Independent Enterprise Risk Management Assessment Versus a Typical Project Risk Assessment

Project Risk Assessments and Risk Management Assessments have proven repeatedly to be effective “tools” to ensuring the likelihood of a project achieving its performance, cost and time goals. For example, the Project Management Institute’s (PMI) Project Management Book of Knowledge (PMBOK®)⁽¹⁾ outlines a risk management process that has been effectively used by many industries. That PMI process typically includes the following key elements:

• Identification of the risks
• Performance of a qualitative or quantitative analysis (whichever is more appropriate for the project involved)
• Development of risk response plan(s)
• Implementation of those risk response(s)
• Monitoring of the risks

However, too often many project managers have difficulty in implementing these concepts in a practical manner.  Their difficulties may be the result of several factors: including their own inexperience; a lack of understanding by project team members as to what is “risk management” and why they need to be involved; misconception of the efforts involved to implement fundamental project risk management; misunderstanding that identification of project risks is not a “once & done” effort, etc..  An earlier Becht blog, Team Building As Part Of Project Planning & Management – A Dynamic And Proven Approach, outlined one way of potentially avoiding some of those “pitfalls.” This blog discusses another approach.

Enterprise Risk Management (ERM) has different meanings for different industries and individuals. The following are a sample (and by no means an all inclusive list) of those meanings:

• One definition was summarized by a management ERM practitioner⁽²⁾ as “ERM is defined as a rigorous approach to assessing and addressing risks from all sources that either threaten the achievement of an organization’s strategic objectives or represent opportunities to exploit for competitive advantage”
• In 2014, a joint effort between Nuclear Electric Insurance Limited (NEIL)⁽³⁾ and the Institute of Nuclear Power Operations (INPO) was undertaken to better identify enterprise risks for the nuclear utilities. As part of that effort, an enterprise risk was identified as a substantial loss in property damage or result in unplanned outage duration in excess of a defined period. The nuclear industry still applies these ERM concepts to their projects
• A professional organization⁽⁴⁾ has defined it as “ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders”

What is the difference between Risk Management and Enterprise Risk Management? – In a traditional risk management process, a project primarily looks at things that could adversely impact the project’s performance, cost and time goals; and, often the risks that are insurable. Another definition of risk management is “…the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities⁽⁵⁾. ERM, on the other hand, goes beyond project specific risks to include areas of risk (or exposures) that could impact the entire corporate enterprise and may not be able to be transferred through insurance. Also, one project management practitioner⁽⁶⁾ characterizes the differences as:

• Insurable vs. non-insurable (mostly)
• One-dimensional assessment (severity) vs. multi-dimensional assessment
• Manages risks one-by-one vs. analyzes material risks and how they relate
• Occurs within one business unit (“siloed”) vs. spans the entire organization (“holistic”)
• Reactive & sporadic (rear-view) vs. proactive & continuous (forward-view)
• Disjointed vs. embedded in culture and mindset
• Standardized vs. more nuanced and requires soft skills
• Risk averse vs. risk taking

Enterprise Risk Management (ERM) Findings/Observations

 Common findings from my experiences in independent ERM assessments include:

1. Enterprise risks were recognized; however, the concept of enterprise risk was not be embraced at all organization levels
2. The adverse impacts of “group think⁽⁷⁾” types of behaviors were repeatedly noted
3. Instances of “latent risks” (e.g., previously unidentified issues that may have a significant adverse impact on the project)
4. Identification of First of a Kind (FOAK) and First in A While (FIAW) elements were often missed
5. Risk registers were being used; but, not as effectively as possible. While most of the companies involved in a large complex project had some sort of risk assessment process that included development of “risk registers,” no project had a “truly integrated” risk register that included input from each of the key companies involved
6. Limited stakeholder involvement was noted in the identification of potential risks; as well as, identification and development of response/mitigating actions and contingency plans
7. Multiple instances were found where the utility placed too much confidence or trust in a vendor’s expertise

Examples of ERM observations in the “2019 The State Of Risk Oversight⁽⁸⁾” include:

1. Most executives perceive that uncertainties in the business environment are leading to more complex risks
2. Despite concerns about a number of potential risk issues on the horizon, few executives describe their organization’s approach to risk management as mature
3. External stakeholders expect greater senior executive involvement in risk management
4. About half of the organizations engage in formal risk identification and risk assessment processes. About one-half (46%) of the organizations have a risk management policy statement, with 49% maintaining risk inventories at an enterprise level. Just over 40% have guidelines for assessing risk probabilities and impact
5. While boards receive written reports about top risk exposures, there is some question as to whether the process used to generate the reports is systematic or robust

Benefits of an Independent ERM Assessment

• Allows use of individuals with ERM experience, familiarity with industry ERM “best practices,” and who are not constrained by any organizational “silos”
• Provides access to Subject Matter Experts (SME’s) who can identify potential risks or suggest possible risk resolutions not previously considered by the project team; especially risks that might adversely impact the entire corporate entity
• Utilizes individuals with significant project management experience especially with complex, multi-disciplined projects to ensure all of the appropriate stakeholders have been identified/involved
• Enhances development of unbiased opinions as to the adequacy of the current project’s ability to achieve the project’s desired goals and objectives
• Provides an opportunity to obtain a better understanding of the project’s specific risk management “pluses and minuses,” and a deeper insight into the adequacy (and shortcomings) of the organization’s risk management’s effectiveness
• Proves to be beneficial at various “stages” of the project’s “life cycle”

Conclusion  

The typical project risk management process/assessments have been and will always play an important role in assisting a project’s identification of risks and measures to assist in the mitigation of events (both foreseen and unforeseen) that would otherwise challenge the project’s performance, cost and time goals.

However, when the project has the potential to adversely impact the entire corporation’s future or “bottom line,” innovative approaches that depart from “the way we’ve always done it” should be considered and use of additional assessment methodologies is prudent to consider. Conducting an independent enterprise Risk Management Assessment, such as has been discussed above, has repeatedly been proven to minimize the “threats” to the parent corporation; and, the project.

References

1. PMBOK® Guide – Sixth Edition (2017) “A Guide to the Project Management Body of Knowledge (PMBOK® Guide)”
2. “Enterprise Risk Management – An Analytic Approach,” A Tillinghast – Towers Perrin Monograph (May 2000, Jerry Miccolis Tillinghast-Towers Perrin)
3. Nuclear Electric Insurance Limited (NEIL) is a mutual insurance company which insures all nuclear power plants in the United States as well as some facilities internationally.
4. “Overview of Enterprise Risk Management,” The CAS Enterprise Risk Management Committee, May 2003
5. “Risk Management,” https://en.wikipedia.org/wiki/Risk_management
6. “8 Ways Enterprise Risk Management is Different (…and Better) than Traditional Risk Management – Carol Williams” https://www.erminsightsbycarol.com/traditional-risk-management-erm-differences/
7. “Group Think,” Communication Theory – https://www.communicationtheory.org/groupthink/
8. “2019 The State Of Risk Oversight – An Overview Of Enterprise Risk Management Practices, 10th Anniversary Edition, Spring 2019 Authored by Mark S. Beasley (Professor and Director of the ERM Initiative), Bruce C. Branson (Professor and Associate Director of the ERM Initiative) and Bonnie V. Hancock (Professor of Practice and Executive Director of the ERM Initiative).

contact becht