Many organizations have adopted enterprise risk management (ERM) as a way to make better decisions, get stronger operating results, and meet regulatory requirements. These same organizations may have program and project managers managing scores of projects. However, few organizations have yet to actually unite the enterprise and project risk management efforts.
Consequently, efforts are disjointed, projects lack strategic alignment with the organizational objectives, and resources are not properly utilized. Unfortunately, these organizations are not realizing their full potential.
What is Enterprise Risk Management?
The Risk Management Society (RIMS) defines ERM as “a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.” Why is ERM important?
If you were planning to buy a house, you would have a home inspection completed. The inspector would not only look at each room in the house, they would climb on the roof, crawl under the house, walk through the attic, and analyze the electrical, heating and air, and other systems. You would receive an inspection report listing all of the issues and risks.
An organization’s risk champion (e.g., Chief Risk Officer) ensures that risks are identified and evaluated at different levels of the organization. The risk information is captured in an enterprise risk register and analyzed qualitatively and quantitatively resulting in a risk profile. Risk owners are assigned to the most significant risks to develop and execute risk response plans as needed.
This approach allows an organization to see the full spectrum of risks and make better decisions. Rather than making a knee-jerk reaction to the latest problem, senior leaders are in a better position to prioritize their efforts and responses.
What is Project Risk Management?
The Project Management Institute (PMI) defines project management as “the application of knowledge, skills, tools, and techniques to project activities to meet the project requirements.”
Project risk management includes the processes to identify, evaluate, develop response plans, implement responses, and monitor project risks. The essence of good project risk management is making better choices in order to achieve the project objectives.
While ERM Champions and Committees seek to identify and manage significant enterprise risks, project managers seek to identify and manage significant project risks. What are the things that may help or hinder the team’s ability to achieve the project objectives?
Project managers capture the risk information in a project risk register and periodically perform risk reviews to reassess current risks and identify new risks.
Project Risk Management Processes
Plan Risk Management
Defining the approach to identifying, evaluating, developing response plans, implementing responses, and monitoring risks.
Identifying individual project risks and overall project risks.
Perform Qualitative Risk Analysis
Prioritizing risks by assessing probability and impact of individual risks.
Perform Quantitative Risk Analysis
Numeric analysis of individual and overall project risks.
Plan Risk Responses
The selection of risk strategies (e.g., mitigate, transfer) and plans to respond to individual and overall project risks.
Implement Risk Responses
The actual responses to the risks.
Continual monitoring of risks through risk reviews; evaluating the effectiveness of the risk management processes.
How to Unite Enterprise and Project Risk Management
Strategic risk management, a critical component of ERM, is the process for identifying, evaluating, and managing risks most critical to achieving an organization’s strategies and goals. It starts with defining the organization’s vision, mission, and values.
Next, we define goals. Imagine an insurance company with this goal: “Increase profit by 5% by 12/31/XX.”
We can improve profits by increasing our revenue. Therefore, we may plan to increase our insurance rates and provide our agents with incentives. The company may undertake a project to increase its auto insurance rates and another project to put in place a profitability bonus program for the agents.
Another way to improve profits is by decreasing losses. We can decrease our losses by increasing the policy deductibles and managing the concentration of risks.
Once again, we leverage project management to implement the homeowner deductibles and a process for managing the property exposure/concentration.
Why Project Management Matters
In many organizations, the project success rate (e.g., coming in on budget, on schedule, and meeting the requirements) is one out of three. If organizations wish to better manage their enterprise risks, they must improve their project success rate. Amazingly, many companies do not measure their success rate and have no idea of whether they are making progress.
Next Steps for You and Your Organization
What strategic projects are you undertaking? Strategic opportunities. Customer requests. Technology advances. Meeting regulatory requirements. Market demands.
High-performing organizations have learned to respond to enterprise risks through projects. They have improved their project success rate by identifying and managing their project risks. These organizations measure and monitor their project success rate and look for ways to gain a competitive advantage through better project management.
You may be thinking—this all sounds great, but I’m not in a position within my organization to do anything about these matters. If that’s the case, consider sharing this article with those who are—executive leaders, risk champions, individuals who direct or manage project management offices (PMOs).
Enterprise Risk Management Resources
- NC State ERM Initiative
- AICPA / NC State – An Overview of ERM Practices
- ISO 31000 – Risk Management
- COSO Guidance on ERM
Project Risk Management Resources
- The Project Management Institute (PMI)
- The Project Management Body of Knowledge – 6th Edition
- The Practice Standard for Project Risk Management
- PMI-Risk Management Professional Certification