Formal Enterprise Risk Management

What It Takes and How it Pays

“If you do not actively attack the risks, they will actively attack you.” [1]

“The mastery of risk is the foundation of modern life, from insurance to the stock market to engineering, science, and medicine. We cannot see the future, but by calculating probabilities, we can do the next best thing: make intelligent decisions.” [2]

Organizations need to plan a successful future in a high-risk world today. No opportunity of worth can be seized without its accompanying risks. These opportunities, however, are often aggressively reached for without care or attention paid to the risks. The company that does not practice proactive risk management is a company that practices reactive crisis management. People say they are too busy solving problems to think about the future, so risks are not addressed until they become problems. Management does not support communication about risk, and realism is viewed as pessimism. Teams cross their fingers and hope they will catch a break. Projects go over budget, finish late, or are cancelled. If post-project reviews are conducted, the causes of failure often include risks that could have been identified and managed, but the cycle is not broken and history repeats itself.

A road to a better way is articulated by the SEI (Software Engineering Institute), creator of the CMM and CMMI maturity models for software development organizations; it depicts five stages on the road to risk management maturity. [3]

The first step on the path to risk management maturity involves a management shift from crisis management to risk management. This is stage 2, with crisis management being stage 1. Project managers recognize that their knowledge of risk management is limited, and they seek expert advice. They begin to do risk identification and a superficial analysis. There is little follow-through for risk control, but they begin to see the benefits in talking about risks early in the project. Contingency plans are often used when original plans fail instead of implementing actions to prevent failures. The process remains reactive. This transition from crisis management to risk management is difficult because there is a cost involved in people learning a new way and there is a barrier to overcome in that people have previously not been rewarded for talking about risk.

A paradigm shift is now needed to move from the reactive to the proactive approach. This next step to risk management maturity requires the systematic application of a risk management process. We can call this stage 3. A policy exists and mandates the use of risk management processes. Each project has a documented risk management plan. Risk identification and assessment occur all during the project, not just at the beginning.

[1] Gilb, T. Principles of Software Engineering Management. Boston: Addison-Wesley, 1988.

[2] Bernstein, P. Against the Gods: The Remarkable Story of Risk. New York: Wiley, 1996.

[3] Hall, E. Managing Risk: Methods for Software Systems Development. Boston: Addison-Wesley, 1998.