Situation: You organization needs to take risk management a lot more seriously.
We recently spoke with Loren Padelford, Executive Vice President & General Manager at Active Risk. The folks at Active Risk talk a lot about establishing an "Active Risk Culture" at your organization - really making risk management a way of life, rather than a set of sterile processes. As a concept that sounds interesting, but how does it really work? Loren offers some clarification in his responses below.
How much difference can having a "Risk-Aware Culture" have on a business? Can you compare it to simply having Risk Management processes in place or even just using general policies to manage risk?
The difference between risk awareness and simple risk management is immense. In a risk-aware culture, risk is part of everyone’s daily activity. Most firms would argue that they have a risk management “process” or “policy” in place, but a risk-aware culture means that risk is analyzed to a granular level - where it has the most impact. This means that every single person within an organization, from the CEO to the finance department to the newest project manager, not only understands their risks, but implements and uses risk management on a daily basis. If everyone understands that their role has a component of risk management involved and that risk management needs to be practiced every day, than the organization’s ability to understand its risk at a more in-depth, mature level, increases.
We’re seeing and research is showing that organizations with higher levels of risk maturity have improved in profitability, enterprise value, and opportunity generation.”
Q. Could you describe how a Risk Aware Culture is established? What are the top 3 (must do) components of the process?
Establishing a risk-aware culture can be a relatively simple process if the organization, on an individual level and as a whole, is committed. Having executive level support is number one. Having the CEO involved in the process and actively understanding his or her own role as a risk manager is a must. Without senior level support and daily involvement, risk is seen as optional and a risk-aware culture will not be achieved.
Secondly, an effective risk management process must be goal-focused. In order to draw employees into the process, each individual in an organization needs to establish tangible goals that they want to achieve through risk management. Risk needs to be a valuable process to the people who do it every day and setting goals will show them how effective risk management is in helping them achieve their goals more quickly.
Finally, organizations must be careful not to over-complicate its risk management. In order for risk to take hold in a culture and become engrained in everyday activity, it must consist of simple tools and remain focused on the risk that really matters to each individual’s goals and objectives.
Q. How "Risk Mature" does your organization have to be to establish this sort of culture? Are there pre-requisites to keep in mind?
Because risk is an ongoing process, there is absolutely no threshold for risk maturity. Organizations that want to become more risk mature simply need to focus on the three attributes mentioned above – executive support, setting goals and keeping the process simple. If an organization achieves these things, they will find themselves in a position where the company starts to pull in risk awareness naturally, instead of finding it pushed onto them.
Q. When is it inappropriate to establish this sort of culture? In which industries is it more difficult?
Because every industry encounters risk on a daily basis, it is never inappropriate to establish a risk culture.
Additionally, every industry has a certain requirement to take risks in order to create opportunity. Of course, all industries have their particular challenges and some are more complicated than others, but there is never a time and place when risk is an inappropriate process to engage as a core component of a company’s strategy.
Q. Given your company's deep experience in fostering effective Risk Aware cultures, could you tell us what this takes from a staffing and a tool perspective?
From a staffing perspective, the organization must have executive-level support. I cannot stress this point enough: the Chief Executive Officer must also serve as the Chief Risk Officer. They will be the educator of risk throughout the organization and translators of the goals and objectives of the business. They are not only imperative to the success of the process, but they are the cultural enablers bringing risk to an organization-wide level.
Without the right tools, it’s nearly impossible to execute risk management well. Organizations should look for tools, like Active Risk’s ARM solution, that provide a centralized hub for all risk information, so that the defined Chief Risk Officer is able to own the risk management process. This tool should integrate seamlessly into existing systems and processes, and have the ability to be personalized to each user’s needs.
The most successful organizations are the ones who have taken the approach of giving individuals high power and highly capable, yet simple to use tools to support risk management as a daily activity in business. These are the organizations that reap the rewards of a risk-aware culture.
About Loren Padelford
Loren is responsible for all customer-facing activities at Active Risk including sales, marketing, services, partners and customer success.
Loren has a broad track record of success in technology, advertising and business services. Prior to joining Active Risk, Loren was Vice President of Strategic Alliances and Global Sales Director for Dyadem International, a leading enterprise HSE software provider. Loren was a key member of the leadership team and instrumental in the growth of the business, which led to the acquisition of Dyadem by IHS (NYSE:IHS) in April of 2011. Prior to Dyadem, Loren was National Sales Manager at Recall Corp, Sr. Director of Sales & Account Management at advertising firm Uthink and started his career selling photocopiers with Ricoh Corp.
Loren holds an MBA in Marketing from the University of Liverpool Management School, a Bachelors of Psychology from the University of Guelph and is a Certified Sales Professional.
| Situation: You want better assess project risk.|
ITProjectMetrics.com is a rather crude looking online tool - but the people who put it together may have really hit on something. The site gathers project information (both demographics and performance data) from people like you, then lets you know how different factors might affect project success. At this point the sample size is too small (86 projects), but we could all help change that if we were so inclined. Everyone wants benchmarks and everyone wants to better understand risk from every angle. These sorts of things help you define success and make sure you don't stumble over common obstacles that should have been avoided.
You only enter project data on completed efforts. Here's what the current breakout looks like:
Here are a few examples of the data you'll get back from the site:
| Situation: You're Wondering If Transparency Helps... |
“Transparency has a huge value on moving these things forward,” - Jonathan Breul, executive director for IBM Center for the Business of Government
An article today in The Federal Times, entitled OMB: IT project management is improving describes a substantial improvement in government project performance.
"The management watch list highlights weak business cases for hundreds of government IT projects. The projects are considered at risk because of deficient acquisition strategies, poor data security measures or flawed design plans. Agencies are required by law to submit the business cases to OMB for approval in order to get funding for them.
The number of IT project business cases on the watch list fell to 183 as of March 31 from 346 last December. Because some business cases cover multiple IT projects, the number of IT projects that are deemed at risk is likely far higher than this number. The business cases on the list cover projects worth a combined $9.7 billion in fiscal 2008 investments.
Business cases are dropped from the list as agencies document to OMB that they are addressing weaknesses. OMB spokeswoman Andrea Wuebker said that to get cases off the list, agencies assigned full-time project managers, completed certification and accreditation procedures to assess data security risks and showed they had conducted quantitative analysis for the investment. "
Situation: You want to create some interesting discussion around your PPM efforts...
Here's an example of one such pyramid in action. Whirlpool distributes its resources by placing big bets on new businesses at the top of the pyramid, replacing products at the bottom and driving incremental change in between.
| Situation: You've been making a lot of decisions on the fly lately...|
I read this cover story a couple of days ago on a plane - "Why We Worry About the Wrong Things, The Psychology of Risk." by Jeffrey Kluger. Even though it's really about the personal, sort of everyday risks that we all take, I thought it was particularly relevant to what we as Project Managers do for a living.
The author talks about the following reasons for our natural mis-perception of risks, saying:
- our pre-historic brains are pre-programmed to have fight or flight reactions to certain stimuli.(when we intuitively feel threatened, we react)
- we naturally are troubled more by the prospect of pain and suffering than even death. The closer in time we are to the unfortunate event, the more motivated we are to react.
- we fool ourselves into thinking we are less likely to suffer a bad outcome if we are in control (driving a car vs. being a passenger on a plane)
- we need to be particularly skeptical of statistics, as they can be rigged to say anything.
He concludes the piece by recommending we all make more reasoned, rather than intuitive choices.
I think he makes a good point. We need to be mindful of:
- how we react when we feel threatened.
- how we overreact when we feel like our reputation or career might suffer.
- how we sometimes take on tasks that would be better done by others, even though they might do things differently.
- decisions based purely on numbers.