2 "Dynamic" Frameworks of Risk Management
Fig. 5 Dynamic factors dominating risk management
Linking Strategy to the Real World
to as the efficient frontier, i.e. the level of residual risk under which no further risk
reduction is generally warranted.
Figure 5 further introduces the reader to some of the factors, which play a
significant role in both the quantification of current levels of risk, and future levels
of risk. Each factor in itself poses a threat, and unfortunately each factor reflects a
specific degree of uncertainty. In particular, it is submitted that “fire” as a risk
factor, by and large has become a factor that is well understood – and coherent with
far-reaching risk transfer mechanisms such as insurance packages. Other factors
such as IT failure, the War against Terror, Pandemic Flu or Global Warming are far
less understood and hence reflect more elevated degrees of uncertainty for risk
managers. Ignoring them in their entirety simply because the true quantitative
impacts cannot be assessed at this stage, should be considered an act of gross
negligence – if not more.
Risk managers in real life organizations, unfortunately, have to cope with far
more. The world, in which they operate, has mutated from single work places to
integrated supply chain networks with partially unknown levels of complexity and
some unknown interdependencies. At the same time, any attempt of an organization
to enhance the economic value added, be it through risk reduction initiatives,
organizational growth or the increased returns, usually has an impact on the residual
levels of risk. A choice of business models in order to reduce operating costs, for
example through just-in-time inventory management, of course can cause elevated
levels of residual risk too.
Needless to say, today’s complexities and dynamics render the bulk of the
available standards and regulatory frameworks almost useless when the main
focus is to provide governance and leadership to the true practical challenges
faced by risk managers.
Risk Management in Integrated Supply Chain Networks
To add insult to injury, the degree of dependency of individual organizations
ranging from the overall value chain that reaches from raw products to the ultimate
end consumer, has increased drastically in the last decades.
Figure 6, originally borrowed from internal presentation material of Marsh Risk
Consulting, outlines some typical risk factors, which may become relevant for the
design of a risk management system in the retail sector. Incidentally, while real-life
(risk) management systems may neglect some or most of these factors in their striving
for what is commonly referred to as enterprise-wide risk management, simply
because historically such frameworks were dominated far too much by accounting
and risk provisioning frameworks, the good news is that checklists can be traced via
the Internet to an extent that helps identify almost all risk factors fairly easily.
Fig. 6 Risk management in integrated supply chain networks
Today’s primary concern, however, reaches far beyond the scope of identifying
individual risk factors and designing response strategies. As a consequence of
having designed integrated supply chain networks and outsourcing, organizations
have evolved to becoming rather vulnerable to changes in their supplier networks,
and this phenomenon appears to be happening to an increasing extent. As a consequence of the financial crisis, numerous organizations have disappeared off the
market and/or have been filleted by institutional investors. And if not, these
organizations in many cases have become more vulnerable, and often impeded by
the fact that banks no longer function in the same fashion they did prior to the crisis –
whether right or wrong. A speculation, which can be traced in common literature
and the media, and which would need to be substantiated, is that while financial
markets seem to have recovered from the financial crisis, the real world is still in the
midst of it – and will be so for an extended period of time.
The problem appears to be that more than just a few organizations have
outsourced what can and should be considered a part of their core business – at
least in the not so distant future. Hence, in the event of a core “strategic” supplier
disappearing, or of a change in attitude, or of a supplier being consolidated into a
new context, which unfortunately applies primarily to one of the core suppliers,
some central elements of the corporate value chain may become dysfunctional.
To add further insult to injury, the main interface between organizations and
their suppliers, besides technical and certain operational issues, is the procurement
function – which, as several authors have claimed, is far from adequately positioned or skilled to cope with today’s realities. It is submitted that a procurement
function should, in order to be effective, be able to assess the risk position of their
entire supplier organizations, including their respective suppliers and related
vulnerabilities in transportation from A to B. Buffering capacities, insurance
coverage, the true wording of contracts, and the effectiveness of early detection
mechanisms in risk and issue management have become equally or more
important when compared to the historical set of quality and cost related key
Moreover, the skill set and the structural authority of the procurement function
appear to have become an impediment for effective beyond-enterprise risk management in that usually, the procurement function would be far from capable or
authorized to design and implement higher-level intervention mechanisms such as
supporting suppliers through short-term cash injections (be it debt or equity),
longer-term contracts in conjunction with forfeiting mechanisms, or even (partial)
insourcing decisions. Needless to say, such decisions would typically require the
structural power and higher authority of a corporate board. The question is, then,
why it is taking so much time to modify organizational structures to the effect that
the procurement function is raised to corporate board level, or that a board member
takes over the actual management of the procurement function. In this context the
reader is advised that such overdue changes are not observable as an obvious trend
in the quarterly or annual reports of most Fortune 500 organizations.
As a comment on the side, the author firmly believes that the above set of new
challenges will have an even worse impact on the effectiveness and efficiency of
risk management to the extent that it relates to public sector organizations. The
same new vulnerabilities apply; however, the ability to react is far more impeded
than is the case in private sector organizations, given that public sector
organizations are usually bound by public tendering policies and procedures which
were originally designed to render procurement neutral and robust against manipulation. In today’s environment, however, these policies and procedures as well as
related regulatory frameworks have the potential of becoming one of the worst
nightmares that is conceivable in the public sector. Of course, again: the future will tell.
4 Implementing Risk Management in Real Life
Frameworks of Change: Project Management Techniques
It is submitted that one of the predominant organizational frameworks for the
introduction of change is the project. The advantage is, of course, that projects
today are well understood and easily manageable. Frameworks such as PMI’s
renowned “Project Management Body of Knowledge” (PMBOK) offer a practicable process model including the integration of all related knowledge areas. Complementary frameworks such as the best-practice oriented PRINCE2 standard of the
Office of Government Commerce offer valuable additional tools and techniques.
The reader may be aware that a large number of complementary standards and
practitioner guides exist to address similar or complementary topics such as program management, project portfolio management, scheduling, project risk management, organizational project management maturity, work breakdown structures,
earned value management, and the like.
While one should assume that project management has become a technique in
which everything is entirely under control, the opposite seems to be the case in
larger organizations, and larger-scale change initiatives. Kross (2006) systematically traced troubled or failing change initiatives in the modernization of larger-scale banks’ IT landscapes back to what can be considered a logical sequence in
which poor decisions and work processes of the past became the core change
impediment for the future – as Fig. 7 reflects.
Figure 7 renders it apparent that the increasing gap between true progress from
completed activities, and budget consumption, coincides with a lack of true complexity reduction in projects’ respective life cycles. The techniques, which are
commonly employed, seem unable to cure this problem. In particular, larger
changes to the IT landscapes in banks often follow a model whereby initially the
business departments define what is commonly referred to as their 180% solution to
business requirements (in order to leave some space for negotiations), followed by a
specification of technical requirements which are usually not questioned by anyone
but which coincide with a slight reduction or otherwise modification of the business
related scope and requirements. Then, everything is thrown over the fence into a
project management framework in which initially, a standard software solution is
chosen and parameterized. As soon as it is recognized that the standard software
solution cannot cope, logic and functionality are transferred into intelligent software
interfaces and complementary libraries or software modules. As and when the
resulting complexity has become unbearable, the scope or the quality is reduced
in order to keep a cap on the costs.
Fig. 7 Flawed risk management in typical major change initiatives
In these situations, project managers become vulnerable to separating themselves from their original set of responsibilities, partially because their escalations
typically do not result in the desired feedback from higher authorities. Risk Owner
systems such as those described by Kross (2009) become dysfunctional and counterproductive. Moreover, an elevated vulnerability to manipulation is established,
which augments the issues between the translation of facts and figures into human
perception and language – and backwards. The reader is advised that numerous
authors have addressed the “soft” factors in risk management very well.
Flawed Change and its Impacts for Risk Management
The earlier sections highlight numerous undesirable side effects for risk management, which result from flawed conceptual design and implementation of risk
analytics and risk management in dynamic environments, and the further impacts
resulting from flawed organizational change. It is submitted that the conflict arising
between overlapping organizational structures and processes, as well as the
resulting conflicting goals and objectives which face individual and team decision
makers, have the potential of making matters even worse. The reader may also
imagine the likely implications for any future change initiatives, which then need to
be designed to operate within a partially dysfunctional landscape as it results from
earlier flawed change initiatives, and potentially with a scope that includes both the
new project focus, and the various liabilities, which have remained unresolved and
unaddressed by the earlier attempts.
Unfortunately, in some cases this is not the full story. Figure 8 displays for a
financial services provider environment, how certain dysfunctional aspects in
change initiatives have the potential to stifle the organization’s ability to perform
effective risk management line functions.
In particular, Fig. 8 reflects that flawed change management initiatives and/or
poor compromises lead to impeding effects in operational processes. For example,
value-adjustments and write-offs are performed or detected too late in order to
enable the back and middle offices to perform an early recognition of deviations
from the rule, and related reactions. Moreover, due to a flaw in the design and
implementation of risk management initiatives, ultimately, the financial services
provider becomes ineffective or entirely unable to perform what is commonly
referred to as risk-adjusted pricing. Needless to say, this would be a problem.
Framework for the Introduction of Systemic Process-Related
Risk Management in Real Life Organizations
In a number of earlier publications, the author suggested that a more systematic and
process-related framework for risk management should not be based on the assumption that the wheel needs to be reinvented. Rather, most organizations practice risk
management in some or other fashion already. The issue is, however, that risk
management in real life organizations often lacks more than just fragments of what
is commonly referred to as the risk analytics toolbox, and that decisions are hence
made on the basis of an insufficiently stable foundation. In more informal risk
management frameworks as they seem to have remained the norm in small to
medium scale enterprises, and in a surprisingly large number of public sector
organizations where the same status seems to apply, good risk-based decisions by
logical inference become an accidental surprise and incident.
In order to develop a fast appreciation of what is truly needed, what is already
there and which priorities need to be set in order to close the gaps quickly and
efficiently, it is sensible to first, on the basis of a cursory understanding of a new
policy on risk management, identify how reactive and proactive risk management
techniques are employed in processes and work flows, and which metrics have a
true meaning for the organization (Fig. 9).
Corrective action including what is commonly referred to as “quick wins” can
then be interfaced into the real-life situation, and can be complemented with a
gradual enhancement of processes and workflows, and an upgrade and refocusing of
the key indicators that should have a true meaning for the organization. Planning
and implementing a prioritized action list can then become the basis of a continuous
improvement framework, or a six-sigma framework for that matter. As things
evolve, an enhanced degree of quantification should be the target.
Fig. 8 Impact of flawed change initiatives on risk management
Fig. 9 Introducing systematic risk management in real-life
Shifting the Focus from Risk to Opportunity Management
While this chapter clearly outlines that risk management in real-life organizations is
far from what could be characterized as “fully under control,” and that a long road
to success is yet to be overcome, it is submitted that this is not the ultimate target.
Rather, the road from chaotic conditions via a systematic problem management, a
more systematic risk management, and via an increasingly systematic opportunity
management should ultimately be focused on the true success factors which count
in the sustainable competitive advantages of an organization; building on
frameworks such as the famous five forces of Michael Porter, and the like.
Given that a systematic opportunity management cannot function in real life
organizations as yet, partially due to the lack of risk management related skills as
they have remained in practice and academia, a quantitative proof of concept and
even more a quantitative proof of effectiveness and efficiency cannot be presented
at this stage. Rather, arguments must remain qualitative at this stage.
Perhaps an interim step in the ultimate direction can be to refer to a framework
which was originally conceived by Harold Kerzner (2000), commonly known to be
one of the gurus and the leading thinkers in the field of project management.
Kerzner submitted several years ago that the maturity models, which had developed
an elevated level of attractiveness for knowledge workers in many industries,
reflected some conceptual flaws. Kerzner identified it as a rather positive factor
that quite apparently, knowledge workers are ready to adopt change and to improve,
in some cases rather substantially. However, the highest level of most maturity
models, thus a continuous improving of the level of high maturity, cannot be the
ultimate goal. Kerzner presented the analogy of a product which, as soon as a high
level of maturity has been reached, potentially loses its attractiveness.
Kerzner suggested that the willingness to change should be considered as an
opportunity by higher level management, which could jump onto the change
initiatives and interface a vision for the development of sustainable competitive
advantages and what is commonly referred to as strategic competencies. Excellence
becomes the higher-level target, not just maturity.
Please note that Fig. 10 reflects a somewhat modified graphical representation of
Kerzner’s model in which his expression “project” was replaced by the word “risk,”
thereby submitting the notion that the model can apply similarly: enhanced beyond-maturity risk management, similarly to what seems to apply for the field of project
management, can become an opportunity enabler in which organizations differentiate themselves in their ability to manage risk, and change, far better than their
Fig. 10 Perspectives of effective risk and opportunity management
5 Conclusions and Recommendations
This chapter submits that corporate and project (portfolio) risk management must
be set up for the specific circumstances of an organization within its supply chain
network, consisting of various inter-layered analysis and management levels.
Conceptually, this is not trivial and dreaming of all-encompassing software
solutions does not solve the problem. But, the good news is that many significant
problems have already been resolved conceptually; it is hence not necessary to
conceive or implement an overly narrowly minded approach; and there is usually no
need for the reinvention of the wheel. Historically, an overemphasized controlling
function seems to have prevailed in risk management, resembling a “tail wagging
the dog.” A probabilistic approach will in most cases be the most sensible framework for risk analytics, given the inherent degrees of uncertainty and the remaining
skill and knowledge gaps in theory and practice.
Projects should be understood as the main framework for change. These however require an upgrade toward enhanced risk and ultimately an explicit opportunity
management. Truly significant is the handling of “soft” factors, as numerous
authors have submitted; “hard” metrics will not suffice in real life organizations.
This is due to numerous factors including but not limited to the observations that the
human understanding and attempts to manipulate dominate the initial evaluation,
the subsequent implementation, the delegation of responsibility, and the strategic
stakeholder communication. Rather than establishing “hard” controlling and
auditing frameworks first, and following the route of historic regulatory-driven
risk management initiatives, the targets should become an entrepreneurial prioritization framework, creating a transparent and strategy-supporting risk culture,
enhanced risk awareness, facilitated flexibility, and the creation of a fully functional
risk ownership structure.
It appears that risk management on the systems-, processes-, projects-, portfolio-,
initiative-, enterprise-wide and supply chain levels is currently experiencing a
fundamental change in mindset, a cultural paradigm change toward incentive
schemes for the delegated responsibility. This necessarily coincides with the
urgently needed creation of an interface to optimization and opportunity generation
frameworks, beyond enterprise boundaries and integrated logistic networks.