Read an Excerpt

CHAPTER 1

DEFINE THE CONCEPTS AND TERMS

It is generally good form to explain the concepts and define terms right up front. This chapter, and most of this book for that matter, addresses the inner workings of corporations, projects, and their associated problems with regard to risk. Therefore, I thought it prudent to get some fundamental definitions and conveyance of concepts behind us. To that end, the next few pages address some of the major terms and concepts that you will need to comprehend.

Because this is a business book, the fundamentally technical issues are given a relatively light treatment; concepts are explained, but the really juicy technical aspects are eschewed. A guy like me, who is a technical sort at heart, usually finds it frustrating, if not downright difficult, to avoid launching into diatribes focused on considerations that more business-oriented folks would find less than interesting.

Therefore, in the text that follows, I generally direct you to other texts in which myself and other authors have addressed the technical aspects of the terms and concepts presented here. In one of my previous books, Risk Assessment and Decision Making in Business and Industry: A Practical Guide, 2nd Edition (see Selected Readings at the end of this chapter), I explore and explain much of the technical nature of these terms and concepts. The reader is specifically directed to that text for more complete coverage.

Now, if I were the quintessential businessperson reading this chapter, I likely would not want to read any more text relating to technical and/or conceptual information than necessary. With that in mind, I recommend that if you are less technically inclined, you press on in this chapter until you have read the "What Is a Project" and "What Are Risk and Uncertainty" sections. Upon finishing those sections, you might want to skip to Chapter 2 and read on until, in later chapters and sections of this book, you are directed back to Chapter 1 to read about a concept. This way, the context in which the concept exists will have been explained and the description of the concept will make much more sense.

WHAT IS A PROJECT?

So when I write about projects, just what do I mean? Any number of dictionary definitions for "project" include the following attributes. A project is

• Planned

• Large and/or important

• Long term

I agree with all of these characteristics, but for the context of this book, I would add these attributes:

• Budgeted

• Time constrained

Certainly a project should be planned. Most projects in modern corporations proceed through some sort of stage-gate process that typically includes steps that address assessing, selecting, defining, "building," and executing the project. Of course, planning should be holistic and include areas such as security and logistics, as well as commercial, financial, technical, legal, environmental, cultural, organizational, political, and other aspects.

By virtue of being identified as a specific project (with a name, dedicated staff, etc.), these undertakings usually are either large undertakings relative to the size of the business, important in that they might have significant financial, reputation/other impact, or both. Many corporations choose to employ their entire suite of project management processes only on "major projects." Typically, a major project is defined as one that meets or exceeds a defined threshold — usually a monetary value or capital-spend metric.

Most projects are long-term relative to other business undertakings but not necessarily so. For example, the planning phase for a one-night corporate event might take months, but the event itself (i.e., the project) is almost instantaneous. In a case such as this, the planning for the project becomes the project. However, it is more the case that all of the stage-gate project preparation activities and execution of the project itself are long-term relative to other everyday activities in a business.

It is typical that a project has an associated dedicated budget. Line items in the budget address costs associated with specific project tasks. Just how probabilistic budgeting can be used to great advantage in projects and portfolios is discussed in detail later in this book.

Most projects are time-constrained. This is different and distinct from the "long-term" item above. It is not unusual for a project to be outlined on a Gantt chart on which are described the various critical project steps and their absolute and relative timings. Each phase or step on the chart can be time-constrained, and the "sum" of all steps shown delineates the total project time.

WHAT ARE RISK AND UNCERTAINTY?

These concepts and definitions regarding risk and uncertainty were first put forth by my earlier work, Risk Assessment and Decision Making in Business and Industry: A Practical Guide, 2nd Edition. "Risk" has been defined in many texts and by a host of people in various disciplines. An individual's perception of risk depends mainly on the contextual setting in which that person finds him- or herself.

For example, denizens of a corporate finance group or trading department typically think risk is great! In fact, they seek it out. Why? Because higher risk means higher rewards. Without getting into discussions of distribution tails and other such perceived caches of reward, folks who make their living in the aforementioned disciplines know perfectly well that they would like to take on as much risk as they can handle (hedging and all sorts of other tactics are used to help allay the negative side of risk, but exploration of those concepts is not pertinent to this discussion). Certificate of deposit (CD) interest rates at your local bank work this way. If you allow them to tie up your money for a relatively short time (i.e., low risk for you), then the interest rate you receive is relatively low. Conversely, longer-term CDs yield higher interest rates because you are allowing them to have your money for an extended period (i.e., higher risk for you).

So, these finance and trading people run around seeking risk — although not more risk than they think they can handle. However, it is their job to maximize return on investment and, therefore, to seek to maximize the manageable risk. Their attitude is that a maximum amount of manageable risk is a good thing.

Contrast that with the people who inhabit the health and safety section or security department of a typical corporation. Their main job is to identify and eradicate even the smallest pertinent risks. To their way of thinking, risk is a bad thing and the world would be a perfect place if all risk were eliminated.

These are just two examples of myriad ways people perceive risk. As if that weren't bad enough, it turns out that people express their perception of risk using a wide range of metrics and formats. Consider the weather forecaster on TV. Typically, this person expresses the risk of foul weather using percentages ("Yes, folks, I'm going to say that there's about a 60 percent chance of tornadoes tomorrow.") or maps on which various colors might indicate the relative severity of winds or other indicators of inclement weather.

Even though it makes me break out in hives every time I run across this, some people are prone to equate risk with probability. It is not unusual to hear: "Yup, the risk of this not working out is better than 50 percent." Over the years, I have worked much with law departments, helping them evaluate cases, contracts, and the like. While it is true that if you have come to the typical law department to have something calculated, then you have made a grievous error, it is also true that, in my experience, attorneys are among the best practitioners at explaining in textual form any perceived and pertinent risks. Engineers tend toward quantitative expressions of risk such as cumulative frequency plots, while people in quasi-quantitative areas of endeavor tend toward semiquantitative expressions such as red/yellow/green (high/medium/low) "traffic light" displays, Boston squares, and the like. Just some of the formats and metrics typically utilized to express risk are as follows (some already mentioned):

• Percentages

• Colored displays

• Textual descriptions

• "Traffic light" displays

• Meters (like a speedometer in a car)

• Bar charts

• Boston squares

• Probability versus impact charts

• Cumulative frequency curves (see the Monte Carlo section of this chapter)

• Risk registers

• Tornado diagrams

and many other means and mechanisms.

In a walk across any corporation you will quickly discover a population harboring a wide variety of views on risk and that uses a cornucopia of mechanisms and metrics to express its perception of risk. As will be demonstrated in later chapters, the value of any project can only be properly assessed when the impacts of all risks have been considered and applied. A holistic accounting of risks has to be taken. That is, for any given project, risks from

• Law

• Finance

• Commercial

• Security

• Logistics

• Engineering

• Science

• Health and safety

• Human resources

• Planning

• Environmental

and other areas must be identified and integrated so that the full and combined consequences of all risks properly impact the perceived project value.

Well, that's easy to say but not so easy to do. So, how do you even begin such an undertaking? It starts with language. Later in this book, I address in more detail the importance of generating a common and agreed-upon set of terms and definitions that will facilitate communication between the various factions and fractions of an organization. There are some caveats to this, however.

First, if a person in a given discipline has long viewed and defined risk in a particular way, I have discovered that it is folly to attempt to get those folks to change their ways and adopt a "common method." I am of German descent. Upon a visit to Germany some years ago, I discovered that there were many dialects that compose the "German" language. This is typical of many languages. I also discovered that newspapers and other forms of communication in the area I visited usually employed "High German," which was a "dialect" that most Germans could understand and shared as a common means of communication. I decided later in life that this model was just what risk communication within an organization needed.

In any organization, then, it is my advice to "let sleeping dogs lie," so to speak. For example, if the finance department views and uses risk in a way that is radically different from the view and use in the health and safety department, then so be it — leave them alone (don't try to change their dialect). However, what we can do is create a set of terms and definitions that we will all use when we communicate with one another (but not, probably, within our given discipline) and to management — the High German model. This advice regarding language will be, essentially, repeated in a subsequent section of this book, and it bears repeating because it is fundamental and important.

So, with regard to risk and uncertainty, I determined that there were actually four terms that needed to be universally addressed and understood:

• Risk

• Uncertainty

• Probability

• Impact (or consequence)

Many risk practitioners whom I have met tend, in my opinion, to "mix and match" the concepts of risk, uncertainty, and probability. I view these items as four distinct entities. Let's start with risk.

If I were to ask you, "What are the risks that might cause you to be late in getting home from work tonight?" I doubt that you would respond "high," or "25, 16, and 47," or whip out a pencil and paper and draw for me a curve or plot of some sort. I'd wager that you would respond with verbiage such as, "Well, I could have a flat tire, or I could run out of gas, or the battery in the car could be dead ..." and this is what makes sense and is what I would expect. Therefore, as a "universal" definition, I submit that risk should be defined as

A pertinent event for which there is a textual description.

The text describing a risk can contain numbers: "The plane could descend faster than 50 feet per second, thereby invalidating the experiment ..." In addition, risk can be viewed as either a positive or a negative effect (viewing risk in a positive way really upsets some folks). However, to accommodate our friends who see risk as a good thing, we have to allow that statements such as "There is a risk that our stock will increase in value and make us all rich" are a valid expression of risk, as would be the statement "There exists the risk that the price we will pay for raw materials will be 20 percent lower than the price we put in our base-case calculations, thereby increasing our profits."

Risks with negative consequences will be termed "threats." Those with positive impacts will be defined as "opportunities." So, there are, according to this definition, two distinct categories of risks.

Risks, according to the definition offered here, also have a recommended format of expression. I recommend that a risk be expressed thus:

If (express the threat or opportunity) happens, then it will have (express the consequence) on our (express the context).

For example, a threat might be expressed this way: If the price of raw materials rises more than 10 percent, it will cause a significant decrease in our profit margin." An opportunity could be phrased like this: "If we land the new contract, it will increase our chance of building the new headquarters."

As anyone who has suffered the torture of attempting to get large groups of people — in a risk identification/ranking session, for example — to adhere strictly to this format knows, you have to be flexible with regard to the text actually used to express any risk. However, each expression should include the following:

• A description of the threat or opportunity

• A description of the magnitude of the risk's impact

• A description of the entity impacted by the risk

Usually two parameters are associated with any risk:

• Probability (of occurrence)

• Impact (or consequence)

We might be "sure" about either or both of these parameters. I usually employ the coin flip scenario to demonstrate this. If we get a favorable flip of a coin, say, "heads," then we might win $1. An unfavorable outcome, "tails", costs us $1. In this game, there is no uncertainty about the probability of getting a "heads" — it is 50 percent. There also is no uncertainty regarding the consequence: we either win or lose $1. Now, there are those who would argue that there is inherent uncertainty built into this scenario because, by virtue of the probability not being 0 or 100 percent, we are uncertain whether or not we will get a "heads" or a "tails." This I term "inherent uncertainty," which is unit-free, reaches its "maximum" at 50 percent, and exists simply because the probability is neither 0 nor 100 percent. By the definition offered in this text, "relative uncertainty" — previously and from now on referred to simply as "uncertainty" — is related to a range of possible values (outcomes) for probability or consequence.

So, in another scenario, we might harbor uncertainty regarding the probability. For example, we might hear: "The probability of the train arriving late is estimated to be between 30 and 40 percent." In this case, the 10 percent range is our expression of uncertainty with regard to probability. Impact or consequence is defined in the same way. For example, we might hear: "This change in the tax code will decrease the average tax paid by middle-income workers by $1,000 to $3,000." In this case, the range $1,000 to $3,000 represents our expression of uncertainty.

This definition brings with it some interesting consequences. For example, if you adopt this definition, it is valid to speak of reducing uncertainty (i.e., "making smaller" the range). It is valid to speak of reducing the absolute probability or consequence coefficients (for example, reducing the impact of an uncertain consequence from $100 to $300 to an uncertain consequence of $50 to $150). However, it is not valid to speak of reducing a risk. By this definition, a risk is

A pertinent event for which there is a textual description.

Therefore, if we reduce the probability and/or the consequence (uncertain or not) associated with a risk to a point at which we consider one or both of these parameters to be below our threshold for consideration, then the risk is simply removed from the list of risks. Given that the risk is a textual description of a pertinent event, it can't be "enlarged" or "reduced" — only its attendant probability and/or consequence can be so treated. Therefore, we do strive to reduce the magnitude of the probability, the magnitude of the consequence, and possibly the uncertainty associated with one or both of these parameters, but we do not strive to reduce the risk — only to eliminate it from the list of risks.

An increase or decrease in uncertainty does not have to coincide with a concomitant and respective increase or decrease in the magnitude of the probability or impact. This fact, I find, often runs counter to the intuition of many people.

---

Excerpted from "Modern Corporate Risk Management"
by .
Copyright © 2007 Glenn Koller.
Excerpted by permission of J. Ross Publishing, Inc..
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---