“When you combine leverage with ignorance you get some pretty interesting results.”
To extend Warren Buffett’s sentiment, the greatest threat to effective risk management, therefore, is poor risk identification. Put simply, if we can’t discover and quantify risks then our exposure is neither visible nor manageable. This may be acceptable to small, contained project/investment teams who have a greater inherent understanding of the risk context, but it certainly should send shivers up the spine of any senior executive.
Business v Metaphysical Risk
Firstly, let us be clear that we are trying to identify business risks, not metaphysical risks. A business risk has a clear and direct impact in cost or time. A metaphysical risk might still, theoretically, be a risk, but without any effect that is directly quantifiable in cost or time it is not a threat to the business.
It stands to reason, therefore, that business risks can be uncovered from the Business Artefacts. The 5 core business artefacts are the Contract, Cost Model, Schedule/Plan, Architecture and, of course, the Risk Register.
Business artefacts are made up of business elements and should encompass all the discoverable things that could potentially go into a Risk Register. A business element is not necessarily a business driver, because business elements should be used to extend visibility in a project.
For instance, a construction company may be building a steel frame. The steel is the core component. Its price is a critical driver of cost and its arrival is a critical driver of the schedule. However, what happens when, upon inspection of the welds and joins, the company discovers that the steel is of poor quality? Insurances and liability clauses indemnify the company for loss, but it will never get all its money back, nor will it recover its schedule. In this real-life example the business would never have had any visibility over its supply chain risk. Steel quality would not normally go in the cost model because there is no cost of quality, i.e. it isn’t a cost driver, it’s a compliance factor. It should, however, go into the cost model as a business element in order to give visibility to the project team and allow them to draw out risks.
It is, therefore, vital that teams have as much visibility as possible into business drivers if they are to develop effective mitigation strategies. For instance, the business without full visibility into the elements of cost and quality will naturally use insurance to offset the risk from having to indemnify clients against faulty workmanship. The business with visibility into the elements behind the cost of steel, its delivery or its place in the business architecture will be able to put simple quality mechanisms in place to reduce its insurance costs. Will this come from the cost model? Possibly, but if not then such technical risk may be modelled or measured from the architecture (a topic we will look into later).
3 Criteria of a Risk
Just as not all business elements are business drivers, so too not all business drivers are risks. For a business element to be a risk it needs to meet the following criteria, i.e. it needs to be:
- HOT. Once the deal has started, the element needs to be running at a variance (negative or indeed positive).
- SENSITIVE. The element needs to cause volatility within the cost model or the schedule. It needs to cause exposure in the contract or significant problems within the architecture.
- WEAK. The element needs to exhibit some structural weakness. The structure may be a commercial structure, a financial structure, a technical structure or an organisational structure. The key point is that it must not be something that the business or agency traditionally recovers well from. For example, a business element might be running hot and it might be sensitive but if there is no inherent structural weakness in it then it’s highly likely that it is just following a standard pattern of variance trajectory.
A business element may evidence one or more of these criteria, but unless it fulfils all three then it just isn’t a risk. It may be a problem, or a potential problem, but it is not yet a business risk worthy of inclusion on a business’s Risk Register. After all, a business can only quantify tangible problems, not the metaphysical.