The benefits of the monitoring and control step are that it allows for visibility into risk status and the effects of risk resolutions activities, allows for the collection of metrics, aids risk-aware decision making, and prompts corrective actions as needed.
Without this systematic process in place with all the benefits it brings, the organization is left with crisis management and frustrated employees.
Next to consider is the organization’s infrastructure or culture. A mature risk-aware culture is one in which people want to do risk management, or at least know that they must. This culture is a reflection of senior management values and is written down in a policy statement. To support a mature risk management culture, people receive training in risk management, are given tools to use, and risk management activities are verified to ensure conformance to the systematic process.
Finally, it’s important to remember that risk management is done by people. Considering the human element of risk management means that people at all levels of the organization need to be given training, support, and experiences. The motivations to change must be stronger than the barriers to mature risk management. People need to feel safe to try something different and feel supported by management when they communicate about risk. They need to believe through training and then through experiences that mature risk management helps prevent problems and contributes to a more realistic plan. Engagement at all levels of the organization is part of what brings about the benefits of risk management maturity.
Thus far this paper has been addressing risk management within projects. The principles and concepts, however, are portable across project management, operations management, and financial management and also across industries. Because this is so, an organization’s risk management maturity can be informed by case studies in any of these management realms and in any industries. The process defined by the PMI for project risk management is the same for financial and operations risk management. Likewise, successes in operations and finance risk management can teach those seeking to perform better project risk management. Companies in financial services, manufacturing, even oil production can teach risk management lessons to software companies and vice versa.
This paper now moves to a brief discussion of how five companies have made enterprise risk management pay off. Chase Manhattan, DuPont, Microsoft, United Grain Growers, and Unocal have traveled down the road of risk management maturity and have lessons from which others can learn as they too travel that road. The case studies are found in Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management. [1] Each of the companies studied has to varying degrees arrived at the place on the road to risk management maturity characterized by risk management as a means to seize opportunities. They got there by making the paradigm shifts described above.
[1] Barton, T., Shenkir, W., Walker, P. Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management .New Jersey: Financial Times/ Prentice Hall PTR, 2002.