Risk Management Experts

Having talked in previous posts as to why it’s important, and today how accessible it is for any size of organisation to adopt a healthy approach to risk, I’ll now take you through my top ten tips on how you can maximize your risk management programme:

1. Get buy-in
Risk management is not an optional extra. It is a business critical tool that is an asset and an integral part of the project. The company culture must be developed to embrace QRM (quantitative risk management) and DMU (decision making under uncertainty) in order that everyone understands their benefits and therefore accepts the need for them.

2. Get budget
Business tools cost money, but managing risk is an investment - not an overhead – and must be regarded as such. Allocating resource and making it a formal business process should be seen as an insurance policy.  Not only will it help organisations make better decisions that will save them money in the long term but, by identifying potential risks and adverse events, it can protect them against unexpected costs in the future.

3. Get words
As with any organisational change, it is essential that everyone is clear on the new processes. Therefore a common risk language – or 'glossary' – needs to be developed to avoid misunderstanding and to ensure a consistent approach to QRM and DMU.

4. Get numbers
Qualitative assessment is essential, but numbers are more powerful – for example the percentage chance of meeting a deadline or budget. Monte Carlo simulation random sampling provides the margin of error for a venture and is a good way to illustrate the consequences of different courses of action. Risk management experts must ensure everyone understands these figures, and accepts them.

5. Get structure
Managing risk in order to make better-informed decisions requires an appropriate organisational structure. Individuals and groups need clearly defined roles, and must then each take responsibility for their own area of expertise.

6. Get lateral
Every organisation has risks that it deals with on a daily basis and which must therefore be factored in to the decision-making model. However, no enterprise operates in isolation, so other external variables must be included. For example, even a small rise in fuel costs could have a major effect on revenues if raw materials need transporting long distances.

7. Get perspective
Political, cultural and social risk factors can be explored by involving all stakeholders.  Investing time and money in consultation and research ensures that businesses have a clear idea of the complete environment in which they operate, and therefore minimise the chances of products and services failing.

8. Get reporting
Risks, and the management of them, must be reviewed regularly – and the programme amended if necessary. This requires a regular reporting process, in which risks are clearly identified and prioritised.

9. Get with it
Being risk aware does not mean being risk averse. Businesses should guard against rigidly adhering to 'the way we've always done it' approach, instead keeping up-to-date, learning new tricks and not being afraid to be bold.  Although risky on the surface, these tactics prevent being left behind – much of the potentially uncertainty can also be removed with QRM and DMU.

And finally…

10. Get it documented
Back up the commitment to a thorough QRM and DMU programme with documentation. This validates the budget and buy-in requested at the start. And it’s good for business – organisations this thorough are guaranteed a competitive edge.

Craig Ferri
EMEA Managing Director of Risk & Decision Analysis

In a report issued last month, KPMG emphasizes the need for comprehensive, strategic risk management across an organization. Entitled “The Business Case for a Risk Executive: Leading Efforts to Avoid Surprises, Maneuver through Challenges, and Add Value,” the report notes that most current risk management efforts are specific to particular departments, projects, or regulations, and do not approach risk from an enterprise level. This had led to critical oversights and missed opportunities.

To address this gap, KMPG recommends the appointment of a risk executive. This person’s dedicated purpose is “to help prepare the organization to respond to change and the risks that emerge in changing times, and to turn those efforts into opportunities that benefit the organization.” More specifically, such an executive would unify risk approaches across business units and departments, standardize reporting, and establish a common risk “language.” (Note: Risk modeling software and Monte Carlo techniques play central roles in this effort.)

Expounding on the importance of risk management experts, the report concludes, "Without a risk executive, risk management efforts will likely continue to lag and hamper the organization’s effort to recover. But with a risk executive owning the process, risk management can move beyond a support role and help enable the organization to realize its strategic goals and rebuild business value."

» Read the full report (PDF)

In a previous blog, I presented a very simple way to allocate contingencies to uncertain cost elements in the project risk management process. However, that methodology works well when there are not risk events that affect a cost element or a group of cost elements.
A risk event is described by two elements: the probability of occurrence and the conditional impact to the project given its occurrence. For example, we have a risk that describes the possibility of a new regulation. If it occurs, it will increment the cost of group of cost elements by a minimum of 10%, most likely 15%, and a maximum 20%. If the risk does not occur, no impact will be observed. Using a Discrete and a PERT distribution, we can model such risk such as:



When sampling from this distribution approximately only 20% of the time will generate a multiplier with a minimum of 1.1, most likely 1.5 and a maximum of 1.2; in 80% of instances the multiplier will be 1. That means that only 20% of the time the risk will increment the cost of selected cost elements by the multiplier previously described as show in the figure below:



In addition to risk events in our cost risk analysis models, we often use distributions that describe cost uncertainties. These distributions model ranges are mostly in a different order of magnitude. Therefore, the variance will also be in a even greater order of magnitude. For example, the cost of Item 3 modeled using a 3-point estimate (i.e., min 100,000, ML 120,000, and max 150,000) has a variance of   87,698,412.70), while the variance of the risk event is 0.0036. 

If we are to distribute the contingency using the % of contribution of the variance method, the risk event that we just modeled will be ignored even though we know that such risk event has an impact that we cannot dismiss. Given this practical scenario, the method of variance contribution will not work appropriately.

As an alternative, we can use a tornado diagram that results from @RISK’s sensitivity analysis. Here we can use the regression coefficients to understand what risk events or uncertainties are affecting the total cost in a more drastic way. In the case that you also incorporated events that represent an opportunity to reduce cost, you will observe that the coefficient is negative; in your allocation calculations you should not consider negative coefficients.

In the figure below you can observe the Regression Tornado. Here risk events and uncertainties are represented in a scale that goes from 0 to +/-1:



Knowing the regression coefficient of each input that affects the total cost in a negative way, we can construct a table and obtain a normalized percent that can be used to distribute contingency. If for example, we have a contingency of $100,000, it can be distributed to each input proportionally to the regression coefficient as shown below.



Some risk management experts do not distribute the entire amount of the calculated contingency. It is common practice to distribute only a percentage of it (i.e., 70%). The remaining amount will be used as a reserve that will handle unidentified risks.

Javier Ordóñez, Ph.D
Director of Custom Solutions

Palisade is gathering trainers from our New York and London offices to present software training seminars next week at the 2009 Palisade Conference: Risk Analysis, Applications, & Training. The conference is set to take place on 21 - 22 October at the Hyatt Regency in Jersey City, 10 minutes by PATH from Manhattan's Financial District.

Take this convenient and inexpensive opportunity to learn from Palisade’s trainers and software developers. Learn how to use the elements of the new DecisionTools Suite 5.5 as a comprehensive risk analysis, optimization, and statistical analysis toolkit. See how each of the products in the Suite — @RISK, RISKOptimizer, Evolver, PrecisionTree, TopRank, StatTools, and NeuralTools — can be used to solve practical problems in the real-world.

The conference also features case studies demonstrating how to use @RISK and DecisionTools Suite, from risk management experts in the fields of finance, healthcare and pharmaceuticals, energy, oil and gas, DFSS and Six Sigma, project management, operations management, manufacturing, and more.

See the full schedule for the Conference here.

Next Week: October 21-22 in NYC

Building on the success of last year’s record-breaking event, the conference will offer a wide range of software training, model building, and real-world case study sessions. Last year, the event drew over 150 practitioners and decision-makers from a broad spectrum of industries. The @RISK and DecisionTools software tracks were more popular than ever. This year, we’re expanding software training with sessions that let you walk through examples and try the tools directly. This will enable you to take some new tips back to the office. Please join us in October for a great opportunity to learn and connect with colleagues.