static. While the list of risks for a particular wedding can vary, the populations of risk events are pretty well defined for a wedding event.
The above can apply to businesses as well because companies have similar foundations regardless of size or market. They all have Finance, IT, HR, etc. departments that, just like the wedding example, have the same overall list of risks. IT departments are responsible for the company’s data, so they will provide backups and redundancies to mitigate the risk of data loss. There are companies like ‘Iron Mountain [that] provides highly secure facilities for both tape backup and archival purposes.’ (last para, ironmountian.com).
The perception that risk is ever changing and needs to be actively managed arises because the mitigation plan for a risk needs to be tailored to the entity that the risk will affect. So, in most cases it is the mitigation that will be unique, even though the risk itself is well known. Continuing with the wedding day example, mitigating the weather risk will vary greatly depending on the couple involved. Some may provide a covered area in case of rain, others may change the date based on sites like weather.com, which give you the chance of bad weather and typical temperatures, and there are many other methods based on the couple’s approach to the wedding.
This is true for business as well. Iron Mountain provides a wide range of services in order to match the type of mitigation plan each company needs. So while the risk of data backup and recovery is a static risk, the mitigation of that risk requires a very varied response, as each company has its own viewpoint on how the mitigation will work best for it. This is what makes risk management dynamic: not the risks themselves, but the mitigation of them.
The above shows how risks are somewhat static and mitigation is not. So how do companies (and couples) determine the correct mitigation plan for identified risks? With a wedding, the easiest solution is to hire a wedding planner. However, while this offloads many of the risks to a third party, similar to Iron Mountain, it opens up another risk if the planner is not a good one. Many organizations recognize this and so have developed associations to set standards and codes for their members to follow in order to reduce that risk. For wedding planners, there is The Association of Bridal Consultants (bridalassn.com), which helps couples reduce their exposure to a bad planner.
There are numerous other associations that help businesses find qualified individuals (and other firms) to help them formulate strategies and solutions to their problems. For helping with risk management, The Risk Management Association (rmahq.org) provides that framework. While this can help with the overall methods for risk management that the company wants to implement, it does not provide the expertise to determine the best specific mitigation for a given risk at a given company. So unfortunately this only provides half of the solution for good mitigation planning.
The specialist approach to each risk mitigation plan is not the best method to use. The best practice guidelines state that ‘Promoting an organizational philosophy and culture that says everybody is a risk manager’ (Treasury Board, Section C) is a key to effective risk management. So this would indicate that everyone throughout the organization should have input to determine what the mitigation plan should be, rather than a few specialists.
So a hybrid method is needed. As risks themselves are pretty stable, it is the mitigations that require constant monitoring, as things can change the situation. It was sunny this morning and now, at the afternoon wedding, it’s raining. So for the overall risk management plan, a specialist is needed (wedding planner) from a reputable source (typically an association). However, to come up with the best mitigation plan for a risk, everyone should be involved (family, friends, etc.). People that have a working knowledge of a company’s systems can have knowledge that an outside specialist (wedding planner) would not have. This could make all the difference in a successful mitigation versus a failed one. After all, a family friend may have a great location for a wedding, complete with a barn big enough for everyone in case the weatherman was wrong.
Daniels, Maggie, and Loveless, Carrie, Wedding Planning and Management: Consultancy for Diverse Clients, Butterworth-Heinemann, 2007, ISBN 0750682337, 9780750682336
Treasury Board of Canada Secretariat,