The Magic of Risk Management Studio

The Magic of Risk Management Studio is found in how categories, threats and controls are connected. In short, each category has a number of threats threatening it, and each threat has a number of controls that mitigate that threat. Lets look at each part in more detail.
The Role of Assets in Risk Assessment
We use Categories to group Assets together. You may also view Category(s) as a sort of prototype for Assets. During Risk Assessment, you must define the relevant Assets for your scope. So, each Asset should be placed in at least one Category. Risk Management Studio provides a predefined set of Categories which have been defined with Information Security in focus.
Threats are anything that can potentially damage your assets(physical or informational). Each Threat has a list of Categories which they threaten. When you create an Asset and place it in a specific Category, it inherits all the Threats which threaten that Category. So, when you take your newly defined Asset and use it in an Assessment, all relevant Threats connected to the asset,will be loaded into the Assessment, ready to be evaluated. Once Threats have been loaded into an Assessment, they are referred to as Risks.
Handling and Treating Risk
Let us take an example. Let us define a Category named Documents and list several possible threats, for example Theft and Fire. We Assign those Threats to the Category. Then we define our concrete Asset called Financial Records, placing it in the category Documents. Now we add a new Asset to our Assessment. Under that asset, 2 Risks corresponding to the the Threats that threaten the Category Documents, namely Theft and Fire, will be automatically added.
This example is simplified, but you can take a look at the data provided with Risk Management Studio, where our in-house experts have defined Categories and Threats based on their expertise with ISO 27001.
In addition to the connection between Threats and Categories, there is a connection between Threats and Controls from ISO 27001. Each Threat has a list of Controls which mitigate that threat. This connection is important when we take a Risk Assessment and choose to continue work in relation to a specific standard. The resulting object is then called a Risk Treatment.
When a Risk Treatment is created from a Risk Assessment and a Standard, all controls from the Standard are placed in the Risk Treatment. In addition to that, each Risk is connected to each Control from the list of mitigating Controls defined in the corresponding Threat. This means that if your Assessment only has a small number of Risks, and each Risk is only mitigated by several Controls, your Risk Treatment will only contain direct relations between those Risks and Controls. However, since the standard tells you a conscious stance must be taken towards all Controls, they are all included in the Risk Treatment.

Recession-Proof Risk Management Strategies: A Primer for Business

Recession-Proof Risk Management Strategies: A Primer for Business

and Industry

 

As the global economy slowly slides into recession, organizations face new challenges and opportunities. In today’s interconnected world, it’s impractical for companies to suspend their innovation initiatives until the worst of the storm blows over. To do so is to risk being well behind the curve when the economy does recover, and losing precious ground to competitors who found creative ways to keep their innovation initiatives moving during the darkest days of the downturn.

 

As part of this study, Chuck Frey of Innovation Tools and Renee Hopkins Callahan of Innosight recently contacted a diverse collection of innovation experts and practitioners to learn more about the strategies they recommend for maintaining innovation during these challenging times. Respondents include some of the best and brightest innovation authors, bloggers, consultants, and practitioners. In addition, this report includes links to more than 60 examples of recent coverage of this topic in online media and the blogosphere.

 

This collection of resources represents a practical roadmap that your firm can use to help identify opportunities for adapting your innovation initiatives to the current economic downturn. Use this roadmap to help to position your firm to take full advantage of the upturn when it inevitably comes.

Assume that you took your family on vacation somewhere distant and failed to study the type of weather you would encounter. You might pack for sun, and it turns out to be cold. You might pack for outdoor activities and have to spend the entire vacation inside. This is what your risk management program is about: matching your plans with the existing environment.

 

A global firm-wide risk management program consists of three prongs or strategies:

Identification of the specific risks. In this strategy, you identify and assess risks, measure them, and then use this information to prioritize and strategize each identified risk. Arrive at specific ways of dealing with the risk (specifically, controlling, mitigating,

or avoiding).

Monitor the risk. This is the most neglected strategy of the three because we have to slice

and dice each identified risk in three different ways. We look at the potential risk at the macro level to determine its affect on the culture, at the individual level to see how employees view and handle the risk at the process level, and, finally, at the activity level where the actual decision takes place.

The following chart illustrates this three-pronged approach.

 

 

Three specific global risks reside:

1. Strategic risk

2. Operational risk

3. Innovation risk

 

101/2 Rules for Successful Business Risk Taking

Focus on trouble, and you will get trouble. Focus on success, and you will get success. Trust that your people know what a risk is. Recognize that your people may not know how to recover from the negative effects of a risk. Know that no risk is worth undertaking when proper planning or analyzing cannot be completed beforehand. Know that no risk is worth undertaking when a “lessons learned” cannot be completed afterward. Recognize that every plan of action and strategy must have a feedback instrument built into it. Understand the costs of your risk tolerance and your risk avoidance. Know that no one is exempt from making errors in judgment. Tell the truth about the risk and its implications. Accept the truth about the risk and its implications. Be willing to live with the negative results of each risk undertaken.

10.1/2.Want more rewards? Take more risks! Want more success? Reward risk taking!

 

 

 

 

General introduction to Risk management

Every day we take risks. If we cross the street we risk being run over. If we go down the stairs, we risk missing a step and tumbling down. Taking risks is such a common occurrence, that we tend to ignore it. Indeed, life would be unbearable if we constantly worried whether we should or should not carry out a certain task or take an action, because the risk is, or is not, acceptable.

With projects, however, this luxury of ignoring the risks cannot be permitted. By their very nature, because projects are inherently unique and often incorporate new techniques and procedures, they are risk prone and risk has to be considered right from the start. It then has to be subjected to a disciplined regular review and investigative procedure known as risk management.

Before applying risk management procedures, many organizations produce a Risk Management Plan. This is a document produced at the start of the project which sets out the strategic requirements for risk assessment and the whole risk management procedure. In certain situations the risk management plan should be produced at the estimating or contract tender stage to ensure that adequate provisions are made in the cost build-up of the tender document.

The Project Management Plan (PMP) should include a resume of the Risk Management Plan, which will first of all define the scope and areas to which risk management applies, particularly the risk types to be investigated. It will also specify which techniques will be used for risk identification and assessment, whether SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis is required and which risks (if any) require a more rigorous quantitative analysis such as Monte Carlo methods.

The Risk Management Plan will set out the type, content and frequency of reports, the roles of risk owners and the definition of the impact and probability criteria in qualitative and/or quantitative terms covering cost, time and quality/performance.

The main contents of a Risk Management Plan are as follows:

General introduction explaining the need for the risk management process; Project description. Only required if it is a stand-alone document and not part of the PMP; Types of risks. Political, technical, financial, environmental, security, safety, programme etc.; Risk processes. Qualitative and/or quantitative methods, max. nos of risks to be listed; Tools and techniques. Risk identification methods, size of P-I matrix, computer analysis etc.; Risk reports. Updating periods of Risk Register, exception reports, change reports etc.; Attachments. Important project requirements, dangers, exceptional problems etc.

The Risk Management Plan of an organization should follow a standard pattern in order to increase its familiarity (rather like standard conditions of contract) but each project will require a bespoke version to cover its specific requirements and anticipated risks.

Risk management consists of stages, which, if followed religiously, will enable one to obtain a better understanding of those project risks which could jeopardize the cost, time, quality and safety criteria of the project. The first three stages are often referred to as qualitative analysis and are by far the most important stages of the process.

Stage 1 Risk awareness: This is the stage at which the project team begins to appreciate that there are risks to be considered. The risks may be pointed out by an outsider, or the team may be able to draw on their own collective experience. The important point is that once this attitude of mind has been achieved, i.e. that the project, or certain facets of it, are at risk, it leads very quickly to . . .

Stage 2 Risk identification: This is essentially a team effort at which the scope of the project, as set out in the specification, contract and WBS is examined and each aspect investigated for a possible risk.

Stage 3 Risk assessment: This is the qualitative stage at which the two main attributes of a risk, probability and impact, are examined.

Stage 4 Risk evaluation

Stage 5 Risk management: Having listed and evaluated the risks and established a table of priorities, the next stage is to decide how to manage the risks.

Website Business Risk Management

Is placing all the eggs in one basket, in the form of 1-stop shop website design, maintenance & hosting the best option? In my opinion, it most definitely is not! Keeping all website elements separate is sound business risk management practice!

When you are setting out to establish a new venture on the web, its a daunting task. The terminology is complex and confusing. There are multiple aspects to consider – domain registration, website hosting, web site design, maintenance, search engine optimisation etc. There is a temptation to take the easy option of a one-stop shop, where someone else takes care of all the complicated items that you don’t understand. That way, you get one all-inclusive bill per month. There is an old adage – Jack of all Trades, Master of None! A bigger web design company that does everything rarely does individual things as well as a carefully selected group of specialists in their own fields of expertise.

The relationship between you and your website design company will evolve over time. As you become more knowledgeable (and more demanding) the relationship might even deteriorate! It happens… If you are in a 1-Stop Shop environment, you may be unwittingly placing your web business in potential jeopardy.

Domain Registration

Do it yourself, and you ensure that you actually own the site. If you let your web designer do it for you, and he/she puts his/her name as the registrant, its not your site! Most website designers are aware of this, and take care to protect your interests. Some do not! For a company site, make sure the domain is registered in the company name, not an individuals name. If the office girl registers the site in her name, then leaves without a forwarding address, you’ve got a potential disaster in the making!

Website Hosting

Some web designers offer hosting as part of the package. Its usually a re-seller arrangement, where the designer gets a commission on the monthly hosting fees – as opposed to a server owned and operated by the website designer. Realistically, you are better to shop around and find a hosting package that delivers the functionality you require in terms of site management and software. For example, a classic Apache server with cpanel management, and PHP and MySQL databases will meet most needs. Performance can be an issue – and its not in your best interests to be hosted on a server with 600 other sites.

If you’ve chosen a .com domain, make sure you have hosting in the country that your clients are located in… otherwise, you’ll be excluded from country-specific searches!

Web Designers

Its best to develop a design brief – specify your goals and objectives, and give some examples of sites that appeal to you. Circulate the brief to a few designers you’ve selected after reviewing multiple web design sites. Build a chart that compares what each designer offers, at what costs. Engage in dialogue with a short list of 2-3 designers and resolve any issues you did not understand in their responses to your brief.

Finally, pick someone who can talk to you on your level without being condescending. Be firm about separating components such as domain registration, hosting, and design. If the designer is insistent on combining all elements, move them to the bottom of the pile. If they have a particular CMS that they want you to use, ask them if its an open-source system. If not, ask them what happens in the future, if you become unsatisfied with them or the product. All promises should be made in writing, and signed by the CEO… in the form of a legal and binding contract.

Make sure your potential designer is listening to you, and is trying to deliver what you require, rather than what is best for them.

Website Architecture

In terms of good search engine rankings, the simpler you can make the site, the better. HTML-based sites which allow total control over all page elements will always deliver the best results. If your potential designer is insistent on building the site in Frames, JavaScript, or Flash, or combination thereof, remove them from your list immediately. The rule is “form follows function.” It won’t matter a bit how wonderful your site looks, if no one can find it. Modest use of JavaScript or Flash is fine but the search engines can neither read or index anything in either, so it is best to ensure at the outset that your site is not doomed to obscurity!

Website Management

Free-form editing of individual HTML pages is the best option from a search engine optimisation perspective. Its not much more complicated than using a word processor, and uploading the page amendments to the live site is not particularly difficult. However, if you are going to use a Content Management System for maintenance instead, its in your best interests to opt for an Open-Source CMS! With “open source” the software is free, no license fees apply, and anyone can work on it. You own the site content, and can more readily export it to another CMS platform if you don’t like the current one. With an open -source platform, you are not limited to a single designer or developer. If things don’t go the way you want, changing designers or developers is relatively simple.

Content Management Systems – CMS

Proprietary Content Management Systems (CMS) present a real threat if you become dissatisfied with the developer’s service / performance. “They” own the site, not you, and you are effectively locked in to the package, which usually includes web design, development and hosting. If you want to change suppliers, you may have to abandon your entire development investment and start again from scratch!

Such an environment usually involves shared hosting on the CMS supplier’s server. This places your site in the midst of multiple other sites all running exactly the same software platform, and often all of the same site type – e.g. e-commerce. This is undesirable from a search engine optimisation point of view.

In my opinion, a CMS system is complete overkill for a site of less than 100 pages – which is most small business sites. This comment applies equally to any totally database-driven solution. Overall, content changes very little – for many pages, it might be an annual revision. Using an HTML editor to make minor page changes requires minimal technical ability, and publishing amended pages via FTP is a trivial exercise. Exceptions to this are e-commerce, dating, portal or similar special purpose site, where you require a pre-designed application such as a shopping cart solution. Even then, combining HTML informational pages with the open-source application is still the best option.

Website Backups

This can be a simple as a monthly download to your PC of the site plus databases. Do not totally rely on your hosting company for site backups! Do not totally rely on your website designer for backups! In the event of a total systems failure, or unresolved dispute, you may be left relying on what data you have at your disposal. As a minimum, you want multiple copies of the site, stored at multiple locations. The live site on your hosting companies server, plus a local copy on your PC, plus a backup copy on your external hard drive, plus a monthly copy on CD or DVD and stored at your Mum’s place should do it!

Business Resilience

Rule No.1: Do not put all your eggs in one basket! Basically, you need to ensure that you minimise your dependence on any one service supplier. If your web designer goes belly-up, what becomes of your proprietary CMS system? If the hosting company goes out of business, you need to be able to quickly change hosts and servers.

- use the national domain registrar – more expensive, but they might still be in business next year!

- use open-source software, if you must use a Content Management System!

- use an independent web designer – if your relationship deteriorates, you can easily switch to another!

- use a independent hosting supplier – if it does not work out, you can change hosting companies!

- use an independent SEO supplier – if it does not work out, pick another!

- use a regular site backup regime – multiple copies in multiple locations!

Doing so substantially insulates you from other’s failings, and ensures you can quickly respond to a change of circumstances. Even in cyberspace, an ounce of prevention is still better than a pound of cure!

The Top Risk Management Tips: Prevent Injury at Work

Accidents at work can cause misery and suffering to those unfortunate enough to be involved.

Here are some facts and figures about injuries in the workplace:

1. 20% of injuries where the employee is absent for over 3 days

2. 33% of all reported major injuries

3. 2 fatalities per year

4. 50% of all reported accidents to members of the public

5. A cost of 368 million British Pounds per year to employers in lost production and other costs

The highest rate of injuries occurs in the food and drink, repair of consumer goods and vehicle sectors. However with almost all workplaces being affected by this type of injury and with most slips occurring due to poor housekeeping, solutions to the problem are often simple and cost effective.

These Top Tips have been produced on how you can reduce your exposure to risk and with it your insurance premiums.

1. Planning

By having an effective management system in place the key areas of risk can be identified and goals can be set to make improvements. This should include selecting equipment and work practices that contain slip and trip hazards and if possible prevent them occurring.

2. Organisation

Get workers involved in and committed to reducing risks. This should involve giving people responsibilities to ensure that areas of the workplace are kept safe and then making sure everyone is aware who is responsible for each area.

3. Control

Keep a record of cleaning and maintenance work and encourage good health and safety.

4. Monitor and Review

Keep an accident log and re examine it on a regular basis to learn from incidents that have occurred.

5. Examine slip and trip risks

The Health and Safety Executive recommend a 5 step approach to risk management when dealing with slip and trip risks and these are:

Step 1: Look for slip and trip hazards around the workplace (e.g., uneven floors, trailing cables, areas that are sometimes slippery due to spillages)

Step 2: Decide who might be harmed and how. Are the people who come into your workplace at risk?

Step 3: Consider the risks: do you already have precautions to deal with the risks?

Step 4: Record your findings if you have 5 or more employees

Step 5: Regularly review the assessment. If any changes take place make sure that precautions are in place to deal with the risks

When it comes to preventing slips, trips and falls happening getting conditions right from the start will make dealing with risks easier. This can include choosing the right flooring, making sure lighting levels are sufficient, avoiding overcrowding and making sure access routes are clear. By doing this the chances of an accident occurring will be greatly reduced and therefore so will your exposure to risk. And with certain insurance companies now offering substantial discounts for good health and safety many businesses could also save money on their Business Insurance premiums.

How to Use Contractors as Insurance for Staffing Risk Management

Have you ever sat next to a contractor who you knew was making a better hourly rate than you for doing the same job? They have no long term commitment to the company, often less experience than you, and still you know they are being paid a premium for being there. It makes you wonder what the financial genius who hired them was thinking when they approved that plan doesn’t it?

Have you ever been through a layoff process where you watched a few, dozens or even 100s of employees suddenly let go? Perhaps you’ve even been one of the people let go. It can leave you wondering how a company could be so cruel or plan so poorly as to let this happen.

Well as different as they are, these two situations are not at all unrelated. In fact the former is part of the solution to the latter.

A typical company organization chart starts at the top with the president or CEO, and then spreads out like a pyramid below that. Similarly, the overall cost of salaries is bigger at the bottom of the pyramid then it is at the top. (Yes your manager probably makes more than you but in the big picture your team, or level in the organizational pyramid, collects more total payroll than the layer above you. If you are on a five person team I can almost guarantee that the 5 of you together make more than your manager.) So the layer at the bottom of the pyramid cost the company more than the layer at the top.

As you move from top to bottom in the organizational pyramid you notice something else as well. The people at the top of the pyramid spend their time planning strategy and direction, while the people closer to the bottom of the pyramid spend their time actually doing things for the customers.

So what does this have to do with layoffs and contractors?

One of the harsh realities of business is that no matter how much you plan you don’t really know how much work you are going to have until it actually gets ordered. A company can do all the planning in the world but still not foresee all the market changes and actions of your competitors. All business includes risk.

All smart businesses have risk management plans. If and when business slows down eventually your costs exceed the amount of money coming in and action needs to be taken. That action, unfortunately, generally means that not everyone can continue to be paid. This possibility should be considered and planned for.

So let’s look at the facts. If business slows down unexpectedly the company will not bring in enough money to continue to pay everyone. The people who won’t have enough to do will be the people who actually do stuff for the customers. The biggest cost to the company is also the people who actually do stuff for the customers. These people are located in the bottom half of our organizational pyramid.

When we look at it this way there are some obvious realities. The company will need to cut the cost of labor and react to the new situation or the entire company will be out of a job soon. The biggest opportunity for saving cash is in reducing the number of people near the bottom of the pyramid. The people at the bottom of the pyramid are also the people who suddenly won’t have much to do. The people at the top of the pyramid will be busier than ever trying to figure out how to correct the situation and turn the business around.

So what do you do? You get rid of some of the people at the bottom of the pyramid. There is not much choice about this.

Now here’s what contractors and layoffs have in common. Smart businesses with risk management plans may not know when business will slow down, but they can plan ahead for how they will react if and when that happens. If a business knows there is a real risk that orders could slow down by as much as 30% under certain conditions, then that business has two choices. Hire everyone they need and be prepared to lay people off if trouble hits, or hire 70% of the front line staff they need and fill the other 30% with contractors who are basically willing to trade job security and benefits plans for higher wages.

If the business has planned well then when orders take a downturn there is a plan designed to help its people. Short term adjustments need to be made but instead of laying off staff that are depending on a weekly paycheck, the company simply does not renew all of their current contracts. The full time staff keep their jobs, and the contractors have no hard feelings because they always knew they did not have job security. Contractors accepted this risk because they were getting paid enough to save up for this rainy day.

This risk management plan is good for everyone. The people doing the work have been taken care of. The managers that would have had to lay people off have been taken care of (believe me, no one likes to be the one to deliver that bad news to people they work with every day). The company reputation has been taken care of, since no business wants a reputation for repeatedly laying off staff.

So the next time you find yourself sitting next to a higher paid contract worker, don’t see it as an insult to your position and abilities. Recognize it for the insurance policy that it is to keep your job secure.

Hedging – What is It, and It’s Uses in Risk Management

The second of a two part article….
Before I discuss the use of hedging to off-set risk, we need to understand the role and the purpose of hedging. The history of modern futures trading begins in Chicago in the early 1800’s. Chicago is located at the base of the Great Lakes, close to the farmlands and cattle country of the U.S. Midwest making it a natural center for transportation, distribution and trading of agricultural produce. Gluts and shortages of these products caused chaotic fluctuations in price. This led to the development of a market enabling grain merchants, processors, and agriculture companies to trade in contracts to insulate them from the risk of adverse price change and enable them to hedge.

The first commodity exchange was the creation of the Chicago Board of Trade, CBOT in 1848. Since then, modern derivative products have grown to include more than the agricultural industry. Products include Stock Indices, Interest Rates, Currency, Precious Metals, Oil and Gas, Steel and a host of others. The origins of the commodity and futures exchange was created to support hedging. The role of speculators is beneficial as they add trading volume and important volatility to what would otherwise be a small and illiquid market place. You can view a complete listing of the worlds different exchanges at: http://www.genuinecta.com/World_Exchanges_Commodities_Trading_Advisors.htm

A bona-fide hedger is someone with an actual product to buy or sell. The hedger establishes an off-setting position on the futures or commodity exchange, thereby instituting a set price for his product. Someone buying a hedge is known as being “Long” or “Taking Delivery”. Someone selling a hedge is known as being “Short” or “Making Delivery”. These positions known as “Contracts” are legally binding and enforced by the exchange.

Entering your trades either for speculation or hedging is done through your broker. Commodity Trading Advisor, Genuine Trading Solutions President Dwayne Strocen, states that “Commodity and Futures exchanges are distinct from Stock Exchanges, although they operate using the same principals. They are regulated by different agencies such as the Commodity Futures Trading Commission who are responsible for regulation of retail brokers in the USA as well as Commodity Trading Advisors such as us.”

Now let’s view some real life examples of hedging or mitigation of risk by using exchange traded derivatives.

Example 1: A mutual fund manager has a portfolio valued at $10 million closely resembling the S&P 500 index. The Portfolio Manager believes the economy is worsening with deteriorating corporate returns. The next two to three weeks are reports of quarterly corporate earnings. Until the report exposes which companies have poor earnings, he is concerned of the results from a short term general market correction. Without the privilege of foresight, he is unsure of the magnitude the earnings figures will produce. He now has an exposure to Market Risk.

The manager thinks of his options. The greatest risk is to do nothing, if the market falls as expected, he risks giving up all recent gains. If he sells his portfolio early, he also risks being wrong and missing further rally’s. Selling also incurs substantial brokerage fees with additional fees to buy back again later.

Then he realizes a hedge is the best option to mitigate his short term risk. He begins by calling his CTA (Commodity Trading Advisor) and after consultation places an order to sell short the equivalent of $10 million of the S&P 500 index on the Chicago Mercantile Exchange “CME”. Now his result is when the market falls as expected, he will off-set any losses in the portfolio with gains from the Index hedge. Should the earnings report be better than expected, and his portfolio continues upward, he will continue making profits.

Two weeks later the fund manager calls his CTA and closes the hedge by buying back the equivalent number of contracts on the CME. Regardless of the resulting market events, the mutual fund manager was protected during the period of short term volatility. There was no risk to the portfolio.

Example 2: An electronics firm ABC has recently signed an order to deliver $5 million in electronic components of next years model to an overseas retailer located in Europe. These components will be built in 6 months for delivery two months after that. ABC instantly realizes they are exposed to two risks. 1. the rising and volatile price of copper in 6 months may result in losses to the firm. 2. the fluctuation in the currency could easily add to those losses. ABC being a young firm cannot absorb these losses in view of the highly competitive market from others in the field. Losses from this order would result in lay-offs and possibly plant closures.

ABC telephones their CTA and after consultation places an order for two hedges, both for an expiry in 8 months, the date of delivery. Hedge #1 is to buy long $5 million of copper effectively locking in today’s price against further price increases. ABC has now eliminated all price risk. The risk of plant closures is greater than the lure of increased profit should copper price fall. After all, ABC is not in the business of speculating on copper prices.

Hedge #2 is to sell short the equivalent of Euro Currency vs US Dollars. Since ABC is effectively accepting EC in payment, a rising US dollar and a weak EC would be detrimental and erode profits further. The result of the hedge is no risk and no surprises to ABC in either copper or currency levels. A risk free transaction and full transparency is the result. In 8 months with the order completed and the customer accepting delivery, ABC notifies the CTA to close the hedge by selling the copper and buying back the Euro Currency contacts.

Many examples exist to demonstrate the mitigation of risk to an institution or financial portfolio. Dwayne Strocen states that new products are constantly created and available on both over-the counter and exchange traded markets. If would be wise to consult with a qualified Commodity Trading Advisor or broker to discuss the analysis for an on-going risk management solution or a one time only hedge.

Project Management – Stakeholder Risk Management

In this article we’ll address the people swirling around your project: stakeholders. You’ll find some tips and other resources for optimizing stakeholder involvement in your project.

“Who cares?”

“What do they care about?”

“What am I going to do about it?”

Those are the three simple questions a project team can ask to understand their stakeholders and develop a strategy for keeping them happy.

As we developed a workshop on stakeholder management built on those three questions one of our project management experts, put all the pieces together when he said, “That’s just risk management for people.”

We think he’s right. Review this classic risk management process. Can you see the parallel?

1. Identify risks.

2. Analyze and quantify the risk.

3. Develop a risk response.

So on your next (or current) project consider treating your stakeholders as opportunities or threats.

Step One: Identify risks (stakeholders)

Just as with risk management, we can only manage stakeholders that we are aware of, so be creative and energetic in identifying stakeholders. Cast your net wide and consider all those stakeholders that won’t make a peep unless you step on their toes. Regulators, end-users, your customer’s customers, and internal support staff such as accounting or procurement. Too many project managers don’t include these secondary stakeholders in their normal communication

plans yet get indignant when they obstruct the project. In risk management we identify threats and opportunities. Stakeholders can be project adversaries just as easily as advocates.

While you are trying to uncover the hidden stakeholders, don’t forget about the obvious ones: your team, your sponsor, and the people who will be approving the funding.

TIP: Make sure your stakeholders have a name and email id. Stakeholders are people, not organizations. “Facilities” isn’t going to sign off on your change request, but Cindy, who runs the department, might.

Step Two: Analyze and quantify the risk (what do they care about?)

Risk management calls for prioritizing the risks according to probability and impact. We can prioritize stakeholders similarly – by authority and interest. Interest means “how much do they care?” and authority equates to their ability to affect the project.

Now analyze the high priority stakeholders. You won’t be able to quantify your stakeholders as much as your project risks, but you can organize some key information: What do they care about? How will the project affect them? How does this project fit into their priorities? What do you need from them for the project to run smoothly?

Step Three: Develop a risk response (What are you going to do about it?)

What we do to leverage our supporters and minimize the effect of our opponents will depend upon the answers to the questions above. The more we know about our stakeholders, the better we can plan to work with them. One thing is certain: ignoring them will sap their support and inflame their opposition, so plan for communication.

Rapid changes in information technology continue to bring us new ways to flood our stakeholders with data, but that doesn’t necessarily make us effective communicators. Who needs information? What information? How often? In what format? These questions form the basis of your communication plan. As you develop your communication plan remember these two tips:

1. Positive personal relationships are the foundation of effective communication. Personal relationships magnify the value of the technology we use to deliver information.

2. Use two or more mediums of communication for every stakeholder. For example, meetings should be accompanied by documentation.

The Secret to Success

What’s the secret to risk management? Do it. Proactive, systematic risk management means finding the problems before they find you. Risk management doesn’t have to be complex, but it does have to be disciplined. The same holds true for our stakeholders. Understanding who they are and what they want often isn’t that difficult. The key is to be proactive, to reach out, and influence them before they influence you.

About LSA Global

Since 1995, LSA has helped organizations create and maintain distinct competitive advantages through human capital.

We work with leading organizations to drive success through their people and the strategies, structures, systems, and processes that attract, inspire, develop, and retain top talent. Our solutions focus on the areas of:

Sales Revenue Growth

Leadership and Management Performance

Human Resource Performance

Strategy Execution and Transformation

Customer Service, Satisfaction, and Loyalty

Project Management Performance

Engineering Performance

We believe our clients’ success in the marketplace is realized through increased revenue, decreased costs, and higher productivity. We are fiercely devoted to the success of our clients and proud that over 85% of our business comes from repeat business with satisfied clients and that we have a 97%+ customer satisfaction rating.

Playing it Safe With Corporate Risk Management

The practice by which a firm optimizes the manner in which it takes business risks is called risk management. It includes monitoring of risk taking activities, upholding relevant policies and procedures and distributing risk-related reports.

The scope of Corporate Risk Management extends to the risks of non-financial corporations and financial institutions that are not engaged in trading or investment management. Risks vary from one corporation to another depending on factors such as size, industry, diversity of business lines, sources of capital, etc. Practices that are appropriate for one corporation are inappropriate for another. For this reason, corporate risk management may only be broadly defined. Companies pick and choose from several techniques to suit their own needs. To make things easier, risk management templates and tools are available with vendors such as

Let’s take a look at the prerequisites for successful corporate risk management (CRM).

Corporate Culture: Your business can manage risk only when your employees are willing to deal with it. Often, you might have a tough time with this. You build systems but cannot force implementation which is necessary to effectively manage risk.

Your company’s culture plays an important role in corporate risk management, as it has an influence on the level of risk taking by the organization. A positive risk culture promotes individual responsibility and supports risk taking. No risk culture is perfect, and is therefore open to improvement. Your challenge as a business leader is to honestly assess your organization’s culture and then work to change it. Books like “CRM: An Organizational Perspective” and “CRM: Global Best Practices

Policies & Procedures: These are powerful tools of corporate risk management as they direct your employees’ actions. They specify how people can accomplish their tasks, but if neglected, can become an impediment.

Just setting policies or procedures isn’t enough; you need to ensure your employees follow them. Formalizing the way in which you change existing policies or procedures will help your employees recognize the changes taking place.

Technology: Technology plays an important role in risk assessment and facilitating communication. It is used to quantify or summarize risks as they are being taken and then communicate this information to decision makers. It can include an interactive risk report that is electronically circulated to managers every day.

Independence: Effective corporate risk management demands independence of the risk managing functions from the risk taking ones. Some guidelines for fostering this independence are as follows:

1. Lines of reporting should be reasonably independent.

2. Except at the highest levels, risk takers should not be involved in reviewing performance, deciding compensation or recommending promotion of risk managers.

3. There should be no switching of employee roles between risk taking and managing.

Risk Management – Iso 9001 Way

Copyright (c) 2008 Ed Bones

In each human endeavour there is an element of risk; personal, project or financial, or a combination of them all. The job of the responsible individual is to identify the risk and act accordingly. We all do these ‘risky’ things, almost daily, aware that we are taking a risk. Rather than staying away from the risk we become adept at identifying it and having a strategy for dealing with it if the risk materialises. This is what risk management is about, and is an ability that is important in virtually every endeavour.

The popular misconception that risk management is difficult or complicated stems from the bureaucratic methodology of some system-oriented organisations and managers. It is neither complicated or bureaucratic, and need not be. Risk management is basically a simple proposition with a complexity dictated by the nature of the situation to which it applies – usually a project, and the parties involved. In its basic form risk management involves:

1. Identifying risk – Looking for anything that threatens the successful completion of the project against the original requirement. Risks can be environmental, organisational, technical, legal, economic or commercial.

2. Counteracting risk – Taking action to remove or reduce the probability of a risk being realised. The response depends on the nature or seriousness of the risk.

3. Acting when the risk event occurs – Invoking whatever contingency measures were devised for the risk that has materialised.

And for this to happen needs:

4. Monitoring at all stages – This typically means documenting a risk assessment in a profile that identifies the risk, the probability of its occurrence, and the impact if it does materialise. Factors that score paramount are those that require the greatest attention and monitoring. A good risk manager will devise contingency plans that reduce either the probability or the impact of these occurrences, and so remove them from the scene.

Working within a formal structured management system similar to that defined by ISO9001 requires the application of risk assessment practices to satisfy the requirements of the Standard. Auditors of such systems may not find specific references to risk management in these areas even though the identification of potential failure (8.5.3) is wholly concerned with a topic that is nothing less than risk management.

Well managed risk taking is an essential feature of any forward thinking enterprise, since risk is an element of any progression or advancement. It is the adoption of effective risk management in conjunction with the continuing need to drive forward from a comfortable position that leads to progress and advancement. Doing what we always do purely because the risks appear to be negligible or are well known is to be ‘risk averse’, and for progressive organisations cannot be acceptable. Neither is it acceptable to pursue new ideas without an understanding of their potential benefit, proper planning, a clear idea of the threats to these benefits being achieved , and a strategy for dealing with them should they materialise. We need to manage in a manner that is neither predictable or reckless. Risk assessment is an essential tool to support this strategy. We ignore it at our peril…

Next Page »