October 9th, 2008 chris
If you are starting a risk management system for the first time, then you have to prepare the organization for risk management. This is what culture building is all about.
The following are the components in Preparing for Risk:
- People
- Communication
- Body of Knowledge
- Metrics
- Estimation Models
- Detailed Planning
- Effective Defect Management
Posted in Software Risk Management
October 9th, 2008 chris
Risk culture is the soft side of risk management and often gets taken for granted, even though it is a critical dimension in building an effective risk management architecture. At a basic level, risk culture is the way management and everyone else in the organization feel about risk - recognizing that feelings, attitudes and perceptions about risk will influence how it is managed. The risk culture sets the tone of an organization, influencing the risk-consciousness of its people as they conduct their daily activities and pursue their business objectives.
Risk culture is the degree to which management recognizes the need for risk management competency within the organization. It encompasses an organization’s appetite and tolerance for risk in its daily operating activities and decision-making processes. (Risk appetite is the desire or tendency to take on risk, ranging from risk-averse, risk-neutral, risk-taker to risk-seeker. Risk tolerance is the maximum amount of risk that the enterprise considers acceptable.) An organization with a strong risk culture is committed to the establishment of standards and protocols for identifying, assessing and managing risks.
As the risk culture matures, the paradigm shifts. Previously known and imminent risks are attacked, as in crisis management. With experience, internal risks are mitigated. After the house is in reasonable order, the external risks are engaged. Then project-level risk management is supported by enterprise risk management. The larger problems are solved using long-term strategies. This is the time when risks are exploited. As risks are solved, the associated opportunities are seen with clarity and pursued with added focus.
When risk perception is respected, there are many risk owners. These employees own the risks because risks affect their goals and objectives. They do not shun risks but welcome risk discovery and appreciate its positive aspects.
Decision analysis practitioners take risk analysis in their stride. All decision analysis methods consider risk and payoffs in decision alternatives and allow the decision maker to make optimum choices. The decision analysts examine risks in a scientific manner. They value risk perception as a way to make the right choice. To take a decision is to choose among risks. They choose the least harmful option and acknowledge the fact that risks prevail in the real world.
When the organization matures and possesses prediction models, risk forecasting becomes an obvious output. Such models are used not only to predict the steady-state values of processes but also to simulate dynamic variations and risks. All estimation models are potential risk forecasters.
The growth architects of an organization cautiously hunt for opportunities. Their caution is actually risk perception. Soon the employees realize that perceiving and responding to risks will pave the foundation for growth. An organization that does not see risks is blind. An organization that does not respond to risks is dead.
As the organization achieves capability, the risk response shows progress that is continual but subtle. Here is a list of risk-response types, illustrating a progression in risk management:
- Risk mitigation
- Risk prevention
- Risk prediction
- Risk exploitation
Mature risk cultures instill in project teams an ability to perceive and solve risks with speed and energy. The mature teams make detailed project plans and map risks to subtle shifts in microlevel tasks; thus, they are able to detect risk symptoms at the task level and predict risk early in the project. The frequent sharing of risk information, exchange of successes and failures in risk mitigation, and a frequently visited common risk repository all have one significant consequence: the mature project team cultivates a sixth sense for risk from the continual corroboration of risk data and assimilation of risk practices. Risk culture fills gaps in the risk management process, makes the project team vigilant well beyond the scope of defined processes, equips people with an organic power to detect and solve problems posed by risks, and empowers processes with an everlasting vision and energy to hunt for risks. Although most risk management processes are capable of dealing with known risks, a risk culture has the power to see unknown risks. When it comes to project survival in the midst of catastrophic risks, one relies more on risk culture than on defined processes. Risk culture, which is the accumulation of risk practices, experiences, and practical wisdom, is a worthy complement to defined risk management processes. Maturity involves years of practice and mastery over risk management processes.
October 9th, 2008 chris
It is important to remember that risk perception is based on vision and calls for unfailing foresight.
The Japanese Five S methodology, whose steps are listed below, demands that we keep both the mind and environment in order:
1.) Sort (Seiri) - Put things in order (remove what is not needed and keep what is needed)
2.) Straighten (Seiton) - Proper Arrangement (Place things in such a way that they can be easily reached whenever they are needed)
3.) Shine (Seiso) - Clean (Keep things clean and polished; no trash or dirt in the workplace)
4.) Standardize (Seiketsu) - Purity (Maintain cleanliness after cleaning - perpetual cleaning)
5.) Sustain (Shitsuke) - Commitment (Actually this is not a part of ‘4S’, but a typical teaching and attitude towards any undertaking to inspire pride and adherence to standards established for the four components)
Cleanliness in Five S is kept at a high level, and disorder is detected instantly. The effect of the environment on both the psychological and physical aspects is the theme behind Five S. Quintessential risk control requires controlling the risk environment. Disorder in the environment, both internal and external, is detected by the risk identifier.
To see risks in perspective, one must clearly distinguish between defects, issues, and risks. Defects are the results of mistakes and are found by inspection, testing, and analysis. Issues are discrepancies between planned and actual results, and are found by reviews. Risks are futuristic problems that may either materialize or melt away with time. When risks are solved, defects and issues decrease.
In summary, defects, issues, and risks have something in common: they are all problems and disorders. But there is a major difference: defects and issues are historic, things of the past, whereas risks are futuristic.
October 9th, 2008 chris
In software development projects, risk-driven approaches are known to pay rich dividends. Phase-end risk reviews and appropriate responses enable projects to sail smoothly. Risks are seen as roadblocks and barriers, and diversions are taken to reach project objectives. The project team looks at risks and treats them. They are told to watch out for risks, handle them, or escalate the risk upward for higher-level involvement.
A few software development methods have admirable inherent risk treatment abilities. The evolutionary development model exposes risks clearly at every increment. The project reviews at these increments are ideally suited to detecting risks and acting upon them. Natural risk detection is superior to forced risk detection. Another life-cycle model worth considering from a risk point of view is the agile process. Certain types of risks melt in the face of organic communication methods in the agile process. For example, the ubiquitous dependency risks are weakened by the communication speeds of agile development.
October 9th, 2008 chris
Stocks plunged again today, sending the Dow Jones industrial average down 679 points — more than 7 percent — to its lowest level in five years. The Dow ended the day at its lows, finishing down 678.91, or 7.3 percent, at 8,579.19. The blue chips hadn’t closed below 9,000 since June 30, 2003, and haven’t closed at this level since May 21, 2003.
This reminds me of the risks involved when you are into stock trading. It also reminded me of software development and project risks. What is a risk anyway? The original meaning of risk is associated with gambling — to risk is to gamble. When we take risks, there is a chance of gaining and perhaps an equal chance of losing.
The following are six definitions of risk:
- Risk is the probability of suffering loss.
- Risk is the probability of suffering loss while pursuing goals.
- Risk is the combination of probability and magnitude of loss.
- Risk is the probability of suffering loss while pursuing goals due to factors that are unpredictable or beyond.
- Internal risk is the probability of suffering losses while pursuing performance and growth goals because of inadequacies in process capability (including core and support processes) and organizational structure.
- External risk is the probability of suffering loss while pursuing performance and growth goals because of uncertainties in external conditions.