VOICES In the Trenches
Beyond Project Risks
To mitigate wider-ranging risks, organizations
take an enterprise-wide approach.
By Joel Crook, PMP, PgMP
FROM ROCKETS TO NATIONAL NUCLEAR
SECURITY, my work has shown me that risk
threatens far more than cost, scope and schedule.
Wider-ranging risks—including to an organization’s reputation, workers’ safety, a country’s
security and the environment—permeate everything defense and aerospace organizations do,
whether strategic or tactical. To proactively manage risk, organizations in these and other fields
are increasingly implementing enterprise risk
management (ERM).
ERM is a risk-based approach to managing
an organization in any industry, and it can be
highly effective in supporting strategic planning,
controlling risk exposure and achieving objectives. Managing risk at the organizational level
is very different from managing it at the project
level. Project risk management is concerned with
risks that arise from the project’s scope, but at the
portfolio or enterprise level, it is virtually impossible to separate risk considerations from most
organizational activities. For this reason, ERM is
designed to break through organizational silos.
It analyzes all risk across the enterprise, including operational risk, governance and compliance
risk, project and program risk, financial risk and
others. Risk management at this level plays an
essential role in strategic planning and the growth
of the organization.
ERM requires aggregating risk so that an
overall risk position can be determined for a
project, a program, a facility, a process, a site or
the entire enterprise. Without risk aggregation,
it’s difficult for stakeholders and decision-makers to make a good comparison of alternatives.
Aggregating allows business leaders to compare,
for example, complex combinations of opportunities, expressed in dollars, and associated
threats, expressed in units of reputation and
units of environmental impact.
Normalizing Risk
But what is the common denominator that allows
a cost risk to be aggregated with an environmental risk? And how can one aggregate financially
tangible risks with financially intangible risks,
such as community relationships, reputation and
environmental impact? The answer begins with the
normalization of risk.
To normalize risk, one must view it in terms
of its cost impact. For example, a loss in corporate reputation can affect contract performance
incentives and future contracts. An environmental
impact risk could cause a cessation of operations
for a period of time, which would equate to a specific dollar impact to sales. Once risks have been
normalized in this way, they can be summed to
indicate an overall risk position.