Where do risks (threats and opportunities) arise from

Presenter: Lynn Stalker CMIRM

Date: 10th October 2016

Does this sound familiar?• It’s late …• It wasn't supposed to do that ..• It doesn’t work …• It’s going to cost me how much more …• Have you listened to a word I’ve said ..• Oh, I see you’ve done it in that way, well ...

Late Delivery of Project / Over Budget?

This presentation is aiming to consider sources of risk (though this is not exhaustive) and where to use them.

2

Introduction• In all types of undertaking, there is a potential for events

that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty

• For all types of organisations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward– All projects have risks, whether that be a threat or an

opportunity, and these can come from a multitude of different external and internal sources.  

3

Introduction Cont….• The purpose of using a variety of sources is to ensure that

the extent of unknown unknowns is as small as possible

• The first stage in identifying risks is to understand where the sources of risk can arise from. –  Asking the following questions:

• Who are the parties involved?• What do the parties involved want to achieve?• How is it to be done?• What resources are required?• When does it have to be done?• Etc….

4

5

Risk Management Process Framework

What are the risks?How significant are they?What can we do? What will we do?

Define risk treatment strategy

Assessment/Quantification

Identification

Monitor and review

Define boundaries and objectives for evaluation

INITIATE PROJECTProject Definition Risk Management Focus

How are we doing?What happened?

Step 1 in the 5 step process, identification is the first and most significant phase of

the risk management process.

Why?

IDENTIFYWhat are the risks

Sources of risk

ASSESSLikelihood / impact

Ranking / Prioritisation

PLAN RESPONSESIdentify an devaluate

optionsPlan mitigation strategiesIMPLEMENT RESPONSESAssigned responsibilities

Monitor and review

MANAGE PROCESS

Hierarchy of Risk Registers• Operations

Routine activities of any organisation, processes, maintenance, asset care. Efficiency of operations, including disruption associated with people, processes and products

• TacticsTypically associated with projects (mitigators to programme / strategic risks), mergers, acquisitions and product developments. Effectiveness of processes, as well as significant risks to improvement including management of projects

• StrategiesSets out the long-term aims, missions and objectives of the organisationExample – Implementation of a new IT system

6

External Drivers / Sources• Financial Risks

– Accounting standards– Interest rates– Foreign exchange– Funds and credit

• Marketplace Risks– Economic environment– Technological developments– Competition– Customer demand– Regulatory requirements

• Infrastructure Risks– Communications– Transport links– Supply chain– Terrorism– Natural disasters– Pandemic– Cyber attacks

• Reputational Risks– Product recall– Public perception– Regulator enforcement– Competitor behaviour

7

Internal Drivers / Sources• Financial Risks

– Internal control– Fraud– Historical liabilities– Investments– Capital expenditure decisions

(capex)– Liquidity and cash flow

• Marketplace Risks• Research & development activities• Intellectual property• Contracts / commercial

• Infrastructure Risks– Recruitment– People skills– Health and safety– Premises– It systems– Sabotage

• Reputational Risks– Brand extensions– Board composition– Control environment– Brand quality– Contamination / activity release

8

9

Project Scope and Programme / Project Objectives

• Scope of work needs to be understood before risk identification occurs – Every project has goals that need to be clearly defined and

understood as to what is to be accomplished, to prevent a lack of understanding, misinterpretation and getting off track

– The project needs to be fit for purpose and not a business wish list (too many nice to have features)

Programme / Project Assumptions• Circumstances or events that need to occur for the programme /

project to be successful, but are outside the total control of the programme / project team– If you have any reason to believe the assumption may be broken or

unstable, then you should include as a risk.– If you have no reason to believe it will impact the scope, then no risk is

required– It is necessary to understand and test assumptions for the project by

asking these questions:1. Stability – Is the assumption accurate?2. Sensitivity – What impact does the assumption have?

Assumption Example: “No contamination or unforeseen ground conditions found during site investigation”

Risk Example: Whilst undertaking excavations historically important remains are unearthedOr: Whilst undertaking excavations ground contamination is detected

10

1111

Stakeholders

Etc….Regulators

Represent a major risk factor because they often display unexpected resistance

Risk Example: Uncertainty in the ongoing support from external stakeholders to proposed technical, engineering, business andpermissioning approaches impacts on master production schedule timescales

12

Regulators

Etc….

Compliance with all applicable rules and regulations, especially in highly regulated sectors, for example Nuclear, Banking

Risk Example:The organisation breaches its authorised discharge limitsThe Branch breaches its financial sanctioning authorisations

Emergent Risks

• Emergent risks are those that have not yet occurred but are at an early stage of becoming known and/or coming into being and expected to grow greatly in significance.

• They do not have the ‘track record’ of other better known, non-emergent, risks and usually arise in the longer term.– Low probability with catastrophic consequences– Emergent risks cannot often be easily identified or anticipated– These risks are more likely to have the major effect

13

Resources• Sharing of learning from experience or other

projects• Subject Matter Experts

– Where the opportunity arises, individuals not immediately involved in the project can be brought in to risk workshops

• project managers, • engineers or • operations resources. • Supply chain

– These individuals will be independent from the project, but will be experienced and qualified.

14

Processes

• Flowsheets• Drawings / diagrams• Fault trees• Process flow diagrams• Plant or process walk downs• Safety Workarounds

15

Risk Identification Techniques

• Questionnaires& checklists• Workshops & brainstorming• Inspections & audits• Flowcharts & dependency analysis• HAZOP and FMEA approaches• SWOT & PESTLE analysis• VMOST

16

Ground Rules for Using Sources

17

Key Points / Summary• Risk Management is a continuous process and as such should be

owned and managed by the programme / project on a routine basis• It is not a one size fits all process• It is not possible to know if all possible sources of risk are ever

identified, there will always be some unknown unknowns• Identifying risks will provide benefits to any organisation / programme

/ project by way of improvements in:– Successful delivery of change and increased operational efficiency– Reduced cost of capital– Assurance to stakeholders regarding management of risk and improved

decision making– Competitive advantage– Enhanced political and community support

18

Group Think

What information would I utilise at a risk identification meeting / workshop?

19

20

Any Questions ?

This presentation was delivered at an APM event

To find out more about upcoming events please visit

our website www.apm.org.uk/events