Manual for a Risk Management System for a company

List of Content

Introduction

A. How can we early identify projects that can lead to problems in later phases? Describe a graded approach that considers risks and project size in a balanced way

B. How can we recognize early when a project becomes troubled?
Describe a graded approach including triggers and thresholds

C. What roles and responsibilities do we have to integrate in this process? Who can fulfill these roles (Assign roles to functions)?

D. How can the executive management be enabled to provide management support but, on the other hand will be spared with unneeded information and workload?

E. How can the effect be minimized that different functions have different and unbalanced opinions resulting from their job role?

F. Considering the fact, that you cannot reduce/minimize all risks, the management asks you to provide a suggestion to put aside a reserve for the “residual risk”. Following the insurance principle uplifts to all projects shall be . calculated

G. Develop a strategy on how residual risk uplifts can be spread over all projects in a fair and justified way

Literature

ITM-Checklist

Introduction

In risk management it is important to achieve a healthy balance between risk control and risk volume, meaning that the single projects within a company have to be categorised as processes according to their complexity and size. If this is accomplished it is possible to assess the ongoing and pending business projects without disproportionate effort.

The assessment of control effort will, above all, be made according to the volume which a project has to realise monetarily: A project having a significant sales volume will therefore experience special attention during risk control and in the graded risk control system it will assume a higher position than a project which shows a lower sales volume.

The company : The Company’s business is the implementation of commercial projects for clients (e.g. construction, plant engineering, IT system integration etc.). The revenue is about € 70 Mio / year and arises from about 140 projects. There is a profit problem.

A. How can we early identify projects that can lead to problems in later phases? Describe a graded approach that considers risks and project size in a balanced way.

In risk management it is important to achieve a healthy balance between risk control and risk volume, meaning that the single projects within a company have to be categorised as processes according to their complexity and size. If this is accomplished it is possible to assess the ongoing and pending business projects without disproportionate effort.

The assessment of control effort will, above all, be made according to the volume which a project has to realise monetarily: A project having a significant sales volume will therefore experience special attention during risk control and in the graded risk control system it will assume a higher position than a project which shows a lower sales volume. In the case of the company that has to be analysed in this paper, the single business projects are not only categorised according to their sales volume but also according to a system which shows their complexity.^[1] The degree of complexity, however, is directly proportional to the sales volume – therefore a closer inspection of the sales volumes can be left aside and, in the case at hand, it is sufficient to only refer to the degree of complexity as a measure for the determination of the risk control effort.

In order for a preferably early identification or categorisation of very risky projects to be possible, the single projects have to first be organized according to their degree of complexity and then be put to measures of a graded risk assessment which will be looked at closer in the following paragraphs.

Within the company the business projects are organized in three categories: complex, average and less complex projects. Complex projects are structurally defined in three phases: plan, design and implementation, whereas average complex projects are defined in the two phases plan and design and less complex projects are structurally understood as implementation only. The sales volume of these project categories is very unequally distributed: the complex projects make up 40 million of 70 million Euros sales volume. Therefore it is obvious that special attention has to be paid to these projects.

In order for an early identification of risky projects to be possible, the methods of risk assessment have to be used in a graded approach and have to be applied to the structure of the single project categories.^[2] The project category of less complex projects has to be generally assessed according to an indicator system from business experience; thus, for this project category, the focus of risk assessment can only be put in the run-up to the project’s start. In the case of the complex projects, the focus can be put on the processes during the project’s implementation so that a risk control on the level of project process becomes possible. For the average complex projects that make up 20 of 70 million of the company’s entire sales volume, a middle ground between those two methods will have to be found.

In conclusion it can be said that an early identification of risky projects is not possible in the case of the less complex projects. Here, only a general assessment can be made during a project’s run-up according to business experience and key figures. For complex and average complex projects, a procedural aspect can be brought to the analysis: complex projects can be submitted to risk control at several points of their implementation, particularly as they justify the greatest effort of risk control due to their sales volume.^[3]

B. How can we recognize early when a project becomes troubled? Describe a graded approach including triggers and thresholds

For the creation of a plan for risk control the methodic approach of a PM-toolbox is interesting.^[4] Such a toolbox contains qualitative and quantitative methods for the risk assessment of single projects as well as methods of allocation of the different tools to certain project categories. Such a toolbox has to be created according to the specific requirements of the company.

It has to be kept in mind that a toolbox does contain pre-defined tools with regard to project management – it can be used in a twofold way, however: Single tools can be applied to projects in order for certain management concerns with regard to risk assessment to be answered; on the other hand, the toolbox can also be used to create new project categories that generate new insights and thus enable a new view on the risk problem of the single projects.^[5]

In order for risk factors to be recognised at an early stage in on-going projects, a system of identifiers has to be developed that illustrates risk assessment as the simple identification of risk identifiers. In order to achieve this, two aspects will be of importance: a qualitative approach of risk identification and a quantitative approach. The qualitative approach can be realised by the determination of certain triggers: Projects will then only have to be checked for the existence of such trigger elements for an initial risk assessment to be possible.^[6]

On a quantitative level identifiers have to be found which determine thresholds which enable an assessment within risk control. These thresholds will above all be of a monetary nature and refer to project costs; however, it is also possible to introduce other quantitative measures, such as a project’s length, for instance, or the personnel and logistic effort. As identifiers, these non-monetary factors can certainly be expressed as monetary, however.

Furthermore it is possible to define the concurrence of relevant triggers and quantitative thresholds as special risk identification and to undertake appropriate grading. An early identification of high risks will, however, above all happen via the allocation of relevant triggers for which a model of risk constellation can also be developed. According to this model, a special risk can be determined on the basis of the constellation of certain triggers without taking into account the qualitative dimension of the projects.

Since the different project categories of our company suggest a graded risk assessment, less complex projects will only be searched for triggers; when it comes to complex projects, not only the simple representation of triggers will have to be applied, but also quantitative measures along with constellative aspects.

[...]

^[1] See Karkowski, Waldemar, International encyclopedia of ergonomics and human factors, London 2006, p. 1327.

^[2] See: Crouhy, Michel/ Galai, Dan/ Mark, Robert: Risk management. New York 2000, p. 87.

^[3] See: Conrow, Edmund H.: Effective risk management: some keys to success, Reston 2003, p.70.

^[4] See: Milošević, Dragan: Project management toolbox: tools and techniques for the practicing project manager. London 2003, p. 12.

^[5] See ibid.

^[6] See Black, Rex: Critical testing processes: plan, prepare, perform, perfect, New York 2003, p. 301.