Published in the Project Post-Gazette, January 2014
by Cheryl A. Wilson, PMP, PMI-RMP, CCEP
With the increased compliance and regulatory mandates organizations are responsible for today, the risk professionals’ role has increased in responsibility and complexity. Many organizations know they have to have a risk management function to comply with new regulations, but they are unsure where the risk professional fits into their organization and what this role actually encompasses.
From the risk professionals’ viewpoint, organizations are changing to meet the call for more transparency, tighter alignment with strategic objectives, and an increased IT footprint to comply with tighter reporting metrics. But senior leadership is not sure where to position the risk manager (RM) within their organizations. Many organizations are looking to fit the risk role into an already established position because they are not really sure where the best fit is. Is the RM a compliance teammate, an arm of the auditing function, or should the role roll under IT? To better understand where the risk position fits into an organization, this article will talk about the five core risk management principles all RMs need to implement.
Due to the increase in compliance mandates, metrics reporting, and overall requirements organizations now must comply with, senior management is finding these new requirements so intertwined with every department within their organization that the RM has to have a hand in the entire organization to meet these new mandates. If the senior manager or the project sponsor understands the reach this position encompasses, the greatest benefit can be obtained.
An overall role description of an RM is to advise their project/organization/industry on any potential risks that could affect the production of fit-for-use deliverables or business objectives. RMs specialize in a number of areas including enterprise risk, corporate governance, regulatory and operational risk, business continuity, information and security risk, technology risk, market and credit risk, or project management risk.
While there are several risk management professions, the core principles of the RM remain similar. Below are five core risk management principles all RMs need to establish:
1. Communication of the RM role. The roles and responsibilities of the RM should be clearly communicated to the project team, employees, organization, and stakeholders. As the RM will be managing risk across the portfolio, project, or organization, it is critical everyone knows their part in interacting within the risk environment. If senior management has not established the importance of, or the reason for, the RM asking for information or reports, then the RM will meet with resistance. No one wants an outsider on their turf. The RM should not need to battle turf wars to get the information required for compliance.
2. Organizational understanding of core risk principles. All proactive risk programs should start with an internal risk assessment/audit to determine the status of the project’s/organization’s compliance mandates, regulations, project assumptions and constraints. The results of this assessment/audit will be the framework for the risk environment going forward. Transparency about the areas of concern is critical. From this initial risk assessment, the risk manager should develop the risk management plan, tools and techniques, processes and risk environment under which the risk program will be managed. Gone are the days when risk programs are managed in a silo by one person. Teams should work together on a regular schedule to develop root cause analysis, mapping of risks to deliverables/objectives, trigger and issue management, and the management of risks. Risk owners and Subject Matter Experts (SMEs) should all know their roles within the risk environment.
3. The RM should have support from the leadership team. The risk environment needs the tone at the top to provide support and structure. One area we covered was that the risk function has tentacles into every area within the organization or project. This intrusion can be upsetting to those who are used to keeping information to themselves. Current mandates require reports and metrics across projects and organizations, therefore establishing the need for cross-pollination of information and the intermixing of databases to comply. This can only be done if the leadership team establishes the tone to encourage team collaboration.
4. Quarterly internal audits of the risk program. PMs and organizations on a fast track to project completion or meeting projected milestones will put the RM into the category of overhead. The RM functions are not part of the fast pace to complete milestones or business objectives. It is human nature that if corners can be cut, they will be cut to meet tight deadlines. However, if milestones or project success are tied to passing quarterly internal audits of the risk program, the dreaded steps to ensure a pass will become part of the process to complete the project or milestone. Risk management is time consuming, but managing a triggered risk that has now become an issue can stop the clock.
5. Risk management training should be continual. The risk environment should be communicated through training, either by monthly training sessions or weekly training snippets. How I provided training on my teams was to provide an initial PowerPoint training to all new team members, with quarterly pulse checks. During each team meeting, if there was any area of concern, it was brought up as a training item to ensure there was a continual environment of understanding of the responsibilities of each person.
All organizations are now in need of a well-defined, supported, and deployed risk management program given the new government regulations from not just Dodd-Frank, but the Patient Protection and Affordable Care Act, Sarbanes-Oxley, and about 12 other mega-legislative enactments that have been passed over the past decade. Risk is not just dealing with the chance that your chief Java developer will not show up for work; it now includes the real possibility that if your organization is not compliant with the hundreds or thousands of new regulations and requirements, it could stand to be fined and/or censured, thereby impacting both its future and its commercial or public reputation. Risk is about survival, not just checking off a box. Get with it!