Stakeholder Risk Tolerance
Stakeholder Risk Tolerance
By Lynda Bourne
Managing the inherent risk associated with undertaking any project, anywhere, in any industry is a critical organizational capability. Within the organizations overall Project Delivery Capability (PDC) the maturity of its risk management approaches is central to the organization’s ability to generate value.
Only very immature or deluded organizations seek or expect to run ‘risk free’ projects. To quote Suzanne Finnamore: “Delusion detests focus and romance provides the veil.” Any sensible analysis of any business activity will indicate levels of risk; effective organizations understand and manage those risks better then ineffective organization.
The skills that a mature organization brings to the art of ‘risk management’ is to focus effort on managing risks that can be managed, providing adequate contingencies for those risks that cannot be controlled and deciding how much residual risk is sensible. The balance that has to be struck is between the cost and time needed to reduce the risk exposure further (the pay-back diminishes rapidly), the impact of the risk if it occurs and the profit to be made or value created as a result of the total expenditure on a project.
The sums are superficially simple; adding another $100,000 to the cost of a project to reduce its risk exposure by $10,000 reduces the value of the project by $90,000. In competitive bids, increase your bid price too much and the value drops to $Zero because the organization fails to win the work! However, the situation is more complex; the nature of the risk may require the expenditure regardless of the potential saving (particularly in areas of safety and quality) and whilst expenditures are reasonably quantifiable, the actual cost of a risk event and the probability of it occurring are variable and cannot be precisely defined for a unique project.
To develop a mature approach to risk management, each layer of management has a role to play:
- The organization’s governing body (typically a Board of Directors) is responsible for developing an appropriate risk taking policy and defining the organizations ‘risk appetite’.
-
The Executives are responsible for creating the culture and framework that approached the management of risk within the parameters set by the Board in a capable and effective way.
-
Senior management isresponsible for implementing the risk management system.
The mark of a mature organization is the recognition at all levels of management that having implemented these systems, the organization still has to expect failure! Every single project has an associated risk and properly managed, these risks are at an acceptable level for the organization. But if there is a probability for success, there has to be a corresponding probability of failure!
Assuming the organization is very conservative and requires budgets to be set with appropriate contingencies to offer a 90% certainty of being achieved, and this setting is applied to all projects consistently, the direct consequence is an expectation that 1 in 10 projects will overrun cost. Certainly 9 out of 10 projects will equal or underrun cost but there is always the remaining 10%. Mature organizations expect the profits and un-spent contingencies on the ‘9 underruns’ to more then offset the ‘1 overrun’. However, these ‘expected failures’ tend to be totally ignored by immature executives who want to pretend there is ‘no risk’ and then blame the PM for the failure.
There are two aspects of dealing with the ‘expected failures’ implicit in any realistic risk assessment. The first is setting the boundaries of accepted risk at an appropriate level of the organization. Aggressive ‘risk seeking’ organizations will set a lower threshold for acceptability and experience more failures that conservative organizations. But the conservative organizations will achieve far less.
Looking at the cost aspect of risk for the project above, the most likely cost for this project is $17,500 but this is optimistic with a less then 50% chance of being achieved. The range of sensible options are to set the budget at:
- The Mean (50% probability of being achieved) is $17,770.
-
Add one standard deviation to the Mean increases the probability of achieving the project to 84%, but the budget is now $18,520.
-
Add two standard deviations to the Mean and the probability of achieving the budget increases to 97% but the budget is now up to $19,270.
From this point, the pay-back diminishes rapidly, to move from 97% to 99.99% (six sigma), an additional $3,000 would be required in contingencies making a total contingency of $4,770 to effectively guaranteed there will be no cost overruns. Because of this very high cost for a very limited change in the probability of achieving the objective most projects focus on either the 80% or the 90% probabilities.
However, even within these relatively sensible ranges, making an appropriate allowance for risk has consequences. Assuming all projects have a similar cost distribution and the organizations total budget for all projects is $10 million the consequences are:
- To achieve a 50%/50% probability of projects achieving budget, approximately 1.6% of the budget will need to be allocated to contingencies: $160,000
-
To achieve an 84% probability of projects meeting the allocated budget, approximately 5.8% of the budget will need to be allocated to contingencies: $580,000
-
To achieve a 97% probability of projects meeting the allocated budget, approximately 10.1% of the budget will need to be allocated to contingencies: $1,010,000
Whilst the mathematics used above are highly simplified, the consequences of risk decisions are demonstrated sufficiently for the purpose of this post. To be 97% sure there will be no cost overruns, more than 10% of the available budget to undertake projects will be tied up in contingencies that may or may not be needed, the consequence is less than 90% of the possible project work will be undertaken by the organization in a year. The projects ‘not done’ are opportunities foregone to be ‘safe’.
In a competitive bidding market, adding 10% to your estimate to be 90% sure there will be no cost overruns is likely to have a more dramatic effect and price the organization out of the market resulting in no work. In either situation a careful balance has to be struck between accepted risk and work accomplished, this is a governance decision that needs input from the executive and a decision by the Board.
The governance challenge is getting the balance ‘right’:
- The higher the safety margin the more likely most projects will underrun and the greater the probability some of the contingent reserves will not be used and therefore opportunities to use the funds elsewhere are foregone.
-
However, reducing the reserves increases the probability that more projects will overrun (ie, ‘fail’) and this increases the probability that in aggregate the whole project budget will be exceeded.
The challenge for the rest of management is making sure the data being used is as reliable as possible.
The second key feature of mature organizations is the existence of efficient scanning systems to see problems emerging backed up with effective support systems to proactively help the project team achieve the best outcome. The key words here are ‘proactive’ and ‘help’. The future is not set in concrete and timely interventions to help overcome emerging problems can pay dividends. This requires a culture of openness and supportiveness within the organization so that the root cause of the emerging issue can be quickly defined and appropriate support provided, promptly and effectively. This approach is the antithesis of the approach adopted by immature organizations where the ‘blame game’ is played out and the project team ‘blamed’ for every project failure.
In summary, the organization’s directors and executive managers need to determine the appropriate risk tolerance levels for their organization and then set up systems that have the capability of keeping most projects within these accepted boundaries. Understanding and managing risk is a key element of PDC. But having done all of this, mature risk organizations know there are still ‘Black Swans’ lurking in the environment and remain vigilant and responsive to unexpected and unforeseen events.
Dr. Lynda Bourne DPM, PMP.
Lynda is the Managing Director of Stakeholder Management Pty Ltd. This business is focused on improving the capability of organizations to effectively manage their stakeholder relationships to the benefit of both the stakeholders and the organization’s projects. She is also the Director of Training with Mosaic Project Services Pty Ltd, where she is responsible for the development and delivery of OPM3, PMP, CAPM, Stakeholder Management and other project management training.
Lynda is a recognised international author, seminar leader and speaker. She is a SeminarsWorld® presenter and an accredited OPM3 ProductSuite Assessor and Consultant who has led a number of commercial OPM3 ProductSuite assessments.
She graduated from RMIT University Melbourne as the first professional Doctor of Project Management in 2005. Her research on defining and managing stakeholder relationships has lead to the development of the Stakeholder Circle® tool set and the SRMM® maturity model. Lynda blogs regularly on the Mosaic Projects blog.