When engineers think of risk management, it’s often in the context of events directly related to specific program elements—adequately addressing all design criteria, identifying and securing commitments for the necessary program resources, or executing the program plan within budget and schedule constraints. While risks specific to the engineering effort must be addressed and managed to support a successful program outcome, our increasingly complex and interdependent operating environments do not allow the luxury of assuming events beyond the scope of the program plan are either unlikely to happen, or if they do, will result in only minimal inconvenience. As recent catastrophic events associated with large public projects have shown—ceiling panel collapses in the Boston Big Dig tunnel, levee breaches in New Orleans—events beyond the direct control of the designer and contractor can greatly affect not only the successful implementation of the overall infrastructure program, but adversely impact professional reputations and raise questions of institutional bias and complacency. Such externally generated risks may be realized due to errors by an intermediate supplier, perhaps a subcontractor’s subcontractor, or lack of action or oversight by a customer or governmental representative, indirect risks that are easily overlooked when planning and executing in a complex, multifaceted environment.
Excessive focus on contract-specific internal risks can leave infrastructure implementation not only exposed to external uncertainties beyond the program scope, but give a false sense of security by not promoting awareness or provid-ing visibility into the existence of all contributors to risk exposure. The engineering community ignores, and by default accepts, these latent sources of uncertainty at their peril. While the contractual customer of the infrastructure-related goods and services may only be interested in risks directly associated with the specific undertaking, the community at-large is often not so willing to blindly assume all potential risks not constrained by program boundaries.
To successfully manage uncertainty in complex situations, it is essential to address the relationships between internal and external contributors and engage in a proactive, multi-disciplined risk investigation. Six overarching risk categories are discussed that clarify and isolate the root causes of risk from throughout the operating environment, both the tangible risks directly related to program execution and risks having a more judgmental or emotional component. Since lack of definitive information often constrains the inclusion of less tangible issues in a rigorous risk assessment, alternative means are explored for generating and deriving empirical information. Not only does accurate likelihood and impact/consequence information assist in a balanced and objective risk evaluation, but transparent and collaborative methods provide the insight required for meaningful risk prioritization without undo bias toward politically motivated or socially amplified issues.
Risk Management in Technical/Engineering Disciplines
Utilizing a Systems Perspective
Engineers and other technical professionals have traditionally addressed risk management issues as a component of program management—tasks are reviewed and designated as high, moderate, or low risk; a mitigation strategy is chosen; and the program plan is modified accordingly to include any additional risk combating efforts.
While this approach is effective in managing risk within a constrained system, such as within defined program scope, programs do not exist in isolation from the rest of the operating environment. Oftentimes, risk exposure is assumed via indirect associations—competitive pressure, reaction to geopolitical events, or secondary effects from fluctuations in the business cycle.
As opposed to having a rigid boundary defining program scope and thus potential risks, programs and organizations in reality operate in an interrelated system of systems. Internal operating environments are defined by the scope and influence of each participating organization, their immediate suppliers and subcontractors, any oversight authorities, and the direct customer(s) for the intended output. It is within these interrelated, bounded systems that the partners in an effort have the greatest ability to directly impact program outcomes. This includes the ability to identify and exert control over any direct associations between the fundamental sources of risk and the undesirable consequences.
Unfortunately, excelling at managing risks within the internal environment does not alleviate risk exposure concerns. While the contractor and customer may have complete confidence in their abilities to prevent and protect against undesired consequences within the program scope, the external operating environment adjacent to program boundaries is neither complacent nor static. While the affected internal program entities may maintain good insight into external environments (government agencies, competitors, international relationships) by being outside the decision-making and thought processes of these organizations, the ability to affect future actions and anticipate repercussions is limited. As the boundaries between the internal and external environments of each system continuously fluctuate due to changing alliances and market conditions, participants become exposed to risks that are both unanticipated and outside the direct influence of the affected parties.
Logically, the program management approach to risk management can make perfect sense.
•
Will the effort be completed within budget? If not, the program objectives may only be partially realized or have to be scaled back, or the customer may have to cannibalize another program in order to secure increased program funding. In either case, overspending or reduction in scope, the outcome would be less than originally desired. Cost overruns are a very real concern on complex, multiyear public works programs; one seldom hears of an effort that was completed at a significant savings.
•
Will the program be completed on or ahead of schedule? The weather-dependent nature of many construction efforts adds real risk to achieving desired schedules. Also the unique circumstances associated with engineering efforts—incorporating new technologies, combining proven solutions in novel ways—can require time-consuming processes to resolve unanticipated interactions. On a very time-constrained effort, hard choices in terms of original scope or desired features may have to be made when too much time is consumed addressing unforeseen problems.
•
Both the cost and schedule concerns expressed above have alluded to reducing performance criteria when problems arise—but is that always a wise decision or even an acceptable compromise? Often it is the performance criteria of a program that drive cost and schedule overruns—use of unproven technology, executing in an unknown environment, integrating components into a new configuration. However, it is often these same originally proposed performance criteria that are the justification and impetus for securing the budget and scheduling the program to start with.
The Program Manager’s Dilemma in Risk Management
Within the technical-professional community, the typical approach to risk management often takes a program management perspective, focusing on performing agreed upon tasks within cost, schedule, and performance constraints. These are items of primary concern to customers and are therefore of great interest to most engineers and other program personnel working to meet or exceed customer expectations.
As technical professionals, engineers are problem solvers, driven to find the most efficient, effective path to move an effort from point A to point B. Focusing on program management information and processes to counter potential program risks is, on the surface, quite logical—program goals are met by executing tasks; task plans define schedule, cost, and performance parameters; and if a problem develops on one task, the impact on achieving overall program objectives is readily determined. By taking into account the effort being executed by support functions (e.g., finance or safety) within the organization and the contributions of subcontractors and suppliers from outside the organization, all planned tasks associated with achieving program goals are visible and readily assessed as potential risk sources.
Task-based risk assessment often focuses on “what can go wrong” when executing the task:
•
Are resources available when required?
•
Can the effort be accomplished within the original cost and schedule estimates?
•
Are performance criteria achievable?
Some find the emphasis on unfavorable outcomes and less than desired performance depressing and demotivating. By concentrating on what could go wrong in attempting to execute each program task, feelings of incompetence or expectations of doom can develop. Alternatively, an overly positive perspective may have such high regard for the team’s abilities that a superior, and perhaps even arrogant attitude develops with expectations that success is guaranteed. Care is required to balance the emphasis placed on uncovering all potential problems with applying effort to prevent all possible problems. If too little emphasis is directed to risk identification, the program will dissolve into crisis management as the potential problems that could have been managed become issues demanding resolution. Too much emphasis on risk prevention and the program can become paralyzed by fear that all effort is for naught and any actions will be overtaken by undesirable consequences. Either scenario can complicate the path to a successful outcome.
Past experience is invaluable as an indicator of the magnitude of potential causes for concern and the most likely risk sources. Reviewing prior program results and deviations from plan gives program participants the opportunity to either define a revised, and hopefully more risk adverse, approach or put in place contingencies to alleviate any issue that is expected to reoccur. However, the focus on program tasks as the primary source of applicable risk does not address many of the external interactions that also contribute to uncertainty. Events completely unrelated to program tasks may have a profound impact on the ability to achieve desired results.
Program Perspective Overlooks Indirect Risk Contributors
While the attention to program tasks as risk contributors helps ensure all elements of program scope are reviewed for their potential to adversely affect results, prospective undesirable events are not constrained by the boundaries of participating organizations.
Program scope provides a starting point for identifying events that must be managed in order to achieve successful program completion. Many software tools used in program management have the ability to incorporate upper and lower bounds for programmatic inputs such as duration and cost. A most likely outcome can be determined for a series of tasks and balanced against known requirements and anticipated issues. In addition, knowledge of a range of likely results assists in identifying regions of program activity where the impact of risk realization is reduced due to cost or schedule slack or areas that are more critical to program success due to the lack of a buffer.
One benefit that is realized from investigating program activities is the ability to discern whether or not a task is value-added. While a defined task may be within program scope, it may not be necessary to achieve program goals, or it may not be an item of paramount interest to the customer. Removal of any unnecessary activities from program scope will also remove the potential for any risks related to the activity and will prevent diluting the resources and attention program participants have available to address issues more directly associated with the defined work effort.
While a customer may not be willing to directly compensate the infrastructure providers for addressing concerns beyond the defined program scope, there may be expectations generated that warrant consideration (see Table 1). When supporting any program that will be accessible to the public at large (including public infrastructure and commercial developments), the affected community is always an implied customer even if not a direct participant. If unmet expectations resulting from problems encountered with external issues will undermine customer satisfaction, the impact of blindly accepting sources of uncertainty in the external environment may drastically outweigh the effort required to actively address and mitigate such risks.
Table 1. Undesired Outcomes Originate beyond Program Scope
Source of risk is beyondprogram scope
Big dig tunnel construction
Gulf Coast flood controlinfrastructure
Consumer expectations not met
Area roadway congestion increases as traffic is diverted during tunnel construction
Flooding reduces available housing causing rents to skyrocket after storm
Adverse publicity is generated
Competitors and interest groups publicly critique and second guess design decisions
Recovery agencies and advocacy groups publicly critique and belittle results achieved
Global economy affects resource availability
China’s demand for steel cuts supply and raises prices for tunnel materials
Volunteers and aid for flood recovery are redirected to subsequent natural disasters
Impacts to political environment
Oversight agencies revise regulations
Conflicting agendas/allegiances exposed at local and national levels
Even after the proposal process has been successfully completed and a contract secured, the successes, failures, and interactions of peer organizations cannot be ignored. Not only is success winning the next program affected by a competitor’s achievements, but execution of the current program elements may be impacted by the competitor as well. Whether justified by performance or not, the potential for buyer’s remorse and second guessing by the primary customer and eventual consumers can require the infrastructure providers to shift expertise and effort away from performing required program activities and instead to continuous reselling of the agreed upon undertaking.
Due to the global nature of customer and supplier interactions, all programs, from the smallest internal project to the most complex global endeavors, are subject to real and imagined economic distortions. The constant flux in exchange rates, trading alliances, and government edicts means any assumptions or factual basis for decision making may already be invalid when applied. Despite the best intentions to remain informed or to limit external influences, every decision made or course of action taken is subject to global interference.
Political forces affecting desired outcomes are often as invisible and misunderstood as global economic effects. In organizations accustomed to measuring decisions and results against a profit motive, political obstacles may seem deceivingly simplistic or unimportant. However, to those intimately involved, the emotional reactions and value placed on appearances are very real and significant. In addition to undesirable publicity or character assassination, political infighting and electioneering can result in disruptions varying from contrived obstacles to full-blown civil unrest. Other undesirable consequences with public sector roots include laws not being enforced as expected, interruptions in public services, or services being allocated based on political affiliations.
Seeking Inputs from Nontraditional Sources
While a focus on the risks associated with program management tasks typically emphasize what can go wrong, the investigation of these potential problem areas can yield a positive impact that goes beyond merely preventing undesired outcomes. Considering issues from nontraditional perspectives allows a broader range of outcomes to be addressed with the potential for adding greater value to the final result.
Broadening the Definition of “Customer”
Immediate clients and all indirect program participants (e.g., oversight agencies, casual observers) have knowledge and experience that may add clarity to the prevailing views within a specialized discipline. Think of the child that incessantly asks “Why?” While the lack of specific, highly informed understanding of the issue at hand by the questioner may appear annoying at first, by looking at a situation from a slightly, or even dramatically, different perspective, a cognizant expert can utilize their prevailing knowledge to provide a unique resolution.
It was just such a thought process that spurred Edwin Land to invent the self-exposing film that created a miniature, portable dark room. When queried by a young child as to why pictures taken of her couldn’t be seen immediately, Land investigated solutions that did not assume photographic development must be accomplished in a distinct location. The potential risk of customers losing interest in cameras due to delays in sharing photographs was overcome by developing consumer-accessible instant photography.
Seeking input from nontraditional, indirect participants during the risk assessment process can be invaluable on complex, multifaceted efforts such as infrastructure programs. Since even non-public structures and concealed utilities affect the general population, casual observers can raise unanticipated concerns or add value to the risk mitigation process through their perceptions and experiences.
On public sector efforts, objections and protests often arise from unforeseen sources. When addressing environmental concerns, groups such as Greenpeace or the Sierra Club are often asked to provide inputs during the program definition process since these groups will seek to participate in the process whether requested to or not. Uncertainty arises when nontraditional participants in environmental issues, most recently population and immigration control organizations, demand that their views also be incorporated. By proactively soliciting input from diverse sources, the program can proactively counter risks associated with lack of broad-based customer satisfaction. The effort may also gain insights that improve the likelihood of receiving public praise or, at least, neutralize criticism.
Competitors and Suppliers
Visibility into potential risks and an understanding of external environments can be gained by staying attuned to the actions and intentions of suppliers, subcontractors, and competitors. While specific circumstances may differ, the increased knowledge of results and trends experienced in other environments can be used to justify internal risk management assumptions and provide insight into likely future scenarios.
By tracking the progress of a successful competitor in a losing competition, the organization can learn the lessons of the technical effort without direct participation or the assumption of program risk. The schedule, cost, and performance achieved during program execution can be compared to what was anticipated by the losing contractor. Any comments or concerns expressed by the oversight authority or setbacks realized in executing the program should be retained as part of internal lessons learned and applied to future efforts.
By not constraining experience-based knowledge to only internal results, a broader understanding of potential setbacks, and the means to thwart them, can be gained. This approach not only reduces uncertainty on future endeavors, but may provide the impetus to overcome an industry-wide concern by developing a revolutionary solution. While the winning contractor is concentrating on meeting day-to-day performance obligations, peer organizations, unconstrained by immediate program scope, are able to take a more inclusive perspective toward resolving overarching issues, potentially gaining an advantage in future competitions.
An additional external source of information is the long- term projections risk conscious organizations make regarding future expectations of uncertainty. While the results of these assessments are generally not made public, comments by the organizations in annual reports or publicity statements give insight into their risk projections and anticipated outcomes. As with comparing inhouse program estimates against results achieved by competitors, comparing internal risk and growth projections to areas of concern or optimism expressed by other organizations provides valuable feedback on internal assumptions and conclusions.
Impacts from Globalization
Every day it seems there are new fears raised related to interdependencies within the global economy—massive infrastructure improvements in one country (China) affect job creation in another (United States); a disputed election in another country (Kenya) causes inflationary pressures in essential commodities (petroleum products) across work markets; or a rogue trader at a single financial institution (Singapore) threatens international currency stability.
While the unforeseen consequences of international events on local circumstances are often not favorable, the constant flux in global relationships and relative values can create beneficial opportunities for organizations that are able to recognize the influence of indirect relationships on local outcomes. Changes in the relative values of process inputs (e.g., the cost of labor relative to material) can reverse conventional wisdom regarding high-risk courses of action. In many engineering disciplines, technological advances offer processing alternatives that would require the costly replacement of non-obsolete plants and equipment. Where substituting technology for labor may have been seen in the past as an issue to resolve rather than an opportunity to grasp, a change in global parameters may make the upgrade not only cost-effective but the low risk alternative. Even a stable process may benefit as the changes in absolute or relative values of inputs complement a prior decision. Without disruptions in the marketplace, technological improvements and capital investments are often delayed, to the long-term detriment of an organization’s competitiveness and the satisfaction of its clientele.
Disruptions are always painful to those affected personally, but many small disruptions (or upgrade opportunities) are more easily assimilated than a major disruption that leaves few immediate alternatives. Consider the disruption and havoc caused by flooding in New Orleans in the wake of Hurricane Katrina. Granted, it would have adversely affected the local economy to restrict building in tidal areas or close existing waterways either permanently or for upgrades, but it would have given the area the opportunity to improve flood prevention and other infrastructure in an orderly manner. Instead, the infrastructure is being modernized and upgraded but at a social cost of dislocating at least a third of the Gulf Coast population, in addition to massive repair and cleanup costs.
Other climate-related impacts also have the potential to manifest disruptions, or opportunities depending on one’s perspective. Warmer winters should result in less freeze-thaw damage to roadways, perhaps allowing for lower cost construction methods and less frequent maintenance. That is, unless these transportation routes are in the far north where permafrost is relied on to provide a permanent support structure (e.g., the Pan-Himalayan Railway). Within the United States, as “tornado alley” migrates, existing infrastructure may require reinforcement or redesign to withstand previously unanticipated weather forces while areas previously subjected to severe storms would experience reduced infrastructure costs. Since occurrences of weather events and other natural disasters are beyond the control of infrastructure providers and their customers, managing the risks associated with these events is limited to attempts to reduce the severity of the anticipated consequences.
As with seeking the experiences and predictions of competitors to gain an advantage on future competitions, investigating technology adoption in other countries can assist in predicting future infrastructure requirements. The social applications of cellular technology in Europe and Japan may foretell required design changes or future disruptions in the United States. While cell phones are used primarily as communications and entertainment devices in the United States, in Japan the cell phone has become a portable wallet. This impacts infrastructure required for purchasing goods and services—obsolescence of cash-dispensing machines including provisions for security and access, physical payment stations replaced by portable receiver modules, and a reduction in the need to produce and transport currency. Organizations that anticipate these changes and proactively incorporate approaches to capitalize on the disruption will gain not only an advantage over their rivals but will reduce their risk to resource revaluations and inappropriate customer support.
Closely aligned with global economic impacts are political disruptions. Ethnic squabbles in a far-off land can foretell a change in commodity prices or provide the impetus to implement a technological change (e.g., the substitution of biomass fuel for petroleum-based fuels). Change in the political climate, or party in power, can alter conventional trading alliances and the availability and cost of process inputs.
Beyond the pure changes in relative resource values, looking to overarching global trends can assist in identifying current processes that may be less desirable in the future or offer insight on advantages and risks that may accompany future scenarios. In recent decades, following the post-World War II rise of more socialistic-oriented governments, there has been a global rise of more conservative, and often more religious-based, political authorities. How this will affect infrastructure decisions or the risk associated with infrastructure efforts is currently unknown, but it is safe to predict that there will be an impact. The organizations and technical specialists that recognize and most accurately envision the future conditions and operate most effectively across multiple perimeters will have lower risk exposure than organizations that emphasize the status-quo.
An Integrated Approach to Risk Management
To adequately address and manage either program or organization-wide risk exposure requires attention to items often viewed as beyond the control, or even influence, of the infrastructure provider. Even though many external factors are unaffected by internal actions, there are still effective means for moderating the impact of external associations on program achievements. The challenge is to look beyond internal program plans and processes and consider instead what affects the immediate customer and the eventual consumer.
Public infrastructure programs are especially susceptible to differences in expectations for goal achievement. While the client specifies what constitutes successful program completion for the contracted effort, the public-at-large may form a different perception of the final product’s desirability. Both the Big Dig tunnel project and the Gulf Coast flood control efforts shared several common risk exposure factors resulting from unmet consumer expectations. A classic program management focused on shortfalls in task completion and resource allocation will overlook these risk sources, setting the stage for a potential crisis when external forces invalidate the client’s perception of success (Table 2).
Table 2. Instances of Projections Not Meeting Consumer Expectations
Proponent of original expectations
Big dig construction project
Gulf Coast flood prevention and recovery
Contracting of budgetary agency: Projects effort scope and cost
Overly optimistic initial cost estimates result in cost over runs
underestimated extent of damage and relief needed–extensive loss of life and property
Inspection and oversight authority: Guarantees effective program execution
Ceiling panel installation did not meet operational requirements resulting in a catastrophic failure
Levee inspection and maintenance dependent on community action despite lack of technical knowledge and ability to enforcement
Infrastructure customers, local community: Expect beneficial outcome
Breached public trust for competence and safety
Extensive delays in providing relief and clean-up
Autonomous interest groups: Promote outcomes supporting common goals
Expected beneficial result for all members of community, not bias to commuters
permanent change in communities affected due to rebuilding priorities
A major consideration in publicly funded efforts is the ability to satisfy the many conflicting viewpoints claiming ownership over the process. It is often the inability to accurately link expectations to the results achieved that causes efforts to be severely criticized. An otherwise successful outcome can be deemed a failure, or an unsatisfactory compromise, as a result of not managing the risk of unmet expectations, whether those expectations are reasonable or not.
The multiplicity of participants joined together for the purpose of confronting issues surrounding the proposed effort seldom have a common goal as the basis of their involvement. Motivations for participating include: seeking to expand the effort beyond the initial scope; modifying the scope to address other unmet need; thwarting the effort entirely; or some combination of the above. Even among groups with somewhat similar goals, expectations for the progression of the effort, the impact on the immediate locale during implementation, and acceptability of the final result may vary to the point of conflict.
Hiring and Budget Authorities
The contractual or budgetary authority involved in a public infrastructure effort generally functions externally to the direct program participants. In contrast to a privately funded endeavor, the approval process often is conducted in a series of open forums where it is not uncommon for participants to disagree on the overarching goals of the effort or lack sufficient insight and understanding of the myriad of issues that must be coordinated.
Holding public reviews and forums assists in program risk reduction by providing visibility and transparency into potential concerns, obtaining inputs from unconventional sources, and capturing novel approaches to problem resolution. However, the formality of the review process can greatly increase the time required to reach a decision, during which value relationships and information are continuously changing. To incorporate new information and participant feedback into the decision-making process, additional review and feedback sessions are often required, adding to the risk that when a decision is finally achieved, it will be best suited to a prior scenario and not be the optimal solution in the current environment.
Underestimating program scope or the required resources not only risks successful completion, but may increase risk exposure as participants envision a more perfect outcome than can be guaranteed. While the planning and review processes undertaken by the responsible agencies are not the primary cause of the undesired outcomes, neither did the processes prevent or counteract the realized outcomes. If there is a failure to recognize and counter the insufficient preparations, the consequences of unmet expectations can be more severe than if more moderate expectations had been initially promoted. Without a false sense of security or confidence in expected results, individuals and other organizations would have an incentive to take individual actions to moderate the most objectionable consequences.
Oversight, Review, Inspection Authorities
Infrastructure projects typically require review by an inspection agency prior to being granted an occupancy or operating permit. As a result, the risk related to not achieving required performance standards is at least partially transferred from the service provider to the oversight authority. While beneficial to the infrastructure provider, shared authority can promote confusion and lapses in accountability as roles and responsibilities cross organizational boundaries.
Guaranteeing performance levels in an independent entity is exceedingly difficult. While it is anticipated that the oversight authority would have considerable knowledge in the area being inspected and the infrastructure provider would employ a competent workforce, neither party has the ability to absolutely guarantee a sufficient level of expertise beyond its own perimeter. In addition to operational autonomy, each participating organization would be influenced by, or subjected to, the opinions and preferences of additional authorities and clients not necessarily within the operating domain of other program participants.
On the Big Dig program, inspections were successfully completed allowing the tunnel to open. However, latent construction problems that led to a catastrophic event were not discovered—expectations for public safety were not achieved using traditional program oversight and inspection mechanisms. In the aftermath of Hurricane Katrina, it became apparent that local citizens groups that had been expected to take the initiative in monitoring levee problems had not provided the necessary oversight needed to maintain levee performance. While local “eyes and ears” may have been seen as a preferred monitoring approach, the result did not meet user’s expectations to prevent a devastating flood.
The Ultimate Consumer, the Public
Public infrastructure consumers can be so numerous and diverse that it is unrealistic to anticipate a uniform set of expectations. In addition to the often unpredictable whims of the community at large, there may also be conflicting expectations of the sponsoring, funding, and inspection authorities as each group strives to achieve specific results. The political nature of many public infrastructure efforts can also precipitate adverse interactions due to favoritism and power imbalances.
In highly politicized environments, it becomes even more important to broaden the scope of the applicable risk assessment to obtain visibility into the actions and motivations of all participants. Unlike self-contained, privately funded efforts, the conflicting motives associated with the public oversight process cannot be easily predicated or directly controlled. The downside of an abundance of divergent perspectives is that a vocal few may influence the implementation plan to such an extent that the final result would not meet the expectations of the majority of eventual users. The possibility also exists for all reviews to be technically completed according to the established guidelines without achieving a successful conclusion in the eyes of the ultimate consumers.
Such incompatible expectations were realized when the Big Dig tunnel opened for use—the public consumer expected a safe, effective transportation route which was assumed to have been provided as a result of client and contractor oversight. Gulf Coast residents likewise assumed that drainage canals constructed and managed by the U.S. government were fully functional and that should a tropical storm strike, the area would receive sufficient disaster recovery assistance. In both instances, consumer expectations dramatically exceeded the responsible agency’s ability to perform. While either instance may still have resulted in catastrophic consequences, the breach in the sense of security felt by those affected will most likely continue to haunt infrastructure and support providers in those communities for some time to come.
Special Interest Groups and Autonomous Organizations
Autonomous groups (e.g., environmental organizations, citizen associations, government entities) participating in the public oversight and review process should be expected to simultaneously promote their internal objectives while providing feedback and alternative perspectives on the issue under study. The harm, from a risk perspective, is use of the review process as a forum for solving problems only indirectly related to achieving stated program goals. The introduction of additional objectives has the potential to increase program complexity, divert attention from pertinent issues or add superfluous tasks, all contributors to risk exposure.
Since funding and advocacy of public works efforts are linked to community and governmental purposes, coordination is needed to focus on common goals and expectations. The competing agendas and divergent expectations of elected officials, advocacy groups, and the general public may cause an otherwise successful outcome to be criticized when one or more groups experiences undesirable or unintended consequences.
Although the Big Dig program achieved stated goals to improve traffic flow and harbor area aesthetics, concerns have been expressed regarding the loss of parking beneath the former highway and impacts to air quality. Along the Gulf coast, the character of many communities was altered as residents were permanently displaced by rezoning designed to attract new industries and encourage growth. While each of these scenarios achieved a specified set of goals—improved traffic flow, an enhanced tax base, urban renewal—ancillary participants have been adversely affected by outcomes that either they did not anticipate or were not considered when addressing overall suitability. The loss of support by affected groups may not impact the current effort, but will often be realized as heightened resistance to subsequent infrastructure improvements.
Any Risk Not Specifically Addressed Is Assumed
Being technically or contractually successful does not necessarily guarantee a successful outcome due to the influence of risk factors from beyond defined program boundaries. A key, often overlooked, tenet of risk management is that the risks associated with any situation that are not specifically addressed are uncertainties that are accepted by default. There lies the danger in focusing risk management actions too heavily on events associated with internal activities and interactions constrained by program scope—limited knowledge of and ability to affect issues inherited by association with ancillary program contributors.
As was seen on the Big Dig project, risk exposure that was evidently accepted by a lower tier subcontractor (that the epoxy selected was sufficient to secure ceiling tiles) was inherited by the higher level contractors and their customers. Even though specific actions may have been taken to contain the potential hazard—additional reviews and inspections or use of contract language that legally transferred responsibility—the primary contractors and clients are still subject to adverse consequences resulting from unfavorable perceptions of product quality and technical performance.
While not all risk accepted by default will result in catastrophic consequences, even outcomes that are only annoying or inconvenient can cause major program distractions and disruptions. Effort must be expended to address misconceptions and unfilled expectations and counter unwarranted accusations and bad publicity, often by reallocating scarce resources away from required program elements and instead to crisis management.
A common rationale for not managing risk as an integrated issue across organizational and program boundaries is the lack of direct compensation for doing so. The real question is, can a contractor or agency associated with a complex effort afford not to? As lawsuits and adverse publicity have demonstrated, the cost both in monetary and societal terms—of accepting risk by default can be many times greater than the effort that would have been required to proactively lessen the probability or severity of the potential disaster.
Relationship of Internal to External Risks
Despite the perceived difficulty in obtaining non-programmatic information and the lack of compensation for addressing risk events that cross contractual perimeters, in ongoing efforts to effectively manage direct, internal risks, many organizations are already experienced in working across such boundaries. As illustrated in Fig. 1, even within the boundary of a specific internal environment, wholly and partially contained peripheral systems exist that overlap the internal operations of other programs, customers, suppliers, and subcontractors. The external environment is defined as including all competitors, future customers, and any other organizations or agencies not directly associated with the internal organization in the current timeframe plus all indirectly targeted end-users.
Fig. 1. Relationship of internal to external operating environments
While the concerns and perspectives of internal participants in an activity can be anticipated to differ from their external counterparts, there are additional difficulties that must be addressed when working across a perimeter—consistency in terminology and definitions; incompatible assumptions regarding expectations and preferred processes; even instances where accepted units of measure for transferring information differed but were not communicated. Where an organization shares a perimeter boundary both with its parent organization and multiple internal and external colleagues, the increased complexity of multilayered communications and coordinated activities is a major source of latent risk.
Although the representation in Figure 1 is from the perspective of an operating organization or public agency, the concept of interrelated associations can also be represented from a community viewpoint. While communities of users are less cohesive in their acknowledgement of their common internal and external boundaries, multifaceted groups are often unified in their overarching expectations of a desired outcome.
Relabeling the operating environments figure from a New Orleans perspective in Fig. 2 highlights the complex interrelationships and conflicting expectations that must be overcome to satisfy the community as a whole. Due to overlapping relationships and dependencies, an external organization providing relief aid to New Orleans after Hurricane Katrina flooding could not be successful unless expectations of all groups were addressed. While the majority of losses incurred from levee breaches may have been borne by local residents, the resulting impacts of the flooding risk were shared by all members of the community and organizations associated with the community, regardless of whether their property was directly damaged by the flooding.
Fig. 2. Internal and external environments from a community perspective
In the aftermath of the storm, all members of the community required the support services—clean water, shelter, safety—that local businesses and government agencies had difficulty providing. In addition to the entire community’s loss of basic infrastructure, businesses lost many of their customers and suppliers due to displacements after large areas were flooded.
On the surface, it may not seem that shipping companies using New Orleans ports would be affected by the destruction of local neighborhoods. However, loss of residential communities meant the loss of skilled workers who were forced to leave the area following the storm. An outcome of the residential flooding event has been a renewed effort to create a wetlands buffer between the city and the Gulf of Mexico by reducing waterway dredging and the number of shipping channels. As an additional consequence of storm recovery and flooding prevention activities, shipping companies may face limits on port access or experience longer delivery times.
While shipping companies may not have had the ability to directly control the likelihood of canal failure and flooding, it was not necessary for them to automatically accept the consequences of flooding risk generated in their external environment. Actions shippers could have taken to modify flooding probability or alleviate its consequences include changing their operating parameters by using smaller or lower draft vessels to avoid the need for larger and deeper navigation channels. This strategy could have reduced the volume of the storm surge reaching the city canals and assisted in mitigating the flooding risk. Shipping companies may still have suffered undesired consequences as a result of the hurricane, but the extent and longevity of those loses would most likely have been reduced.
In some instances, formal agreements or permissions are required before activities internal to specific segments of the operating environment can be modified to be more favorable to program participants. However, this handicap doesn’t limit an organization’s responsibility to actively address uncertainties that may be generated externally or are inherited as a result of having a shared or overlapping perimeter. Where the source of an undesired interaction cannot be directly managed across a boundary and there is no desire to assume the risk by default, indirect mechanisms such as transferring accountability become the most viable means for reducing event probabilities and/or moderating the likely consequences.
Emphasizing Root Causes
As noted in the interrelationships discussed above, managing risk to an acceptable level requires considering more than potential events linked to internal operations or defined program tasks. For comprehensive risk identification and management, a focus on the root causes of risk, both internal and external to the organization, is required.
So often in risk management, the focus of concern is the potential undesirable consequence—missing a deadline, exceeding costs, or not meeting performance goals. But attempting to manage risks only by managing the consequences is essentially accepting the prevailing likelihood that the risk event will occur. A more proactive response is to address the root cause of the potential problem and try to limit both its probability and severity.
If a situation causing workers to abandon their homes would create a labor shortage, a strategy addressing only the lack of available workers may not have the intended effect. Any additional workers imported to resolve the crisis would also have trouble finding a place to live, in addition to requiring time to become a fully proficient workforce. By taking actions that make it less likely that residents will need to relocate, it also becomes less likely that skilled labor will be lost. A strategy directed at reducing the likelihood of workforce displacement would not necessarily negate the need to have a plan in place to address anticipated consequences should the risk be realized. But by addressing the root cause of the potential risk, whether an increased likelihood of flooding or some other local disaster, the organization increases its chances of averting a crisis and its unpleasant side-effects.
In attempting to address sources of risk, both within program scope and beyond, it becomes apparent that collaboration across operating boundaries and insight into a broad range of concerns is required to fully understand the associations between undesirable events and their root causes. Without knowledge of the fundamental issues that promote a risk event, proactively determining a course of action that will either reduce event probability or limit the severity of anticipated consequences is extremely difficult.
Overarching Risk Categories Overlap Defined Boundaries
Focusing on program task outcomes, such as cost, schedule, or performance, to isolate potential risk events for identification and evaluation, can limit insight into the fundamental sources of events that precipitate undesirable outcomes. Six overarching risk categories are recommended to concentrate attention on overcoming related sources of uncertainty (Fig. 3). Each category addresses situations that cross internal and external boundaries that may be able to be affected by applying a targeted strategy. The classifications are applicable to both for-profit and nonprofit operations, including governmental agencies, though the proportion of risk events allocated to each category would be expected to vary according to unique program circumstances. In many organizations, these breakouts are equivalent to the classifications used for risk governance reporting.
Fig. 3. Risk categories address both internal and external sources of uncertainty
When assessing risk event likelihood and impact, each category is investigated from the perspective of the internal organization. However, due to the interrelated nature of most operating environments, the risks identified are not limited to internal activities or to information gained from internal sources. By addressing the root causes of risk from multiple perspectives, including those external to the operating environment, more in-depth coverage of the multidiscipline associations that contribute to undesirable outcomes can be realized.
Agreement Termination Risk
Potential instability in a shared opinion or arrangement, whether the agreement is implied or formal, is classified as agreement termination risk. From an organization’s perspective, labor strikes are a primary example of an agreement that is not fulfilled as expected. Other examples include: unethical employee conduct (assuming ethical behavior is expected); missing a schedule milestone that was agreed to as part of a program plan; overrunning an established budget; withdrawing from a contractual arrangement; or insufficient cooperation by a team member where there was an arrangement to share responsibility, costs, or some other aspect of the work effort.
In each of these examples, the activity covered by the agreement would be considered internal to each participant and would be within an area of overlapping boundaries. While each party to the agreement may have a different internal perspective of the arrangement, and possibly different motives for entering into the agreement, consensus on the ultimate outcome would be expected in the area of commonality. Visibility into each participant’s commitment to the agreement and the factors that support cooperation helps to sustain the commitment. Any event or situation that undermines even the perception of a mutually beneficial relationship can change the dynamics of the union and destabilize the cooperation required for a successful result.
While the consequences to both parties of a teaming agreement being terminated would be similar—cost, schedule, and performance impacts as the specific work effort is not executed as originally anticipated—knowledge of the anticipated consequence does not provide much assistance in defining a means to counteract the risk. By identifying the conditions and assumptions that form the basis of the agreement as possible risk sources, each participant can more readily visualize circumstances or events that could lead to a breakdown in the arrangement.
Knowledge of likely root causes of an undesirable outcome allows all participants to proactively address any circumstances, that left unattended, could cause agreement termination risk to be realized. Possible root causes may vary by participant depending on their respective internal circumstances and unique external interactions (Table 3).
Table 3. Scenarios That May Alter Internal Commitment to a Shared Agreement
A change in ownership or leadership of any participant’s internal environment may lead to revised priorities that are inconsistent with an existing agreement
Reactions to economic conditions could force modifications to internal operating structures and long range goals
Participants may cease to support an agreement if they believe the knowledge and insight being shared as part of the teaming arrangement is not being reciprocated
One party could have lost key resources (e.g., funding, expertise) required for successful activity completion and be unable to perform as promised
Either party may perceive they are carrying an unfair share of the burden or not being adequately compensated for the responsibility assumed.
It is possible for agreements to be one-sided with one party assuming the other participant is compelled to fulfill certain expectations. When residents assume the government will provide specific services or infrastructure (e.g., uncongested transportation routes), or public agencies expect to receive desired levels of compensation or other essential resources, the overlap in common expectations of cooperation or commitment may be minimal. The only portion of either environment in common could well be where the perimeters of each internal environment meet. While local users, fee payers, and voters may feel some ownership or right to dictate levels of government-provided services, expectations may not be compatible with the provider’s mandate or ability to perform. Likewise, public agencies may interpret levels of public financial support as a measure of services to be supplied. Where expectations are not met, by either party, even if the desired level of performance might be considered unreasonable (e.g., absolutely no flooding in areas below sea level, agencies in the disaster area being unaffected and able to provide relief), the implied or assumed agreement has been breached.
Due to the lack of coordinated expectations, these assumed agreements are the most likely to break down. Without a mutual understanding of the internal priorities and shared commitment of all participants, it is difficult to reach more than cursory agreement on common goals and expectations. Even though there may be other significant factors that impact the ability to maintain realistic expectations (e.g., differences in political affiliations, under-funded public services, a sinking landmass), the lack of coordinated ownership and responsibility for the issue is a primary source of the incompatible assumptions. When essentially all factors contributing to realization of a risk are external, the complexity associated with attempting to moderate or even isolate the root causes greatly increases. Not only does realizing the undesirable event become more likely, but the extent of any consequences are also likely to be more random and widespread.
Agreement termination risk was realized in the aftermath of the New Orleans levee breaches. The U.S. government, through the Corps of Engineers, had primary ownership of the system of canals and waterways along the Gulf coast. However, within New Orleans, local citizen councils were considered to have some level of responsibility for monitoring the condition of the drainage canals. Even if these citizen councils had the expertise to identify problems, they were still dependent on the government for any corrective action. Each group appears to have assumed that the other party was ensuring proper canal functioning. Without mutual agreement and cooperation on canal monitoring and maintenance, the likelihood of failures increased along with the potential for more severe consequences than if coordinated, proactive measures had been taken.
Customer Suitability Risk
Customer suitability risk focuses specifically on delivery of an inappropriate solution to the customer or ultimate user. Over time, the inappropriate solution would be expected to increase the recipient’s overall risk exposure and decrease their satisfaction with the result provided. While this may appear to be a risk assumed by the customer, it must also be addressed from the perspective of the infrastructure provider due to the potential impact of the risk on the provider’s reputation, their ability to attract future clients, and perhaps even the ability to retain certification credentials. Often this risk is not realized until some time following program completion after the customer has experienced multiple adverse outcomes resulting from the agreed upon course of action. The contractor may have met all technical requirements, and may even have provided exactly what the customer requested, but for some reason, the solution was inappropriate.
Customer suitability risk may have the same end result, a dissatisfied customer, as the specific example of agreement termination risk where an understanding is assumed but the commitment is one-sided. However, the root cause is different—since the parties to the agreement initially considered the course of action mutually acceptable, the provider is typically held responsible for the inappropriate solution. As the expert in the shared relationship, the provider should have a better understanding of the customer’s long-term, overarching needs and the most comprehensively appropriate means for meeting those expectations.
A case in point would be a community that is desperate for more local transportation capacity. Alternative solutions for supplying that need could include widening existing roadways, adding a different complementary form of transportation, or submerging the existing roadway to limit access and increase flow. The provider may be able to meet customer goals by utilizing any of the alternatives, but the overall appropriateness of the approach selected is the first step to maximizing suitability. If the area is already under air pollution sanctions, an alternative that decreased long-term air quality, even if it was the preferred customer solution in the short term, would be unsuitable. Selection of an alternative that required extensive customer retraining (e.g., getting customers to switch to mass transit from private automobiles) would add complexity and risk of failure to the implementation of the solution.
Alternatives that rely heavily on new technologies may be unsuitable for certain customers due to the inherent unknowns related to the performance, maintainability, and functionality of an immature application. A highly technical solution would be especially unsuitable if the client is not known for being flexible in unknown situations or as being an early adopter of new technology (Table 4).
Table 4. Examples of Inappropriate Infrastructure Solutions
Root cause of unsuitable solution
Example of less than desirable outcome
Over promising the benefits of an alternative approach
Initial project doesn’t result in desired follow- on efforts
Underestimating the long term ability of the community to support the alternative
Low cost implementation has unaffordable recurring costs
The practical implementation of a solution is inconsistent with local norms
Pedestrian-friendly community bisected by freeway; or mismatch in architectural styles (e.g., colonial versus Victorian)
Limited usefulness of the alternative selected
Depressed roadway only functions properly in good weather due to flooding
Complex restrictions prevent customers’ ability to realize benefits
Access by general public to publicly funded garage limited due to security concerns at site location
There is no requirement that clients be external to the provider’s operating environment to be adversely affected by customer suitability risk. Internal employees are customers of the human resources and payroll functions. While employees may make specific requests, such as low-cost health insurance, if the parent organization knows that certain conditions have a higher incidence among its employees necessitating a specific level of coverage, it would be unsuitable to provide an employee health insurance plan that did not meet anticipated coverage needs.
In many industries and communities, suitability is governed by industry-wide standards or acceptable practices. Often, failure to achieve customer suitability occurs when accepted performance standards are not completely met. The collapse of Enron is an extreme example of not performing to accepted standards by giving misleading information regarding solvency, lack of transparency in contractual arrangements, and encouraging employees to hold large amounts of company stock in personal retirement accounts. As a result, courses of action were taken that were not suitable, in the long term, for direct customers, employees, investors, suppliers, or business associates, even though many of these participants were quite satisfied with short-term results.
What happens if the customer insists on a solution that the provider judges to be unsuitable? The provider has to determine whether the risk exposure can be managed to an acceptable level by employing strategies that either modify the probability of realizing the undesired outcome or reduce the severity of any likely consequences. The following strategies could be employed to successfully manage suitability risk depending on the provider’s risk tolerance:
•
The risk, from the provider’s perspective, is accepted with the hope that the risk will not be realized;
•
Attempts are made to transfer ownership of the risk to the customer by making it evident that the customer has accepted responsibility for the chosen solution;
•
The provider attempts to control the risk by implementing a pilot project or performing a detailed simulation (as is done for disaster planning) to gain additional insight into risk mitigation alternatives; or
•
The risk could be avoided entirely by declining to participate in the endeavor.
Operations Risk
Operations risk includes all undesirable events associated with the processes required to create and deliver the final product. Most of these processing activities are accomplished within the internal environments of each active participant and are directly related to providing the final product (e.g., design, construction, and management support functions). Additional processing functions shared by customers, suppliers, and subcontractors may be included in overlapping internal boundaries that result from ongoing partnerships and alliances.
Not all sources of operations risk are under the direct control of the provider or even directly related to processing tasks. Weather events, natural disasters, pandemics, and fluctuations in the global economy are categorized as operations risks since these events disrupt required processes. While completely external events are beyond the direct control of internal actions, by examining the root cause of the anticipated disruption, strategies can be employed to reduce the likelihood of the event or the severity of any adverse impact.
For most organizations, the greatest source of risk, at least in terms of frequency, are events related to operational processes including threats to physical and intellectual property and process malfunctions. Adverse effects on physical assets are realized as infrastructure damage, processing equipment breakdowns, ruined inventories, and any other events, such as theft, utility outages, administrative errors or data loss, that disrupt normal operations. Operations risk can originate from internal sources—governance and oversight lapses, facility design or maintenance problems, employee errors and difficulties implementation process changes; or from external sources—natural disasters and pandemics, increased liability exposure, competitive pressures, customer demands, government regulations, and foreign trade and investment impacts.
Risk events that impact operations are often closely aligned with program activities. Program plans and other documentation are invaluable information sources regarding the resources, tasks, and conditions that must be coordinated for successful program completion. While many program activities are directly or indirectly associated with an organization’s internal processes and support functions, the root causes of operational risks may originate from either within internal boundaries or independently of program functions.
With expertise in specific program processes, technical professionals and discipline specialists have the ability to understand intricate operations and recognize problematic interactions. This detailed knowledge provides insight into not only operational uncertainty, but also into the situations that contribute to undesired outcomes.
Where these specialists are closely aligned with delivering program results, there is often a preference for addressing discipline-related symptoms over countering less obvious systemic root causes. A focus on symptoms is more prevalent when the organization or specialty has a tradition of established risk mitigation responses or if the underlying circumstance that initiates the risk event has an external origin. Standard means for alleviating risk exposure may also be part of an organization’s culture, such as testing to control quality or prototype development to improve technical innovation. While these methods have a historical basis in reducing the likelihood of an undesirable event or moderating its consequences, unless there is a direct impact on the root cause of the uncertainty, risk exposure is merely made more palatable, not dramatically altered (see Table 5).
Table 5. Risk Events Are Addressed Most Effectively by Targeting the Root Cause
Operations riskevent
Response tosymptom
Possible rootcause
Proactive strategy tocounter root cause
Hurricane damages building
Relocate operations away from coast
High winds and water damage building
Alter building design
Low quality workmanship
Conduct additional tests & reviews
Not accurately following instructions
Clarify instructions, test competence
Schedule slip
Mandate longer workdays, cancel time off
Subcontractor shipment delayed
Provide additional resources to subcontractor
Fraud, Theft
Install surveillance cameras
Hiring standards not enforced
Perform background check before hiring
Infrastructure efforts, as with any complex process having a large number of participants and multiple organizational boundaries, are highly susceptible to operations risk. Where program participants are accustomed to a program management risk focus (e.g., risk categories aligned with program functions or deliverables), it may be reasonable to subdivide the operations risk classification to be consistent with program divisions of responsibility, resources, or expertise. If results-oriented risk classifications (e.g., cost/schedule/performance, work breakdown structure, product deliverables) used are, care must be taken to address the underlying cause of potential risk events, rather than the symptoms, when assessing effective risk reduction strategies.
Proactively managing risk exposure, rather than merely dealing with its unpleasant side effects, requires investigating the direct and indirect contributors to every component of every process:
•
If resources are not available, why not?
•
Has an agreement termination risk been realized?
•
Has there been a change in an external relationship that previously had no impact on operations?
•
Was the situation caused by human error with a correctable cause?
•
If the risk was the result of a natural disaster, what prevented action from being taken that could have reduced the impact?
•
Did fraud or other deliberate deception promote the risk?
Legal (or Other Specialized Process) Risk
Because the operations risk category can be so broad, organizations having many high-probability or high-consequence issues that share a common process will often define separate risk categories to highlight distinct areas of concern. Specialized categories are typically used to assess and monitor processes that require high levels of expertise (e.g., legal, technical, or security knowledge), where the likelihood of latent errors is high, perhaps due to lack of transparency in or understanding of the process, and where any risk realized would have long-lasting or very detrimental consequences, such as death or the organization’s demise.
The main purpose of elevating an operations risk to a stand-alone category is to add visibility to a critical process that is not normally given widespread attention on a daily basis or may be overlooked in the haste to satisfy customer demands or achieve crucial goals. Legal and other specialized processes must often be initiated prior to the formal start of an endeavor when program-specific expertise may not be readily available for consultation and the risk focus of the organization is likely to be directed elsewhere. Coupled with the need to use exacting terminology to address specific provisions or concerns, risk events associated with specialized processes can expose the organization to severe consequences should errors be made. Instances abound of organizations rushing to secure agreements with customers or subcontractors without adequately venting and resolving potential legal issues or technical unknowns. Unless a clear understanding of mutual expectations and responsibilities regarding these processes is reached prior to the start of program activities, all participants may face increased risk exposure due to acting on incompatible priorities and objectives.
On large infrastructure efforts, any complex processing concern that requires specialized knowledge and could result in a catastrophic outcome would be a candidate for a distinct risk category. By segmenting such concerns from overall operational risks, these highly volatile issues gain notice within the organization. Since the quantity of experts in a highly specialized area can be relatively low and there may not be a widespread appreciation of the risk being generated, highlighting a critical area may be the best means of ensuring that areas of uncertainty are not overlooked or trivialized. However, care must be taken not to elevate too many processes to distinct risk categories. Not only is the potential for explicit attention diluted with more categories, but the addition of more boundaries and hierarchies to navigate within the processing scope adds complexity to the entire endeavor and increases the potential for misunderstandings, errors, and overlooked hazards.
Data and Methodology Risk
Risk events that may result from the inappropriate or invalid use of data or analysis tools is categorized as data and methodology risk. Until more recently, the misuse or misapplication of information was often a minor area of concern. However, as the workplace has become increasing automated and computer-driven, problems arising from inadvertent data corruption or use of unsubstantiated analysis methodologies have increased both in frequency and severity. Data centers and analysis sub-functions are typically segmented as ancillary organization functions which collaborate on an as-needed basis with the primary product and service providers. Although there is the expectation of shared goals and concerns by information and program specialists, integrating an additional organizational component into program activities increases operational complexity and thus the likelihood of miscommunications or other errors.
Data and methodology risk is frequently realized due to the assumption that data applicable to a specific situation (e.g., pothole frequency in concrete pavement), would be an accurate predictor for a more generalized concern (e.g., potholes in all pavement types) and vice versa. Where no other information is available, the imperfect data may have to suffice, however, it should be noted that the uncertainty in analysis results has been increased by doing so. As with any identified risk, a risk reduction strategy would need to be employed to counter the increased exposure.
Methodology risk includes not only events that may result from employing a prediction or evaluation approach developed for a different set of circumstances, but also from less than thorough development and implementation of analysis methodologies. A primary example of data and methodology risk is using industry data and prediction models without customizing either to reflect specific internal conditions or the current operating scenario.
When custom analysis tools and models are developed, data and methodology risk is generated when assumptions are used in lieu of factual evidence to define data trends and distributions. This commonly occurs when a nonlinear relationship, such as an exponential function, is defined using only two data points or when it is assumed that a relationship remains valid beyond the original data range. While there may be a good rationale for relying on a less rigorous methodology for program predictions and analysis, this should only be done with the understanding that risk exposure has been increased due to the possibility of inaccurate or misleading results.
If data processing errors are made involving the use of otherwise accurate information (e.g., the wrong data file is loaded, a valid methodology is used incorrectly, or the correct data is entered but in the wrong fields), then the resulting outcome is considered an operations risk since the outcome results from processing mistakes. While the overarching concern on any program should be to adequately identify all applicable risks, without regard to category, when care is given to correctly segmenting potential risks into analogous classifications, common strategies for overcoming multiple similar risks become more apparent. This allows the risk reduction effort to be conducted with greater efficiency and effectiveness.
Valuation Risk (Both Relative Change and Loss of Value)
Valuation risk may result from the change in relative values of two or more resources or a change in the absolute value of any resource. While this is primarily thought of as an impact to program costs, fluctuations in value relationships can also affect decision making related to optimal resource mixes or make-or-buy decisions.
The changes in value between like items is not an indication of differences in quality, quantity or the performance of the resource. As long as value differences remain either constant or at the same proportion, no valuation risk has been realized. However, when either the absolute value of a resource changes unexpectedly (e.g., a supplier increases prices) or the value of one resource changes with respect to another (e.g., material costs per unit increase while labor costs decline), a valuation risk event has been realized. If an anticipated cost increase has been included in program planning to account for inflation or it was anticipated that labor input per unit would decline over time, then any changes in absolute or relative values within the anticipated range would not constitute a risk event unless the magnitude of the deviation varied significantly from the plan.
Adjustments in value may be the result of changes in supply or demand for a resource, changes in component values for a resource, or due to changes in resource location (e.g., country of origin) or purchase timing. In a global economy, changes in the relative values of a resource such as labor, even in an unrelated application, can drastically alter both overall costs and resource availabilities on a current effort. As the demand for construction raw materials increases in a high growth economy such as China, the availability and cost of construction materials is affected around the globe. This can occur even though the materials required locally may not be identical to those required overseas or be from unrelated suppliers.
Addressing valuation risk requires anticipating changes in unrelated product sectors and understanding how the fluctuations in one sector can affect another. When decisions are made to take advantage of pricing differentials due to location (e.g., outsourcing), it is also necessary to consider the additional uncertainty that may be acquired by introducing another boundary between a required resource (labor) and the target effort (providing the desired product). When differences in timing are exploited to achieve a cost advantage (e.g., buying in bulk, taking early delivery of materials, front-loading an effort), there is a risk that circumstances may change. Introduction of improved products or services or changes in program schedules could render the pre-purchased material or effort as less valuable than originally anticipated or could even drive the value to zero if the supplies or effort expended are later deemed unnecessary (Table 6).
Table 6. Valuation Risk Realized and Possible Root Causes
Original program plan
Valuation risk
Actionable root cause
Inflation estimated at 3% per year
Inflation exceeds 3% per year
Rate increases for the program duration are not agreed to in advance
Hire experts in a new technology area
Assign experts to a position requiring a lower level of expertise but pay at higher expert rate
Use of the new technology delayed by the customer
Stockpile materials when supplier ceases production
Materials never needed or are unusable when needed
Materials superseded by a better product or degrade while in storage
Decide to automate a process to reduce labor required
Efficiencies realized in manual execution reverses the benefit of the change
Startup costs push payback period beyond current program life
Assessing the Significance of Each Root Cause
In the risk management planning process, the participating organizations must define criteria for classifying the significance of each identified risk. Typically, broad rating categories are defined that are consistent across the internal environment and correspond to accepted industry practice. At a minimum, all participants in the current endeavor need a common understanding of the significance of each defined risk level and of the level of attention and immediacy of action each requires. As part of the risk assessment process, an exposure rating based on the combined significance of both risk frequency and consequence severity is defined for each event. While this results in the significance of each risk being summarized at a gross level (e.g., high, moderate, or low exposure), the supporting probability and severity rating scales consist of multiple subcategories that add granularity to the rating process.
Using risk rating data, all potential events are then ranked according to predefined guidelines. Some organizations employ numerical methodologies (a potential source of data and methodology risk) or frequency counts to prioritize events while others rely on expert opinion or majority opinion to rank events by utilizing multi-voting techniques (Fig. 4).
Fig. 4. Risk assessment process yields prioritized risks contributing to risk exposure
In setting risk priorities it is essential to explore all possible root causes that could lead to an undesirable event since even the smallest discontinuity in working towards a goal can magnify rapidly. If any potential risk source or anticipated point of origin occurs beyond the immediate program boundary, even within either a customer’s or contractor’s internal environment, or is completely external to the program scope, additional significance should be assigned due to the potential impact of unknowns on overall risk exposure:
•
Information on risk likelihood is less concrete;
•
Instantaneous visibility into when the conditions for the risk are at their greatest is less immediate; and
•
The ability to affect a countermeasure to either prevent or control the risk event is constrained.
As experience in disaster prevention and containment has shown, a small issue can quickly escalate into a full-blown crisis. In the overall construction of a multimillion dollar tunnel, the installation of ceiling tiles could almost be seen as a cosmetic enhancement, and the choice of epoxy a fairly minor decision. However, as was experienced on the Big Dig effort, a seemingly routine decision set in motion a chain of events that resulted in a catastrophic outcome. While there are literally thousands of these repetitive decisions made on every complex effort, it is often such overlooked or less emphasized concerns that prove to be the most significant in terms of risk exposure.
Many organizations include an evaluation factor in their probability and severity ratings to account for the complexity of the risk-related activity (e.g., crossing organizational boundaries or requiring the coordination of separate entities) or to account for the risk associated with making rating and ranking decisions using less than complete information (Table 7). Aside from using risk rating inputs to capture situations where there are excessive unknowns, any risk event assessed with less than complete information or confidence, could be tagged for additional monitoring or periodic review to take into account updated information.
Table 7. Rating Factors That Measure Interactions across Operational Boundaries
Likelihoodlevel
Maturityfactor
Complexityfactor
Dependencyfactor
Stability factor
a
Remote
Technology exists and can be used as is
Simple relative to current environment
Entirely within project control
External factors will not make any changes
b
Unlikely
Technology requires minor change before use
Minor complexity relative to current environment
Depends on existing product supplied from outside
External factors will make minor changes
c
Likely
Technology requires major change before use
Moderately complex relative to current environment
Depends on supply and modification of existing product from outside organization
External factors will make major changes
d
Highly Likely
Technology requires significant design and engineering before use
Significantly complex relative to current environment
Depends on new development from outside organization
External factors will make significant changes
e
Near Certainty
State of the art, some research has been completed
Extremely complex relative to current environment
Depends on finding development from outside organization
External factors will make constant changes
Data Collection and Development
Lack of sufficient data is a major obstacle faced when attempting to establish a relationship between suspected root causes and the problems that can result. Ideally, empirical data will be available to succinctly define a cause–effect relationship based on event probabilities and the extent of any anticipated consequences. While organizations make an effort to collect many types of information on internal processes and external interactions, there is typically never enough pertinent data to conclusively determine that an enduring relationship exists, especially in a dynamic, global environment. While not as desirable, subjective inputs and highly correlated information often offer the best alternative sources of decision-making information.
The most respected subjective inputs come from subject matter experts—those professionals with in-depth knowledge of a specific topic or subject area. Experts are often included in risk management planning activities to assist program personnel in brainstorming potential obstacles to success. Due to in-depth knowledge of their specialties, these experts should be able to provide supporting data or insightful speculation on event probabilities and consequence severities and any probable secondary effects. These specialists are then consulted to provide advice and recommendations on strategies and alternatives to pursue either to prevent or reduce the impact of the identified events.
Internal experts typically provide the most assistance in addressing issues that are distinctly associated with the current undertaking due to their intimate knowledge of
•
Internal processes—both the virtues and shortcomings;
•
Concealed motives—is the overarching goal to satisfy customers or enhance the local power structure?
•
Cultural norms—if mistakes are tolerated, expect lots of errors, despite proclamations to the contrary.
The experiences and opinions of external specialists should also be sought due to their assumed lack of bias regarding internal politics or risk-obscuring mantras (e.g., “we don’t make mistakes”). An outside perspective will aid in including information that would otherwise not be available on events experienced in other environments and provide insight into how outside organizations, with differing viewpoints and cultural norms, respond to specific threats.
There are risks associated with relying on too small a pool of expertise to perform risk assessment activities. Inadequate coverage of the range of risks faced can result if dissenting viewpoints raised by other disciplines or non-expert personnel are not given sufficient consideration. In organizations having a flatter and less hierarchical communications structure, knowledge gained by working across internal boundaries and addressing issues from a multidiscipline perspective supplements limited expert input.
To supplement expert opinion, it is generally helpful to review performance successes and challenges on prior comparable efforts. These lessons learned provide insight not only into the problems that were realized, but also feedback on the success of any risk prevention or impact-reduction strategies that were employed. Depending on the level of detail provided, event frequency and severity data might also be able to be gleaned from the lessons-learned documentation.
One shortcoming of using expert opinion and past experiences to predict future events is that all are backward looking. Where there is extensive similarity between prior and current efforts, and little has changed in the affected environments, utilizing past experiences would be expected to greatly reduce the time and effort required to identify and classify potential risks. More effort could then be expended on the areas of concern that are not adequately addressed by past experience.
Where there is very little similarity in the detailed execution of the current effort compared with prior experience, relying on historical information and opinions can yield a false sense of security—in such instances the unknowns of the proposed effort would considerably outnumber the known outcomes in past efforts.
In addition to the experienced-based inputs from specific operating entities, it is also important to address any unique or previously experienced interactions along organizational and activity interfaces. In larger organizations or in environments where highly complex programs are the norm, there may be expertise in working across subject matter and organizational boundaries that can assist in identifying areas of concern. As interfaces are crossed during the course of the program, any item left to conjecture and not specifically defined or any activity intersection having multiple contributors or crossing numerous organizational boundaries is a potential focal point for uncertainty.
Subjective Inputs as a Source of Risk
Social amplification of issues, especially in subjective evaluations, can be an obstacle to thorough, unbiased risk prediction. Shared experiences, or in the case of catastrophic events, situations shared via media exposure can overemphasize both the significance and the potential likelihood of an event. Even an issue of limited consequence (a short delay in program completion) can be repeated often enough and stridently enough that the significance of the issue becomes exaggerated. As the attention paid to a less worrisome concern becomes disproportional to its overall significance on the program, awareness and effort is shifted from more deserving issues, increasing risk exposure in the non-amplified areas. Even where empirical data is available, social amplification can be difficult to overcome, so strong is the tendency to be blindsided by euphoria or despair.
Assumptions are often made regarding information value based on whether the information is presented in a numerical or non-numerical format (Table 8). When ordered data or other relative information is described using a non-calibrated numerical scale, the user is more likely to conclude that the information is empirical, numerically exact and mathematically continuous. If the user then performs mathematical operations on subjective labels, not only are invalid results obtained, but more rigorous subjective information may be overlooked in preference for apparently numerical data. Subjective information that is presented so that it appears more rigorous and factual than warranted is a primary source of data and methodology risk.
Table 8. Common Misrepresentations of Subjective Information
Subjective analysistechnique
Subjective data
Use as ifcontinuous
Fallacy
Simulation results expressed as cumulative probabilities
10% cumulative probability of A, 15% cumulative probability of B
Assumed combined 25% probability of A and B
Cannot add cumulative probabilities, must collect a combined simulated probability for A and B
Rating scales: 1 or A is low, 2 or B is moderate, 3 or C is high
Event rated as moderate probability and high consequence
Tendency to multiply to get “6” for risk exposure
Exposure scale is also discrete, must look up intersection of B and C; “6” is meaningless
Extrapolating trends from minimal data
Assume missing data is consistent with 1 or 2 known data points
Use 2 or fewer discrete data points to define a trend
Any relationship can be defined for 1 data point; only linear trends can be defined with 2 data points
With the assistance of mathematical tools, such as simulation analysis, it is possible to use subjective, expert opinion for parameter input ranges to generate apparently rigorous, statistically significant outcomes. The danger of this approach lies in misrepresentation of the significance of any simulated data since it appears objective but is actually a compilation of opinion. Additional risk is assumed if simulated cumulative frequencies are treated as continuous values or if simulated conclusions are used to refute empirically derived recommendations.
Discrete information, especially risk rating scales, should only be expressed using nonnumeric labels. The purpose of expending effort on risk assessment and management is to reduce overall risk exposure, not to give a false sense of security from apparently rigorous, but unsubstantiated analysis. Numeric values should only be used for ratings if sufficient information is available to verify and validate continuous relationships between parameters.
Alternatives for Generating Empirical Data
Two fundamental enablers of reduced risk exposure are visibility (i.e., capable of being discerned) and transparency (i.e., lack of distortion or ambiguity) especially when applied to risk identification and assessment information. While self-preservation encourages covering up errors or divergent viewpoints in most organizations, it is only by knowing all perspectives and what has not worked well in the past that sufficient action can be taken to avoid problems in the future. Since it is not possible for even rarified experts to know absolutely everything, allowing unobstructed visibility into information sources, thought processes, and decision-making motives is needed to stimulate discussion regarding potential risks that were not initially addressed or insights that counter conventional wisdom.
Several methods, described below, are effective for adding rigor to available information when program boundaries obscure detailed data or where information regarding a future event is not readily obtainable. Subjective data, including opinions, can be captured and extrapolated to provide additional clarity and less ambiguous conclusions as long as results are not treated with more precision than deserved.
Simulation Analysis
Simulation analysis is beneficial for assessing the possible ranges of outcomes that could be reasonably anticipated from limited inputs—where minimal objective data is available and must be expanded using subjective information and assumptions, or a range of plausible outcomes can be determined based on variations in initial assumptions and inputs.
Simulation analysis is often used to predict future operating scenarios. Multiple outcomes with differing frequencies and impacts can be combined to predict a composite long- term forecast. This allows the organization or program to gain an understanding of overall risk exposure and the magnitude of resources required to offset the anticipated exposure over time. Since simulations provide projections of cumulative frequencies, conclusions should not be made regarding specific event probabilities.
Evaluating the interactions of plausible ranges of information can provide insight into expected norms and the likelihood of realizing extreme outcomes, However, care must be taken in the presentation of the information gleaned from simulation results to prevent misconceptions regarding the preciseness of analysis results. Of special concern is using simulated data as if the information were from a verifiable, independent source.
Prediction Markets
Prediction markets capture opinions of a range of expertise regarding a single question (e.g., Will the levees be breached in the event of a hurricane?) The markets are essentially a dynamic version of multi-voting since participants can change their positions on the resulting outcome at any time until the market closes. A key component of prediction markets is the monetary stake participants have in the outcome. While participants may derive a sense of satisfaction from participating and having their opinion registered, the potential of a monetary payback if their prediction is correct is designed to elicit their true thoughts on the question, not just the outcome that they might feel obligated to support. Equilibrium is achieved in the market when the prices for both points of view stabilize. Based on the percentage of participants selecting one outcome over another, the probability of each outcome is determined.
Prediction markets gathered widespread attention when it was proposed that a market be used to help predict future terrorist attacks. While there is every indication that useful information would have been obtained, it was considered unsavory for the U.S. government to run essentially a betting pool on when massive destruction and loss of life would next occur. Since then, prediction markets have been used very successfully to forecast sales figures and election results with greater accuracy than outcomes predicted by experts or from sampling surveys. While participants in the prediction market should have some stake in the outcome other than just winning their bet, it is not necessary for participants to have detailed knowledge of the subject area under assessment. Even though all participants in a market would not have complete information on the subject addressed, the benefit of the system is that it has the ability to capture subjective information or information that may have been rejected by experts as being insignificant or contrary to conventional wisdom.
Use of prediction markets is advantageous in situations where:
•
It is not feasible to gather empirical data (e.g., predictions of catastrophic events);
•
Sampling does not yield definitive results (e.g., an election that is too close to call); or
•
A previously untried course of action is being attempted (e.g. demand for a revolutionary product such as wireless networks).
By soliciting inputs from a broad perspective, the prediction market may be capturing widespread perceptions of fundamental cause–effect relationships. As an example, residents of a low-lying area may combine information on lunar cycles, when higher tides are expected, with knowledge of storm formations and past experiences with flooding to support opinions on levee breaches. Participants in the likelihood of a levee breach market may be capturing previously untapped information and combining it in unique ways to form conclusions that might otherwise be considered trivial or politically unacceptable.
Analogy
Logical inference, reasoning that like occurrences have multiple similarities, can be used to build on basic observations to extrapolate a broader conclusion. Use of analogy allows the maximum benefit to be realized from a limited initial set of information. As with other data manipulation tools, using analogy to replace missing information introduces data and methodology risk due to the reliance on assumptions in lieu of factual evidence.
Analogies in the form of power functions occur throughout the natural environment: leaf vein patterns are similar to tree branch patterns; the shapes of rocks are analogous to the shapes of mountains. In the industrial world, uses of power functions to reduce risk include building scale models to test design properties and initiating pilot programs to validate new processes. If the attributes of a catastrophic event, such as a levee breach, are scalable to a more easily observable event (e.g., water flow exceeding the capacity of a field irrigation ditch), it may be possible to relate the physical properties of the events to assist in predicting risk event frequency and severity.
Often it is possible to use analogy and internal experience to develop usable data from less concrete publicly available information. Data on the time and effort required to implement an earlier process upgrade could be assumed to be proportional to information in a news article documenting a competitor’s timeframe for incorporating a new technology. While data and methodology risk is incurred by assuming past internal experience is proportional to an independent external event, having more current information that can be extrapolated into prediction factors provides balance to possibly dated internal projections.
Establishing relationships based strictly on orders of magnitude is a straightforward application of power functions—the ratio of millionaires to billionaires could be assumed to be similar to the ratio of billionaires to trillionaires. On infrastructure projects, order of magnitude relationships might be observed between the frequency of small debris (one inch in diameter) blocking storm sewer drains and larger debris ( in diameter) blocking flood control canal pumping stations.
Using analogy to support gross-level event predictions is not a substitute for seeking to understand the root cause of the anticipated risk. While information from an analogous situation may provide an early warning that an event is becoming more probable, acting on the highly correlated event will not affect the probability of the targeted risk. Correlations, while helpful, are not a replacement for knowledge of true cause–effect relationships.
When using empirical information to postulate properties of an unknown event, it is important not to conclude that a definitive relationship exists. Events can be highly correlated in specific situations and useful as indicators of an anticipated but unproven outcome, without being infallible predictors. In the northern hemisphere, the winter season is highly correlated with the formation of potholes in pavement, however, it is the expansion of frozen moisture that is a root cause of the cracking that eventually leads to pothole formation. A calendar can be used to assist in predicting an anticipated frequency in pothole occurrence, but a calendar date is not a fundamental cause of pothole creation. To affect either the probability or severity of potholes, temperature or moisture variations must be countered; altering the calendar would be irrelevant.
Taking this example a step further to illustrate the increased risk exposure when operating in an external environment, risk control mechanisms that may be valid for preventing potholes in internally-managed structures (artificially keeping temperatures above freezing, preventing moisture from touching the pavement), are less workable when dealing with many external participants and differing operating environments. While it may be easy to envision the difficulty of controlling the physical environment affecting pavement that is beyond internal operations, similar issues exist in all scenarios beyond internal boundaries: local residents may be put at risk for flooding due to national priorities for more and deeper shipping lanes; regional drivers are affected by the choice of ceiling bolt epoxy made by the subcontractor of a local agency.
Mathematical modeling techniques, such as simulation and data extrapolation, are employed to expand the comprehensiveness of limited data sources. Analogies and empirical data that apply to a wide range of circumstances are combined based on observations and assumptions to assess potential interactions that may either moderate or increase risk exposure. While model outputs need to be interpreted consistently within the constraints of the original data and any modeling assumptions, insight can be gained into the range of possible outcomes, and expected extremes of the relationship interactions can be defined.
Multiyear scenario models are frequently used to predict an expected range of risk exposure based on the combined frequencies and impacts of internal and external factors. Long-term risk exposure is projected based on both optimistic and pessimistic predictions with extreme events and potential counter measures included as variations. The organization can then develop plans to address the characteristics that contribute to risk exposure extremes with full knowledge of the conditions that contributed to the predicted outcomes.
Achieving a Balanced Risk Evaluation
The overarching goal of any risk assessment is to balance the effort expended on risk reduction activities, including investigations and proactive intervention, with the expected loss in value (in terms of labor, materials, or bad publicity) if less or nothing was done. After appropriate actions are taken, the risk exposure assumed by the organization and affected participants should be at a level that all find acceptable. In some organizations an acceptable level of risk is providing continuous crisis intervention due to being an early adopter of new ideas or operating at a level of exposure that puts survival at risk on a daily basis. Others are so risk adverse that changes are only made to stay current with mainstream participants in the global environment, never venturing beyond accepted norms. Organizations that refuse to change at all, often in the mistaken desire to be low risk, are actually assuming extensive risk exposure due to the possibility of becoming inconsequential or obsolete.
Effort Expended Must Be Value-Added
The risk assessment and mitigation process must be rigorous enough to provide confidence that an appropriate level of uncertainty, from both internal and external sources, has been accepted. The risk evaluation effort should not be so intensive that it outweighs the resource expenditures that would be required to counter the consequences participants seek to avoid. Nor should it be so lax that essentially no risk reduction value has been achieved for the effort expended.
Many risk management efforts become enslaved by established processes that require specific analyses, detailed documentation and set review cycles. While a standardized approach allows sharing of common data and information and helps ensure all participants achieve a mutual appreciation of risk tolerance, risk management is not a one-size-fits-all process. Use of a common framework provides process transparency and synergy; however, since the acceptable level of risk exposure will vary with program scope and complexity, the extent to which the process is applied must correspond to unique program needs.
Avoid Undue Bias Based on Experience
The need to rely on past experience and personal judgment to identify and assess uncertainty can introduce prejudice into risk evaluation conclusions. It is human nature to emphasize what one is most familiar with, either personally or via shared experience. The challenge in looking to the future is to learn from past experience without expecting the experience to provide a complete representation of all internal and external situations that contribute to risk exposure. Since risk management is primarily forward-looking, overemphasizing past experience can severely hamper efforts to anticipate and articulate unknown events.
Bias in risk identification is not limited to past experience, it can also result due to peer pressure and social amplification. Through exhaustive media reports or internal repetition of events, groups and individuals may assume event importance or significance is proportional to communication frequency. Placing unwarranted emphasis and extensive effort on addressing less significant issues leaves little effort available to address the events that contribute the most to risk exposure. Not only can significant risks be left out of the analysis, but the priority of the risks included may not realistically reflect the potential impact on successful results.
Past experience, without the expectation of repeating specific outcomes, does provide a valuable overview of a range of issues that may occur in the future. If past experience indicates problems with valuation risks, for example, the organization should understand past contributors to the erroneous value expectations and initiate the necessary countermeasures to limit future occurrences. To adequately address all probable areas of concern, expectations based on experience cannot be allowed to obscure awareness of new conditions affecting the internal and external environments such as technology upgrades, revisions to governmental policy, formation of new alliances or modified customer expectations.
Address a Broad Range of Potential Risks
The effort an organization expends on risk containment should address both internal situations that can be directly managed as well as external unknowns that may only be influenced indirectly. By considering common denominators of risk exposure originating throughout the global environment, infrastructure providers and their customers can have a greater impact on incidental and inherited risks than by addressing each potential source of exposure as an isolated occurrence.
Any bias among risk evaluation participants regarding emphasis placed on one risk category over another can result in invalid perceptions of total risk exposure. Mitigation actions will not have the desired impact on comprehensive risk exposure if the most consequential events are either not identified or are incorrectly prioritized. False and misleading assessment conclusions can result in the predicted exposure level differing significantly from what should be anticipated. An inaccurate perception of the magnitude and significance of expected risk events increases the likelihood that proper attention will not be applied where the most benefit would be obtained.
Constraints on the scope of risks considered—by limiting inquiries to only core operations or well-known risk sources—can result in an artificially low prediction of exposure. Lack of understanding of the realistic level of risk faced may encourage lax enforcement of risk management policy or lead to the acceptance of additional uncertainty beyond what the organization would normally consider acceptable. Either outcome may expose the participants to a magnitude of consequences that would overwhelm available resources.
Proactively Respond to Root Causes
Proper identification and investigation of the fundamental sources of risk is invaluable in determining the most effective actions for alleviating risk exposure. In instances where the probability of an event can only be marginally affected by use of control mechanisms (e.g., inspections or prototype development), measures must be implemented instead to moderate the severity of anticipated consequences.
Events that result from external factors are typically the least well-managed using internally initiated control strategies. If a construction crane failure is due to an internal factor such as human error, it may be feasible to prevent the root cause through proactive intervention such as performance reviews or reallocation of job tasks. If the root cause of the failure has an external source, such as severe weather, it is not practical to try to control or prevent the weather phenomenon. Instead, strategies would need to be employed to lessen the impact of the event—perhaps reducing the worst outcome to injury rather than death, or being satisfied with an extended delay in completion in lieu of project cancellation.
Program-initiated actions, including risk control mechanisms, are best applied to situations within the participants’ internal environments; external factors may be influenced by internal actions but can seldom be directly controlled. Where a cause–effect relationship can be established between an event and the ensuing outcome, the ability to affect a more desirable result has a greater possibility of success. The ability of program participants to initiate actions that directly counter identified root causes is dependent on explicit knowledge of event interactions.
Where there is less knowledge of reciprocal actions or the relationship is merely highly correlated rather than directly linked, indirect stimuli are required to modify the likely outcome. A decision must be made whether to focus on reducing the probability of an event or accept the event and attempt to reduce its impact. The choice depends on the anticipated ability of internal actions to influence independent external factors beyond program and organizational boundaries.
Continuously Seek Information
Although participants may have every confidence that the actions and strategies initiated will decrease event probability or limit risk impacts, the dynamic global environment does not allow the luxury of assuming the solutions implemented will remain optimal or effective throughout the program life. Globalization creates constant flux in the overlap and configuration of internal and external boundaries and in the makeup of peripheral alliances. Root causes of uncertainty change over time, additional fundamental risk sources are added, and previously actionable root causes become less effective in transforming vulnerabilities.
The primary means for overcoming or staying current with dynamic conditions is to continuously seek new and updated sources of information. Not only is discrete information needed, but trends associated with relevant parameters are required to give insight to future conditions. Effort expended monitoring the internal and external environments and collecting pertinent data assists in updating assessment conclusions as well as supporting on-going risk reduction efforts.
While expert opinion is invaluable in understanding technology-intensive situations, shared insight through subjective inquiry such as prediction markets and analogous comparisons provides multiple perspectives and may capture new perspectives and insights and incorporate previously unexplored connections or correlations. Where links can be defined across participant and peripheral boundaries, common root causes that can be addressed with synergistic actions may become apparent providing more efficient application of risk management effort. Even in instances where expert and broad-based opinions differ, the inconsistency in perspectives yields valuable insight into areas requiring more investigation or situations where there are perhaps multiple root causes necessitating a combination of mitigating actions.
Maintain a Global Perspective
Throughout design, development, and implementation, effective risk management requires not constraining risk event consideration to highly visible issues or traditional identification methods. Infrastructure providers must maintain a global outlook that encompasses all direct and indirect operating influences. Without sensitivity to the “unknown unknowns,” infrastructure providers run the risk of unintentionally assuming more risk exposure than can be successfully managed. By remaining open to unconventional sources of information, encouraging collaboration across disciplines, and aggressively seeking conflicting points of view, the risk evaluation process is more likely to address the most significant sources of uncertainty. The very nature of infrastructure efforts—operating across organizational and cultural boundaries, providing products and services expected to function without failure—increases the need for transparency and collaboration to contain uncertainty and satisfy end-user expectations.
Bibliography
Banks, E., and Dunn, R. (2003). Practical risk management, Wiley, West Sussex, U.K.Defense Systems Management College. (2001). Systemsengineering fundamentals, U.S. Dept. of Defense, Washington, D.C.Defense Systems Management College. (2002). Riskmanagement guide for DOD acquisition, 5th Ed., U.S. Dept.of Defense, Washington, D.C.Lyons, J. (2007). Risk management for technicalprofessionals, draft Ed., ⟨http://www.Lulu.com⟩.Senge, P. M. (1990). The fifth discipline, Doubleday, NewYork.
Biographies
Jan Lyons is an adjunct professor in risk management at Southern Methodist University in Dallas. She is the author ofRisk Management for Technical Professionalswritten to address the complexities of managing risk in global operating environments by integrating program and financial risk management approaches. She can be contacted by e-mail at [email protected].
If you have the appropriate software installed, you can download article citation data to the citation manager of your choice. Simply select your manager software from the list below and click Download.
1532-6748(2008)8:4(231)/asset/95edba37-fb80-4c0f-b992-e47780ce3e3d/assets/images/large/1.jpg)
1532-6748(2008)8:4(231)/asset/e1e1c16c-79d4-4c98-a66d-356f6aebb122/assets/images/large/2.jpg)
1532-6748(2008)8:4(231)/asset/6e06f41c-e19c-4783-a4d8-bec4a5fd7272/assets/images/large/3.jpg)
1532-6748(2008)8:4(231)/asset/235abf34-bcc6-4994-9ae8-58ac0dbe235b/assets/images/large/4.jpg)
