How to identify and control capital project enterprise risk.
Companies delivering a portfolio of capital projects need to manage three risk vectors.
- Project delivery risk
Known risks impacting successful project delivery, managed via project controls.
- Project operational risk
Either existing risks the project is helping to address, or new operational risks the project is introducing.
- Project enterprise risk
Events that could stop you accomplishing your strategic objectives.
We recommend project enterprise risk is assessed by the risk committee prior to the CAPEX gate in the development phase for small projects and the final development phase for large projects.
Despite the large body of risk assessment work associated with capital projects, few organisations have a clear view of project enterprise risk. While project delivery and operations are subject to rigorous risk management, a project’s enterprise risks are not always measured. And, even if they are, who oversees them?
Here’s the problem: individual project delivery risks are rarely a proxy for the enterprise risk associated with a project.
And, even if they were, project delivery risk assessments vary according to:
- Human subjectivity
Measuring risk is highly subjective. Although organisations have a corporate risk matrix, its interpretation relies on the individual opinions and experience of different project managers. As a result, risk identification and classification can vary from project team to project team.
Project risk changes over time, from risk identification, to designing operational risk at the development stage, to pricing risk, to construction risk. This creates potential for considerable risk level variation at each project stage.
CAPEXinsights recommends project enterprise risk is assessed by the risk committee prior to the CAPEX gate in the development phase for small projects and the final development phase for large projects.
Classify project enterprise risk with a single risk score on a centralised risk detection platform
Organisations need a more sophisticated approach to assess enterprise risk.
A consistent method – based on existing corporate risk frameworks – to classify a project’s enterprise risk profile, giving it a single risk score that supports ‘apples for apples’ comparisons at the portfolio level and enables managers to assign appropriate governance to each project.
A centralised risk detection platform that prompts project managers to conduct the assessment is the best way to classify enterprise risk. The process should be:
- Based on your corporate risk matrix
Overall project risk is assessed in terms of the enterprise risk universe and based on ISO 31000, with appropriate weightings based on organisational drivers and priorities.
- Fast and easy
Compliance depends on simplicity. On a small project, it should take a project manager no more than 20 clicks to complete the assessment.
Conducted at the end of the development phase before capital approval. If the assessment is conducted on a platform, its results will be immediately available on a dashboard like this:
Seeing it in the platform makes it easy for portfolio managers to compare risk between projects – and understand the shape and profile of the capital portfolio.
When a portfolio manager understands how much risk the organisation is taking on by implementing any given project in the context of the broader portfolio, they often make different, smarter decisions around portfolio build.
Use risk committees to oversee capital projects with a certain risk profile.
Once you have an enterprise risk score, the platform can assign projects the appropriate level of governance, which may include oversight by a risk committee.
All projects require project delivery governance. Complex projects typically use project steering groups with cross-functional representation. Simple projects can be managed by the local engineering manager.
Typically, high value projects are rigorously governed. But, sometimes, a simple project also presents a high enterprise risk. All high-risk projects need to be considered in aggregate through an enterprise risk lens.
This is why capital portfolios need risk committees. Not every project needs oversight by a risk committee - but many do.
Depending on its project enterprise risk score, a project might be assigned as follows:
A risk committee’s job is to:
- Review a project’s enterprise risk profile
- Recommend ways to manage this risk using the organisation’s collective wisdom
- Assess the project management’s capability.
The committee then passes its recommendations to the group responsible for project delivery governance.
This overall risk score can also be used when assessing the business case at the capital approval stage gate, expanding the questions from “Is the project ready to proceed?” to include “...and under what conditions?”
Unlike steering groups, risk committees have representatives from engineering, finance, legal, safety and supply chain – and very narrow terms of reference. Their remit is to oversee the project’s enterprise risk.
Typically, risk committees only see projects once. But if committee members are particularly concerned about a risk factor, or lack faith in project management, they sometimes request regular reviews until they are comfortable risk is under control.
Using a centralised risk platform and risk committees in this way gives executives and portfolio managers comfort that enterprise risk is tracked and managed throughout the capital project portfolio. Otherwise, enterprise risk will continue to remain undetected and uncontrolled.