16. Risk Management Planning
Adrienne Watt; David Wiley, et al.; Project Management Open Resources; and TAP-a-PM
Even the most carefully planned project can run into trouble. No matter how well you plan, your project can always encounter unexpected problems. Team members get sick or quit, resources that you were depending on turn out to be unavailable, even the weather can throw you for a loop (e.g., a snowstorm). So does that mean that you’re helpless against unknown problems? No! You can use risk planning to identify potential problems that could cause trouble for your project, analyze how likely they are to occur, take action to prevent the risks you can avoid, and minimize the ones that you can’t.
A risk is any uncertain event or condition that might affect your project. Not all risks are negative. Some events (like finding an easier way to do an activity) or conditions (like lower prices for certain materials) can help your project. When this happens, we call it an opportunity; but it’s still handled just like a risk.
There are no guarantees on any project. Even the simplest activity can turn into unexpected problems. We call anything that might occur to change the outcome of a project activity a risk. A risk can be an event (like a snowstorm) or it can be a condition (like an important part being unavailable). Either way, it’s something that may or may not happen, but if it does, then it will force you to change the way you and your team work on the project.
If your project requires that you stand on the edge of a cliff, then there’s a risk that you could fall. If it’s very windy out or if the ground is slippery and uneven, then falling is more likely (Figure 16.1).
When you’re planning your project, risks are still uncertain: they haven’t happened yet. But eventually, some of the risks that you plan for do happen, and that’s when you have to deal with them. There are four basic ways to handle a risk.
- Avoid: The best thing you can do with a risk is avoid it. If you can prevent it from happening, it definitely won’t hurt your project. The easiest way to avoid this risk is to walk away from the cliff, but that may not be an option on this project.
- Mitigate: If you can’t avoid the risk, you can mitigate it. This means taking some sort of action that will cause it to do as little damage to your project as possible.
- Transfer: One effective way to deal with a risk is to pay someone else to accept it for you. The most common way to do this is to buy insurance.
- Accept: When you can’t avoid, mitigate, or transfer a risk, then you have to accept it. But even when you accept a risk, at least you’ve looked at the alternatives and you know what will happen if it occurs. If you can’t avoid the risk, and there’s nothing you can do to reduce its impact, then accepting it is your only choice.
By the time a risk actually occurs on your project, it’s too late to do anything about it. That’s why you need to plan for risks from the beginning and keep coming back to do more planning throughout the project.
The risk management plan tells you how you’re going to handle risk in your project. It documents how you’ll assess risk, who is responsible for doing it, and how often you’ll do risk planning (since you’ll have to meet about risk planning with your team throughout the project).
Some risks are technical, like a component that might turn out to be difficult to use. Others are external, like changes in the market or even problems with the weather.
It’s important to come up with guidelines to help you figure out how big a risk’s potential impact could be. The impact tells you how much damage the risk would cause to your project. Many projects classify impact on a scale from minimal to severe, or from very low to very high. Your risk management plan should give you a scale to help figure out the probability of the risk. Some risks are very likely; others aren’t.
Risk Management Process
Managing risks on projects is a process that includes risk assessment and a mitigation strategy for those risks. Risk assessment includes both the identification of potential risk and the evaluation of the potential impact of the risk. A risk mitigation plan is designed to eliminate or minimize the impact of the risk events, that is, occurrences that have a negative impact on the project. Identifying risk is both a creative and a disciplined process. The creative process includes brainstorming sessions where the team is asked to create a list of everything that could go wrong. All ideas are welcome at this stage with the evaluation of the ideas coming later.
Risk Identification
A more disciplined process involves using checklists of potential risks and evaluating the likelihood that those events might happen on the project. Some companies and industries develop risk checklists based on experience from past projects. These checklists can be helpful to the project manager and project team in identifying both specific risks on the checklist and expanding the thinking of the team. The past experience of the project team, project experience within the company, and experts in the industry can be valuable resources for identifying potential risk on a project.
Identifying the sources of risk by category is another method for exploring potential risk on a project. Some examples of categories for potential risks include the following:
- Contractual
- Environmental
You can use the same framework as the work breakdown structure (WBS) for developing a risk breakdown structure (RBS). A risk breakdown structure organizes the risks that have been identified into categories using a table with increasing levels of detail to the right. The people category can be subdivided into different types of risks associated with the people. Examples of people risks include the risk of not finding people with the skills needed to execute the project or the sudden unavailability of key people on the project.
Example: Risks in John’s Move
In John’s move, John makes a list of things that might go wrong with his project and uses his work breakdown structure as a guide. A partial list for the planning portion of the RBS is shown in Table 16.1.
The result is a clearer understanding of where risks are most concentrated. This approach helps the project team identify known risks, but can be restrictive and less creative in identifying unknown risks and risks not easily found inside the WBS.
Risk Evaluation
After the potential risks have been identified, the project team then evaluates each risk based on the probability that a risk event will occur and the potential loss associated with it. Not all risks are equal. Some risk events are more likely to happen than others, and the cost of a risk can vary greatly. Evaluating the risk for probability of occurrence and the severity or the potential loss to the project is the next step in the risk management process.
Having criteria to determine high-impact risks can help narrow the focus on a few critical risks that require mitigation. For example, suppose high-impact risks are those that could increase the project costs by 5% of the conceptual budget or 2% of the detailed budget. Only a few potential risk events meet these criteria. These are the critical few potential risk events that the project management team should focus on when developing a project risk mitigation or management plan. Risk evaluation is about developing an understanding of which potential risks have the greatest possibility of occurring and can have the greatest negative impact on the project (Figure 16.2). These become the critical few.
There is a positive correlation—both increase or decrease together—between project risk and project complexity. A project with new and emerging technology will have a high-complexity rating and a correspondingly high risk. The project management team will assign the appropriate resources to the technology managers to ensure the accomplishment of project goals. The more complex the technology, the more resources the technology manager typically needs to meet project goals, and each of those resources could face unexpected problems.
Risk evaluation often occurs in a workshop setting. Building on the identification of the risks, each risk event is analyzed to determine the likelihood of occurrence and the potential cost if it did occur. The likelihood and impact are both rated as high, medium, or low. A risk mitigation plan addresses the items that have high ratings on both factors—likelihood and impact.
Example: Risk Analysis of Equipment Delivery
A project team analyzed the risk of some important equipment not arriving at the project on time. The team identified three pieces of equipment that were critical to the project and would significantly increase costs if they were late in arriving. One of the vendors, who was selected to deliver an important piece of equipment, had a history of being late on other projects. The vendor was good and often took on more work than it could deliver on time. This risk event (the identified equipment arriving late) was rated as high likelihood with a high impact. The other two pieces of equipment were potentially a high impact on the project but with a low probability of occurring.
Not all project managers conduct a formal risk assessment on a project. One reason, as found by David Parker and Alison Mobey in their phenomenological study of project managers, was a low understanding of the tools and benefits of a structured analysis of project risks (2004). The lack of formal risk management tools was also seen as a barrier to implementing a risk management program. Additionally, the project manager’s personality and management style play into risk preparation levels. Some project managers are more proactive and develop elaborate risk management programs for their projects. Other managers are reactive and are more confident in their ability to handle unexpected events when they occur. Yet others are risk averse, and prefer to be optimistic and not consider risks or avoid taking risks whenever possible.
On projects with a low-complexity profile, the project manager may informally track items that may be considered risk items. On more complex projects, the project management team may develop a list of items perceived to be higher risk and track them during project reviews. On projects of even greater complexity, the process for evaluating risk is more formal with a risk assessment meeting or series of meetings during the life of the project to assess risks at different phases of the project. On highly complex projects, an outside expert may be included in the risk assessment process, and the risk assessment plan may take a more prominent place in the project implementation plan.
On complex projects, statistical models are sometimes used to evaluate risk because there are too many different possible combinations of risks to calculate them one at a time. One example of the statistical model used on projects is the Monte Carlo simulation, which simulates a possible range of outcomes by trying many different combinations of risks based on their likelihood. The output from a Monte Carlo simulation provides the project team with the probability of an event occurring within a range and for combinations of events. For example, the typical output from a Monte Carlo simulation may indicate a 10% chance that one of the three important pieces of equipment will be late and that the weather will also be unusually bad after the equipment arrives.
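The simulation described above, sketched for the equipment-delivery example (an added example, not part of the original chapter). The probabilities and costs are constructed, since the chapter rates these risks only as high or low, and the events are assumed to be independent.

```python
import random

# Constructed inputs: the chapter rates these risks only as high/low, so the
# numbers below are assumptions chosen for illustration.
EQUIPMENT = {
    "vendor_with_late_history": (0.60, 120_000),  # (P(late), cost if late)
    "equipment_b": (0.10, 90_000),
    "equipment_c": (0.10, 75_000),
}
BAD_WEATHER = (0.15, 40_000)  # (P(unusually bad weather), cost if it happens)


def exact_joint_probability():
    """P(at least one item late AND bad weather), assuming independent events.

    Only possible in closed form because this model is tiny; it serves as a
    cross-check on the simulated estimate.
    """
    p_none_late = 1.0
    for p_late, _ in EQUIPMENT.values():
        p_none_late *= 1.0 - p_late
    return (1.0 - p_none_late) * BAD_WEATHER[0]


def simulate(trials=100_000, seed=16):
    """Draw many random combinations of the risk events and summarise them."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    joint_hits = 0
    costs = []
    for _ in range(trials):
        cost = 0
        any_late = False
        for p_late, late_cost in EQUIPMENT.values():
            if rng.random() < p_late:
                any_late = True
                cost += late_cost
        bad_weather = rng.random() < BAD_WEATHER[0]
        if bad_weather:
            cost += BAD_WEATHER[1]
        if any_late and bad_weather:
            joint_hits += 1
        costs.append(cost)
    costs.sort()
    return {
        # Chance of the combined event the chapter uses as its example output.
        "p_late_and_bad_weather": joint_hits / trials,
        # Average loss across all simulated projects.
        "mean_cost": sum(costs) / trials,
        # Loss that 90% of simulated projects stay at or below; one way to
        # size a contingency budget from the simulated range of outcomes.
        "p90_cost": costs[int(0.90 * trials)],
    }


if __name__ == "__main__":
    result = simulate()
    print(f"exact joint probability:     {exact_joint_probability():.4f}")
    print(f"simulated joint probability: {result['p_late_and_bad_weather']:.4f}")
    print(f"mean risk cost:              {result['mean_cost']:,.0f}")
    print(f"90th percentile risk cost:   {result['p90_cost']:,}")
```

With these constructed inputs the combined event comes out at roughly 10%, and the 90th-percentile cost shows how far above the average loss a contingency reserve would need to reach.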
Risk Mitigation
After the risk has been identified and evaluated, the project team develops a risk mitigation plan, which is a plan to reduce the impact of an unexpected event. The project team mitigates risks in various ways:
- Risk avoidance
- Risk sharing
- Risk reduction
- Risk transfer
Each of these mitigation techniques can be an effective tool in reducing individual risks and the risk profile of the project. The risk mitigation plan captures the risk mitigation approach for each identified risk event and the actions the project management team will take to reduce or eliminate the risk.
Risk avoidance usually involves developing an alternative strategy that has a higher probability of success but usually at a higher cost associated with accomplishing a project task. A common risk avoidance technique is to use proven and existing technologies rather than adopt new techniques, even though the new techniques may show promise of better performance or lower costs. A project team may choose a vendor with a proven track record over a new vendor that is providing significant price incentives to avoid the risk of working with a new vendor. The project team that requires drug testing for team members is practising risk avoidance by avoiding damage done by someone under the influence of drugs.
Risk sharing involves partnering with others to share responsibility for the risky activities. Many organizations that work on international projects will reduce political, legal, labour, and other risk types associated with international projects by developing a joint venture with a company located in that country. Partnering with another company to share the risk associated with a portion of the project is advantageous when the other company has expertise and experience the project team does not have. If a risk event does occur, then the partnering company absorbs some or all of the negative impact of the event. The company will also derive some of the profit or benefit gained by a successful project.
Risk reduction is an investment of funds to reduce the risk on a project. On international projects, companies will often purchase the guarantee of a currency rate to reduce the risk associated with fluctuations in the currency exchange rate. A project manager may hire an expert to review the technical plans or the cost estimate on a project to increase the confidence in that plan and reduce the project risk. Assigning highly skilled project personnel to manage the high-risk activities is another risk-reduction method. Experts managing a high-risk activity can often predict problems and find solutions that prevent the activities from having a negative impact on the project. Some companies reduce risk by forbidding key executives or technology experts to ride on the same airplane.
Risk transfer is a risk reduction method that shifts the risk from the project to another party. The purchase of insurance on certain items is a risk-transfer method. The risk is transferred from the project to the insurance company. A construction project in the Caribbean may purchase hurricane insurance that would cover the cost of a hurricane damaging the construction site. The purchase of insurance is usually in areas outside the control of the project team. Weather, political unrest, and labour strikes are examples of events that can significantly impact the project and that are outside the control of the project team.
Contingency Plan
The project risk plan balances the investment of the mitigation against the benefit for the project. The project team often develops an alternative method for accomplishing a project goal when a risk event has been identified that may frustrate the accomplishment of that goal. These plans are called contingency plans. The risk of a truck drivers’ strike may be mitigated with a contingency plan that uses a train to transport the needed equipment for the project. If a critical piece of equipment is late, the impact on the schedule can be mitigated by making changes to the schedule to accommodate a late equipment delivery.
Contingency funds are funds set aside by the project team to address unforeseen events that cause the project costs to increase. Projects with a high-risk profile will typically have a large contingency budget. Although the amount of contingency allocated in the project budget is a function of the risks identified in the risk analysis process, contingency is typically managed as one line item in the project budget.
Some project managers allocate the contingency budget to the items in the budget that have high risk rather than developing one line item in the budget for contingencies. This approach allows the project team to track the use of contingency against the risk plan. This approach also allocates the responsibility to manage the risk budget to the managers responsible for those line items. The availability of contingency funds in the line item budget may also increase the use of contingency funds to solve problems rather than finding alternative, less costly solutions. Most project managers, especially on more complex projects, manage contingency funds at the project level, with approval of the project manager required before contingency funds can be used.
Project Risk by Phases
Project risk is dealt with in different ways depending on the phase of the project.
Risk is associated with things that are unknown. More things are unknown at the beginning of a project, but risk must be considered in the initiation phase and weighed against the potential benefit of the project’s success in order to decide if the project should be chosen.
Example: Risks by Phase in John’s Move
In the initiation phase of his move, John considers the risk of events that could affect the whole project. Let’s assume that John’s move is not just about changing jobs, but also a change of cities. This would certainly incur more risks for the project. He identifies the following risks during the initiation phase that might have a high impact and rates the likelihood of their happening from low to high.
- His new employer might change his mind and take back the job offer after he’s given notice at his old job: Low.
- The current tenants of his apartment might not move out in time for him to move in by the first day of work at the new job: Medium.
- The movers might lose his furniture: Low.
- The movers might be more than a week late delivering his furniture: Medium.
- He might get in an accident driving from Chicago to Atlanta and miss starting his job: Low.
John considers how to mitigate each of the risks.
- During his job hunt, John had more than one offer, and he is confident that he could get another job, but he might lose deposit money on the apartment and the mover. He would also lose wages during the time it took to find the other job. To mitigate the risk of his new employer changing his mind, John makes sure that he keeps his relationships with his alternate employers cordial and writes to each of them thanking them for their consideration in his recent interviews.
- John checks the market in Atlanta to determine the weekly cost and availability of extended-stay motels.
- John checks the mover’s contract to confirm that they carry insurance against lost items, but they require the owner to provide a detailed list with value estimates and they limit the maximum total value. John decides to go through his apartment with his digital camera and take pictures of all of his possessions that will be shipped by truck and to keep the camera with him during the move so he has a visual record and won’t have to rely on his memory to make a list. He seals and numbers the boxes so he can tell if a box is missing.
- If the movers are late, John can use his research on extended-stay motels to calculate how much it would cost. He checks the moving company’s contract to see if they compensate the owner for late delivery, and he finds that they do not.
- John checks the estimated driving time from Chicago to Atlanta using an Internet mapping service and gets an estimate of 11 hours of driving time. He decides that it would be too risky to attempt to make the drive by himself in one day, especially if he didn’t leave until after the truck was packed. John plans to spend one night on the road in a motel to reduce the risk of an accident caused by driving while too tired.
John concludes that the medium risks can be mitigated and the costs from the mitigation would be acceptable in order to get a new job.
Planning Phase
Once the project is approved and it moves into the planning stage, risks are identified with each major group of activities. A risk breakdown structure (RBS) can be used to identify increasing levels of detailed risk analysis.
Example: Risk Breakdown Structure for John’s Move
John decides to ask Dion and Carlita for their help during their first planning meeting to identify risks, rate their impact and likelihood, and suggest mitigation plans. They concentrate on the packing phase of the move. They fill out a table of risks, as shown in Table 16.2.
- RA: Risk avoidance
- RS: Risk sharing
- RR: Risk reduction
- RT: Risk transfer
Implementation Phase
As the project progresses and more information becomes available to the project team, the total risk on the project typically reduces, as activities are performed without loss. The risk plan needs to be updated with new information and risks checked off that are related to activities that have been performed.
Understanding where the risks occur on the project is important information for managing the contingency budget and managing cash reserves. Most organizations develop a plan for financing the project from existing organizational resources, including financing the project through a variety of financial instruments. In most cases, there is a cost to the organization to keep these funds available to the project, including the contingency budget. As the risks decrease over the length of the project, if the contingency is not used, then the funds set aside by the organization can be used for other purposes.
To determine the amount of contingency that can be released, the project team will conduct another risk evaluation and determine the amount of risk remaining on the project. If the risk profile is lower, the project team may release contingency funds back to the parent organization. If additional risks are uncovered, a new mitigation plan is developed including the possible addition of contingency funds.
Closeout Phase
During the closeout phase, agreements for risk sharing and risk transfer need to be concluded and the risk breakdown structure examined to be sure all the risk events have been avoided or mitigated. The final estimate of loss due to risk can be made and recorded as part of the project documentation. If a Monte Carlo simulation was done, the result can be compared to the predicted result.
Example: Risk Closeout on John’s Move
To close out the risk mitigation plan for his move, John examines the risk breakdown structure and risk mitigation plan for items that need to be finalized. He makes a checklist to be sure all the risk mitigation plans are completed, as shown in Table 16.3. Risk is not allocated evenly over the life of the project. On projects with a high degree of new technology, the majority of the risks may be in the early phases of the project. On projects with a large equipment budget, the largest amount of risk may be during the procurement of the equipment. On global projects with a large amount of political risk, the highest portion of risk may be toward the end of the project.
Parker, D., & Mobey, A. (2004). Action Research to Explore Perceptions of Risk in Project Management. International Journal of Productivity and Performance Management, 53(1), 18–32.
Text Attributions
This chapter was adapted and remixed by Adrienne Watt from the following sources:
- Text under “Risk Management Planning” was adapted from “Risk Management Planning” in Project Management for Skills for All Careers by Project Management Open Resources and TAP-a-PM. Licensed under a CC BY 3.0 licence.
- Text under “Risk Management Process” and “Project Risk by Phases” adapted from Project Management for Instructional Designers by Amado, M., Ashton, K., Ashton, S., Bostwick, J., Clements, G., Drysdale, J., Francis, J., Harrison, B., Nan, V., Nisse, A., Randall, D., Rino, J., Robinson, J., Snyder, A., Wiley, D., & Anonymous. Licensed under a CC BY-NC-SA (Attribution-NonCommercial-ShareAlike) licence.
Media Attributions
- Risk Management Options © Barron & Barron Project Management for Scientists and Engineers is licensed under a CC BY (Attribution) license
- Risk and Impact © Wiley, et al. is licensed under a CC BY-NC-SA (Attribution NonCommercial ShareAlike) license
16. Risk Management Planning Copyright © 2014 by Adrienne Watt; David Wiley, et al.; Project Management Open Resources; and TAP-a-PM is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
HCS 451 week 2 Individual Assignment Risk Management Assessment Summary- hcs451dotcom
1. Individual Assignment: Risk Management Assessment Summary
Leaders in a health care organization have identified risk management as an opportunity for improvement for the upcoming year. The organization has hired you as a consultant to help assess the organization’s current status and define the future plan for addressing risks.
- Resource: Risk Management Assessment Summary Grading Criteria and Sample Executive Summary located in the Center for Writing Excellence
  - Navigate to the Center for Writing Excellence in the University Library.
  - Under Writing Resources, click Tutorials & Guides.
  - Under Samples, click Sample Executive Summary.
- Select an organization type in the health care industry as the basis for this assignment. The organization may be your employer or a health care organization of particular interest to you. Types of health care organizations include, but are not limited to, the following:
  - Hospital, nursing facility, physician office, emergency medical services, managed care organization, home health care, community health department or provider, pharmacy, laboratory, drug manufacturer, medical device manufacturer, durable medical equipment supplier, and electronic medical records software suppliers
- Research the key concepts of risk management in health care and the factors that influence risk management for your chosen type of organization.
- Write a 1,050- to 1,400-word executive summary in which you complete the following:
  - Describe the purpose of risk management in health care organizations in general and in your chosen organization in particular.
  - Explain key steps this organization may take to identify and manage their risks.
  - Identify three typical or actual risks in your chosen organization. Describe how each risk might negatively affect your organization and its stakeholders.
Value and resilience through better risk management
Today’s corporate leaders navigate a complex environment that is changing at an ever-accelerating pace. Digital technology underlies much of the change. Business models are being transformed by new waves of automation, based on robotics and artificial intelligence. Producers and consumers are making faster decisions, with preferences shifting under the influence of social media and trending news. New types of digital companies are exploiting the changes, disrupting traditional market leaders and business models. And as companies digitize more parts of their organization, the danger of cyberattacks and breaches of all kinds grows.
Beyond cyberspace, the risk environment is equally challenging. Regulation enjoys broad popular support in many sectors and regions; where it is tightening, it is putting stresses on profitability. Climate change is affecting operations and consumers, and regulators are also making demands for better business conduct in relation to the natural environment. Geopolitical uncertainties alter business conditions and challenge the footprints of multinationals. Corporate reputations are vulnerable to single events, as risks once thought to have a limited probability of occurrence are actually materializing.
The role of the board and senior executives
Risk management at nonfinancial companies has not kept pace with this evolution. For many nonfinancial corporates, risk management remains an underdeveloped and siloed capability in the organization, receiving limited attention from the most senior leaders. From over 1,100 respondents to McKinsey’s Global Board Survey for 2017, we discovered that risk management remains a relatively low-priority topic at board meetings (exhibit).
A long way to go
Boards spend only 9 percent of their time on risk—slightly less than they did in 2015. Other questions in the survey revealed that only 6 percent of respondents believe that they are effective in managing risk (again, less than in 2015). Some individual risk areas are relatively neglected, and even cybersecurity, a core risk area with increasing importance, is addressed by only 36 percent of boards. While many senior executives stay focused on strategy and performance management, they often fail to challenge capabilities or strategic decisions from a risk perspective (see sidebar, “A long way to go”). A reactive approach to risks remains too common, with action taken only after things go wrong. The result is that boards and senior executives needlessly put their companies at risk, while personally taking on higher legal and reputational liabilities.
Boards have a critical role to play in developing risk-management capabilities at the companies they oversee. First, boards need to ensure that a robust risk-management operating model is in place. Such a model allows companies to understand and prioritize risks, set their risk appetite, and measure their performance against these risks. The model should enable the board and senior executives to work with businesses to eliminate exposures outside the company’s appetite statement, reducing the risk profile where warranted, through such means as quality controls and other operational processes. On strategic opportunities and risk trade-offs, boards should foster explicit discussions and decision making among top management and the businesses. This will enable the efficient deployment of scarce risk resources and the active, coordinated management of risks across the organization. Companies will then be prepared to address and manage emerging crises when risks do materialize.
A sectoral view of risks
Most companies operate in a complex, industry-specific risk environment. They must navigate macroeconomic and geopolitical uncertainties and face risks arising in the areas of strategy, finance, products, operations, and compliance and conduct. In some sectors, companies have developed advanced approaches to managing risks that are specific to their business models. These approaches can sustain significant value. At the same time companies are challenged by emerging types of risks for which they need to develop effective mitigation plans; in their absence, the losses from serious risk events can be crippling.
- Automotive companies are controlling supply-chain risks with sophisticated monitoring models that allow OEMs to identify potential risks upfront across the supply chain. At the same time, auto companies must address the strategic challenge of shifting toward electric-powered and autonomous vehicles.
- Pharma companies seek to manage the downside risk of large investments in their product portfolio and pipeline, while addressing product quality and patient safety to comply with relevant regulatory requirements.
- Oil and gas, steel, and energy companies apply advanced approaches to manage the negative effects of financial markets and commodity-price volatility. As social and political demands for cleaner energy are increasing, these companies are actively pursuing growth opportunities to shift their portfolios in anticipation of an energy transition and a low-carbon future.
- Consumer-goods companies protect their reputation and brand value through sound practices to manage product quality as well as labor conditions in their production facilities. Yet they are constantly challenged to meet consumers’ ever-changing tastes and needs, as well as consumer-protection regulations.
Toward proactive risk management
An approach based on adherence to minimum regulatory standards and avoidance of financial loss creates risk in itself. In a passive stance, companies cannot shape an optimal risk profile according to their business models nor adequately manage a fast-moving crisis. Eschewing a risk approach comprised of short-term performance initiatives focused on revenue and costs, top performers deem risk management as a strategic asset, which can sustain significant value over the long term. Inherent in the proactive approach are several essential components.
Strategic decision making
More rigorous, debiased strategic decision making can enhance the longer-term resilience of a company’s business model, particularly in volatile markets or externally challenged industries. Research shows that the active, regular reevaluation of resource allocation, based on sound assessments of risk and return trade-offs (such as entering markets where the business model is superior to the competition), creates more value and better shareholder returns. (See, for example, Yuval Atsmon, “How nimble resource allocation can double your company’s value,” August 2016; William N. Thorndike, Jr., The Outsiders: Eight Unconventional CEOs and Their Radically Rational Blueprint for Success, Boston, MA: Harvard Business Review Press, 2012; Rebecca Darr and Tim Koller, “How to build an alliance against corporate short-termism,” January 2017.) Flexibility is empowering in a dynamic marketplace. Many companies use hedging strategies to insure against market uncertainties. Airlines, for example, have been known to hedge future exposures to fuel-price fluctuations, a move that can help maintain profitability when prices climb. Likewise, strategic investing, based on a longer-term perspective and a deep understanding of a company’s core proposition, generates more value than opportunistic moves aiming at a short-term bump in the share price.
Debiasing and stress-testing
Approaches that include debiasing and stress-testing help senior executives consider previously overlooked sources of uncertainty to judge whether the company’s risk-bearing capacity can absorb their potential impact. A utility in Germany, for example, improved decision making by taking action to mitigate behavioral biases. As a result, it separated its renewables business from its conventional power-generation operations. In the aftermath of the Fukushima disaster, which sharply raised interest in environmentally friendly power generation, the utility’s move led to a significant positive effect on its share price (15 percent above the industry index).
Higher-quality products and safety standards
Investments in product quality and safety standards can bring significant returns. One form this takes in the energy sector is reduced damage and maintenance costs. At one international energy company, improved safety standards led to a 30 percent reduction in the frequency of hazardous incidents. Auto companies with reputations built on safety can command higher prices for their vehicles, while the better reputation created by higher quality standards in pharma creates obvious advantages. As well as the boost in demand that comes from a reputation for quality, companies can significantly reduce their remediation costs—McKinsey research suggests that pharma companies suffering from quality issues lose annual revenue equal to 4 to 5 percent of cost of goods sold.
Comprehensive operative controls
These can lead to more efficient and effective processes that are less prone to disruption when risks materialize. In the auto sector, companies can ensure stable production and sales by mitigating the risk of supply-chain disruption. Following the 2011 earthquake and tsunami, a leading automaker probed potential supply bottlenecks and took appropriate action. After an earthquake in 2016, the company quickly redirected production of affected parts to other locations, avoiding costly disruptions. In high-tech, companies applying superior supply-chain risk management can achieve lasting cost savings and higher margins. One global computer company addressed these risks with a dedicated program that saved $500 million during its first six years. The program used risk-informed contracts, enabling suppliers to lower the costs and risks of doing business with the company. The measures achieved supply assurance for key components, particularly during market shortages, improved cost predictability for components that have volatile costs, and optimized inventory levels internally and at suppliers.
Stronger ethical and societal standards
To achieve standing among customers, employees, business partners, and the public, companies can apply ethical controls on corporate practices end to end. If appropriately publicized and linked to corporate social responsibility, a program of better ethical standards can achieve significant returns in the form of heightened reputation and brand recognition. Customers, for example, are increasingly willing to pay a premium for products of companies that adhere to tighter standards. Employees too appreciate being associated with more ethical companies, offering a better working environment and contributing to society.
The three dimensions of effective risk management
Ideally, risk management and compliance are addressed as strategic priorities by corporate leadership and day-to-day management. More often the reality is that these areas are delegated to a few people at the corporate center working in isolation from the rest of the business. By contrast, revenue growth or cost savings are deeply embedded in corporate culture, linked explicitly to profit-and-loss (P&L) performance at the company level. Somewhere in the middle are specific control capabilities regarding, for example, product safety, secure IT development and deployment, or financial auditing.
To change this picture, leadership must commit to building robust, effective risk management. The project is three-dimensional: 1) the risk operating model, consisting of the main risk management processes; 2) a governance and accountability structure around these processes, leading from the business up to the board level; and 3) best-practice crisis preparedness, including a well-articulated response playbook if the worst case materializes.
1. Developing an effective risk operating model
The operating model consists of two layers, an enterprise risk management (ERM) framework and individual frameworks for each type of risk. The ERM framework is used to identify risks across the organization, define the overall risk appetite, and implement the appropriate controls to ensure that the risk appetite is respected. Finally, the overarching framework puts in place a system of timely reporting and corresponding actions on risk to the board and senior management. The risk-specific frameworks address all risks that are being managed. These can be grouped in categories, such as financial, nonfinancial, and strategic. Financial risks, such as liquidity, market, and credit risks, are managed by adhering to appropriate limit structures; nonfinancial risks, by implementing adequate process controls; strategic risks, by challenging key decisions with formalized approaches such as debiasing, scenario analyses, and stress testing. While financial and strategic risks are typically managed according to the risk-return trade-off, for nonfinancial risks, the potential downside is often the key consideration.
Finding the right level of risk appetite
Companies need to find the right level of risk appetite, which helps ensure long-term resilience and performance. Risk appetite that is too relaxed or too restrictive can have severe consequences on company financials, as the following two examples indicate:
Too relaxed. One nuclear energy company set its standards for steel equipment in the 1980s and did not review them even when the regulations changed. When the new higher standards were applied to the manufacture of equipment for nuclear power plants, the company fell short of compliance. An earlier adaptation of its risk appetite and tolerance levels would have been significantly less costly.
Too restrictive. A pharma company set quality tolerances to produce a drug to a significantly stricter level than what was required by regulation. At the beginning of production, tolerance intervals could be fulfilled, but over time, quality could no longer be assured at the initial level. The company was unable to lower standards, as these had been communicated to the regulators. Ultimately, production processes had to be upgraded at a significant cost to maintain the original tolerances.
As well as assessing risk based on likelihood and impact, companies must also assess their ability to respond to emerging risks. Capabilities and capacities needed to manage these risks should be evaluated and gaps filled accordingly. Of particular importance in crisis management is the timeliness of an effective response when things go awry. The highly likely, high-impact risk events on which risk management focuses most of its attention often emerge with disarming velocity, taking many companies unawares. To be effective, the enterprise risk management framework must ensure that the two layers are seamlessly integrated. It does this by providing clarity on risk definitions and appetite as well as controls and reporting.
- Taxonomy. A company-wide risk taxonomy should clearly and comprehensively define risks; the taxonomy should be strictly respected in the definition of risk appetite, in the development of risk policy and strategy, and in risk reporting. Taxonomies are usually industry-specific, covering strategic, regulatory, and product risks relevant to the industry. They are also determined by company characteristics, including the business model and geographical footprint (to incorporate specific country and legal risks). Proven risk-assessment tools need to be adopted and enhanced continuously with new techniques, so that newer risks (such as cyberrisk) are addressed as well as more familiar risks.
- Risk appetite. A clear definition of risk appetite will translate risk-return trade-offs into explicit thresholds and limits for financial and strategic risks, such as economic capital, cash-flow at risk, or stressed metrics. In the case of nonfinancial risks like operational and compliance risks, the risk appetite will be based on overall loss limits, categorized into inherent and residual risks (see sidebar, “Finding the right level of risk appetite”).
- Risk control processes. Effective risk control processes ensure that risk thresholds for the specified risk appetite are upheld at all levels of the organization. Leading companies are increasingly building their control processes around big data and advanced analytics. These powerful new capabilities can greatly increase the effectiveness and efficiency of risk monitoring processes. Machine-learning tools, for example, can be very effective in monitoring fraud and prioritizing investigations; automated natural language processing within complaints management can be used to monitor conduct risk.
- Risk reporting. Decision making should be informed with risk reporting. Companies can regularly provide boards and senior executives with insights on risk, identifying the most relevant strategic risks. The objective is to ensure that an independent risk view, encompassing all levels of the organization, is embedded into the planning process. In this way, the risk profile can be upheld in the management of business initiatives and decisions affecting the quality of processes and products. Techniques like debiasing and the use of scenarios can help overcome biases toward fulfilment of short-term goals. A North American oil producer developed a strategic hypothesis given uncertainties in global and regional oil markets. The company used risk modelling to test assumptions about cash flow under different scenarios and embedded these analyses into the reports reviewed by senior management and the board. Weak points in the strategy were thereby identified and mitigating actions taken.
2. Toward robust risk governance, organization, and culture
The risk operating model must be managed through an effective governance structure and organization with clear accountabilities. The governance model maintains a risk culture that strongly reinforces better risk and compliance management across the three lines of defense—business and operations, the compliance and risk functions, and audit. The approach recognizes the inherent contradiction in the first line between performance (revenue and costs) and risk (losses). The role of the second line is to review and challenge the first line on the effectiveness of its risk processes and controls, while the third line, audit, ensures that the lines one and two are functioning as intended.
- Three lines of defense. Effective implementation of the three lines involves the sharp definition of lines one and two at all levels, from the group level through the lines of business, to the regional and legal entity levels. Accountabilities regarding risk and control management must be clear. Risk governance may differ by risk type: financial risks are usually managed centrally, while operational risks are deeply embedded into company processes. The operational risk of any line of business is managed by the business owning the product-development, production, and sales processes. This usually translates into forms of quality control, but the business must also balance the broader impact of risk and P&L. In the development of new diesel engines, automakers lost sight of the balance between compliance risk and the additional cost to meet emission standards, with disastrous results. Risk or compliance functions can only complement these activities by independently reviewing the adequacy of operational risk management, such as through technical standards and controls.
- Reviewing the risk appetite and risk profile. Of central importance within the governance structure are the committees that define the risk appetite, including the parameters for doing business. These committees also make specific decisions on top risks and review the control environment for enhancements as the company’s risk profile changes. Good governance in this case means that risk decisions are considered within the existing divisional, regional, and senior-management governance structure of a company, supported by risk, compliance, and audit committees.
- Integrated risk and compliance governance setup. A robust and adequately staffed risk and compliance organization supports all risk processes. The integrated risk and compliance organization provides for single ownership of the group-wide ERM framework and standards, appropriate clustering of second-line functions, a clear matrix between divisions and control functions, and centralized or local control as needed. A clear trend is observable whereby the ERM layer responsible for group-wide standards, risk processes, and reporting becomes consolidated, whereas the expert teams setting and monitoring specific control standards for the business (including standards for commercial, technical compliance, IT or cyberrisks) become specialized teams covering both regulatory compliance as well as risk aspects.
- Resources. Appropriate resources are a critical factor in successful risk governance. The compliance, risk, audit, and legal functions of nonfinancial companies (0.5 for every 100 employees, on average) are usually much smaller than those of banks (6.9 for every 100 employees). The disparity is partly a natural outcome of financial regulation, but some part of it reflects a capability gap in nonfinancial corporates. These companies usually devote most of their risk and control resources to sector-specific areas, such as health and safety for airlines and nuclear power companies or quality assurance for pharmaceutical companies. The same companies can, however, neglect to provide sufficient resources to monitor highly significant risks, such as cyberrisk or large investments.
- Risk culture. An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models. Especially important are capability-building programs on risk as well as formal mechanisms to assess and reinforce sound risk management practices.
3. Crisis preparedness and response
A high-performing, effective risk operating model and governance structure, with a well-developed risk culture, minimize the probability of corporate crises, without, of course, completely eliminating them. When unexpected crises strike at high velocity, multinational companies can lose billions in value in the first days and soon find themselves struggling to keep their market position. A best-in-class risk management environment provides the ideal conditions for preparation and response.
- Ensure board leadership. The most important action companies can take to prepare for crises is to ensure that the effort is led by the board and senior management. Top leadership must define the main expected threats, the worst-case scenarios, and the actions and communications that will be accordingly rolled out. For each threat, hypothetical scenarios should be developed for how a crisis will unfold, based on previous crises within and beyond the company’s industry and region.
- Strengthen resilience. By mapping patterns that arose in previous crises, companies can test their own resilience, challenging key areas across the organization for potential weaknesses. Targeted countermeasures can then be developed in advance to strengthen resilience. This crucial aspect of crisis preparedness can involve reviewing and revising the terms and conditions for key suppliers, shoring up financials to ensure short-term availability of cash, or investing in advanced cybersecurity measures to protect essential data and software in the event of failures and breaches.
- Develop action plans and communications. Once these assessments are complete and resilience-building countermeasures are in place, the company can then develop action plans for each threat. The plans must be well articulated, founded on past crises, and address operational and technical planning, financial planning, third-party management, and legal planning. Care should be taken to develop an optimally responsive communications strategy as well. The correct strategy will enable frontline responders to keep pace with or stay ahead of unfolding crises. Communications failures can turn manageable crises into irredeemable catastrophes. Companies need to have appropriate scripts and process logic in place detailing the response to crisis situations, communicated to all levels of the organization and well anchored there. Airlines provide an example of the well-articulated response, in their preparedness for an accident or crash. Not only are detailed scripts in place, but regular simulations are held to train employees at all levels of the company.
- Train managers at all levels. The company should train key managers at multiple levels on what to expect and enable them to feel the pressures and emotions in a simulated environment. Doing this repeatedly and in a richer way each time will significantly improve the company’s response capabilities in a real crisis situation, even though the crisis may not be precisely the one for which managers have been trained. They will also be valuable learning exercises in their own right.
- Put in place a detailed crisis-response playbook. While each crisis can unfold in unique and unpredictable ways, companies can follow a few fundamental principles of crisis response in all situations. First, establish control immediately after the crisis hits, by closely determining the level of exposure to the threat and identifying a crisis-response leader, not necessarily the CEO, who will direct appropriate actions accordingly. Second, involved parties—such as customers, employees, shareholders, suppliers, government agencies, the media, and the wider public—must be effectively engaged with a dynamic communications strategy. Third, an operational and technical “war room” should be set up, to stabilize primary threats and determine which activities to sustain and which to suspend (identifying and reaching out to critical suppliers). Finally, a deliberate effort must be made to address and neutralize the root cause of the crisis and so bring it to an end as soon as possible.
In a digitized, networked world, with globalized supply chains and complex financial interdependencies, the risk environment has grown more perilous and costly. A holistic approach to risk management, based on the lessons, good and bad, of leading companies and financial institutions, can derive value from that environment. The path to risk resilience that is emerging is an effort, led by the board and senior management, to establish the right risk profile and appetite. Success depends on the support of a thriving risk culture and state-of-the-art crisis preparedness and response. Far from minimal regulatory adherence and loss avoidance, the optimal approach to risk management consists of fundamentally strategic capabilities, deeply embedded across the organization.
Daniela Gius is a senior expert in McKinsey’s Hamburg office, Jean-Christophe Mieszala is a senior partner in the Paris office, Ernestos Panayiotou is a partner in the Athens office, and Thomas Poppensieker is a senior partner in the Munich office.