Companies delivering a portfolio of capital projects need to manage three risk vectors.
- Project risk - delivery
Known risks impacting successful project delivery, managed via project controls.
- Project risk - operational
Either existing risks the project is helping to address, or new operational risks the project is introducing.
- Project risk - enterprise
Events that could stop you from accomplishing your strategic objectives.
"We recommend project enterprise risk is assessed by the risk committee prior to the CapEx approval gate in the development phase for small projects and the final devlopment phase for large projects"
Despite the large body of risk assessment work associated with capital projects, few organisations have a clear view of project risks. While project delivery and operations are subject to rigorous risk management, a project's enterprise risks are not always measured. And, even if they are, who oversees them?
Here's the problem: individual project delivery risks are rarely a proxy for the enterprise risk associated with a project.
And, even if they were, project delivery risk assessments vary according to:
- Human subjectivity
Measuring risk is highly subjective. Although organisations have a corporate risk matrix, its interpretation relies on the individual opinions and experience of different project managers. As a result, risk identification and classification can vary from project team to project team.
Project risk changes over time, from risk identification, to designing operational risk at the development stage, to pricing risk, to construction risk. This creates potential for considerable risk level variation at each project stage.
Mitigate project risks: We recommend project enterprise risk is assessed by the risk committee prior to the CapEx gate in the development phase for small projects and the final development phase for large projects. This will help to identify risks early in project management for effective risk management.
Classify project risk management on a centralised platform
Organisations need a more sophisticated approach to assess enterprise risk. Using project management tools that have an organisation's risk management processes embedded into the project management lifecycle will ensure that adequate risk analysis is undertaken to navigate any project risk before executing.
A consistent method – based on existing corporate risk frameworks – to classify a project's enterprise risk profile is critical to set project managers up for success. This entails the enterprise allocating a single risk score that supports ‘apples for apples' comparisons at the portfolio level and enables managers to assign appropriate governance to each project.
A centralised risk detection platform that identifies potential risks by prompting project managers to conduct an assessment is the best way to classify enterprise risk. The process should be:
- Based on your corporate risk matrix
Overall project risk is assessed in terms of the enterprise risk universe and based on ISO 3100, with appropriate weightings based on organisational drivers and priorities.
- Fast and easy
Compliance depends on simplicity. On a small project, it should take a project manager no more than 20 clicks to complete the assessment and identify potential risks.
Exercises for identifying risks should be conducted at the end of the development phase before capital approval. If the assessment is conducted on a project management platform, the risk analysis should be immediately available on a dashboard.
Seeing it in the platform makes it easy for portfolio managers to compare risk between projects – and understand the shape and profile of the capital portfolio.
When a portfolio manager understands how much risk the organisation is taking on by implementing any given project in the context of the broader portfolio, they often make different, smarter decisions around portfolio build.
Risk committees for certain project risk profiles
Once you have an enterprise risk score, the platform can assign projects the appropriate level of governance, which may include involvement of a risk committee to oversee project risk management.
All projects require project delivery governance. Complex projects typically use project steering groups with cross-functional representation. Simple projects with the most common project risks can be managed by the local engineering manager.
Typically, high value projects are rigorously governed for potential risks. But, sometimes, a simple project also presents a high enterprise risk. All high-risk projects need to be considered in aggregate through an enterprise risk lens.
This is why capital portfolios need risk committees. Not every project needs oversight by a risk committee - but many do.
Depending on its project enterprise risk score, a project might be assigned as follows:
A risk committee's job is to:
- Review a project's enterprise risk profile
- Recommend ways to manage this risk using the organisation's collective wisdom
- Assess the project management's capability.
"Unlike steering groups, risk committees have representatives from engineering, finance, legal, safety and supply chain - and very narrow terms of reference"
The committee then passes its recommendations to the Project Manager and group responsible for project delivery governance. Their remit is to oversee the project's enterprise risk.
This overall risk analysis score can be also used when assessing the business case at the capital approval stage gate, expanding the project risk questions from “is the project ready to proceed?” to include “...and under what conditions?”
Typically, risk committees only see projects once. But if committee members are particularly concerned about a project risk, or lack faith in project management, they sometimes request regular reviews until they are comfortable risk management is under control.
Using a centralised risk assessment platform and risk committees in this way gives executives and portfolio managers comfort that project risk, in particular enterprise risk, is tracked and managed throughout the capital project portfolio. Otherwise, enterprise risk will continue to remain undetected and uncontrolled.