What is 'Risk Management'
In the financial world, risk management is the process of identification, analysis and acceptance or mitigation of uncertainty in investment decisions. Essentially, risk management occurs any time an investor or fund manager analyzes and attempts to quantify the potential for losses in an investment and then takes the appropriate action (or inaction) given his investment objectives and risk tolerance.
Risk management occurs everywhere in the financial world. It occurs when an investor buys low-risk government bonds over more risky corporate bonds, when a fund manager hedges his currency exposure with currency derivatives and when a bank performs a credit check on an individual before issuing a personal line of credit. Stockbrokers use financial instruments like options and futures, and money managers use strategies like portfolio and investment diversification, in order to mitigate or effectively manage risk.
Successful risk management is one of the most difficult aspects of a Project Manager’s responsibilities, because it requires the ability to predict possibilities, probabilities, and potentialities. In means dealing with the 'could happens’, ‘might happens’, and ‘probably will happens’ that are part and parcel of any given project. While avoiding risk seems like an obvious goal, there are many risks in a project that cannot be completely avoided, and there are some that are actually taken on as part of a plan to extract the best profit, prestige or other favourable outcome for the company. Because of the large number of uncontrollable parameters involved in risk management, it ultimately comes down to making the best possible guess, and having the best possible contingency in place for when something goes wrong.
Project Management risks can usually be divided into three types: there are the avoidable risks that are a result of human error, or bad systems or frameworks; there are strategic risks that are taken on in pursuit of some kind of favourable return (such as building something ‘impossible’ and thereby increasing your company’s reputation); and, there are risks that are beyond anyone’s control, such as ‘acts of God’, unexpected market events, changes to laws, or political upheaval. Each one of these three types requires a different strategy for risk management, and the first step it to identify the type of risk so that the correct tactic can be utilized. Trying to create company rules and regulations, for example, to try to prevent a major political event is a pointless endeavour.
Avoidable risk is the one with which a Project Manager will have the most contact with and influence on. This is the risk that is created by poor choices by staff, or a faulty company structure. These risks can be managed with two key tools: regulations/company policies, and a well organized and maintained communication structure. Rules that clearly define what is allowed and not allowed, who is responsible for what, what behaviour is acceptable and what is not, and what is expected from each employee will go a long way to reducing risk created by unethical, or bone-head behaviour. Having a clear and well functioning communication system, and corporate structure will help to reduce the risk of operational breakdowns within the company. But rules and regulations are only useful for these types of risks.
Strategic risk is the risk that a company knowingly takes on in pursuit of benefit for itself. The risk of loaning or borrowing money, for example, is a strategic risk, and a necessary part of business. These risks are inherent to all business, and no amount of rules or company policies will eliminate this type of risk. To manage this type of risk, the cost benefit of taking the risk must be fully understood and analysed, and a contingency plan must be put in place for dealing with a disastrous situation, should it actually manifest itself. The better a company is at understanding and planning for strategic risk, the more risky the undertakings it can attempt, thereby leveraging itself past its competitors.
The third type of risk that any company will face is the risk of unavoidable, uncontrollable events, such as natural disasters or political turmoil. While controlling the weather is out of the control of any company, managing this kind of risk involves keeping a close eye on anything that may predict an undesirable event occurring, and having a plan in place that has, as it’s purpose, the reduction of the effect of any disaster on the project. Storms and political upheaval rarely appear out of the blue without any warning, and so, being cognisant of the warning signs is an important part of managing these types of risks. Identifying possible catastrophes, and having a plan in place for what to do if it occurs is the only possible risk management strategy for these types of risks. Insurance, for example, is a way of dealing with some uncontrollable risks, but having tsunami insurance for a project in Utah, hundreds of miles from the ocean, is not money well spent.