7. Don’t Be Afraid of Risks

Although problems are inevitable, managers should not be afraid of problems simply because of their elusive nature. Managers typically do not like problems for two primary reasons: the resulting damage to cost, schedule, or quality, and the response or lack of response planning to deal with the problem and what that will require. When a problem occurs, the manager now has more work in damage control, which adds to an already hectic workload. In looking at problems, a primary issue is the fact that they are simply not planned and this is why problems can create stress for the manager.

Project managers have the same responsibility in overseeing a project because problems can occur, but there are tools they can use to plan for risk and how to respond to problems. Project managers also make this the culture of the project so that everyone is aware of the tools and techniques to plan and address problems.

Throughout history, organizations at many levels have capitalized on problems, resulting in bigger and better things for the organization. This might involve new product introductions, a failed attempt in an engineering lab that resulted in a new way to do something and possibly a patent, or a problem revealing a hidden element of the business that can now be improved. One thing is for sure: When problems occur it is how management responds to problems that reveals the maturity, professionalism, and experience the organization has in dealing with problems.

It would not be in the best interests of managers to address their responsibility using a reactive approach. This would suggest that processes are being carried out with no planning or scheduling of resources and without an objective. This approach would be ludicrous because there would be no planning, and managers would spend all of their time responding to process requirements. Unfortunately, this is, in fact, how many managers approach problems that come up, without identifying and planning for those problems beforehand.

This type of training for risk management is not difficult or time-consuming, but simply requires managers to have some basic fundamental tools and knowledge of how planning for risk and problems can now be a part of the culture of the organization.

This is how the culture of risk management is trained and implemented within an organization, improving the confidence and efficiency of those managing the organization. When risk management is carried out and the outcome of planning for problems is seen by others, this causes other management to follow this approach, and it becomes a part of the culture of the organization.

When managers develop a budget, they are estimating the cost of performing the processes within their department. In some cases, these costs might include extra overhead—rework and any added cost associated with ensuring that processes get completed. These budgets will also need to include monies allocated for the response to problems having an impact on the budget. If money is allocated ahead of time in case of certain potential risks, these funds will need to be spent only in the event the problem actually occurs. This type of planning should be desired by managers because it ensures that they will stay on budget, having additional funds allocated for potential serious problems that might occur.

This type of planning also is desired by most financial managers within the organization to better plan for operational expenses. Although operations and midlevel managers can submit budgets for financial planning, it is rare for these budgets to include contingency monies for potential serious risks that were planned for by the manager. This level of planning shows a higher level of maturity for an organization in more accurately estimating the cost of doing business.

When processes are carried out, there are many things that can happen that can slow down the process, cause it to break or stop functioning, or affect the output or deliverable in some way. If the resources performing these processes, other supporting staff, or subject matter experts were to walk through each component of the process, several potential problems could be identified.

In most cases managers and staff could generate an exhaustive list of potential problems with a wide range of probability of occurrence and impact on the process. There also could be myriad of other things that could happen in the physical universe that could have an impact but might not be as readily identifiable. These are broken down into two primary classifications: identifiable problems, called risk, and unidentifiable problems, called uncertainty.

Because these problems can be identified, they can also be analyzed for their probability of occurrence and impact, and a response plan can be formulated. As part of the response plan, contingency efforts can result in finance and schedule planning as well. This can be a big help for the manager in estimating a budget, as well as in resource allocation. Developing a risk management plan is covered in the next section of this chapter.

1. Identify risks

2. Analyze risk

3. Plan response

4. Monitor and control

5. Audit and review

It is advisable for managers to list individual areas of their department in which they would like to do risk management planning. It is best, in operations management, for the manager to have more individualized plans for specific processes within the department, rather than one large plan that covers everything. This will make it easier to manage response planning, monitoring, and contingencies. This will also help the manager identify only the risks for specific processes and keep the scope of the plan relative to that process.

Risk identification is the process of accumulating information about potential problems that will have the manager answering five fundamental questions about risk—three that are covered in risk identification and two that are covered in risk analysis. These are the three fundamental areas within risk identification:

1. Who—Who will be performing the identification, and who will be interviewed to offer information?

2. What—What kinds of risks will there be, what are the sources of risk, and what is the potential impact and probability of occurrence?

3. When—When are risks expected to happen so that planning and scheduling of resources will be accurate?

These individuals should be skilled or have experience in accurately gathering data from subject matter experts and doing simple analytical work to formulate the risk management plan. Because the risk management plan will work only as well as the accuracy of the data it is based on, it is imperative that these individuals understand how to gather data, what questions to ask, and the importance of detail within this information. The manager can also identify certain individuals whom she would like to train in performing risk information gathering and analysis, and these individuals can be assigned to do this occasionally throughout the department. These tools are covered later in this chapter in the section “Analyzing, Categorizing, and Prioritizing Risk.”

The second part of who is involved is what resources should be interviewed for accurate information. If the manager is gathering information about a process, he must look to how the process was developed and the details around the process to best know who would understand problems relative to that process. Resources performing the process should be interviewed because they have firsthand knowledge and details of problems that could happen. Others who might have been involved in developing the process, such as manufacturing or process engineers or functional managers within the department, should be interviewed as well because they would know where potential problems would be or would know about problems that have happened in the past.

In the course of developing a process, problems do occur, and a process improvement was developed by someone to eliminate those problems; these same individuals would also know if these problems could still present potential risk. If subcontractors are used, they can be a wealth of information about potential problems that could happen, and they might be considered a subject matter expert. Contractors are typically hired based on the fact that they are perceived as professionals who have knowledge and experience of not only how to do something but the potential risks as well.

In project management it’s a typical understanding that just because risks are categorized as medium- or low-probability or severity doesn’t mean that the classification can’t change in the course of the project due to other influences. This is why all levels of risk should be identified so that they can be categorized and prioritized by probability and severity. They can also be planned for if the probability or severity is to change at a later date or under different circumstances.

The manager must then rely on tools to understand the impact that a potential risk might have relative to the timing within the operation or within a process. One tool might be process documentation that outlines the steps within a process that can reveal how severe a potential risk could be based on when it occurred. If the scope of risk identification is on a larger scale, a tool like the work breakdown structure might help identify over the course of several days, weeks, or months when potential risks would occur and the corresponding impact they would have. Tables 7.1 and 7.2 show two examples of how work breakdown structure could include potential risks on a special project or on a normal process giving the manager a way to plan risk.

Table 7.1. Work Breakdown Structure for a Project with Risk Planning

Table 7.2. Work Breakdown Structure for a Process with Risk Planning

Another tool a manager could use is called a Network Diagram. It also shows the sequence of process steps or tasks and where potential risks could occur to help in understanding the severity and impact of those risks. Figure 7.1 shows an example of how a Network Diagram can be used to not only identify but plan for risk events that might happen.

Figure 7.1. Network Diagram with risk planning.

This does seem like extra work and in many cases is not necessary, but any manager who has experienced the power of having planned for a potential problem and having had that problem realized knows how good it feels to be prepared with a plan in place.

• Qualitative—More generalized, nonnumerical and subjective

• Quantitative—More specific, numerical and objective

In qualitative risk assessment, information that was gathered on specific risks might be in more a generalized format using less specific terms such as high, medium, or low; hot or cold; good or bad; pass or fail. Although these are descriptive enough for understanding risk, they do not have any numerical values and thus are more subjective in articulating the attributes of risk. In some cases, this might be all the information that is available to assess risk. Depending on the size and complexity of the process or environment the risk will be associated with, this level of analysis might or might not be suitable. In less complex environments, a more generalized qualitative assessment might be fine because it can provide a quick and basic assessment. In more complex environments or those that are more critical to the operation, a more in-depth, precise analysis with actual percentages and numbers is required.

Quantitative risk assessment is much more detailed, is objective, and usually results in percentages or other numerical values. If this level of information is available, it is always best to use a quantitative assessment because it will allow for better response planning and assessment of budgetary and schedule impact. If the manager will require actual cost data and numbers of days or weeks that will impact the schedule, this type of data needs to be obtained in the original information-gathering exercise.

Table 7.3. Risk Matrix

This information is prioritized and documented in project management using a tool called a risk register. This register is again a simple tool managers can build that can identify several pieces of information about each risk in addition to the overall prioritization and response strategies. The risk register shown in Table 7.4 gives an example of some of the areas of information associated with each risk that the manager can assign or view.

Table 7.4. Risk Register

The manager can customize her own risk register based on the complexity of process or risk monitoring she will need to have. In addition to the name of the risk and the associated probability and impact, other columns could include early indicators or triggers, the owner of the risk, expected timeframe, response plan, and/or contingency, as well as any other pertinent information the manager might want to include.

It’s important for the manager to keep risks logged onto the risk register and to not remove any, because risks, even small, can still pose a threat with minimal probability or impact. As discussed earlier, risks can change in probability or impact relative to other influences that might alter the situation and recategorize a risk to a higher level.

• Avoidance—This plan identifies an alternative that will eliminate the risk completely. This is usually the best plan of action because it eliminates the effect the risk would have and any associated impact to the cost, schedule, or quality of a process. This might require thinking out-of-the-box as to a new way of doing something to eliminate a risk. It might also be simply a minor modification in an existing process that avoids a risk.

• Mitigation—This plan is only able to identify a reduction in probability or impact and not completely eliminate the risk. Mitigation plans for the risk to happen, which places all the importance on the response’s being carried out accurately to minimize the impact of the risk.

• Acceptance—This plan is applied to risks that, after careful analysis and categorization, will likely have little impact based on severity. Acceptance assumes that the risk will play out with little or no response required, but will still be monitored for any shifts in severity. The cost, schedule, and quality impact in resource planning a response to avoid or mitigate this risk would cost more than simply letting the risk play out. This approach is left to the discretion of the manager as to the cost benefit in designing a response versus the overall cost the risk would have.

• Transference—This plan transfers the responsibility of risk and therefore the response or any contingency to a third party. This is commonly seen with the use of subcontractors who will assume the liability and risk of work being performed as defined by their contract. Any problems, setbacks, or added costs could be absorbed by the contractors based on the type of contract they have. Another form of transference is in the use of the organization’s insurance policy, which could be engaged should a major risk event result in a severe impact to the organization.

Another element in response planning is that of early indicators or triggers that can be identified to help give early detection that a risk event or problem is imminent. These are typically found during information gathering from subject matter experts and those directly involved with the process. Early indicators or triggers can be information offered in status meetings or phone calls from suppliers or vendors that might produce critical first-sign information that a bigger problem might be on the horizon. In areas where equipment or machinery might be used, the first signs of fatigue, however small, might be all that is needed to understand a full-scale problem before it actually happens, causing catastrophic damage or injury.

When heavy equipment or machines have the first sign or trigger, in many cases, the manager has time to respond with a workaround or replacement machine or equipment until that one can be repaired, resulting in minimal cost and downtime. If these triggers were not recognized, problems could result in higher-cost solutions, downtime, and no time to plan a response to a major problem with a workaround. Early-detection triggers, no matter how small and insignificant, can ultimately be one of the most powerful pieces of information in the risk register.

Another column to include in the risk register in planning responses is selecting an owner of a risk item. It is important that each risk have an owner assigned who is knowledgeable about the details of the risk and who will be responsible for executing the response. It might not always be the manager; in many cases it might be the subject matter expert or resource directly involved with the process. Resources with firsthand, direct knowledge of the process and potential risks are generally the best first responders who can identify early-detection triggers or initiate a response plan quickly. If a resource is identified as the owner of a risk event, the manager needs to make sure that information has been communicated to the resource along with the response plan and any contingency plans that have been made. This also gives that resource ownership of that risk, as well as accountability in ensuring that the response and contingency are carried out correctly and completely.

With monitoring systems in place and effective communication established, the manager also needs to ensure that the risk owners are aware of their responsibility with regard to established response plans and contingencies. In some cases, response plans might rely on avoidance or mitigation that involves critical early steps that need to be taken to effectively carry out that response.

These controls are vital and those responsible for the controls must be trained properly in their implementation and importance within the risk management plan.

Managers can also use this information to assess processes for improvement. One approach to process improvement is through reactive cost reduction, rework response, or efficiency improvement exercise. A better approach would be through the proactive assessment of potential problems that results in a response plan to avoid these problems, generating the necessity for process improvement. This not only accomplishes process improvement for cost reduction and efficiency, but also addresses potential risk. It will be this kind of forward-thinking, proactive-type approach to managing that takes the manager to the next level. It is always great to hear about a manager’s response time and problem-solving skill, but it would be better to hear that due to the manager’s planning, fewer responses are required! This gives the manager more time to focus on managing and planning, instead of running around fighting problems.

• Understanding the importance of why the plan is developed

• Understanding the importance of the information generated from risk responses

All too often, organizations make mistakes, continue to have problems, and seem to reinvent the wheel over and over. This is unfortunate for organizations that have weathered problems, written off cost, and dealt with schedule delays only to have a culture that still reacts to problems versus proactively avoiding problems.

A competitive advantage many organizations do not consider is the power of the avoidance of problems or setbacks and the corresponding savings in finances, scheduling, and resources. When organizations review their business performance for overhead expenditures and productivity, it usually indicates the effect that problems have had on the operation. Risk response planning would then improve these numbers, resulting in a savings to the organization in avoiding or minimizing risk.

This is how the organization begins to develop a culture for risk management planning, through the understanding of the effect it will have in improving the organization’s performance. This is also why executive management should drive this agenda as cost savings; schedule and resource management will be greatly improved, which will be seen in the overall bottom line! Executives get excited about these numbers and types of improvements within the organization.

Documenting risk events as they happen, and the effect that a response plan had, will serve as a lessons-learned document for others to review later. As mentioned, organizations should have a culture of learning from their mistakes and fine-tuning risk management plans to avoid future mistakes or problems. Documentation of actual risk events can also help in better estimating the cost and schedule impacts of similar risk events for future risk planning. This will be another source of information for identifying and analyzing risks as well as developing response plans to better understand the severity and impact risks can have within the operation.

• Planning for problems is a proactive approach, whereas responding to problems after they have occurred is a reactive approach to risk management. How managers respond to problems is largely a statement of the culture the organization has in preparing for risk.

• Planning for problems gives managers the confidence to oversee processes on a day-to-day level knowing that they have solutions planned for potential problems. This also allows managers to embark on new responsibilities they might acquire because they now have a tool that enables them to plan for problems.

• Budgeting for risk gives managers confidence that they will stay on budget and will have monies set aside for potential problems.

• The accuracy and completeness of information is critical in developing an effective plan for potential risk.

• The manager will have more confidence in day-to-day operations if potential problems have been identified and response plans are in place.

• The manager needs to continue to monitor all the risks to see whether any shift in priority in the risk register will be necessary. The risk register is then the primary tool the manager will use in monitoring potential risk.

• The contingency plan gives the manager the response tool needed to address risks confidently, in a timely manner, and cost-effectively.

• These early detections are control mechanisms that are designed to avoid problems or to put into place early detection of problems so that avoidance or mitigation can be carried out.

• When risk management planning is correctly developed and effectively implemented, managers will find that it does reduce or eliminate potential problems, reduce cost, and maximize efficiency.

• The manager developing and implementing the risk management plan will be more in tune with processes and activities conducted within the department, and can confidently prepare for any potential risks and significantly contribute to cost reduction through problem mitigation and elimination.