Corporate Risk Management E-Book

Table of Contents

Title Page

Copyright Page

Dedication

Chapter 1 - Introduction

1.1 INTRODUCTION

1.2 WHY MANAGING RISK IS IMPORTANT

1.3 GENERAL DEFINITION OF RISK MANAGEMENT

1.4 BACKGROUND AND STRUCTURE

1.5 AIM

1.6 SCOPE OF THE BOOK

Chapter 2 - The Concept of Risk and Uncertainty and the Sources and Types of Risk

2.1 INTRODUCTION

2.2 BACKGROUND

2.3 RISK AND UNCERTAINTY: BASIC CONCEPTS AND GENERAL PRINCIPLES

2.4 THE ORIGIN OF RISK

2.5 UNCERTAINTIES

2.6 SOURCES OF RISK

2.7 TYPICAL RISKS

2.8 PERCEPTIONS OF RISK

2.9 STAKEHOLDERS IN AN INVESTMENT

2.10 SUMMARY

Chapter 3 - The Evolution of Risk Management and the Risk Management Process

3.1 INTRODUCTION

3.2 THE EVOLUTION OF RISK MANAGEMENT

3.3 RISK MANAGEMENT

3.4 THE RISK MANAGEMENT PROCESS - IDENTIFICATION, ANALYSIS AND RESPONSE

3.5 EMBEDDING RISK MANAGEMENT INTO YOUR ORGANISATION

3.6 RISK MANAGEMENT PLAN

3.7 EXECUTIVE RESPONSIBILITY AND RISK

3.8 SUMMARY

Chapter 4 - Risk Management Tools and Techniques

4.1 INTRODUCTION

4.2 DEFINITIONS

4.3 RISK ANALYSIS TECHNIQUES

4.4 QUALITATIVE TECHNIQUES IN RISK MANAGEMENT

4.5 QUANTITATIVE TECHNIQUES IN RISK MANAGEMENT

4.6 QUANTITATIVE AND QUALITATIVE RISK ASSESSMENTS

4.7 VALUE MANAGEMENT

4.8 OTHER RISK MANAGEMENT TECHNIQUES

4.9 COUNTRY RISK ANALYSIS

4.10 SUMMARY

Chapter 5 - Financing Projects, Their Risks and Risk Modelling

5.1 INTRODUCTION

5.2 CORPORATE FINANCE

5.3 PROJECT FINANCE

5.4 FINANCIAL INSTRUMENTS

5.5 DEBT

5.6 MEZZANINE FINANCE INSTRUMENTS

5.7 EQUITY

5.8 FINANCIAL RISKS

5.9 NON-FINANCIAL RISKS AFFECTING PROJECT FINANCE

5.10 MANAGING FINANCIAL RISKS

5.11 RISK MODELLING

5.12 TYPES OF RISK SOFTWARE

5.13 SUMMARY

Chapter 6 - Portfolio Analysis and Cash Flows

6.1 INTRODUCTION

6.2 SELECTING A PORTFOLIO STRATEGY

6.3 CONSTRUCTING THE PORTFOLIO

6.4 PORTFOLIO OF CASH FLOWS

6.5 THE BOSTON MATRIX

6.6 SCENARIO ANALYSIS

6.7 DIVERSIFICATION

6.8 PORTFOLIO RISK MANAGEMENT

6.9 CROSS-COLLATERALISATION

6.10 CASH FLOWS

6.11 AN EXAMPLE OF PORTFOLIO MODELLING

6.12 SUMMARY

Chapter 7 - Risk Management at Corporate Level

7.1 INTRODUCTION

7.2 DEFINITIONS

7.3 THE HISTORY OF THE CORPORATION

7.4 CORPORATE STRUCTURE

7.5 CORPORATE MANAGEMENT

7.6 CORPORATE FUNCTIONS

7.7 CORPORATE STRATEGY

7.8 RECOGNISING RISKS

7.9 SPECIFIC RISKS AT CORPORATE LEVEL

7.10 THE CHIEF RISK OFFICER

7.11 HOW RISKS ARE ASSESSED AT CORPORATE LEVEL

7.12 CORPORATE RISK STRATEGY

7.13 CORPORATE RISK: AN OVERVIEW

7.14 THE FUTURE OF CORPORATE RISK

7.15 SUMMARY

Chapter 8 - Risk Management at Strategic Business Level

8.1 INTRODUCTION

8.2 DEFINITIONS

8.3 BUSINESS FORMATION

8.4 STRATEGIC BUSINESS UNITS

8.5 BUSINESS STRATEGY

8.6 STRATEGIC PLANNING

8.7 RECOGNISING RISKS

8.8 PORTFOLIO THEORY

8.9 PROGRAMME MANAGEMENT

8.10 BUSINESS RISK STRATEGY

8.11 TOOLS AT STRATEGIC BUSINESS UNIT LEVEL

8.12 STRATEGIC BUSINESS RISK: AN OVERVIEW

8.13 SUMMARY

Chapter 9 - Risk Management at Project Level

9.1 INTRODUCTION

9.2 THE HISTORY OF PROJECT MANAGEMENT

9.3 DEFINITIONS

9.4 PROJECT MANAGEMENT FUNCTIONS

9.5 PROJECT STRATEGY ANALYSIS

9.6 WHY PROJECT RISK MANAGEMENT IS USED

9.7 RECOGNISING RISKS

9.8 PROJECT RISK STRATEGY

9.9 THE FUTURE OF PROJECT RISK MANAGEMENT

9.10 SUMMARY

Chapter 10 - Risk Management at Corporate, Strategic Business and Project Levels

10.1 INTRODUCTION

10.2 RISK MANAGEMENT

10.3 THE RISK MANAGEMENT PROCESS

10.4 COMMON APPROACHES TO RISK MANAGEMENT BY ORGANISATIONS

10.5 MODEL FOR RISK MANAGEMENT AT CORPORATE, STRATEGIC BUSINESS AND PROJECT LEVELS

10.6 SUMMARY

Chapter 11 - Risk Management and Corporate Governance

11.1 INTRODUCTION

11.2 CORPORATE GOVERNANCE

11.3 CORPORATE GOVERNANCE APPROACH IN FRANCE

11.4 CORPORATE GOVERNANCE APPROACH BY THE EUROPEAN COMMISSION

11.5 CORPORATE GOVERNANCE AND INTERNAL CONTROL

11.6 SUMMARY

Chapter 12 - Risk Management and Basel II

12.1 INTRODUCTION

12.2 RISK RATING SYSTEM (RRS)

12.3 BORROWER RISK RATING SYSTEM AND PROBABILITY OF DEFAULT

12.4 RISK RATING AND PROVISIONING

12.5 RISK RATING AND PRICING

12.6 METHODOLOGY OF RRS AND RISK PRICING

12.7 GRID ANALYSIS OR STANDARDISING THE RISK ANALYSIS

12.8 REGULATION IN OPERATIONAL RISK MANAGEMENT

12.9 SUMMARY

Chapter 13 - Quality Related Risks

13.1 INTRODUCTION

13.2 DEFINING QUALITY RISKS

13.3 STANDARDISATION – ISO 9000 SERIES

13.4 QUALITY RISKS IN MANUFACTURING PRODUCTS

13.5 QUALITY RISKS IN SERVICES

13.6 QUALITY CONTROL AND APPROACHES TO MINIMISE PRODUCT QUALITY RISKS

13.7 SUMMARY

Chapter 14 - CASE STUDY 1

14.1 INTRODUCTION

14.2 THE PHARMACEUTICAL INDUSTRY

14.3 FILING WITH THE REGULATORY AUTHORITY

14.4 IDENTIFICATION AND RESPONSE TO RISKS ENCOUNTERED IN DDPs

14.5 SUMMARY

Chapter 15 - CASE STUDY 2

15.1 INTRODUCTION

15.2 FINANCING A REFINERY PROJECT

15.3 BUNDLING CRUDE OIL CONTRACTS

15.4 ASSESSING A CASE STUDY

15.5 BUNDLE SOLUTIONS AFTER RISK MANAGEMENT

15.6 SUMMARY

Chapter 16 - CASE STUDY 3

16.1 INTRODUCTION

16.2 LEVELS OF RISK ASSESSMENT

16.3 AMALGAMATION AND ANALYSIS OF RISKS IDENTIFIED

16.4 THE PROJECT: BAGGAGE HANDLING FACILITY

16.5 RISK STATEMENT

16.6 SUMMARY

Chapter 17 - CASE STUDY 4

17.1 INTRODUCTION

17.2 UUU OVERVIEW AND RISK REGISTER

17.3 CORPORATE RISK REGISTER

17.4 STRATEGIC BUSINESS UNITS RISK REGISTER

17.5 PROJECT LEVEL RISK REGISTER

17.6 RISK STATEMENT TO SHAREHOLDERS

17.7 SUMMARY

References

Index

Copyright © 2008

John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England

Telephone (+44) 1243 779777

Email (for orders and customer service enquiries): [email protected] Visit our Home Page on www.wiley.com

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher should be addressed to the Permissions Department, John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to [email protected], or faxed to (+44) 1243 770620.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The Publisher is not associated with any product or vendor mentioned in this book.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Other Wiley Editorial Offices

John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA

Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA

Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany

John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia

John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809

John Wiley & Sons Canada Ltd, 6045 Freemont Blvd, Mississauga, ONT, L5R 4J3, Canada

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data

Merna, Tony.

p. cm.

Includes bibliographical references and index.

ISBN 978-0-470-51833-5 (cloth : alk. paper)

1. Risk management. 2. Corporations — Finance — Management.

3. Industrial management.

I. AL-Thani, Faisal F. II. Title.

HD61.M463 2008

658.15’5 — dc22

2008004969

Typeset in 11/13pt Times by Aptara Inc., New Delhi, India

Printed and bound in Great Britain by TJ International Ltd, Padstow, Cornwall, UK

This book is printed on acid-free paper responsibly manufactured from sustainable forestry in which at least two trees are planted for each one used for paper production.

Tony Merna – to my loving mother; an inspiration

Faisal AL-Thani – to my family

1

Introduction

If you can’t manage risk, you can’t control it. And if you can’t control it you can’t manage it. That means you’re just gambling and hoping to get lucky.

(J. Hooten, Managing Partner, Arthur Andersen & Co., 2000)

The increasing pace of change, customer demands and market globalisation all put risk management high on the agenda for forward-thinking companies. It is necessary to have a comprehensive risk management strategy to survive in today’s market place. In addition, the Cadbury Committee’s Report on Corporate Governance (1992) states that having a process in place to identify major business risks as one of the key procedures of an effective control system is paramount. This has since been extended in the Guide for Directors on the Combined Code, published by the Institute of Chartered Accountants (1999). This guide is referred to as the ‘Turnbull Report’ (1999) for the purposes of this book.

The management of risk is one of the most important issues facing organisations today. High-profile cases such as Barings and Railtrack in the UK, Enron, Adelphia and Worldcom in the USA, and recently Parmalat, demonstrate the consequences of not managing risk properly. For example, organisations which do not fully understand the risks of implementing their strategies are likely to decline. Marconi decided to move into a high-growth area in the telecom sector but failed in two distinct respects. Firstly, growth was by acquisition and Marconi paid premium prices for organisations because of the competitive consolidation within the sector. Secondly, the market values in the telecom sector slumped because the sector was overexposed owing to debt caused by slower growth in sales than expected.

The Cadbury Report on Corporate Governance Committee Working Party (1992) on how to implement the Cadbury Code requirement for directors to report on the effectiveness of their system of internal control lists the following criteria for assessing effectiveness on the identification and evaluation of risks and control objectives:

The London Stock Exchange requires every listed company to include a statement in its annual report confirming that it is complying with this code, or by providing details of any areas of non-compliance. This has since been re-enforced and extended by the Turnbull Report (1999). The Sarbanes-Oxley Act (2002) is similar to the Turnbull Report. This Act introduced highly significant legislative changes to financial practice and corporate governance regulation in the USA. The Act requires chief executive officers (CEOs) and group financial directors (GFDs) of foreign private registrants to make specific certifications in annual reports.

In today’s climate of rapid change people are less likely to recognise the unusual, the decision-making time frame is often smaller, and scarce resources often aggravate the effect of unmanaged risk. The pace of change also means that the risks facing an organisation change constantly (time related). Therefore the management of risk is not a static process but a dynamic process of identification and mitigation that should be regularly reviewed.

The art of risk management is to identify risks specific to an organisation and to respond to them in an appropriate way. Risk management is a formal process that enables the identification, assessment, planning and management of risks.

All levels of an organisation need to be included in the management of risk in order for it to be effective. These levels are usually termed corporate (policy setting), strategic business (the lines of business) and project. Risk management needs to take into consideration the interaction of these levels and reflect the processes that permit these levels to communicate and learn from each other.

The aim of risk management is therefore threefold. It must identify risk, undertake an objective analysis of risks specific to the organisation, and respond to the risks in an appropriate and effective manner. These stages include being able to assess the prevailing environment (both internal and external) and to assess how any changes to that prevailing environment would impact on a project in hand or on a portfolio of projects.

This book provides background knowledge about risk management and its functions at each level within an organisation, namely the corporate, strategic business and project levels.

Figure 1.1 illustrates a typical organisational structure which allows risk management to be focused at different levels. By classifying and categorising risk within these levels it is possible to drill down and roll up to any level of the organisational structure. This should establish which risks a project is most sensitive to so that appropriate risk response strategies may be implemented to benefit all stakeholders.

Figure 1.1 illustrates the corporate, strategic business and project levels which provide the foundation for this book. Risk management is seen to be integral to each level although the flow of information from level to level is not necessarily on a top-down or bottom-up basis. Merna and Merna (2004) believe risks identified at each level are dependent on the information available at the time of the assessment, with each risk being assessed in more detail as more information becomes available. In effect, the impact of risk is time related.

Figure 1.2 illustrates the possible outcomes of risk. The word ‘risk’ is often perceived in a negative way. However, managed in the correct way, prevailing risks can often have a positive impact.

Figure 1.1 Levels within a corporate organisation (Merna 2003)

Figure 1.2 Relationship of risk to possible losses and gains

Risk management should consider not only the threats (possible losses) but also the opportunities (possible gains). It is important to note that losses or gains can be made at each level of an organisation.

The aim of this book is to analyse, compare and contrast tools and techniques used in risk management at corporate, strategic business and project levels and develop a risk management mechanism for the sequencing of risk assessment through corporate, strategic business and project stages of an investment.

Typical risks affecting organisations are discussed and risk modelling through computer simulation is explained.

The book also examines portfolio risk management and cash flow management.

Chapter 2 discusses the concept of risk and uncertainty in terms of projects and investments. It then outlines the sources and types of risk that can affect each level of an organisation.

Chapter 3 is a general introduction to the topic of risk management. It summarises the history of risk management and provides definitions of risk and uncertainty. It also describes the risk process, in terms of identification, analysis and response. It then goes on to identify the tasks and benefits of risk management, the risk management plan and the typical stakeholders involved in an investment or project.

Chapter 4 is concerned with the tools and techniques used within risk management. It prioritises the techniques into two categories, namely qualitative and quantitative techniques, and describes how such techniques are implemented. It also provides the elements for carrying out a country risk analysis and briefly describes the risks associated with investing in different countries.

Chapter 5 outlines the risks involved in financing projects and the different ways of managing them. The advantages and disadvantages of risk modelling are discussed, and different types of risk software described.

Chapter 6 is concerned with portfolios and the strategies involved in portfolio selection. Bundling projects is examined and cash flows specific to portfolios are analysed. Various methods of cash flow analyses are discussed.

Chapter 7 is specific to the corporate level within an organisation. It is concerned with the history of the corporation, corporate structure, corporate management and the legal obligations of the board of directors, corporate strategy and, primarily, corporate risk.

Chapter 8 is specific to the strategic business level within an organisation. It discusses business formation, and defines the strategic business unit (SBU). It is primarily concerned with strategic management functions, strategic planning and models used within this level. Risks specific to this level are also identified.

Chapter 9 is specific to the project level within an organisation. It outlines the history of project management, its functions, project strategy and risks specific to the project level.

Chapter 10 provides a generic mechanism for the sequence and flow of risk assessment in terms of identification, analysis and response to risk at corporate, strategic business and project levels.

Chapter 11 describes a number of corporate governance codes and how they address the need for risk management.

Chapter 12 introduces the Basel II framework and discusses, in particular, how probability default (PD) and loss given default (LGD) are addressed and other operational management issues.

Chapter 13 describes how quality management can be used to manage many of the risks inherent in organisations and how quality related risks can affect the profitability of an investment.

Chapter 14 provides Case Study 1 which investigates the pharmaceutical industry and illustrates the typical risks in a drug development process (DDP) and how many of these risks can be mitigated.

Chapter 15 provides Case Study 2 which shows the risks associated with the procurement of crude oil and the sale of refined products. This case study also addresses the risks in the supply and offtake contracts and utilises Crystal Ball as the simulation software for modelling and assessment of risks.

Chapter 16 provides Case Study 3 which describes the development of risk registers at corporate, strategic business unit and project levels and the development of a risk statement for a specific project.

The final chapter, Chapter 17, provides Case Study 4 which describes how the major risks at each level of a corporation can be identified and quantitatively analysed and then summarised to develop a risk statement for shareholders.

2

The Concept of Risk and Uncertainty and the Sources and Types of Risk

Man plans, God smiles

(Hebrew proverb)

Fortune favours the prepared

(Louis Pasteur)

Risk affects every aspect of human life; we live with it every day and learn to manage its influence on our lives. In most cases this is done as an unstructured activity, based on common sense, relevant knowledge, experience and instinct.

This chapter outlines the basic concept of risk and uncertainty and provides a number of definitions of them. It also discusses the dimensions of risk and the perception of risk throughout an organisation. Different sources and types of risk are also discussed.

Uncertainty affects all investments. However, uncertainty can often be considered in terms of probability provided sufficient information is known about the uncertainty. Probability is based on the occurrence of any event and thus must have an effect on the outcome of that event. The effect can be determined on the basis of the cause and description of an occurrence. For example, the cause, description and effect can be illustrated by the following:

Figure 2.1 illustrates the concept of risk in terms of uncertainty, probability, effect and outcome.

Figure 2.1 The concept of risk (Merna and Smith 1996) (Reproduced by permission of A. Merna)

Once the probability, cause and effect of an occurrence can be determined then a probability distribution can be computed. From this probability distribution, over a range of possibilities, the chances of risk occurring can be determined, thus reducing the uncertainty associated with this event.

The authors suggest that uncertainty can often be interpreted as prophecy, since a prophecy is not based on data or experience. A prediction, however, is normally based on data or past experience and thus offers a basis for potential risk.

According to Chapman and Ward (1997):

Risk and uncertainty are distinguished by both Bussey (1978) and Merrett and Sykes (1983) as:

In today’s business, nearly all decisions are taken purely on a financial consequences basis. Business leaders need to understand and know whether the returns on a project justify taking risks, and the extent of these consequences (losses) if the risks do materialise. Investors, on the other hand, need some indication of whether the returns on an investment meet their minimum returns if the investment is fully exposed to the risks identified. (Merna 2002) suggests:

Therefore identifying risks and quantifying them in relation to the returns of a project is important. By knowing the full extent of their gains and/or losses, business leaders and investors can then decide whether to sanction or cancel an investment or project.

The origin of the word ‘risk’ is thought to be either the Arabic word risq or the Latin word riscum (Kedar 1970). The Arabic risq signifies ‘anything that has been given to you [by God] and from which you draw profit’ and has connotations of a fortuitous and favourable outcome. The Latin riscum, however, originally referred to the challenge that a barrier reef presents to a sailor and clearly has connotations of an equally fortuitous but unfavourable event.

A Greek derivative of the Arabic word risq which was used in the twelfth century would appear to relate to chance of outcomes in general and have neither positive nor negative implications (Kedar 1970). The modern French word risqué has mainly negative but occasionally positive connotations, as for example in ‘qui de risque rien n’a rien’ or ‘nothing ventured nothing gained’, whilst in common English usage the word ‘risk’ has very definite negative associations as in ‘run the risk’ or ‘at risk’, meaning exposed to danger.

The word ‘risk’ entered the English language in the mid seventeenth century, derived from the word ‘risque’. In the second quarter of the eighteenth century the anglicised spelling began to appear in insurance transactions (Flanagan and Norman 1993). Over time and in common usage the meaning of the word has changed from one of simply describing any unintended or unexpected outcome, good or bad, of a decision or course of action to one which relates to undesirable outcomes and the chance of their occurrence (Wharton 1992). In the more scientific and specialised literature on the subject, the word ‘risk’ is used to imply a measurement of the chance of an outcome, the size of the outcome or a combination of both. There have been several attempts to incorporate the idea of both size and chance of an outcome in the one definition. To many organisations risk is a four-letter word that they try insulate themselves from.

Rowe (1977) defines risk as ‘The potential for unwanted negative consequences of an event or activity’ whilst many authors define risk as ‘A measure of the probability and the severity of adverse effects’. Rescher (1983) explains that ‘Risk is the chancing of a negative outcome. To measure risk we must accordingly measure both its defining components, and the chance of negativity’. The way in which these measurements must be combined is described by Gratt (1987) as ‘estimation of risk is usually based on the expected result of the conditional probability of the event occurring times the consequences of the event given that it has occurred’.

It follows then that in the context of, for example, a potential disaster, the word ‘risk’ might be used either as a measure of the magnitude of the unintended outcome, say, 2000 deaths, or as the probability of its occurrence, say, 1 in 1000 or even the product of the two – a statistical expectation of two deaths (Wharton 1992). Over time a number of different, sometimes conflicting and more recently rather complex meanings have been attributed to the word ‘risk’. It is unfortunate that a simple definition closely relating to the medieval Greek interpretation has not prevailed – one which avoids any connotation of a favourable or unfavourable outcome or the probability or size of the event.

The model shown in Figure 2.2 suggests that risk is composed of four essential parameters: probability of occurrence, severity of impact, susceptibility to change and degree of interdependency with other factors of risks. Without any of these the situation or event cannot truly be considered a risk. This model can be used to describe risk situations or events in the modelling of any investments for risk analysis.

The use of a risk model helps reduce reliance upon raw judgement and intuition. The inputs to the model are provided by humans, but the brain is given a system on which to operate (Flanagan and Norman 1993).

Figure 2.2 Typical risk parameters (Adapted from Allen 1995)

Models provide a backup for our unreliable intuition. A model can be thought of as having two roles:

Models provide a mechanism by which risks can be communicated through the system. A risk management system is a model, it provides a means for identification, classification and analysis and then a response to risk.

A common definition of risk – the likelihood of something undesirable happening in a given time – is conceptually simple but difficult to apply. It provides no clues to the overall context and how risks might be perceived. Most people think of risk in terms of three components: something bad happening, the chances of it happening, and the consequences if it does happen. These three components of risk can be used as the basis of a structure for risk assessment. Kaplan and Gerrick (1981) proposed a triplet for recording risks which includes a set of scenarios or similar occurrences (something bad happens), the probabilities that the occurrences take place (the chances something bad happens), and the consequence measures associated with the occurrences.

In some ways, this structure begs the question of definition because it is still left to the risk assessors to determine what ‘bad’ actually means, what the scenarios or occurrences are that can lead to something bad, and how to measure the severity of the results. The steps involved in defining and measuring risk include:

The severity or magnitude of consequences is measured by a value function that provides the common denominator. The severity can be measured in common units across all the dimensions of risk by translating the impact into a common unit of value. This can be a dimensionless unit such as the utility functions used in economics and decision analysis or some common economic term (Kolluru et al. 1996).

The issue here is selecting an appropriate metric for measuring impacts and then determining the form of the effects function. This form has to be capable of representing risk for diverse stakeholders and of expressing the impacts to health, safety and the environment as well as other assets.

One response, still surprisingly common, is to shy away from risk and hope for the best. Another is to apply expert judgement, experience and gut feel to the problem. In spite of this, substantial investments are decided on the basis of judgement alone, with little or nothing to back them up.

Risk and uncertainty as distinguished by both Bussey (1978) and Merrett and Sykes (1973) were discussed earlier in this chapter. The authors Vernon (1981) and Diekmann et al. (1988), however, consider that the terms risk and uncertainty may be used interchangeably but have somewhat different meanings, where risk refers to statistically predictable occurrences and uncertainty to an unknown of generally unpredictable variability.

Lifson and Shaifer (1982) combine the two terms by defining risk as:

Uncertainty is used to describe the situation when it is not possible to attach a probability to the likelihood of occurrence of an event. Uncertainty causes a rift between good decision and good outcome. The distinguishing factor between risk and uncertainty is that risk is taken to have quantifiable attributes, and a place in the calculus of probabilities, whereas uncertainty does not (Finkel 1990).

Hetland (2003) believes the following assertions clarify uncertainty:

Smith et al. (2006) suggest that risks fall in to three categories: known risks, known unknowns and unknown unknowns.

Known risks include minor variations in productivity and swings in materials costs and inevitably occur in construction and manufacturing projects. These are usually covered by contingency sums to cover for additional work or delay, often in the form of a percentage addition to the estimated cost.

Known unknowns are the risk events whose occurrence is predictable or foreseeable with either their probability of occurrence or likely effect known. A novel example of this is as follows. An automobile breaker’s yard in a borough of New York has the following sign on its gate.

These premises are protected by teams of Rottweiler and Doberman pinscher three nights a week. You guess the nights.

A potential felon can deduce from this sign that there is a 3/7 chance of being confronted by the dogs, and possibly being mauleds and a 4/7 chance of success. Therefore there is a better chance of not being caught than being caught, however, without any data regarding the respective nights – you guess the nights.

Unknown unknowns are those events whose probabilities of occurrence and effect are not foreseeable by even the most experienced practitioners. These are often considered as force majeure events. An example of unknown unknowns is common in the pharmaceuticals industry. In the first stage of a drug development process the side effects and their probabilities are unknown although it is known that all drugs have side effects.

Uncertainty is said to exist in situations where decision-makers lack complete knowledge, information or understanding concerning the proposed decision and its possible consequences. There are two types of uncertainties: uncertainty arising from a situation of pure chance, which is known as ‘aleatory uncertainty’; and uncertainty arising from a problem situation where the resolution will depend upon the exercise of judgement, which is known as ‘epistemic uncertainty’.

An example of aleatory risk is the discovery of the drug Viagra. Although this drug was initially being developed as a treatment for angina it was found during clinical trials that the drug had side effects which could help prevent sexual dysfunctional syndrome in males.

The situations of uncertainty often encountered during the earlier stages of a project are ‘epistemic’. The phenomenon of epistemic uncertainty can be brought about by a number of factors, such as:

Many of the above factors have been encountered in private finance initiative (PFI) types of investments where risk assessments are required to consider events over long operation periods once a project has been commissioned, in some cases 25 years or more. Rowe (1977) distinguished uncertainty within the decision-making process as descriptive uncertainty and measurement uncertainty. Descriptive uncertainties represent an absence of information and this prevents the full identification of the variables that explicitly define a system. As a result, the decision-maker is unable to describe fully the degrees of freedom of a system, for example problem identification and structuring, solution identification, degree of clarity in the specification of objectives and constraints.

Measurement uncertainties also represent the absence of information; however, these relate to the specifications of the values to be assigned to each variable in a system. As a result the decision-maker is unable to measure or assign specific values to the variables comprising a system, for example the factors of information quality, the futurity of decisions, the likely effectiveness of implementation.

Table 2.1 Risk-uncertainty continuum (Adapted from Rafferty 1994)

RISKUNCERTAINTYQuantifiable→Non-quantifiableStatistical Assessment→Subjective ProbabilityHard Data→Informed Opinion

The need to manage uncertainty is inherent in most projects which require formal project management. Chapman and Ward (1997) consider the following illustrative definition of such a project:

This definition highlights the one-off, change-inducing nature of projects, the need to organise a variety of resources under significant constraints, and the central role of objectives in project definition. It also suggests inherent uncertainty which requires attention as part of an effective project management process.

The roots of this uncertainty are worth clarification. Careful attention to formal risk management processes is usually motivated by the large-scale use of new and untried technology while executing major projects, and other obvious sources of significant risk.

A broad definition of project risk is ‘the implications of the existence of significant uncertainty about the level of project performance achievable’ (Chapman and Ward 1997).

Uncertainty attached to a high-risk impact event represents a greater unknown than a quantified risk attached to the same event. Rafferty (1994) developed a ‘risk-uncertainty continuum’ as given in Table 2.1.

There are many sources of risk that an organisation must take into account before a decision is made. It is therefore important that these sources of risk are available, thus allowing the necessary identification, analysis and response to take place. Many of the sources of risk summarised in Table 2.2 occur at different times over an investment. Risks may be specific to the corporate level, such as political, financial and legal risks. At the strategic business level, economic, natural and market risks may need to be assessed before a project is sanctioned. Project risks may be specific to a project, such as technical, health and safety, operational and quality risks. At the project level, however, the project manager should be confident that risks associated with corporate and strategic business functions are fully assessed and managed. In many business cases risks assessed initially at corporate and strategic business levels have to be reassessed as the project progresses, since the risks may affect the ongoing project.

Table 2.2 Typical sources of risk to business from projects (Merna and Smith 1996)

HeadingChange and uncertainty in or due to:PoliticalGovernment policy, public opinion, change in ideology, dogma, legislation, disorder (war, terrorism, riots)EnvironmentalContaminated land or pollution liability, nuisance (e.g., noise), permissions, public opinion, internal/corporate policy, environmental law or regulations or practice or ‘impact’ requirementsPlanningPermission requirements, policy and practice, land use, socio-economic impacts, public opinionMarketDemand (forecasts), competition, obsolescence, customer satisfaction, fashionEconomicTreasury policy, taxation, cost inflation, interest rates, exchange ratesFinancialBankruptcy, margins, insurance, risk shareNaturalUnforeseen ground conditions, weather, earthquake, fire or explosion, archaeological discoveryProjectDefinition, procurement strategy, performance requirements, standards, leadership, organisation (maturity, commitment, competence and experience), planning and quality control, programme, labour and resources, communications and cultureTechnicalDesign adequacy, operational efficiency, reliabilityRegulatoryChanges by regulatorHumanError, incompetence, ignorance, tiredness, communication ability, culture, work in the dark or at nightCriminalLack of security, vandalism, theft, fraud, corruptionSafetyRegulations (e.g., CDM, Health and Safety at Work), hazardous substances (COSSH), collisions, collapse, flooding, fire and explosionLegalThose associated with changes in legislation, both in the UK and from EU directivesThe above list is extensive but not completeReproduced by permission of A. Merna

A source of risk is any factor that can affect project or business performance, and risk arises when this effect is both uncertain and significant in its impact on project or business performance. It follows that the definition of project objectives and performance criteria has a fundamental influence on the level of project risk. Setting tight cost or time targets with insufficient resources makes a project more cost and time risky by definition, since achievement of targets is more uncertain if targets are ‘tight’. Conversely, setting slack time or quality requirements implies low time or quality risk.

However, inappropriate targets are themselves a source of risk, and the failure to acknowledge the need for a minimum level of performance against certain criteria automatically generates risk on those dimensions. If, for example, a corporate entity sets unachievable targets to an SBU then it is highly likely that the projects undertaken by the SBU will suffer owing to the risk associated with meeting such targets.

Morris and Hough (1987) argue for the importance of setting clear objectives and performance criteria which reflect the requirements of various parties, including stakeholders who are not always recognised as players (regulatory authorities, for example). The different project objectives held by interested parties and stakeholders and the interdependencies between different objectives need to be appreciated. Strategies for managing risk cannot be divorced from strategies for managing or accomplishing project objectives.

Whatever the underlying performance objectives, the focus on project success and uncertainty about achieving it leads to risk being defined in terms of a ‘threat to success’. If success for a project, and in turn the SBU, is measured solely in terms of realised cost relative to some target or commitment, then risk might be defined in terms of the threat to success posed by a given plan in terms of the size of possible cost overruns and their likelihood. This might be termed ‘threat intensity’ (Chapman and Ward 1997).

From this perspective it is a natural step to regard risk management as essentially about removing or reducing the possibility of underperformance. This is unfortunate, since it results in a very limited appreciation of project risk. Often it can be just as important to appreciate the positive side of uncertainty, which may present opportunities rather than threats.

On occasion opportunities may also be very important from the point of view of morale. High morale is as central to good risk management as it is to the management of teams in general. If a project team becomes immersed in nothing but threats, the ensuing doom and gloom can destroy the project. Systematic searches for opportunities, and a management willing to respond to opportunities identified by those working for them at all levels (which may have implications well beyond the remit of the discoverer), can provide the basis for systematic building of morale.

More generally, it is important to appreciate that project risk by its nature is a very complex beast with important behavioural implications. Simplistic definitions such as ‘risk is the probability of a downside risk event multiplied by its impact’ may have their value in special circumstances, but it is important to face the complexity of what project risk management is really about if real achievement is to be attained when attempting to manage that risk at any level in the organisation.

The requirement is not only to manage the physical risks of the project, but also to make sure that other parties in the project manage their own risks. For example, the International Finance Corporation (IFC) division of the World Bank has a project team which travels round the locations in which the IFC has an interest and ensures not only that risks are controlled effectively, but that responsibilities are allocated and risks transferred by contract or insurance as appropriate. In this example the IFC would be similar to the corporate entity checking on its various projects undertaken by SBUs.

Risk and uncertainty are inherent to all projects and investors in projects or commercial assets are exposed to risks throughout the life of the project. The risk exposure of an engineering project, for example, is proportional to the magnitude of both the existing and the proposed investment. Generally, the post-sanction period up to the completion of construction is associated with rapid and intensive expenditure (cash burn) for the investor(s), usually under conditions of uncertainty, and consequently this stage of the process is particularly sensitive to risks. The subsequent operational phase is subject to risks associated with revenue generation and operational costs. Hence the two phases that are most susceptible to risk are:

The most severe risks affecting projects are summarised by Thompson and Perry (1992) in project management terms as:

Many project management practitioners suggest the following influence the risk associated with projects:

In effect the larger the project the greater the risk. Increase in size usually means an increase in complexity, including the complexity of administration, management, communication amongst participants and so on; for example, inaccurate forecasts, late deliveries (supply chain), equipment break downs and the like.

Figure 2.3 illustrates the financial risk timeline. The maximum point of financial risk is when the project is near completion when debt service is at its highest. As the project moves through its life cycle and starts to generate regular revenues, the financial exposure is reduced considerably.

The risks which influence projects can also be categorised as global and elemental risks.

Figure 2.3 Financial risk timeline

Global risks originate from sources external to the project environment and although they are usually predictable their effect on the outcome may not always be controllable within the elements of the project. The four major global risks are political, legal, commercial and environmental risks (Merna and Smith 1996). These types of risk are often referred to as uncontrollable risks since the corporate entity cannot control such risks even though there is a high probability of occurrence. Normally these risks are dealt with at corporate level and often determine whether a project will be sanctioned.

Elemental risks originate from sources within the project environment and are usually controllable within the elements of the project. The four main elemental risks are construction/manufacture, operational, financial and revenue risks (Merna and Smith 1996). These types of risk are usually considered as controllable risks and are often related to the different phases of a project and mainly assessed at SBU and project levels.

Many organisations have developed risk management mechanisms to deal with the overt and insurable risks associated with projects. In most cases risk identification, analysis and response are seen to be the most important elements to satisfy clients and other project stakeholders.

There are, however, risks associated with intangible assets such as market share, reputation, value, technology, intellectual property (usually data, patents and copyrights), changes in strategy/methods, shareholder perception, company safety and quality of product. These are extremely important for organisations operating a portfolio of projects or business assets (Davies 2000).

Holistic risk management is the process by which an organisation firstly identifies and quantifies all of the threats to its objectives, and having done so manages those threats within, or by adapting, its existing management structure. Holistic risk management addresses many of the elements identified in the Turnbull Report (1999), and attempts to alleviate many of the concerns of shareholders.

This relates only to potential losses where people are concerned with minimising losses by risk aversion (Flanagan and Norman 1993). A typical example would be the risk of losing markets for a particular product or brand of goods by not risking the introduction of new products or goods onto the same market. Many established organisations have tried to mitigate this risk by entering into joint ventures with more dynamic companies, often from booming economies.

This is concerned with maximising opportunities. Dynamic risk means that there will be potential gains as well as potential losses. For example, Marconi tried to gain by changing from a well-established market in the defence industry to new uncertain markets in the telecom industry. Dynamic risk is risking the loss of something certain for the gain of something uncertain. Every management decision has the element of dynamic risk governed only by the practical rules of risk taking. During a project, losses and gains resulting from risk can be plotted against each other and compared (Flanagan and Norman 1993).

The way in which risk is handled depends on the nature of the business and the way that business is organised internally. For example, energy companies are engaged in an inherently risky business – the threat of fire and explosion is always present, as is the risk of environmental impairment. Financial institutions on the other hand have an inherently lower risk of fire and explosion than an oil company, but they are exposed to different sorts of risk. However, the level of attention given to managing risk in an industry is as important as the actual risk inherent in the operations which necessarily must be performed in that industry activity. For example, until very recently repetitive strain injury (RSI) was not considered to be a problem, but it is now affecting employers’ liability insurance (International Journal of Project and Business Risk Management 1998).

Figure 2.4 The effective bid process

This occurs when an organisation is affected directly by an event in an area beyond its direct control but on which it has a dependency, such as weak suppliers (International Journal of Project and Business Risk Management 1998). Normally a percentage of the overall project value is put aside to cover costs of meeting such risks should they occur.

The problem with assigning a contingency sum arises when such a sum is assigned to every supplier, irrespective of whether supply is considered as a risk.

Figure 2.4 illustrates how organisations bidding for a tender simply apply a 10% risk contingency. However, organisations may lose out to competitors assessing supplier risk for each individual supplier. In the example above it is no surprise to find that Bid 4 won the tender.

Hussain (2005) proposes that all bids should be accompanied by a risk envelope so that clients can assess the risks identified by each bidder to determine potential additional costs or savings. The risk envelope is developed on the basis of:

The risk envelope can be used by clients to identify worst case scenarios and help in realising a realistic budget. The cost of managing each risk identified by bidders can be compared by the client in a similar way to that for other items identified in the bid such as the cost of concrete, falsework, excavation and the like. Hussain (2005) suggests that the risk envelope should form an essential part of the bid award process.

Dependency on one client creates vulnerability because that client can take its business away, or be taken over by a rival. The risk can be managed by creating a larger customer base (International Journal of Project and Business Risk Management 1998).

Only by keeping abreast of potential changes in the environment can a business expect to manage these risks. Recent examples in the UK include awards to women for discrimination in the armed forces, RSI and windfall profits tax in exceptional years (International Journal of Project Business Risk Management 1998). In October 2001, Railtrack Plc, a company listed on the London Stock Exchange, was put into administration by the UK Transport Secretary without any consultation with its lenders or shareholders. Shareholders taking the usual risks of rises and falls in stock market value were quickly made aware of this risk.

Purchasing risk is a vital part of modern commercial reality but recently the subject has gained prominence in the work of leading academics and management theoreticians. Many businesses are designing and implementing new performance measurement systems and finding a particular challenge in developing measures for some key elements of purchasing contribution which are now regarded as strategic but which have not been historically analysed and measured in any serious way. The area of commercial risk is a prominent example of such a challenge. In the past, effective risk management has been cited as one of the key contributions that effective purchasing can make to a business, but its treatment has been largely a negative one; the emphasis has been on ensuring minimum standards from suppliers to ensure a contract would not be frustrated. The issues now being addressed by leading-edge practitioners in the risk area are much broader and are perhaps more correctly identified using terminology such as management of uncertainty (International Journal of Project Business Risk Management 1998).

This is not a risk in its own right but rather the consequence of another risk, such as fraud, a building destroyed, failure to attend to complaints, lack of respect for others. It is the absence of control which causes much of the damage rather than the event itself. In a post-disaster situation a company can come out positively if the media are well handled (International Journal of Project Business Risk Management 1998).

A poor infrastructure can result in weak controls and poor communications with a variety of impacts on the business. Good commu-nication links will lead to effective risk management. This can only be performed if members of teams and departments are fully aware of their responsibilities and reporting hierarchy, especially between different organisational levels.

This occurs where management and staff in the same organisation cannot communicate effectively because of their own professional language (jargon). Engineers, academics, chemists and bankers all have their own terms, and insurers are probably the worst culprits, using words with common meanings but in a specialised way. Even the same words in the same profession can have different meanings in the UK and the USA.

The IT industry is one of the fastest growing industries at present. Huge amounts of money continue to be invested in the IT industry. Owing to pressures to maintain a competitive edge in a dynamic environment, an organisation’s success depends on effectively developing and adopting IT. IT projects, however, still suffer high failure rates (Ellis et al. 2002).

IS (information software) development is a key factor which must be considered. Smith (1999) identifies a number of software risks. These include personal shortfalls, unachievable schedules and budget, developing the wrong functions, wrong user interface, a continuing stream of changes in requirements, shortfalls in externally furnished components, shortfalls in externally performed tasks, performance shortfalls and strained technical capabilities. In addition, Jiang and Klein (2001) cite the dimension of project risk based on project size, experience in the technology, technical application and complexity.

Software risks which are regularly identified include:

OPEC was founded at the Baghdad Conference on September 1960, by Iran, Iraq, Kuwait, Saudi Arabia and Venezuela. The five founding members were later joined by nine other members: Qatar, Indonesia, Socialist Peoples Libyan Arab Jamahiriya, United Arab Emirates, Algeria, Nigeria, Ecuador, Gabon and Angola. OPEC’s member countries hold about two-thirds of the world’s oil reserves. In 2005, OPEC accounted for c. 41.75% of the world’s oil production, compared with 23.8% by Organisation for Economic Co-operation and Development (OECD) members and 14.8% by the former Soviet Union. OPEC member countries have, on a number of occasions, tried to adjust their crude oil supplies to improve the balance between supply and demand. OPEC’s mission is to coordinate and unify the petroleum policies of member countries and ensure stabilisation of oil prices. OPEC has, however, had mixed success at controlling prices.

OPEC first sent shock waves throughout the world economy in 1973 by announcing a 70% rise in oil prices and by cutting production. The effects were immediate, resulting in fuel shortages and high inflation in many parts of the world. This brief example illustrates that risks associated with the oil price cannot be dismissed at any time when assessing the economic viability of an investment (Merna and Njiru 2002).

From 1982 to 1985 OPEC attempted to set production quotas low enough to stabilise prices. These attempts met with repeated failures as various members of OPEC produced beyond their quotas. During most of this period Saudi Arabia acted as the swing producer cutting its production to stem free falling prices. In August of 1985, the Saudis tired of this role. They linked their prices to the spot market for crude and by early 1986 increased production from 2 million barrels per day (MMBPD) to 5 MMBPD. Crude oil prices plummeted below $10 per barrel by mid-1986.

During the Gulf War, the United Nations announced a trade embargo against Iraq. The squeeze on the market strengthened OPEC’s position. In 1997, OPEC raised production by 10% without taking account of the Asian crisis. As a result, prices fell by 40%, to $10 per barrel. OPEC reacted to the global economic crisis, which had caused the price of oil to fall below $20 per barrel, by reducing production for six months in the hope of forcing it up in 2002. Increasing oil demand in the US, China and India sent the price soaring to a historic high of more than $50 per barrel. It reached $70 in April 2006.

At the time of writing this book, oil prices have risen to approximately $93 per barrel (Brent Crude), a consequence not only of the current situation in the Middle East, but of uncertainty in other oil-producing countries. Although ‘buying forward’ is a common response to this risk, the large fluctuations in oil price make this technique a very risky option.

Other commodities such as steel, aluminium, timber and cement, common materials used in the construction industry, have also increased in cost as a result of greater demand by booming economies. Many construction companies are now ‘buying forward’ such materials to mitigate the risk associated with price and availability.

This arises from the project management process itself. Process risks arise when the fundamental requirements for running a project are established. The management and decision-making process for operating the project, including the communication methods and documentation standards to be adopted, will also be areas of risk.

The early stages of concept and planning are when project objectives are at their most flexible. The formation of a project’s scope and the iterations of its requirements through feasibility studies provide the greatest opportunity for managing risks. This is the case because the early stages of a project have the option of ‘maybe’ alternatives through to the ‘go/no go’ decision, an option which is less available after a contract has been signed. When risks arise at a later stage in the project life cycle, the impact may generally be greater.

It is also important to note that there is an inherent risk in moving through the project life cycle, for example moving on to the design and planning phase before the basic concept has generally been evaluated.

Chapman and Ward (1997) believe that a thorough risk analysis should be part of the project process. For example, a review at the design stage may initiate consideration of the implications for the design further in the project life cycle. A change in design may reduce the risks associated with the manufacturing process/phase. Similarly decisions made at the corporate level may have implications at SBU and project levels.

Regardless of the industry, type of organisation or style of management, the control of risks associated with human factors will affect project and portfolio success. The human contribution to project success, or failure, encompasses the actions of all those involved in the planning, design and implementation of a project. Obviously there is potential for human failure at each stage of the project life cycle. Managing the risks associated with human failure remains a challenge for successful project management.

There has been a considerable amount of work done in the area of heuristics to identify the unconscious rules used when making a decision under conditions of uncertainty. Hillson (1998) argues that if risk management is to retain its credibility, this aspect must be addressed and made a routine part of the risk management process. A reliable means of measuring risk attitudes needs to be developed, which can be administered routinely as part of a risk assessment in order to identify potential bias among participants.

A number of studies have been undertaken to identify the benefits which can be expected by those implementing a structured approach to risk management (Newland 1997). These include both ‘hard’ and ‘soft’ benefits. Hard benefits include:

Soft benefits include:

The purpose of decommissioning is often to return a former operational plant back to brown- or greenfield site status. Over the course of operations, many industries (mining, quarrying, chemical industries, nuclear) have to plan for the end of lifetime costs for their plants, whether dismantling or reconditioning the sites. These characteristics of the project have financial consequences in regard to cost estimating and financing, for which there does not exist one single answer to date, and thus by definition creates risk. In today’s economic climate it is essential that these risks are taken into account before a project is sanctioned.

The term ‘institutional’ is used to summarise risks caused by organisational structure and behaviour. These risks occur in organisations and state bodies and affect projects both large and small (Kahkonen and Artto 1997). Typically dogma, beauracracy, culture and poor practice can lead to increased risks, usually pure risks.

The extent to which a person feels threatened by a particular risk, regardless of the probability of the risk occurring, is subjective risk. Subjective risk may, amongst other things, be affected by an individual’s personal level of risk aversion or risk preference. The severity of the consequences of the individual should the risk occur, the psychological factors and familiarity of the risk will all contribute to subjective risk.

Acceptable risk is the amount of subjective risk an individual or organisation is prepared to accept. In most cases acceptable risk is treated by organisations in such a way that should it occur the existence of the organisation is not threatened.

Pure risks are those risks which only offer the probability of loss and not profit. Pure risks only present the possibility of undesirable consequences. The majority of pure risks, but not all pure risks, can be insured against.

In contrast to pure risks, speculative risks produce either a profit or a loss and can be expected to offer either favourable or unfavourable consequences. Business risks which are voluntarily and deliberately undertaken fall into the category of speculative risks.

Fundamental risks are risks such as natural disasters that affect whole or significant proportions of society which organisations and individuals have little or no control over. Management of these risks often only permits reducing the effects of such risks.