Risk is the price of progress
We cannot avoid risk in business or life.
The first reason we cannot operate “risk-free” is well understood - Risk and Reward. The level of risk is usually proportional to the potential level of reward available if that risk pays off. Therefore if we try to avoid all risks then we will probably obtain low (or zero) rewards. This might be acceptable in our personal lives but not to our stakeholders or shareholders if we lead an enterprise, department, project or organization.
"Risk-free" is just an illusion
However the second reason we cannot have a risk-free life, business or project is less well understood. Counter-intuitively even if we try to find and follow a totally risk-free path we are still equally likely to be a victim of risk. Only in this case it will be an unexpected risk which we did not identify or fully consider in advance. So if you think you have found a risk-free path you probably have not done your risk assessment properly.
Let’s take a fun example to clarify:
Imagine you are on a roller coaster ride with a possible break in the track between where you are now and the final station. The obvious mitigation is to jump off the roller coaster early but that carries with it a risk of being injured in the jump. The passive action which might be perceived as lower risk is to stay on the ride and hope for the best. The lattter choice could be seductively appealing as it is also the path of least resistance. Experience shows however that such passive or default paths are rarely the best options when confronted with risky situations.
Most risks are dilemmas
A useful technique here is to recognise that the most difficult decisions are actually dilemmas where a trade-off has to be made between two or more outcomes. The key thing about a dilemma is that, at least in the short-term, there is no pain free (risk free) compromise. In the case of the roller coaster example the trade-off is between the high possibility of a minor injury (jumping off early) versus the low possibility of death or serious injury (staying on). You can read more about dilemma identification and management here.
Dont confuse impact and likelihood
This simple example also highlights two other important characteristics of risk - the likelihood of a risk happening versus the impact of the risk if it does occur. Separating out these two characteristics (likelihood and impact) and not conflating them is a key aspect of effective risk analysis. More about this in a minute!
There are also two types of risk - elective risk and reactive risk
Elective risk (risks you proactively decide to take) leads us into the important topic of corporate governance. Lack of such governance can result in you betting your organization's future on the hoped for outcome of a single decision. For the latest thinking on the evolving discipline of Governance, Risk and Compliance (GRC) it is worth looking at the excellent free resources provided by OCEG - a non-profit thinktank dedicated to developing and promoting GRC globally in organizations.
According to OCEG there are 4 Key Components of GRC:
- LEARN about the organization context, culture and key stakeholders to inform objectives, strategy and actions.
- ALIGN strategy with objectives, and actions with strategy, by using effective decision-making that addresses values, opportunities, threats and requirements.
- PERFORM actions that promote and reward things that are desirable, prevent and remediate things that are undesirable, and detect when something happens as soon as possible.
- REVIEW the design and operating effectiveness of the strategy and actions, as well as the ongoing appropriateness of objectives to improve the organization.
Good governance starts with your stakeholders
As an example of some of the practical challenges of governance, we run a Supply Chain Business Simulation where teams must buy raw materials on the international commodity markets at a good price to fulfil both existing and anticipated customer orders. If you think the commodity prices are going to rise in the future you might stock-up now to get a better price ("buying long"). Conversely if you think the commodity prices are likely to fall then you might minimise your purchases now in the hope of buying them cheaper later ("buying short").
A team can do really well financially in any single year if they predict the commodity markets well in terms of future price movements. However they may have (inadvertently) “bet the business” on one or more of these long or short procurement decisions being right. They might have got lucky but they failed on their corporate governance responsibilities - their stakeholders/shareholders would not have been happy with the risk they accepted on their investors behalf!
In teams where this happens their leaders may have forgotten that they are a customer production business and have started to operate as if they were commodity traders instead - but without the right skills or balance sheet!
Risk Management is preparing for incoming risks
Reactive risk leads us directly into the field of Risk Management and it’s components - Identification, Assessment and Mitigation.
For example, in our XSIM (Business Acumen) or SPREAD (Project Management) Simulations, as part of a team’s planning, they are encouraged to conduct a risk identification exercise to determine their top priority risks and then decide what they might do to mitigate against them.
The effective management of Risk involves 4 interlocking disciplines:
- Risk Identification
- Risk Analysis
- Risk Mitigation
- Risk Management
Let’s look at each risk discipline in a little bit more detail
What are all the possible risks which could occur and negatively impact your up-coming project?
For each risk you have identified, what is the likelihood of it happening (low, medium or high) and the impact on your project if it did (also low, medium or high). Some people find it helpful to show this as a 3x3 matrix of likelihood and impact.
The screenshot above shows a 3x3 map created using our free Risk Analysis tool RiskMapp.
For your top priority risks, e.g. medium/high on both likelihood and impact, what can you do to either stop them happening (Risk Reduction) and if not then to lessen their impact if they do (Risk Resilience)
Now you must implement your risk mitigations and then periodically cycle round steps 1-3 to make sure your risk identification, analysis and mitigations are both current and effective. Adjust as necessary.
For more details on Risk Management see “A Systematic Guide to Project Management”.
Business Risks or Project Risks?
If you wish to test skills in managing Business or Enterprise risks then you should refer to our Business Acumen Simulations such as XSIM or YSIM which encourage teams to identify and prioritise risks and then mitigate them through Simulation decisions via Risk Reduction and Risk Resilience building. For the rest of this article however we will focus on Project Risks.
Learning Risk Management on the job is a high risk strategy!
It is like an airline pilot learning on the job with a real airplane, live crew and fare-paying passengers! Not a pilot most people would knowingly fly with!
With a configurable Simulation like SPREAD you can:
- Setup a typical project over an agreed time period (e.g. 12 weeks or 12 months)
- Configure a list of project activities which participants can choose from to do the project. Include good, non-optimum and undesirable activities in your list so that participants can learn from making poor choices. You also define the impact of each activity in progressing the project.
- Project Activities can be once-off or repeatable and can also depend on other activities. Dependencies can be “hard” or “soft”. Hard dependencies stop you selecting the dependent task, whilst soft dependencies allow you to run a dependent task but with its performance degraded. Like non-optimum and undesirable activities, soft dependencies allow participants to learn by making poor choices.
- You now design a schedule of potential “risk events” and when each can be triggered (unless mitigated first).
- You configure certain project activities to mitigate against each of these risks (as well as the activity’s other project impacts)
- You may have one project activity mitigating or partly mitigating more than one risk. If you wish, an activity’s mitigating effect can be expired so the activity needs repeated for its mitigating effect to become active again.
- You can have a risk which requires more than one activity to mitigate it. (Thus it is a many-many relationship between risks and project activities – just like the real world).
If the appropriate risk mitigating activities have not been selected before the risk event schedule is reached then the risk will occur and its impact will be felt in your project and you will be notified that the risk has occurred and what it means.
In the screenshot of the SPREAD Business Simulation Game (above) note the list of allowed project activities on the left side of the screen (configured for your typical project), your current risk management score on the gauge and the pop-up window advising you that you have missed the opportunity to mitigate a risk which has just occurred on your project with whatever specific consequences.
Risk Management or Corporate Governance are not the kind of skills you can get right first time or learn on the job!
These skills are ideally suited for learning experientially through computer-based Business Simulations or paper-based scenarios. Usually, but not always, it is best if these are team-based Simulations/Scenarios (rather than individually played ones) as risk management is very much a team activity. The closer these scenarios reflect the type of risks your managers are likely to encounter the better. You would not train a Boeing 747 pilot in a Spitfire Simulator!