The accounting and finance industries surely lead the
way in management of risk, despite the recent mortgage debacle in the finance
industry. I say this because of the maturity of the risk management processes
in these industries. Risk management processes are represented by the
Integrated Framework study performed by the Committee of Sponsoring
Organizations (COSO) in September of 2004 which describes the committee's
recommended approach to what they refer to as Enterprise Risk management (ERM -
there's another acronym for your collection). This study was commissioned by
the American Institute of Certified Public Accountants (AICPA) and called the
Treadway Commission. The sponsoring organizations include a "who's
who" of the American accounting and Financial industries; just about all
the accounting organizations were represented as were companies such as I.E.
Dupont, Motorola, and PriceWaterhouse Coopers.
One of the key recommendations of their study, and a
cornerstone of their Enterprise Risk Management processes, was that the Board
of an organization was ultimately responsible for giving direction to the
company in the area of risk management. Their contribution to directing efforts
is represented by a statement of "risk appetite" which is intended to
be used by the management of the company to select the projects it undertakes
and to manage risk on those projects. The statement is a very general
description of the approach to risk which they wish the company's managers to
take. The COSO actually makes management responsible in part for solicitation
of the statement. Although this dual responsibility may muddy the waters of
statement creation it clearly implies that if the Board of Directors is not
educated in the ways of ERM it is up to management to educate them and be
proactive in educating the board and soliciting the statement. This statement
then governs the setting of risk tolerance thresholds, defining risk
activities, and monitoring and controlling the risk activities carried out by
The approach taken by the COSO, as described in their
Integrated Framework, mirrors that taken by many Quality methodologies in that
it is directed from the top down and requires support and input from the very
top of the organization's managerial hierarchy. ERM probably goes one step
beyond most Quality methodologies in this area by starting with the Board of
Directors. You can't get any higher up the ladder than that! Although the
approach may seem slightly over the top, the COSO have moderated it somewhat by
holding management dually responsible for soliciting direction from the board.
This strategy has worked for many quality methodologies for a good many years
so it seems to me that the COSO is emulating a proven approach.
By now, you will be asking yourselves what any of this
has to do with project management. Let me explain. We all know the frustration
of managing a project where the customer or client doesn't make their
requirements clear to us. We usually find out what our client wanted after we
have delivered what we thought they wanted and found out otherwise. Nowhere is
this more true than in the area of managing risks to the project. Those of us
who studied the best practices espoused by the PMBOK in a PMP course, or otherPMP Exam preparation training, attempt to get at a risk tolerance threshold
that we can use as a yardstick against which to measure our prioritized risks
to determine if we should mitigate or accept them. I'm not recommending that
you try to teach your sponsors, customers, and clients Enterprise Risk
Management; just that you communicate to them how important their guidance is
in defining an approach to risk management that mirrors their expectations.
Soliciting a "risk appetite" statement should be simpler than trying
to educate a sponsor in the mysteries of risk analysis and PI scores so that
they can define a tolerance threshold.
Don't simply approach your sponsor/client/customer and
ask them for a "risk appetite" statement. Schedule a meeting for the
purpose of discussing risk management for your project. You can begin with a
quick review of your Risk Management plan which should contain an explanation
of your approach, including this meeting. Explain the purpose of an appetite statement
and then break your project down into goals, objectives, milestones, and
deliverables. Ask them what their appetite is around each. You can ask them to
rate appetite on a scale of 1 to 10, or rate them as high, medium, or low.
Approaching risks in this fashion won't give you the threshold score you need
but should give you enough of an insight into their priorities to allow you to
prioritize your risk list. Don't forget to include goals in the areas of
performance, project budget, quality, safety, and Corporate Social
Responsibility. You can then decide on how to establish a threshold to apply.
One method is to determine the budget for mitigation and then determine how
much of the list your project can afford to mitigate.
The SANS Technology Institute is one organization that
has created a risk appetite statement that they are willing to share with the
public. They use a five point scale to measure appetite:
- Risk Averse. The institution is unwilling
to accept the risk
- Low Risk Appetite. This institution is
unwilling to accept the risk in most circumstances
- Balanced Risk Appetite. The institution is
willing to accept a "balanced" risk
- Moderately High Risk Appetite. The
institution is willing to accept a moderately high risk to their goals and
- High Risk Appetite. The institution uses
the sponsorship of a football team as an example of this degree of risk. They
assess the probability of an injury from playing football as a question of
when, not if.
The institution uses this scale as a guideline for
choosing which projects they are willing to undertake.
This is not a cure-all for what ails your project in
the area of risk management but is a new way of viewing risk management that
you may not have considered previously. The new approach to risk management
might just succeed in extracting direction in terms of risk appetite which has
been missing from your projects to date.