Module 4: Operational Excellence – Delivering and enhancing organisational outcomes
Topic 4.3: Risk Management Processes and Challenges
Risk and uncertainty are themes that underpin all activities within organisations. Strategic initiatives often experience unacceptable failures and if the failures were avoidable, there has been a failure of risk management. It is important that we understand and accept this. Risk management and decision making are related processes. Effective decisions make success more likely, which also means that they reduce the risk of failure. Risk assessment, risk analysis and other specific risk tasks are simply tasks to help us to make good decisions.
Increasingly, public sector managers must prepared for managing for the unexpected.
Required
20 mins
Explore the concept of risk and risk management in your context. Here are two starting documents for your investigations.
Spend 10 minutes reading this ANAO document and focus on areas of risk that relate to your public value context.
Spend 10 minutes reading by selecting sections of the Risk Management Toolkit that relate to your role. If you are unsure start with the Executive Guide.
The nature of risks
There are three types of risk to consider. Most often, organisations (whether projects or otherwise) concern themselves with the management of two levels of risk – operational and strategic. However, organisations typically face all three types of risk – organisational, strategic, and operational. Consider this a hierarchy of risk.
We define risk as a threat to strategic success, where the final impact on the strategy or project is not certain.
- Internally generated risks are those that have their origin with the organisation, arising from their rules, policies, processes, structures, actions, decisions, behaviours or cultures.
- Strategic risks are those risks that require the active attention and intervention of executive leaders over a long period of time.
- An organisational risk is a relatively low-level risk that might be pervasive, long term and only manageable by senior leaders.
- Operational risk is a risk that either emerges or is embedded in the ongoing set of activities that deliver the strategy, initiative or project.
A way to devise a risk mitigation strategy is to explore who is responsible overall for risk within an entity or project, and whether executives or project governance roles focus. Questions include:
- How are risks ‘selected’ to be reviewed at a Project Review Board?
- Who identifies those risks, analyses them, proposes responses?
- Are they likely to be strategic risks, using the definition provided above?
The additional value of this approach is that it locates risk management accountability where it belongs. This contrasts with common practice – where the risks that come to executive attention are usually those that are rated as high or extreme. However, such risk ratings do not say anything about where a risk should be managed. A relatively low-level risk might be pervasive, long term and only manageable by senior leaders. We might consider this to be an organisational risk. A high or extreme risk might, despite its obvious importance, be able to be managed by an operational leader such as a project manager.
Organisational risks are of particular interest because while they may need to be managed across the whole organisation they are otherwise essentially operational in nature. Experience working in many different organisations shows that significant operational risks are often either escalated to be managed by the executive (despite often being operational in nature) or are poorly managed because nobody accepts responsibility.
Building an effective risk management strategy
A number of factors need to be taken into account when developing a risk management strategy suitable for a complex environment. For example, any effective strategy must deal with sensitive, difficult to report risks as well as technical risks, risks that are yet to emerge and risks that arise from biases in decision making.
When a system thinking view is taken, a risk management strategy is not just about creating a set of strategic risk management objectives and then simply building a plan to deliver them. Truly systemic interventions tend to be focused around building capability – since doing so has pervasive benefits over time.
The challenges of risk management strategy implementation
Implementing an effective approach to risk management is challenging work. That is because it involves building organisational capability and includes projects that are built around complex systems.
The challenges are increased when the project is unusual, ahead of the game or perhaps even contrary to accepted policies, rules beliefs and practices. Tension with others is likely, including from people with the authority to stop or block the project. This may be amplified if teams attempt to implement a truly systemic risk management strategy.
Required
20 mins
- What is your view of risk and risk management?
- How should you, in your current role, conceptualise risk and risk management?
- How do your views overlap with those of your immediate context of your agency?
Recommended
60 mins
Mindfulness is the rich awareness of discriminatory detail, which suggests that meaning that when we act, we do so being aware of our context, of how details differ, and of the degree to which expectations are met. In this management mindset, we continually refine our expectations based on new experiences, to create new expectations that help us deal with the unexpected events, and refine our ‘foresight’ and sensing abilities (Weick & Sutton 2007)[1].
Unexpected events test managers’ resilience, enable them to be sensitive to operations, and encourage system functioning. As you explore the concepts of complexity and systems thinking, you will notice the power of being equipped to deal with uncertainly, ambiguity and system change.
This might be called our thinking journey – from understanding the true nature of uncertainty as experienced, to tools and methods for dealing with different types of uncertainty. Ultimately this should shape management activities and the work of leaders as part of an overall strategy for the management of uncertainty (Lueg & Borisov 2014)[2].
The topics of risk and risk management are littered with differing approaches, terms, systems and perspectives. The readings in this module will help you to understand at least some of these perspectives, and also help you to explore your own thinking around risk and risk management.
The final part of the Coutu reading provides a set of principles. Some of these are likely to be new to you, at least in the way in which they are expressed. As with all principles they are a matter of choice – we could decide to apply different principles. Which of these seven principles are in your view very clearly appropriate – and which are less so? Would you add any others, or propose changes?
Given the ample evidence that for many initiatives, it is the intangible, unmeasurable factors that are almost always the root causes of failures, we need to understand what that means in a practical sense. Clearly a more capable, effective organisation will tend to have more success (less failure) than ineffective, less capable organisations. Two key things are evident:
- More capable teams respond more effectively to things as they emerge – both threats and opportunities. They will deal with crises better and will manage risk more effectively.
- More capable teams will not create avoidable risks for themselves. They will tend to make more balanced and effective decisions and to set up more coherent and robust processes, contracts and inter-personal relationships.
Over time, the capabilities of the organisations and especially of the people involved are the single greatest determinant of the risks faced and whether risks are managed well.
Capability and risk are inversely related in a very powerful way, and it does matter. It follows that in the long term the most powerful way to manage risk is to ensure that the people involved are truly capable of all aspects of their role.
Weick & Sutton (2007) suggest that you should not be surprised by the claim that the capabilities, culture and behaviour of leaders is the root cause of many disasters. When a leader does not listen, applies an inappropriate heuristic or fails to deal effectively with performance issues in the team, this behaviour has both direct and second-order implications. Refer to the decision making discussions in Module 2.
The importance of this is not limited to obviously ineffective or poor leadership behaviour. The way in which a leader makes decisions is not only about relationships and how they interact – decision making can also be a seen as a process (a series of steps) that can be more or less effective. Note that these steps are more effective when people are trained to solve problems and make decisions using accepted and ‘proven’ methods.
Activity
- In your immediate environment, is there a consistent, well understood and practiced way of making decisions?
- Have you observed strong performers making decisions in ways that are not fully effective?
- If this is a problem, how might you improve the quality of decision-making across your project or program?
Spend 10 minutes reading sections relating to your role.
Deeper Learning
20 mins
For additional insights, visit the website of the Australian National Audit Office and look for documents and tools that are relevant to your agency.
- Weick, K.E. & Sutton, K.M. (2007). Managing the Unexpected: Resilient Performance in an Age of Uncertainty. Jossey-Bass. ↵
- Lueg, R. & Borisov, B. G. (2014). Archival or perceived measures of environmental uncertainty? Conceptualization and new empirical evidence. European Management Journal 32, pp.658-671. ↵