Risk management strategies for business

Abstract

Risk is a multifaceted phenomenon that virtually exists in all organizations. Some organizations even base their existence on risk. Such organization as stock markets, venture capitalism and insurance agencies rely on risk to create financial opportunity. Other organizations such as health institutions are very risk-averse and thereby rely on established traditions and practices to reduce uncertainty of project’s outcomes. Whichever the approach to risk, it can be asserted that all types of organizations require a strategic plan to manage risk. Most guidelines of project risk management advice the employment of successive steps in the creation of a risk management strategy. The recommended sequence for this successive management steps begins with establishment of risk, measurement and ranking of established risks, planning on the responses to these risks and ultimately the implementation of the entire strategies. Communication is however at the center of the entire strategy since sharing of information to link the above successive steps. Nevertheless, organizations could also reduce the likelihood of risk occurrence by adopting certain recommended practices such as identifying potential risk through brainstorming of all team members on their past experiences.

Risk Management Strategy

Organizations often base their projects to their company objectives and their strategic plans. However, the uncertainties and dynamics of the real world may hinder companies from implementing their projects and consequently their strategies. Risk management involves maneuvering the dynamics and uncertainties to inform organization decision making processes to ensure successful delivering of company projects. Therefore, risk management has become a vital factor in business success for projects and entire organizations.

Even with the recognized importance of risk management, it is also true that implementing it involves laborious undertakings such as research of all the projects’ factors. The primary priority of most project managers is the realization of an effective risk management strategy (Hopkinson 2012). Nonetheless, such knowledge has not always been salient and only became conventional after the corporate world experienced several financial crises in the 21st century.

This project will thereby provide a definition of the concept of risk, how risk can be measured, ranked and finally how a risk management strategy can be constructed for successful implementation of a project.

The Notion of Risk

Since the dawn of mankind, the events that have unfolded on a daily basis have been a source of risks that humans have processed through the emotions of fear and insecurity. Human has thereby developed a coping strategy that informs them when something bad is about to happen (Bernstein & Bernstein 1996). For years, people were divided into the approaches to action when this emotional fear was involved. In essence, the choice was boiled down to fight or flight. However, as mankind progress, better ways of mapping out possible results of an action resulted in a scenario whereby one could take on a risky venture since he or she has projected the possible outcomes of the venture and developed mitigation measures in advance.

Through this knowledge, mankind got better at putting itself in a risky situation such as hunting big game without fear of death (Andrews, Bonta & Wormith 2006). The notion of risk that comes from real life situation such as the one described above is not different to the notion of risk experienced in the corporate world. The main difference between the two scenarios is that in a business setting, risks are tied to threats that managers need to stave off to maximize opportunity. Researchers have provided different definitions of risk. Therefore, while some authors could argue with others on whether certain types of risks exist, it is invariable that risk will always be associated with uncertainty connected to future events. This project will use a working definition of risk provided by (Galati & Tsatsaronis 2003). The author asserted that risk is a situation where a possibility that presents itself in the present and has a direct correlation with a deviated outcome in the future.

Different types of organizations approach risks from different perspectives. While some try to minimize risk at all cost, other induces risk since they are often related to rewards (Manning, Basu & Mullahy 2005). An organization that maximizes risk are referred to as risk-seeking while those that minimize it are referred as risk-averse. Examples of risk-averse organizations include the government, the health sector, and chemical industries. Most business moreover, also often falls in this category. Risk-seeking organizations include high performing business companies, venture capitalists, and entrepreneurs, what differentiate these organizations concerning risk is that risk is sometimes associated with reward (Skinner 2008). Thereby, high performing business companies will engage in risk-seeking behavior that gives them more reward than most businesses. The most venture capitalists and successful entrepreneurs in the world started off with an alien idea whose uncertainties were staggering high. However, it is not always the case that high risks will yield high rewards. An example lies in the health sector where uncertainties are frowned upon, and the players in this industry prefer proven methods over novel ones (Irwin, Grit & Chase 2004). The differences in approaches of risk thereby determine where an organization lies on the risk aversion spectrum. Before determining their approach to risk, organizations fast consider their business factors with emotional, political, social and financial in mind. Most 21st century organizations prefer aversion to risk and only take risks when the cost of doing otherwise beats the cost of taking the risk. Nevertheless, other companies see that there are opportunities involved with risks. Such a scenario may be like winning a war when nations may see that loss of life is a risk that they are bound to take if they value victory. In such instances, organizations tend to reduce the involved risk to achieve the projected reward (Gompers & Lerner 1997). This is the cornerstone of project management. However, before risks are eliminated, managers have to identify them, measure, ranked and ultimately mitigate them.

Measuring Risks in Management

Human beings have seen the dawn of time tried to stave off uncertainty and risk albeit in objectively ineffective ways. For example, people in the ancient days responded to risk through prayer, sacrifice and even acceptance of their fate. The idea of God was heavily used for consolation purposes when their fates betrayed them. Divine Providence was used to intervene on their behalf; they believed that to get a positive outcome, one had to appease spirits of their ancestors contrary to which bad outcomes would haunt them (Bernstein & Bernstein 1996). In these ages, the risk was not quantified for their belief in predestination and non-changeability of fate was firm with them. As humanity progressed through the Greek, Chinese and Roman civilizations, the calculation of probability become more common. The Middle Ages became the first time that human sued mathematics to quantify risk. This was when the Pacioli Puzzle was used to calculate the probabilities of winning a dice game. Blaise Pascal developed the Pascal triangle to calculate the probabilities of winning games with equal odds. The use of probabilities was streamlined by antecedent by Fermat and Bernoulli who came up with the Fermat principle and Bernoulli’s effect respectively (Bernstein 1996). Bernoulli theorized that when randomly sampling coin flips, the proposition of tails to head approach 0. 5 with an increase in the volume of coin tosses, thereby, laying the foundation for population properties generalization. In 1738, Abraham de Moivre developed the normal distribution which has since become critical in measuring probability in the modern age (Bernstein 1996). In this method, about 60% of the plotted data lies in a single standard deviation of the data mean, 95% lies in double standard deviation while 98% lies in triple standard deviation. The works discovered above lay the foundation for more complex risk measuring technique such as life tables. For example, in life tables, it is estimated that for a population sample in the year 1670, 64 out of a 100 people reached six years. However, only one person in a hundred reached 76 years. Life tables were somewhat defined to calculate life annuities and other actuarial measurements of risk (Hart, Michie & Cooke 2007). In actuarial risk calculation, companies calculate the probability of an insured risk and then indemnify investors upon the event of realization of such a risk.

This project’s section will, however, give examples of risk calculation concerning financial market since such methods can be extrapolated to almost any other modern industry. There are several ways in which risk in an organization can be measured. The most common way is the use of standard deviation (Wilson 1996). A standard deviation is a form of measurement that quantifies the dispersion amount within a data set. When financial data or data of any kind is mapped, such dispersion can then be figured out. An example of how risk can be measured through the use of standard deviation is through the computation of volatility versus uncertainty (Rockafellar & Uryasev 2000). For example, in a stock portfolio optimization that assumes that a certain company’s stocks will yield a 12% return and 15% standard deviation, the 15% is either interpreted as the volatility of these stocks over the period or as uncertainty measure attached to the 12% return. In the initial case, the total return is estimated over the entire time followed by additionally estimating the returns value under smaller time frames (Avellaneda & ParÁS 1996). The next case, however, estimates the total return and provides the level of confidence, or lack of, that an investor has overestimated return. In essence, the first case provides two focused while the other provides a single estimate and a disclaimer on the estimated value.

For instance, when one wants to differentiate between uncertainty and volatility, one should consider differences between a decade old bond and a capital partnership with a decade old capital lock up. For the bond, the certainty of return is guaranteed, but the investor is aware of the high volatility the bond has (Moschini & Hennessy 2001). The venture capitalist, however, has no volatility due to the unmarketable nature of his investment but still suffers substantial uncertainty. The above examples provide two approaches to risk characterized by organization attitude towards risk. For example, air travel, the medical sector, and government prefer to liken risk to uncertainty while in the capital investment, the risk is volatility (Carson, Madhok & Wu 2006). The above example also shows that over long periods of time, organizations can be more confident about their risk measurement techniques when compared to measuring risk in the short term.

Ranking of risks

Some types of risks differ from each other in terms of their severity. This is an important phenomenon to consider since a risk that has lower probability may pose more danger to an organization if its severity is high compared to another types of risk that has higher probability of occurrence but lower severity (Hillson 2002). The discipline applied to balance significance of risks is referred to as risk ranking. It can be done by application of different sets of tools. However, risk matrices are the most commonly employed of the tools. The matrix has likelihood of occurrence and consequence of the risk as its axis. It gives managers an impression of the risk’s significance by helping him determine the amount of resources that should be input into managing the risk. When constructing a risk matrix, managers should first determine the intended purpose of the matrix. Acceptability levels or risk tolerance levels should be established so as to determine the severity of potential future events (Hillson 2009). Typically, a risk matrix resembles the table below.

Certain

Likely

Possible

Unlikely

Rare negligible Marginal Critical catastrophic

The columnar axis of the matrix above represents a probability range that list events with respect to increasing likelihood of occurrence from ‘ rare’ to ‘ certain’. The horizontal axis represents a consequence range that list events with increasing severity upon occurrence from ‘ negligible’ to ‘ catastrophic’ . Negligible events that also fall into the rare category have the list severe impact upon project. Thereby, they are ranked lowest. Inversely, catastrophic event that also fall into the certain category are the most severe risks and are thereby ranked highest. Events that lie in between the two have an increasing degree of severity. Managers should thereby come up with a threshold for determining each project’s risk tolerant. To demonstrate the above risk ranking method, this paper proposes an example where each event will be replaced with a monetary value. The above ranking method is intuitive due to its color coded nature. The warmer part of the matrix represent increasing severity whereas the cooler parts represent decreasing severity. Managers should therefore aim to strike a balance along the range of the matrix to establish an effective risk tolerant threshold. For instance, negligible risk will be given a monetary value range between $2000 and $10000. marginal risks will be given values between $10000 and $200000. Critical risks will be given values between $2000 and $1000000 whereas catastrophic risks will e given value above $1000000. After inputting the above case scenario into the matrix, the ranking of risk results as follows.

Rank Range Loss ($) Description of the loss

4 Catastrophic More than 1000000 • Death and/or permanent disability to employees

• Irredeemable environmental damage
• Dissolution of business
• 3 critical Between 200000 and 1000000 Partial disability or injuries and/or illness to more than 3 employees
• Redeemable environmental damage.
• Violations of laws and regulations
• 2 marginal Between 10000 and 200000 Illness or injury that results into loss of work days.
• Placable damage to the environment
• 1 negligible Between 2000 and 10000 Minor injury and/or illness to employees that results into a singular loss of a work day.
• No violation of regulations or laws occur.
• Minimal or little environmental damage.

Since a risk matrix is two dimensional, two tables are required to map out both the probability ranking and the consequence ranking. Just as the consequence ranking has been performed above, monetary value will be given to the range of probability to provide a mathematically based ranking. The range thereby run from 1 to 5 to represent improbable, remote, occasional, probable and frequent. By combining the two tables, one can get a clearer ranking of a risk based on both consequence and likelihood. Managers can then deduce the risk tolerance of the project towards certain risks. For example, a risk that has a consequence rank of four and a likelihood ranking of certain, would not be tolerable for any project while that that has a consequence ranking of one and a likelihood ranking of two is addressable through adjusting of the project parameters or the organization policy.

Rank Range Probability within a business’s life description

5 Certain Once in every two years Continually experienced

4 Likely Once in every four years Frequently occurs

3 Possible One in every six years Occur several times

2 Unlikely Once in every twelve years Reasonable expectation for unlikely occurrence

1 rare Once in every twenty four years Unlikely occurrence, impossible

Project Risk Management Strategy

The end game of a project risk management strategy is the minimization of negative incidences and minimization of negative events during the course of a project. It is iterative owing to the fact that it begins at project commencement, continues through the project’s lifecycle and ends during the project termination. It maps out the risk factors outlined in the risk management program of the organization. Construction of a risk management strategy follows four steps. These include:

1. Elucidation of the strategy’s objectives
2. Assessment of the risks connected to different project areas.
3. The risk management process
4. Decision making throughout the process of risk management

A sample risk management strategy

After evaluation of the above risk management process, the following steps will be used to construct our own risk management strategy.

1. Identification of risk
2. Risk measurement and risk ranking
3. Planning the response to risk
4. Implementing the response to risk
5. Communication

The first four steps are sequential and successive whereas the fifth takes place between all of the four. Each step has inputs, processes and outputs.

Identification of risk

The inputs of this step are activity analysis, stakeholders map, lessons learnt, organization object and issues that crop up during the project timeline. The processes and technique used to identify the risk include checklist, group technique, questionnaire, risk description and constraints analysis. The output of risk identification will be the risk register and early warning indicators. The output of this stage will give three dimensions that will define the risk. The first dimension will explain in detail the risk sources which are also known as drivers. The second dimension will be a detailed explanation of the impact associated with the identified risk. The last dimension will classify the risk as either a threat or an opportunity.

Measuring and ranking of risk

As previously discussed in this paper, risk measurement and risk ranking are crucial in project management since they help managers to assess the severity of projected risk. To craft the severity of the identified risks, the following factors should be considered.

• Each risk is associated with either threat or opportunity
• The risks’ impacts should be based on the project’s objectives
• The expected time of risk occurrence should be calculated.
• The value of loss should moreover be calculated
• The inputs of this process will be risk register and early warning signs derived from the outputs of the previous state.

The techniques and processes to be implemented will include probability trees, risk matrices volatility versus uncertainty assessment, probability impact grid, Pareto assessment and expected value assessment. The output of this stage will be an update of the risk register. To convert the rating and measurement of risk into computable figure, the following formula will be used:

RMV = P*RIV

RMV = Risk Monetary Value

P = Probability of occurrence

V = Risk Impact Value

Planning of the risk response

There are many possible responses that a manager may come across in the event of encountering a risk. Difference in approach to risk response is determined by the nature of the risk whether the risk is opportunity or a threat. The table below shows a summary of possible responses that a manager may choose from.

Opportunity responses Threat responses

Exploit the impact of the risk Avoid

Enhance the impact of the risk Reduce the probability of risk impact

Reduce the impact of the risk

Transfer the financial impact of the risk

Share the impact of the risk Share the financial impact of the risk with others

Reject the impact of the risk Accept the financial impact

The inputs of this stage are the risk profile summary from the previous stage output, the risk ranking and dependency, the update risk register and insurance policies. The techniques and processes to be cost benefit-analysis and decision trees. The output of this stage will be the risk owner, the risk auctionee, the risk register update and the risk response planning.

Implementation of the risk response

This is the process where the drafted risk response plan is put into action. The outputs of the previous stage will define the implementation strategy as follows:

Risk owner- this is identified in planning stage of the risk management strategy. The individual is held accountable for controlling the risk and other aspects of management such as controlling, implementing and monitoring risk responses.

Risk auctionee- the individual is given the sole mandate of carrying the action plan. The action plan derived from the risk response plan.

Communication

Communication binds or the other four processes together through the creation of feedback loops. Several types of document are involved in the communication process of a project’s risk management strategy. They include:

• Highlights- these are publication reports showing the progress of a project with inclusion of completed subprojects, sub-projects pending completion and the performances of these sub-projects in terms of quality, cost and time.
• Checkpoints- these are typical reports published in the midst of different project packages executions.
• Lesson learned- this are detailed report on the progress of the project with the inclusion of successfully realized objectives, failures of objective realization and potential mitigation strategies to these failures.

Best practices in minimizing risk in projects

• Several rules should be considered as primary when one wants to minimize occurrence of risk in a project.
• Identification potential risk in the project’s beginning- Potential risks could be identified through the input of the project’s team from their knowledge and past experiences. It could also be brainstormed from all the missed opportunities of projects that did not reach fruition.
• Communication throughout the project should be clear- communication about risk should be performed effectively through solicitation among team members in frequent periodic meeting. The project’s sponsors should also be included in the communication process for them to provide the necessary resources that risk management process requires. Opportunities and threats should be considered during risk assessment. Risk often possess a negative connotation thereby likening them to threats. However, since opportunities also exist in the form of risks,
• Prioritize risk- since risks differ in their degrees of significance and severity, those with higher impacts and probabilities should be given precedence.
• Develop effective responses to identified risk- appropriate responses should be developed to provide strategies to reduce probabilities of risk occurrence, manage risks upon occurrence and ensure that opportunities are capitalized.
• Record all encountered project risks- this could be helpful for reference purpose during future projects since managers can borrow the strategies that worked and apply them to the current risk scenario.

Conclusion

The occurrence of risks is unescapable event in any project. This is since projects are future oriented and the future is rife with uncertainties. Therefore, project managers do not only need to develop means of combating the harmful effects of risks but also need to come up with ways of capitalizing on the positive effects of risks. Risks management has been the result of years of trial and error approaches to dealing with risks. The current world however has at its disposal techniques that assist in the process of risk management in terms of identification of risk, measuring, ranking, planning and implementing strategies. Organizations should invest in a team of individuals proficient in the conducting of risk management strategies to ensure that their projects reach fruition. Moreover, there are practices that organization could use to minimize risks in an organization by reducing the probability of risk, occurrence and reducing the effects of occurred risks.