Organisational Risk Management in Project Management

CHAPTER 2

2.1 Preview

This chapter provides the reader about the theory and rationale behind the use of Organisational Risk Analysis (ORA) on project management and its methodologies available in the market. It will also cover the work of different authors to afford better understanding of the subjected area i.e. Project management, Risk analysis and Organisational risk analysis. The source of information of this literature review is mainly from books, journals and white papers.

2.2 Introduction

Through this literature review one can know what others understanding about this study i.e. nothing but historical perspectives. First part of the literature focuses on project management and risk analysis and risk analysis types, second part of this literature focuses on Organisational Risk Analysis (ORA) and Role of ORA in Project management. It mainly concentrates on Project management, risk analysis and organisational risk analysis.

2.3 Introduction to Project Management:

PMBOK (Project Management — Body of Knowledge as defined by the Project Management Institute — PMI):”Project management is the application of knowledge, skills, tools and techniques to project activities to meet project requirements.” (PMI 2004)

According to James P. Lewis “The Project management is facilitating the planning, scheduling and controlling of all activities that must be done to achieve project objectives” (James P. Lewis: 2007)

PRINCE 2 project management methodology: “The planning, monitoring and control of all aspects of the project and the motivation of all those involved in it to achieve the project objectives on time and to the specified cost, quality and performance.”
A project is usually one time activity with a well defined set of desired and results. It can be divided into subtasks that must be accomplished in order to achieve the project goals.

In this day and age also it is assumed that project management can be enhanced by scientific methods. There is a very strong reason why these beliefs are created, it all accounts to the fact that today’s modern world has given professionals numerous amount of opportunities to execute their projects successfully. Such are the kind of investment options that are given to project investors. They are briefed with all the minute details so that they feel that their investment is secure. They also make sure that the estimated time of completion and the end can be calculated at the beginning of the project itself. The decisions that are taken on a technical basis or which are taken looking at the low opportunity costs that it presents are reversible in nature. The demand for resources can also be calculated once the initial parameters such as the duration and time frame of the project are estimated. Due to the advancement in technology even the most terrible consequences can be predicted. “The failure of the project was due to the lack of skills rather than an inappropriate feasibility, suitability or acceptability of the solution. This is a normal–science view of project management.” (Charette and Robert, 1996)

The projection of ideas and activities into new accomplishments are one of the common characteristics of all projects. There are many different definitions of what constitutes project management such as “An unique set of co-ordinated activities, with definite starting and finishing points, undertaken by an individual or a team to meet specific objectives within a definite period of time, cost and performance parameters” (Office of Government Commerce). (Web4, 2009)

J. Pinto and Prescott (1990) stated, “Researchers in project management need to first and most importantly offer a comprehensive, inclusive, and clear definition of project success before attempting to undertake studies of the project implementation process”. (J.Pinto and Prescott, 1990)

The modern project management started in 1950s, before this period projects were executed in an unplanned manner and the methods and tools used for execution were not professional in nature. The importance of project management is a very important topic because all organisations i.e. either be they are small or large organisations, those are involved in implementing new accomplishments. These accomplishments may be diverse, such as, the improvement of an innovative product, introducing a new range of products in a manufacturing base, a promotional advertisement or a major construction project. In the 1980’s the focus was more on the quality of work. Globalisation played a huge role in the 1990’s as we were trying to improve our economy, the 2000’s saw projects with decreased time frames. A new field known as project management was developing from all new areas of application which included construction, engineering, telecommunications, and defence. This emerging field has now become an important part of our economy as it has produced a string of fabulous results. Hence it is now being applied by the corporate world as well as the government. Duncan Haughey (2008) explained some main definitions of what project management is:

“Project management is not a continuous process. It has a definite beginning and end.”
“Project management uses various tools to measure accomplishments and track project tasks. These include Work Breakdown Structures, Gantt charts and PERT charts.”
“Projects frequently need resources on an ad-hoc basis as opposed to organisations that have only dedicated full-time positions.”
“Project management reduces risk and increases the chance of success.”
“Successful project management is delivering your projects on time, to brief and within budget.” (Duncan Haughy, 2008)

2.3.1 Methodology of Project Management:

According to Bradley (2002) Project management methodology means “Project Management Methodology focuses on the project and can be in any industry and any type of projects ranging from construction to aerospace industries and from projects of Financial to IT in nature, it encompasses all projects”

The above diagram shows the main components of one of the main project management methodology. Some of the elements like project start-up and project closure occur only once. The remaining elements like planning, managing and controlling, form an interactive cycle that may repeat many times before the completion of the project. In other words we can also say project management is the discipline of planning, organising and managing resources to bring about the successful completion of specific project’s goals and objectives. Each and every project is different in nature. Any project would involve a certain amount of risk and hence require perfect planning and execution if they have to succeed. The main aim of project management is to predict any complications or problems in the project well before hand so that when the project plan is made all these factors can also be taken into consideration and hence the chances of the project being completed successfully would be much higher.

Almost every project we do in today’s business world involve a risk of some kind: change in customer needs, unrealistic time scales, inappropriate staff, poor project specifications , failure to manage user expectations could delay the project. Projects need to be performed and delivered under certain constraints. Traditionally these constraints have been listed as scope, time and quality. This is also called as ‘project management triangle’.

One side of the triangle cannot be changed without affecting others. The time constraint refers to the amount of time available to complete a project, scope refers to what must be done to produce the project’s end result and cost refers to the budgeted amount available for the project.
Increasing Scope ( Increasing Time + Increasing Cost
Decreasing Time ( Increasing Cost + Reducing Scope
Tight Budget ( Increase Time + Reducing Scope.

If we modify any of the factors, the other two has to be changed, if not the risk may appear high. But formal risk analysis and risk management can help you to assess these risks and decide what action to take to minimize disruptions to your project plans.

According to J. Davidson Frame (2007) the basic outline of project management is described below “Project managers bear ultimate responsibility for making things happen. Traditionally, they have carried out this role as mere implementers. To do their jobs they needed to have basic administrative and technical competencies. Today they play a far broader role. In addition to the traditional skills, they need to have business skills, customer relations skills, and political skills. Psychologically, they must be results-oriented self-starters with a high tolerance for ambiguity, because little is clear-cut in today’s tumultuous business environment. Shortcomings in any of these areas can lead to project failure.” – (J. Davidson Frame, 2007)

Project management is discipline that applies to any project; every company has their own way of doing their projects. The project management is not very easy it is totally a leadership position and with technical talent it cannot be done. Project manager without enough experience cannot hold for a long-time on the same project if the assumption of the company goes wrong in selecting the project manager it will be in risk. (Sanjay Murthi, Preventive Risk Management for Software Projects)

2.4 Risk Analysis:

The word ‘RISK’ derives from the early Italian risicare, which means ‘TO DARE’. (Webster’s Dictionary: 1989)

One of the most important activities in project management is to identify and manage the uncertainties and problems during the project tenure. When dealing with research and development projects it must be made note of that the number of events present are very high which could alter the course of the project

The amount of risk involved in the project would mainly depend on the size of the project. The contractors of the project are the people who deal with the risks of the project, their main duties would involve to identify risks. Then they study them and find as solution so that could remove or minimize them. Apart form this they should also have a clear understanding of the different types of risk involved and ways as to how they can be managed and projects can be completed in a risk free manner.

(The Owner’s Role in Project Risk Management National Research Council (U.S.A). Committee for Oversight and Assessment of U.S. the national academic press, Washington DC).

A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection. A “risk analysis” is the process of assessing the level of risk involved, this is also known as a “threat and risk assessment.” A “threat” is a harmful act such as the deployment of a virus or illegal network penetration. A “risk” is the expectation that a threat may succeed and the potential damage that can occur. (Web1, 2009)

Risk analysis allows you to examine the risks that your organization faces. It is the process of systematically identifying and assessing the potential risks and uncertainties that occur when trying to achieve a certain goal (like reaching a target income or finishing a project), and then finding a feasible strategy for most efficiently controlling those risks.

‘The systematic process to understand the nature of and to deduce the level of risk. It provides the basis for risk evaluation and decisions about risk treatment.’ (AS/NZS 4360:2004 (p. 4).

According to Michael R. Greenberg ”Risk Analysis – ranked among the top 10 journals in the ISI Journal Citation Reports under the social sciences, mathematical methods category – is designed to meet the need for organization, integration, and communication and provide a focal point for new developments in the field.” (Michael R. Greenberg: 2008)

Evidence from the literature suggests that project managers perform risk analysis because somebody else, e.g. their client, the parent company or the Government, has demanded it (Boothroyd, 1996; Smith, 1998).

The analysis of risk is being increasingly viewed as a field in itself, and the demand for a more orderly and formal treatment of risk is great. This international journal is committed to publishing critical empirical research, conference proceedings, and commentaries dealing with risk issues. In other terms we can say the measure of risk can be determined as a product of threat, vulnerability and asset value in an organisation.
Risk = Asset * Threat * Vulnerability.

Risk analysis may play an important role in cost- benefit studies, which compare the costs of a particular action or project against its potential benefits. It is a systematic study of uncertainties and risks we encounter in business, engineering and many other areas. Risk analysts seek to identify the risks faced by an organization or a business unit, understand how and when they arise, and estimate the impact of adverse outcomes. Techniques used in risk analysis include sensitivity analysis, probability analysis, simulation and modeling. Risk analysis may be used to develop an organizational risk profile, and also may be the first stage in risk management program. Risk analysis may be undertaken to varying degrees of detail depending upon the risk, the purpose of the analysis, and the information, data and resources available.

In today’s world where competition has become global, it is very important that firms control the different kinds of risk that they are dealing with as it has become an essential part in achieving corporate success. The people who are involved such as customers, investors and others asking companies for complete transparency on their investments. Thus risk analysis is necessary to protect an organisation’s competitive position. Most industries are particularly plagued by risks, but it has been slow in realising the potential benefits of sound and systematic risk management (Al-Bahar and Crandall, 1990; Ward et. al. 1991; Thomson and Perry, 1992; Flanagan and Norman, 1993; Raftery, 1994; Fellows, 1996; Edward and Bowen, 1998).While coming for the software industries risk analysis and management are a sequential progression that help in guiding a software team in understanding and managing risks. A risk is a potential problem, it might happen, it might not. But regardless of the outcome it is really good idea to identify it, assess its probability of occurrence, estimate the impact and establish a contingency plan should the problem actually occurs.
According to Bernstein “the mystery of risk is a critical step in the development of modern society. One can discuss the validity of his conclusion, but there should be no doubt that risk and uncertainty are important concepts to address for supporting decision-making in many situations”.

This Risk Analysis may be qualitative, semi-qualitative or quantitative or a combination of these three, depending on the circumstances. The criticality of risk analysis doesn’t wholly depend on identifying the risk factors. It also depends on categorizing them according to their threat level. So let us see how the whole concept of risk analysis starts. There are two types of risk analysis. Both these methods are very important in the assessment of risk and can be executed in any order. It is very important to understand the difference between these two risks as there is a very thin line separating them. Those are:
Quantitative Risk Analysis
Qualitative Risk Analysis

(Identification of types of risk analysis)
2.5. Quantitative Risk Analysis:

Quantitative Risk Analysis has become an important component of project management. Quantitative risk analysis attempts to assign independently objective monetary values to the components of the risk assessment and to the assessment of the potential loss.

According to Guide to the Project Management Body of Knowledge (PMBOK ® Guide, Third edition 2004, Project Management Institute) “Quantitative Risk Analysis is performed on risks that have been prioritized by the Qualitative Risk Analysis process as potentially and substantially impacting project ‘s completing demands. The Quantitative Risk Analysis process analyzes the effect of those risk events and assigns a numerical rating to those risks.” (PMBOK Guide, 2004)

This method gives the project manager a foresight as to how the project would progress if risks associated with it would occur. Hence due to this method the project mangers are able to counter these risks and also account to better execution of projects. A quantitative risk analysis offers the following distinct advantages:
much more neutrality is involved in this assessment
offers much more advantages to management when compared to assessment techniques More powerful selling tool to management
It is very flexible in nature and can be moulded to different situations.
It can be adjusted according to the needs of specific industries.
Its appeal is very universal in nature and hence does not give rise to much disagreements
The base facts of the analysis are very convincing ones.

In order to implement quantitative risk analysis, the total estimated value that would account to the losses that would occur due to time delay, theft or loss of data is to be calculated. Then a probability analysis is done so that the chances of the risk occurring can be calculated. After all this is done in the final step the annual loss expectancy is calculated. (Miller).

A quantitative risk analysis analyses the results that certain controversial units would have on outcomes that we are most concerned about such as loss, profit and investment returns. Quantitative risk gives different perspectives on different people:

To the security consultant:
To attract newly started businesses by adapting quantitative analysis to access projects that were out of reach in the past.
If the projects met up to the predicted return on investment then it could serve as a better tool for marketing.
To the company’s upper management:
Less vulnerable to company politics
time required for assessing proposal validity is very less
Inter- relates final results to financial aims and goals.

Quantitative risk analysis assists managers in analyzing whether the projects can be completed in a particular time frame and within the required estimated budget. It also helps in finding out the key parameters that would determine the success or failure of the project. It also helps in finding out whether the project is worth investing in for investors. But all these data should have some historical backing otherwise they would be rendered meaningless. These data should be updated from time to time during the due course of the project taking the actual input parameters into consideration. This in other terms is also known as “Garbage In – Garbage Out”. Even though all this is done project management is subject to certain biases. The most basic solution is to collect data from qualitative project management software. This kind of integration has already been implemented and has been successful in the past as well.

Quantitative risk analysis tools initiate Monte Carlo process to find out how risks would have an impact on project schedules. The most well known methods for simulating risks and other problems is Event Chain Methodology. In this methodology all the projects tat are present are effected by certain external parameters which could in turn change the face of the project. These events should be analysed with the help of the qualitative risk management software. This is an important aspect as these measures could give rise to event chains that can alter the course of the project. By finding out these event chains the risks involved can be reduced.

Quantitative risk analysis is more related to implementing safety measures when compared to qualitative risk analysis is. This risk analysis when implemented by companies tries to protect the firm from every defined risk. It also helps in determining which counter method can be used for minimizing the risks involved with projects. In this method the risk assessments are generally represented in graphs and probability charts which generates a clear understanding among firms and hence is also favoured by management teams.

2.6 Qualitative Risk Analysis:

Qualitative risk analysis forms as primary source of data for further evaluations. It acts as an initial screening for all activities associated with the project to identify the possible risks that may or may not require further analysis (Quantitative). Sometimes managers tend to overlook simple risks which may cause substantial damage while looking for more complex ones which might not be that important. Also studying the project document and technologies used might help identifying certain generic risks. For example, a project which uses widely used or known components poses minimal threats when compared to using first to use or more advanced technology.

Qualitative analysis helps prioritizing such risks according to the level they affect the final project objectives. This helps the managers with the decision making on how best they can plan the project in a safe way. While doing qualitative risk analysis, managers generally tend to include their personal and previous experiences in dealing with similar kind of projects or tasks. They asses the importance of risk factors according to their experience.

In this process we first identify what are the main sources from where risk can originate. This is done by conducting interviews and getting feedback fro questioners. Then an assessment is done to increase the level of understanding of each risk and the extent to which they could affect the project. For this qualitative risk analysis process there is no probability database required and it is widely used analysis by the organisations.

2.7 Techniques used for Qualitative Analysis:

The most common methods of obtaining necessary data for screening risks are:
To know the stakeholders and shareholders’ interests regarding the current project.
Collecting critical information from stakeholders and clients to analyze the final objectives in a realistic way.
Understanding the organizational structure and policies to carry out the task efficiently.
Using effective benchmarking techniques from projects handled previously.
Understanding the key objectives and criticality of each task associated with the project to categorize risks according to their importance.

However, after collecting the information and assigning the risk factors to different grids or categories, the managers need to decide on the need to go for further investigation and to implement effective risk management plans. In order to do this, every manager should ask themselves a few questions such as:
What are the critical phases in the project and where the potential risks are going wrong during that phase?
The effect of that risk in carrying out the tasks related to the respective phases and how it’s delaying the overall project.
Weather the potential risks can be eliminated by simple methods or changes in the project plan or they are far too complex to minimize without using further analysis and sophisticated techniques.

When a manager could answer these questions, he would be in a position to effectively plan and implement risk aversion plans by using appropriate tools or techniques. The Qualitative risk analysis gives the manager a true power of information to make his decision.

Generally the qualitative risk analysis will be succeeded by quantitative risk analysis which gives more insight on numbers such as project period, completion dates and budget.

3. Organisational Risk Analysis:

The combination of a threat and the resulting impact to the organisation defines the risk to the organisation. It is an important task that we asses all the intricate issues that the organisation is facing. Only after this assessment we can know the overall risk that the firm is facing and the appropriate counter methods that can be implemented in minimizing these risks. When a risk assessment is carried out we take an over all perspective on behalf of the organisation. We first find out every major business processes that take place in the organisation and then we focus on the situations from where risks would arise. We then provide detailed list to management of the different types of risk involved so that management can counter with them..

The National Audit Office Report ‘Managing Risks to Improve Public Services’ ( NAO 2004) identified five key aspects of organisational risk analysis and made recommendations for improving organisational risk analysis practice in central government.
Sufficient time, resource and top level commitment needs to be devoted to handling risks in an organisation.
Responsibility and accountability for risks need to be clear, backed up by scrutiny and robust challenge to provide assurance.
In an Organisation, departments need to base their judgements about risks on reliable, timely and up to date information.
Risk analysis needs to be applied throughout departments’ delivery networks.
Departments need to continue to develop their understanding of the common risks they share and work together to manage them.

An Organisational Risk Analysis is a tool for governance and getting its …

Students Paper: Direct Quote:

… getting its right is important. Selecting the correct method for performing the analysis is …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228

… getting it right is important. Selecting the correct method for performing the assessment is … … analysis is a critical first step. Successful audit staff or risk analysis team creates evaluation criteria that will be used to evaluate the risks to the organisation. The analysis team reviews each risk and assigns it an impact value. Successful audit staff uses some basic approaches to determine which technique will provide the most value for the organisation.

Organisational Risk Analysis is a very important factor while handling projects for all organisations in today’s business world. In any project that is undertaken risk is present. It depends on the nature of the project. Some projects are riskier when compared to others; this is due to the kind of risk, the technology present and the environment in which they are encountered. Project management has been designed to coordinate and be in charge of complicated and different business processes in different field such as IT and industrial sectors. (Web2, 2009)

This above diagram shows how an organisation relates with other departments like software, technology and environment etc. Handling with any of them causes uncertainties or risks. To overcome those risks associated in projects, ORA (Organisational Risk Analysis) helps. Risk is uncertainty of outcome, and good risk analysis allows an organisation to:

Have increased confidence in achieving its desired outcomes
Effectively constrain threats to acceptable levels
Take informed decisions about exploiting opportunities.

When ever we will get a change this risk occurs for those organisations. It is important to understand effect of change and the results of change as these are important in devising an appropriate strategy. Those are

Developmental: “It is a change which enhances or corrects existing aspects of an organisation, often focusing on the progress of a skill or process. “

Transitional: It is episodic, planned and fundamental. Most of the organisational change literature is based on this type of change only.

Transformational: It is radical in nature; it requires a change in assumptions made by the organisation and by its people.

Using these types of changes and its characteristics can be placed beside two scales: radical- incremental and core- peripheral (Pennington 2003).

The diagram above shows us how difficult it is introduce a particular decision into the market and the number of changes that may result in introducing this decision. If major changes are made to the central business then it would initiate a lot of disturbance. The processes that are associated with the core business can be changed as they can be adjusted in the due course of time; this is mostly for firms who are involved with continuous improvement.

Successful audit staff or risk analysis team generally use any of the three basic approaches.
The database approach
The algorithm approach
The matrix approach

Understanding the strengths and weakness of each method is essential for determining which technique will provide the most value for the organisation.

3.1 The Database Approach:

For assessing any kind of organisational risk, compiling a risk database is a popular method. Here each work group is interviewed and the main products and processes are identified where the risks associated with each process are displayed. These are then stocked in a database from where similar reports can be accessed for reference so that the risk faced by the work unit can be analysed.

This database approach is chosen by so many accounting firms and it is favoured by them, which may tag it as “risk profiling …

Students Paper: Direct Quote:

… the analysis is a critical first step. Successful audit staff or risk …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228

… the assessment is a critical first step. Successful audit staffs generally use … … or risk analysis team creates evaluation criteria that will be used to evaluate the risks to the organisation. The analysis team reviews each risk and assigns it an impact value. Successful audit staff uses some basic approaches to …

Students Paper: Direct Quote:

… approaches to determine which technique will provide the most value for the organisation.

Organisational …

http://www.thefreelibrary.com/Assessing+Organizational+Risk.-a063326228

… is essential for determining which technique will provide the most value for the organization.

THE … … organisation.

Organisational Risk Analysis is a very important factor while handling projects for all organisations in today’s business world. In any project that is undertaken risk is present. It depends on the nature of the project. Some projects are riskier when compared to others; this is due to the kind of risk, the technology present and the environment in which they are encountered. Project management has been designed to coordinate and be in charge of complicated and different business processes in different field such as IT and industrial sectors. (Web2, 2009)

This above diagram shows how an organisation relates with other departments like software, technology and environment etc. Handling with any of them causes uncertainties or risks. To overcome those risks associated in projects, ORA (Organisational Risk Analysis) helps. Risk is uncertainty of outcome, and good risk analysis allows an organisation to:

Have increased confidence in achieving its desired outcomes
Effectively constrain threats to acceptable levels
Take informed decisions about exploiting opportunities.

When ever we will get a change this risk occurs for those organisations. It is important to understand effect of change and the results of change as these are important in devising an appropriate strategy. Those are

Developmental: “It is a change which enhances or corrects existing aspects of an organisation, often focusing on the progress of a skill or process. “

Transitional