
Political ReviewNet
First for Politics and International Relations Book Reviews

Review of:

Effective Risk Management: Some Keys to Success by Edmund H. Conrow
American Institute of Aeronautics and Astronautics, Inc., Reston, 2000
Pages: 338.

Reviewed By: Boris Porfiriev
Reviewed in: Journal of Contingencies and Crisis Management
Date accepted online: 19/05/2004
Published in print: Volume 11, Issue 4, Pages 184-189

Book Reviews

In recent decades risk management has undergone a major change both conceptually and practically. From a set of tools for probability assessment and reduction of adverse outcomes (losses) used primarily in financial operations, including insurance, it has evolved into a multi-disciplinary approach to decision-making and implementation under conditions of uncertainty. Such comprehensiveness precipitated its application in a wide gamut of analytical explorations and all-level policies and business strategies including crisis management. A natural result of this has been an increasing pile of publications on theory and practice of risk management ranging from primers to monographs.

This book is neither of these but rather a specific kind of advanced manual, which combines some theoretical fundamentals of the risk management process as a whole with detailed considerations of its particular stages. This assumes a working knowledge of the subject and as such makes the volume not just an introductory text on risk management. However, for those with a limited expertise or needing to brush up in the area, an overview of risk management (chapter 2) is provided.

The volume focuses on project risk management and as such does not discuss the handling of the issues relevant to the finance, banking, insurance and other industries, or to hazards, public and occupational health, which relate to financial risk management and disaster and safety risk management, respectively. Such a choice is more than justifiable when one considers the strategic and economic value of the large development and production programs, particularly those of the federal government, on the one hand, and on the other hand the multiplicity and complexity of intra- and inter-organisational risks to their implementation.

These provide for a high probability and an enormous price of error or mismanagement in such a project, often causing a severe negative cost, performance and/or schedule (CPS) impact. The data covering large projects in the high-tech area in the USA from the 1950s to the 1990s show that most were running significantly over original budget and schedule thresholds. For instance, 84% of the soft-intensive projects were over budget, behind schedule or had fewer features and functions than originally specified. Those completed had an average of only 61% of originally determined performance characteristics (p. 6).

Conrow considers the art and practice of proactively handling this inability to achieve overall program objectives within defined CPS constraints to be the core of risk management. This is fundamentally different from crisis management, which is a reactive and resource-intensive process, and comes to the fore when risk reduction measures fail or are ineffective. As shown in chapter 3, effective risk management requires that activities to handle and reduce CPS risks are integrated with each other and with other key top-level project processes (project management and systems engineering), as well as low-level processes (e.g. cost analysis, design and schedule analysis, to name but a few). This calls for a fundamental shift both in project management and in the understanding of risk: from an avoidable obstacle to something that is inherent in any project and needs to be analysed and treated on a day-to-day basis as part of the working-level personnel job function. This does not suggest that everyone should become a risk manager but that risk management should be a matter for all involved in the project.

Within this interpretation, the book's orientation is mostly on practitioners. One should therefore not be surprised that the detailed contemplation of risk analysis and sophisticated tools like failure modes, fault and event trees, etc. are missing (with decision analysis only slightly covered in chapter 6). Instead, a more generic and balanced approach that marries technical and soft science data is represented in a way that helps even non-practitioners to diagnose the project's risks prior to bringing a professional risk manager in. This corresponds with the two-fold purpose of the book: first, to provide key lessons that the author documented from performing risk management on a wide variety of projects for over 20 years, and, second, to assist the reader in developing and implementing an effective risk management process on a selected project (p. vii).

The analysis of the risk management experiences and recommendations for effective project risk management that make up the bulk of the volume include more than 200 tips to succeed and traps to avoid. These are organised into five sections (chapters 4-8) that correspond to and provide detailed considerations of the basic structural elements or phases of the risk management process. These include: risk planning; risk assessment, which incorporates risk identification and risk analysis; risk handling; and risk monitoring, integrated by direct and feedback linkages, which provide for the continuity and holisticity of the risk management process. Each of the risk management elements or phases involves a set of functions described in depth in the above-mentioned sections of the book.

Conrow argues that the overall effectiveness of a risk management process is primarily determined by technical sophistication and implementation efficiency. It is typically far easier to increase the technical sophistication to an adequate level than to proportionally strengthen the implementation efficiency. This at least partially explains why most of the risk management effectiveness failures are associated with the decision execution process. This occurrence is irrelevant to the sensitivity of the project: high security provides no guarantee or even indication that the project's risk management process is effective and that the project itself will be successful.

Two risk management implementation considerations provided in chapter 3 are of particular interest. To be efficient, training should be obtained from people with state-of-the-art knowledge and practical experience in making risk management work, and should be given to most of the project team, from senior management through working-level engineers. In organisational terms, effective risk management implementation implies permanent and extensive top-down management support and participation, particularly that of the project manager. Crucially significant are his (her) encouragement of the free data flow between workers and management; an honest, unbiased attitude towards risk management; and personal involvement in leading, or at least guiding. To provide continuity, the tour of duty of project managers and other key decision makers should be extended to the moment the effectiveness of the process is accurately known. It is also recommended that the organisation's upper management monitor and sometimes independently evaluate the effectiveness of the risk management process to identify and work with the program manager to correct deficiencies before they turn into a project's major problems and crisis.

Many organisations do not have a history of effective risk management. In these organisations the ability to develop such a process is often more related to behavioural issues associated with corporate culture change and resistance to a paradigm shift than to training, planning and other like considerations. Such a shift assumes the removal of disincentives that limit the adverse risk information reported to upper management. Suitable incentives include rewards for identifying potential risk issues and upper management providing viable and visible support through leadership by example, bonus payments and so forth.

It is important that key personnel involved in risk management implementation are aware of the tendency to rely upon a limited number of heuristics that reduce complex tasks of assessing probabilities and estimating values to simpler judgmental operations. To the well-known heuristics such as adjustment and anchoring, availability and representativeness (see Tversky and Kahneman, 1974; Kahneman, Slovic, and Tversky, 1982), Conrow adds three: tendencies to fit ambiguous evidence into predispositions, to systematically omit components of risk, and to be overconfident in the reliability of analysis. Such heuristics provide for biased risk assessment. However, they may well also adversely influence risk identification and risk handling and thus result in the deterioration of the project's CPS and, eventually, in a crisis. To avoid this outcome, key risk management actors should not only be aware of such a hazard but also develop safeguards to prevent it.

No less crucial for evading biased risk decisions should be upper management efforts against subtle or overt administrative pressure on working-level personnel. Although such pressure may appear in the management's best interest to control project CPS in the short run, in the longer perspective it can transform into a crisis with a disastrous effect on these key characteristics and the project as a whole. Instead, creative thinking by a variety of personnel, if not all project personnel, should be encouraged to develop innovative risk handling approaches.

A comprehensive guide to the field, the book is not a cookbook for risk management and still less a cure for all project deficiencies. Almost every consideration and recommendation in it must be tailored to a specific project or program. In addition, the knowledge base documented by Conrow has to be coupled with the desire to learn and with practical experience to yield the wisdom of how to implement risk management in the project, recognise problems and take decisive actions to resolve them. The volume is highly recommended to all those interested in the area of risk management and/or responsible for successful project implementation and evading crisis.