The effectiveness of the discipline of project risk management is influenced by a series of factors, many of which are now well documented. However the use of, for instance, an appropriate process, technique or software tool is overshadowed by the extent to which risk management is used to support decision making. The integration of risk management within the project lifecycle stages is to a large degree influenced by the culture of the organisation and where within the project organisational structure the risk management function sits.
It is surprising then, that so little attention is given to which position the ‘senior risk representative’ occupies within the project team and more importantly their role in the decision making process. I have used the label ‘senior risk representative’ as there are many job titles in use all with the same function. Given that risk management is the raison d’être for project management and the escalating scale of risk exposure for project sponsors, the position and role of the risk function within projects warrants fresh examination.
The growth in risk exposure stems from the visible trend of the ever increasing scale, complexity, size and speed of delivery of major projects. For OECD countries through to 2030, annual infrastructure investment requirements for electricity, road and rail transport, telecommunications and water is likely to average around 3.5% of world gross domestic product (GDP). The increasing scale of contemporary capital investment is amply illustrated by the following list of projects currently in progress or recently completed:
- The Boston Big Dig (US)
- Etihad Rail Network (Abu Dhabi)
- Hyderbad Metro (India)
- The Three Georges Dam (China)
- Beijing International Airport (China)
- Marmaray Rail Project (Turkey)
- Crossrail (UK)
Capital projects are important for businesses as their success is critical to their plans for growth and failure can attract additional costs, damage their reputation, interrupt business continuity and make shareholders nervous.
The rise of the Chief Risk Officer
For the majority of companies employing enterprise risk management they have come to realise that the role of the corporate risk representative must take on greater importance through being given a more elevated position. Within businesses the position of the Chief Risk Officer (CRO) continues to grow in popularity.
The eighth risk management survey by Deloitte Touche Tohmatsu of 86 financial institutions from around the globe, representing more than $18 trillion in combined assets, found that 89% of institutions reported having a CRO or equivalent, up from 73% in 2008 and 65% in 2002. This popularity stems from businesses’ failure to properly understand and manage risk.
Poor risk management was cited as the root cause for the global financial crisis of 2007-2010. There is now widespread acceptance that for businesses the risk representative should have a high profile. The CRO has a strategic, senior-level role at most institutions and reports to either the CEO or the board of directors at roughly 80% of participating institutions. The position is now seen as critical rather than just a supporting role, and the CRO provides input into the development of the business strategy.
The survey established a consensus that enterprise risk management has improved the understanding of the risks and controls, increased the ability to escalate critical issues to senior management, enhanced the risk culture and provided a better evaluation of the balance between risks and rewards. Given the attention risk management has received within the business sector combined with the growing size of projects, it could be argued the debate is well overdue as to whether the position of the senior risk representative on major projects should be elevated.
For many multi-billion Australian dollars, Euro and Sterling projects the senior risk representative (like the head of the Quality and HSE departments) already reports directly to the project director. However this reporting line provides no guarantee that risk management as a discipline will be integrated effectively into decision making. The shortcomings may be numerous. For example the risk representative:
- Is provided with an ill-considered job description, is engaged late in the project lifecycle or is engaged on the insistence of the client rather than being considered an essential team member.
- Is given restricted access to project personnel and is not invited to project director meetings.
- Is not involved in an assessment of the business case, establishing stage gates or in the choice of procurement, form of contract or contract conditions.
- Is not called upon to provide risk based analysis of options for decision making.
- Has restricted access to project communications.
In addition in terms of the project directors themselves, the ability of a risk professional to effectively report to or work alongside the senior management team will be influenced by a series of factors including, but not limited to:
- The project directors’ knowledge of project risk management, their perception of the role of risk management, their view of the contribution the discipline makes to successful project delivery and their understanding of when risk management practices should be applied.
- The dynamics of the interaction between the project directors (for instance whether the directors have significantly different views on the importance of risk management).
- The personal agenda of each of the project directors (the degree of autonomy they seek without the involvement of or oversight by others).
- The governance structures put in place (for instance the execution plan, procedures, organisational structure, reporting lines and communication methods).
It will also depend on the risk professional’s own knowledge of the project lifecycle, experience of the industry and their personal attributes such as clarity of thought together with interpersonal and communication skills. The risk specialist must command the respect of his colleagues and be persuasive when proposing alternative courses of action.
In summary, the risk management role needs to be at a position where the senior risk representative automatically participates in strategic decision making throughout the project lifecycle. That is from the development of the business case through to commencement of operations, for instance, option analysis, stakeholder management, the procurement process and seeking approvals are all about managing risk exposure.
As with the progressive acceptance of the CRO role and the evolving receptiveness of the C-Suite to risk management, however, project directors will have a significant impact on the future integration of the risk management role in decision making. There can be a number of hurdles to surmount particularly in establishing risk management and gaining project director support. Project sponsors and project management consultancies alike need to consider a change in approach to elevate the role of risk management so it is consistently and explicitly at the heart of decision making.