A Technical Note On Risk Management PDF

Document Details

Uploaded by JudiciousDetroit6938

The University of Western Australia

2007

Donna Fletcher and Susan Newell

Tags

risk management, project management, corporate governance, business strategy

Summary

This document provides a technical note on risk management. The note focuses on risk management in project-based organizations. It discusses the challenges faced by these organizations in capturing and transferring knowledge and learning across projects. It also examines the components of effective corporate strategy through risk management.

Full Transcript

907M43

A TECHNICAL NOTE ON RISK MANAGEMENT

Donna Fletcher and Susan Newell wrote this case solely to provide material for class discussion. The authors do not intend to illustrate either effective or ineffective handling of a managerial situation. The authors may have disguised certain names and other identifying information to protect confidentiality.

Ivey Management Services prohibits any form of reproduction, storage or transmittal without its written permission. Reproduction of this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to reproduce materials, contact Ivey Publishing, Ivey Management Services, c/o Richard Ivey School of Business, The University of Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail [email protected].

Copyright © 2007, Ivey Management Services Version: (A) 2007-05-24

Many question the point of new government-sponsored corporate governance codes and tighter standards for accounting and banking when the strategic errors made at the top of an organization can easily ruin the company. None of the existing regulations governs how a company should cope with the specter of strategic risk. Company strategy needs to be checked, but it can only be managed effectively if the management structure for monitoring and tackling strategic risks exists in the first place.

Business risks may arise from either internal or external influences and may be more or less under the control of the organization. For example, an unscrupulous employee may embezzle company funds; an information technology (IT) project may be significantly delayed, causing massive over-budget spending; or major flooding may cause a plant to have to shut down and thus lose customer orders.
Although nothing we do is risk-free, these problems are more likely to occur when lack of management awareness and/or lack of control of the potential risks is associated with a particular type of business. Safeguarding against these types of risk requires both financial and non-financial control systems that support risk self-assessment, early warning and timely issue escalation. Furthermore, critical information must be delivered in sufficient time for management to take action to either protect or enhance stakeholder value.

Given the importance of managing risks, then, the focus of the background literature provided in this note is the application of risk management from the narrow project level broadening to the organizational level, within the context of project-oriented firms. We begin first with the challenges faced by project-based organizations. In the process, the components of effective corporate strategy through risk management are considered.

The focus of this note is risk management in a project-based organization, that is, in an organization where the project is the primary business mechanism for coordinating and integrating all the main business functions of the firm.[1] The knowledge, capabilities and resources of the firm are built up through the execution of major projects. The project-based organization is intrinsically innovative and therefore able to cope with the evolution of production properties and respond flexibly to changes in client needs. However, project-based organizations face difficulties in capturing and transferring knowledge and learning across projects,[2] with each project having a tendency to “reinvent the wheel,” rather than learn from what has happened in previous projects.[3] This difficulty in learning from previous projects exists because the autonomy of a project from bureaucratic structures and processes provides its flexibility and at the same time limits the extent to which efficiencies can be effectively shared. This autonomy and independence can also work against the interests of corporate strategy and business coordination.

[1] Mike Hobday, “The Project-based Organisation: An Ideal Form for Managing Complex Products and Systems?” Research Policy, August 2000, pp. 871–893.

9B07M043

This document is authorized for use only in Prof. M P Ram Mohan & Prof. Viswanath Pingali's Senior Management Programme (SMP-BL13) 2024 at Indian Institute of Management - Ahmedabad from Apr 2024 to Oct 2024.

For example, in his research comparing project-based organizations to the more traditional matrix or functional-based organizations, Mike Hobday found that the project teams felt they had achieved a highly effective and professional approach to project management and implementation with strong team coherence and close identity with the project.[4] Project leadership and management were viewed as strong by team members, and internal communications proceeded well. However, Hobday also found that the lack of regular reporting to senior management created some tensions between project progress and corporate-wide strategies and goals. Lessons learned from particular projects were not shared formally because there were no structures or incentives for cross-project learning or communication. For a visual representation of the isolating barriers, see Exhibit 1.

Given this potential isolation of projects from the broader organizational goals, a need clearly exists to have effective risk management processes in place at both the project and the organizational levels to ensure that project team members do not engage in excessive risk-taking behavior that could have disastrous implications for the organization as a whole. In this literature review, therefore, we consider the literature on project and organizational risk management.
We then present the findings from our case analysis to develop a broader conceptual framework for approaching risk management in project-based organizations.

RISK MANAGEMENT AT THE PROJECT LEVEL

The literature on risk management at the project level is discussed within the framework of project management. The major steps involved in risk management of a project are risk identification, risk assessment and the processes of prioritization and response to the risks.[5] The authors note that risk communication is also very important in successful project risk management.

In a study of construction design management, Chapman[6] states that the way the identification process is conducted will have a direct influence on the contribution that risk analysis and management make to the overall project management of construction projects. The risk analysis stage of the project risk management process can be divided into two stages: a qualitative analysis sub-stage that focuses on identification together with the assessment of risk; and a quantitative analysis sub-stage that focuses on the evaluation of risk. The risk management phase is concerned with the monitoring of the actual progress of the project and the associated risk management plans. It specifically involves identifying, implementing and tracking the effectiveness of the planned responses, reviewing any changes in the priority of response management and monitoring the status of the risks.

[2] Harry Scarbrough et al., “Project-based Learning and the Role of Learning Boundaries,” Organization Studies, November 2004, pp. 1579–1600.
[3] Laurence Prusak, Knowledge in Organizations, Oxford: Butterworth-Heinemann, 1997.
[4] Mike Hobday, “The Project-based Organisation: An Ideal Form for Managing Complex Products and Systems?” Research Policy, August 2000, pp. 871–893.
[5] A. V. Thomas et al., “Modeling and Assessment of Critical Risks in BOT Road Projects,” Construction Management and Economics, April 2006, pp. 407–424.
[6] Robert C. Chapman, “The Controlling Influences on Effective Risk Identification and Assessment for Construction Design Management,” International Journal of Project Management, 2001, pp. 147–160.

Given the myriad categorizations of the elements of risk management at the project level, for the purposes of our focus study, we have organized them into three components:

1. Risk assessment (including risk identification and analysis)
2. Risk management plan (including risk response and controls)
3. Risk monitoring (including monitoring of the risk management plan, controls effectiveness and communication)

Studies of the application of project risk management have focused on one or several of these three components. Terry Williams[7] provides a bibliography of project risk management research and notes that historical evidence on projects shows failure to achieve targets. Research in this area tends to focus on the contract, since it determines who is liable for the risk and therefore has the motivation to vitiate the risk.[8] Success of project participation depends on who bears the risks, and on the vital role of risk analysis in informing the contractual allocation of risk. Similarly, authors Alquier and Tignol[9] focus on bidding by small- and medium-sized companies through the European Project Risk Management (PRIMA) project and find that risk knowledge captured at the bid phase supported by a precise definition of internal risk, project and enterprise performance measures and a decision support system leads to more success. Vrassidas Leopoulos et al.[10] also studied the bidding process in construction firms and conclude that those firms who strategically integrate risk management during the bidding process to determine whether or not to invest in bids end up with profitable projects.

According to Schwab and Schwab,[11] the most challenging aspect of project management is the proper management of risk, or the balancing of potential opportunity against possible loss. The major causes for problems in project management include inadequate controls that do not signal potential difficulties early enough and clearly enough, continuing incorrect assessment of the remaining potential risks or of risks based on wishful thinking, and management’s unwillingness to take swift and appropriate corrective action, even when a problem is apparent.

Exhibit 2 summarizes the prescriptive results of the literature on project risk management. Project risk management should begin at the bid phase of the project, continue throughout the life of the project, emphasize communication and training in risk assessment, reward innovation and include lessons learned in performance appraisals and the evolving risk management process. Finally, it is essential that the risk management structure fit within the overall project management infrastructure.

RISK MANAGEMENT AT THE ORGANIZATIONAL LEVEL

Organizations face multiple risks, specific to their business and general to the global markets in which they operate. That said, some industries are more prone to risk (e.g. financial services, environmental services and petroleum exploration) and some firms within these industries take on more risk than their competitors. Michael Walls and James Dyer[12] studied petroleum firms’ risk taking and performance. They note that although the finance theory of risk taking by firms posits return (i.e. shareholder value) for taking on non-diversifiable risk, in the presence of asymmetric or incomplete information and other market imperfections, firms will act in a risk-averse manner, at times avoiding risky opportunities. Consequently, rather than focus solely on maximizing shareholder value, managers attempt to reconcile the interests of all stakeholders, including themselves, employees, suppliers, customers and the communities in which they operate. The risk appetite of a firm is thus dependent on its risk culture. Kendrick[13] points out that a firm’s risk appetite is not static and is dependent on the organization’s risk culture. Managers are challenged by the risk attitude of the organization in its environment and whether the employees share the same risk attitude as the organization.

[7] Terry Williams, “A Classified Bibliography of Recent Research Relating to Project Risk Management,” European Journal of Operational Research, August 1995, pp. 18–39.
[8] Ibid., p. 28.
[9] A. M. Blanc Alquier and M. H. Lagasse Tignol, “Risk Management in Small- and Medium-Sized Companies,” Production Planning and Control, April 2006, pp. 273–282.
[10] Vrassidas Leopoulos et al., “An Applicable Methodology for Strategic Risk Management during the Bidding Process,” International Journal of Risk Assessment and Management, Vol. 4, Iss. 1, 2003, pp. 67–72.
[11] Bernhard Schwab and Helmut Schwab, “Better Risk Management: A Key to Improved Performance,” Journal of General Management, Summer 1997, pp. 67–75.
[12] Michael Walls and James Dyer, “Risk Propensity and Firm Performance: A Study of the Petroleum Exploration Industry,” Management Science, July 1996, pp. 1004–1021.

Until recently, risk management at the organizational level has largely focused on financial risks and their management (e.g. hedging through derivatives and insurance).
In a seminal article appearing in Harvard Business Review, Kenneth Froot and his colleagues[14] state that the role of risk management is to ensure that companies have the cash available to make value-enhancing investments, regardless of competitor strategy vis-à-vis hedging. Increasing long-term value (or earnings growth) is reliant on financial risk management.

A broader view of organizational risk management is currently referred to as enterprise risk management (ERM). According to Schneier and Miccolis,[15] ERM is a systematic approach to managing risk, which means that risk factors and mitigation programs must be considered on a business-wide basis, internally and externally. “Enterprise risk management provides an enhanced ability to identify and assess risks and establish acceptable levels of risk relative to growth and return objectives.”[16]

The Committee of the Sponsoring Organizations of the Treadway Commission (COSO) provides a framework for ERM that views objectives at the entity, division, business-unit and subsidiary levels, in four key categories: strategic, operations, reporting and compliance. At the same time, the framework focuses on eight interrelated components that are integrated with the management processes used to run a business: internal environment (mission, firm culture, corporate and governance policy), objective setting (strategic, operational, reporting and compliance goals and objectives), event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Exhibit 3 provides a useful cross-reference for the three elements of risk management at the project level, previously discussed, as they relate to the eight ERM components.

ERM has taken on renewed interest due to the Sarbanes-Oxley Act of 2002, which imposes regulations on public companies with respect to internal controls.
Both COSO and the Public Company Accounting Oversight Board (PCAOB) advocate linking the internal control efforts required by the act to specific risks a company faces to better focus its compliance efforts, thereby reducing implementation costs.[17]

[13] Terry Kendrick, “Strategic Risk: Am I Doing OK?” Corporate Governance, Bradford, 2004, pp. 69–77.
[14] Kenneth Froot et al., “A Framework for Risk Management,” Harvard Business Review, November/December 1994, pp. 91–102.
[15] Robert Schneier and Jerry Miccolis, “Enterprise Risk Management,” Strategy and Leadership, March/April 1998, pp. 10–16.
[16] “Enterprise Risk Management — Integrated Framework,” COSO, September 2004, p. 2.
[17] In August 2005, COSO released its exposure draft, “Implementing the COSO Control Framework in Smaller Business” for public comment. The guidance states, “A thorough and well thought-out risk assessment is a precursor to ensuring effective and efficient control activities.” In practice, then, implementation of 404 for small- and medium-sized companies appears to have a strategic risk focus. On May 19, 2006, panelists for the SEC/PCAOB Roundtable on Internal Control Reporting noted that external auditors improved their process with a top-down, risk-based approach and increased reliance on the work of others. See Exhibit 4 for a summary of Section 404.

Stephen Gates and Ellen Hexter[18] surveyed 271 executives from a variety of industries on their use of ERM and found that companies tend to begin measuring operating risks before they contemplate strategic risks. Financial risk comes first, most likely because it can be quantified.
Yet, practitioners report in the survey that engaging in strategic risk management gives a sense of the risk likelihood, the potential impact and the extent to which an issue is critical to a company.

According to Adrian Slywotsky and John Drzik,[19] even among the more advanced practitioners of ERM, the focus of enterprise risk management rarely encompasses more than financial, hazard and operational risks (or those risks that can be quantified). Most managers have not yet systematically addressed the strategic risks that can be a much more serious cause of value destruction.

Laurie McWhorter and colleagues[20] surveyed members of the Institute of Management Accountants Controllers Council and found respondents that use a strategic performance measurement system realize improved organizational performance, employee efficacy and an enhanced ERM system. The researchers define the strategic performance measurement system as a management tool combining financial and non-financial performance measures to reflect organizational strategy. It appears, then, that a hindrance to full implementation (and effective utilization) of ERM is the lack of performance measurement of organizational strategy and strategic risk management.

Jan Emblemsvag and Lars Kjolstad[21] define strategic risks as risks that arise during the pursuit of business objectives. They emphasize that risk refers to not only bad things happening but also good things not happening. The authors also state that many companies fail from not capitalizing on their opportunities. Strategic risk management is ultimately about being proactive — the effective business focuses on opportunities rather than problems. Combining firm characteristics and risks is a crucial aspect of risk management as well as strategy, yet is often not done in practice.
Similar to the lack of practitioner scrutiny of strategic risk management, Morris and Jamieson[22] find that there is a dearth of literature regarding the translation of corporate strategy into implementation, particularly at the program or project level. The authors note that strategic management is dynamic, ambiguous, complex, organization-wide and has long-term implications, hence both the need for further study and the deficiency.

Linking the literature on project and organizational risks, Slywotsky and Drzik[23] discuss project risks as one of seven major classes of strategic risk. The authors suggest that the best protection against project risk begins with a clear assessment of the project’s chance of success before it is launched, verifying the importance of risk identification and assessment.[24] However, they also argue that the risk of taking on each new project is reduced by incorporating the knowledge and customer relationships the company developed in the previous project, suggesting a crucial link between the project and the organizational levels, a link that in practice is often difficult to forge.[25]

Performance outcomes, as a feedback to both project management programs and strategic risk management, thus appear to be essential to successful corporate strategy. Project risks can only be effectively ameliorated if the risk management process is linked to the broader strategic goals and if there is learning from past experiences of situations in which risks were not mitigated. At the same time, a key problem in project-based organizations is that the autonomy of each project isolates it from the broader organizational context, making the sharing of lessons across projects often very problematic.

[18] Stephen Gates and Ellen Hexter, “From Risk Management to Risk Strategy,” Conference Board Research Report, No. R-1361-05-RR, 2004.
[19] Adrian Slywotsky and John Drzik, “Countering the Biggest Risk of All,” Harvard Business Review, Vol. 83, No. 4, 2005, pp. 78–88.
[20] Laurie McWhorter et al., “The Connection between Performance Measurement and Risk Management,” Strategic Finance, February 2006, pp. 50–55.
[21] Jan Emblemsvag and Lars Kjolstad, “Strategic Risk Analysis — A Field Version,” Management Decision, Vol. 40, No. 9, 2000, pp. 842–852.
[22] Peter W. G. Morris and Ashley Jamieson, “Moving From Corporate Strategy to Project Strategy,” Project Management Journal, Vol. 26, No. 4, December 2005, pp. 5–18.
[23] Adrian Slywotsky and John Drzik, “Countering the Biggest Risk of All,” Harvard Business Review, Vol. 83, No. 4, 2005, pp. 78–88.
[24] A. V. Thomas et al., “Modeling and Assessment of Critical Risks in BOT Road Projects,” Construction Management and Economics, April 2006, pp. 407–424.
[25] Harry Scarbrough et al., “Project-based Learning and the Role of Learning Boundaries,” Organization Studies, November 2004, pp. 1579–1600.

READINGS

Jan Emblemsvag and Lars Kjolstad, “Strategic Risk Analysis — A Field Version,” Management Decision, Vol. 40, No. 9, 2002, pp. 842–852.
Stephen Gates and Ellen Hexter, “The Strategic Benefits of Managing Risk,” MIT Sloan Management Review, Spring 2006, 6–7.
Kenneth Froot, et al., “A Framework for Risk Management,” Harvard Business Review, November/December 1994, pp. 91–102.
Mike Hobday, “The Project-based Organization: An Ideal Form for Managing Complex Products and Systems?” Research Policy, No. 29, 2000, pp. 871–893.
Alan Levinsohn and Kathy Williams, “How to Manage Risk — Enterprise-Wide,” Strategic Finance, November 2004, pp. 55–56.
Thomas Peltier, “Risk Analysis and Risk Management,” EDPACS, September 2004, pp. 1–17.
Laurence Prusak, Knowledge in Organizations, Oxford: Butterworth-Heinemann, 1997.
Bernhard Schwab and Helmut Schwab, “Better Risk Management: A Key to Improved Performance,” Journal of General Management, Summer 1997, pp. 65–75.
“Sentencing Guidelines,” Chapter 8, Guidelines Manual, November 1, 2004, available at http://www.ussc.gov/guidelin.htm, accessed January 2005.
Adrian Slywotsky and John Drzik, “Countering the Biggest Risk of All,” Harvard Business Review, Vol. 83, No. 4, 2005, pp. 78–88.
Michael Walls and James Dyer, “Risk Propensity and Firm Performance: A Study of the Petroleum Exploration Industry,” Management Science, July 1996, pp. 1004–1021.
Terry Williams, “A Classified Bibliography of Recent Research Relating to Project Risk Management,” European Journal of Operational Research, August 1995, pp. 18–39.

Exhibit 1

CHALLENGES TO PROJECT-BASED ORGANIZATIONS

Source: Mike Hobday, “The Project-based Organization: An Ideal Form for Managing Complex Products and Systems?” Research Policy, No. 29, 2000, pp. 871–893.

Exhibit 2

PROJECT RISK MANAGEMENT: PRESCRIPTIVE GUIDELINES FOR SUCCESS BASED ON THE LITERATURE

Source: created by author from research and interviews at Tetra Tech.
Exhibit 3

RISK MANAGEMENT PROCESSES RELATIONSHIP TO THE COMMITTEE OF THE SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION (COSO) ENTERPRISE RISK MANAGEMENT (ERM)

Columns: COSO ERM; Risk Assessment; Risk Management Plan; Risk Monitoring

Internal environment ×
Objective setting ×
Event identification ×
Risk assessment ×
Risk response ×
Control activities ×
Information and communication × ×
Monitoring ×

Source: created by author from research and interviews at Tetra Tech.

Exhibit 4

SUMMARY OF THE PROVISIONS OF THE SARBANES-OXLEY ACT OF 2002

Section 404: Management Assessment of Internal Controls.

Requires each annual report of an issuer to contain an “internal control report,” which shall: state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and contain an assessment, as of the end of the issuer’s fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each issuer’s auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

The language in the report of the Committee which accompanies the bill to explain the legislative intent states, “... the Committee does not intend that the auditor’s evaluation be the subject of a separate engagement or the basis for increased charges or fees.”

Directs the SEC to require each issuer to disclose whether it has adopted a code of ethics for its senior financial officers and the contents of that code.

Directs the SEC to revise its regulations concerning prompt disclosure on Form 8-K to require immediate disclosure “of any change in, or waiver of,” an issuer’s code of ethics.

Source: Center for Public Company Audit Firms, http://cpcaf.aicpa.org.
