Risk and Crisis Management

MGMT 6060 Module 8

Instructor: David Sumpton

Contact: [email protected]
Office hours: By appointment
Objectives:

- Define the ideal Risk and Crisis Management

processes
- Prepare to apply them in your Course Projects

Class discussion / Online self-reflection

- What is a “Risk”?
- What is a “Crisis”?

Examples ….
Risk management: the basics
 Risk mgmt
process
Engineers Canada: Public Guideline on Risk Management
• “A constant awareness of the risk management process, and some degree of
competence in its application, are essential for all engineers.
– The practice of engineering carries with it an inherent level of risk that
engineers must seek to understand and manage.”
• “Managing the risk … is arguably the most important step in the process as
responsibility has now been taken for assuming the risk & preventing any
undesirable incident from occurring …
– A key engineering tool employed in this stage is a management system
appropriate for the risks being managed.
• “Once a risk is accepted, it does not go away
– It is there waiting for an opportunity to happen
– Unless the management system is actively monitoring engineering and
…operations for concerns, and taking proactive actions to correct or mitigate
potential problems.”

What is the Risk Management System in your Project?

4 • https://engineerscanada.ca/public-guideline-on-risk-management
• Mastromatteo, M. “Shedding new light on the nature and availability of risk”, Engineering Dimensions, January/February 2013
© David Sumpton 2020
 Risk mgmt
Risk management: summary process process
Usually focused on engineering & operations; could just as readily be applied to product lifecycle

Minimize negative outcomes, through anticipating what can go wrong,

Goal and taking steps to manage trouble – during the project,

1. Identify what can go wrong

Process 2. Assess risks
3. Determine response plan
4. Determine contingency plan

• Any cognitive biases that may cause risk management efforts to fail
Recommended
• Any event that, should it occur, may result in high negative impact
focus
– Regardless whether it has a low probability of occurrence

• Define alternatives in rank-order with ‘business case’ for resolution

Overall action – Emotion: Decision-makers would like to see some alternative
action plans: ~ 3 scenarios, and recommended scenario
– Logic: provide the evidence; consequences for each scenario
• Larson/Gray, Project Management- the Managerial Process, 7th ed, 2018, Chapter 7
5
• Andrews, Engineering & Geoscience, Practice & Ethics, 6th ed, 2019, Chapter 6
• www.theiam.org, Academic/Research Network
© David Sumpton 2020
 Risk assessment
• Probability and magnitude of a loss or some other negative
Risk: definition outcome from an undesirable event.
• The outcome of the undesirable event; not the event itself.

• The amount of risk an organization is willing to accept in light of

Risk acceptance
potential benefits; must evaluate through benefit/cost analysis.

• The amount of risk an organization can withstand if an undesirable

Risk tolerance
event occurs; must be a hard constraint on all decisions.

Project Risk Assessment Matrix Project Completed by Date

Risk Assessment Risk Response

Undesirabl Mitigate,
Probability
e event Severity of Inability to Avoid, Contingency
of Rationale Who Where Why
impact detect Transfer, plan
occurrence
Accept
 Risk mgmt
1. Identify hazards, events and risks process
Events may give rise to different outcomes: negative outcome = risk; positive outcome = opportunity

• Hazards: physical situations which have potential to cause harm

Identify what
• Events: actions which may result in different outcomes
can go wrong
• Risk: negative outcome which may result from an event occurring

Might something • Given a particular event: might there be a positive outcome?

go “right”? – Opportunity management: the process to realize opportunities

1. Informal discussion
Process tools 2. Review of past projects & process
3. Formal Risk Breakdown Structure
– Created with a project’s Work Breakdown Structure
– Risks are matched to major engineering & project activities
4. Formal “failure mode and effects analysis”
– Mode: Identify possible ways in which something might fail
– Effects: consequence of failure

• Baker K., Capital Budgeting Valuation, Hoboken, NJ, USA: John Wiley and Sons, 2011.
• Hubbard D., The Failure of Risk Management, Hoboken, NJ, USA: John Wiley and Sons, 2009.
7
• Larson/Gray, Project Management- the Managerial Process, 7th ed, 2018, Chapter 7
• www.theiam.org, Academic/Research Network
© David Sumpton 2020
 Risk mgmt
2. Assess & measure risks: starting point for discussions process
‘Risk’, by definition, cannot be ‘positive’. ‘Risk’ = negative outcome.

Assess in three different and unique dimensions

Assess risks a) Determine probability (or frequency) of the event occurring
b) Determine magnitude of the negative outcome, if the event occurs
c) Assess extent to which the event can be detected, and how

• May be measured in absolute, quantifiable terms

Assessment
measures – Probability
– Frequency
– Cost
– # people affected, acres of land …
• Or subjective measures
– Scale of 1-10, with 1 being ‘low’ and 10 being ‘high’
– Green, yellow, red (high)
– Caveat: this method may obscure facts, hide assumptions

8
• For example: what is a ‘medium’ or ‘yellow’ risk ??
© David Sumpton 2020
 Risk mgmt
2. Assess & measure risks: Risk Priority tool process

• The following example applies a scale of 1-5, in two dimensions

Risk Priority
Number (RPN) – Probability or frequency of event occurrence
– Multiplied by the consequence or ‘severity’ of a possible
negative outcome

High RPN = High Consequence / severity

priority to resolve
1 2 3 4 5
5 5 10 15 20 25
Probability /
Frequency

4 4 8 12 16 20
3 3 6 9 12 15
2 2 4 6 8 10
1 1 2 3 4 5

• Subjective and potentially very misleading….

– However, it is a good way to start the conversation about risks
9 – Followed by more quantitative analysis.
© David Sumpton 2020
 Risk mgmt
2. Assess & measure risks RPN, continued P 2 of 4 process

High RPN = High Consequence / severity • Original matrix

priority to resolve
1 2 3 4 5
– RPN 1-5: green
5 5 10 15 20 25
– RPN 6-14: yellow
Probability /
Frequency

4 4 8 12 16 20
3 3 6 9 12 15
– RPN ≥ 15: red
2 2 4 6 8 10
1 1 2 3 4 5

• Same matrix, different colour

High RPN = High Consequence / severity
priority to resolve
1 2 3 4 5 – Severity ≥ 4: yellow
5 5 10 15 20 25
– Severity ≥ 5: red
Probability /
Frequency

4 4 8 12 16 20
3 3 6 9 12 15
2 2 4 6 8 10
1 1 2 3 4 5

High RPN = High

priority to resolve
Consequence / severity • Same matrix, different colour
1 2 3 4 5
5 5 10 15 20 25 – Severity ≥ 3: yellow
Probability /

– Severity ≥ 4: red
Frequency

4 4 8 12 16 20
3 3 6 9 12 15
2 2 4 6 8 10
1 1 2 3 4 5
10

© David Sumpton 2020

 Risk mgmt
2. Assess & measure risks RPN, continued P 3 of 4 process

High RPN = High Consequence / severity

priority to resolve
1 2 3 4 5
• Normal vision
5 5 10 15 20 25
Probability /
Frequency

4 4 8 12 16 20
3 3 6 9 12 15
2 2 4 6 8 10
1 1 2 3 4 5

High RPN = High Consequence / severity

priority to resolve
1 2 3 4 5
5 5 10 15 20 25
• Deuteranopia (simulated)
Probability /
Frequency

4 4 8 12 16 20
3 3 6 9 12 15
2 2 4 6 8 10
1 1 2 3 4 5

High RPN = High Consequence / severity

priority to resolve
1 2 3 4 5 • OR … does it look like this?
5 5 10 15 20 25
Probability /
Frequency

4 4 8 12 16 20
3 3 6 9 12 15
2 2 4 6 8 10
1 1 2 3 4 5
11

© David Sumpton 2020

 Risk mgmt
2. Assess & measure risks RPN, continued P 4 of 4 process

• Probability: extent to which an event might occur; OR

RPN in three
dimensions – Frequency: how often the event occurs
• Negative outcome of the event
• Inability to detect the event

• If we apply the same scale of 1-5 in each dimension, using the

RPN range previous example, the RPN ranges from 1 to 125

• As noted, the entire process is subjective

RPN ‘score’
obscures facts – What does a ‘1’ or ‘5’ really mean?
– What does green, yellow or red mean? Does everyone see
colours the same way?

• If consequence of event is negative, how much negative impact can

Must determine we physically or financially withstand?
– Cost of repair, time, lost income, and irrecoverable losses
– Criminal liability, legal liability
12
– Health & safety, emotional trauma
© David Sumpton 2020
 Risk mgmt
process
3. Determine risk response
• Reduce probability (or frequency) of event occurrence
Mitigate • Reduce size of negative outcome

• Change planned actions to eliminate the risk entirely

Avoid • Do not start any ‘risky’ activity: requires self-control

• Pay a premium to transfer the risk to another party (e.g. insurance)

Transfer – This does not reduce or eliminate risks
– Must still mitigate or avoid events within one’s control

• Make a conscious decision to accept the risk

Accept – If it happens, we will deal with it then

13

© David Sumpton 2020

 Risk mgmt
process
4. Determine Contingency plans; and where to begin
• “Plan B”: Define the actions to take, if the above response plans fail
Contingency
plan – When bad things happen, we already know what to do
– We are more likely to act ‘rationally’ under the circumstances

• Events with a negative consequence that the business cannot

Begin with … physically or financially tolerate
– Group similar events together
– Group similar negative consequences together
– Match events, and consequences, to the WBS tasks
– Examine WBS tasks; AND examine overall scope of project

14

© David Sumpton 2020

 Risk mgmt
process
Selecting risk response/contingency solutions: the process
• To what extent might solutions work as intended, and be effective?
Assess potential
solutions – Cost
– Feasibility
– Probability of success
– Expected benefits and likelihood of realizing benefits

• Prioritize the various solutions; create rank-order list

Consider
tradeoffs – Benefit/cost analysis
– Risk acceptance: how we might feel about this; subjective
– Risk tolerance: ability to withstand negative outcome; objective

• Propose recommended solution, with 2 or more alternatives

Make a decision – Appeal to emotions of decision-makers; give them a choice
• Explain why particular solutions are recommended: show the logic
– Write the business case to request formal approval

15

© David Sumpton 2020

 Risk mgmt
process
Risk Management: overall focus
• Desires to avoid ‘negativity’
Avoid cognitive
biases • Misplaced strategic incentives
• ‘Groupthink’ and pressure to deliver results
• Staff changes over time may affect accountability for actions
• Over-reliance on numbers and ranking can hide real problems
– E.g. Low-probability events with high negative impact
• Risk may be underestimated when level of understanding is low

1. Iterate through various alternatives and action plans. Consider:

Action plan – Possible trade-offs among resultant outcomes
– Financial, technical, environmental, social, community
2. Create a business case to recommend preferred action plans
– Once the business case is approved: commit to implementing it
3. Update plans as part of scheduled budgeting & reporting activities
– Integrate with operations: daily, weekly, monthly
16

© David Sumpton 2020

 Opportunity
management
Opportunity Management: opposite of Risk Management
• Take action to increase the probability of a (positive) event
Enhance occurring, and to increase the resulting positive benefits

• Eliminate the uncertainty associated with a (positive) event’s

Exploit
outcome, to ensure that it definitely happens

• Allocate some or all of the ownership of a positive outcome, to

Share
another party who is best able to realize it

• Be willing to take advantage of a positive situation if it occurs, but

Accept not take any explicit action to pursue it

• Revenues before Cost: cost savings are important; but revenues are
Focus more important. Need cash flow to sustain & grow the business.

17 Enhance, Exploit, Share, Accept: Definitions based on Larson/Gray, Chapter 7; and Hubbard op cit
Focus: adapted from Raynor, M and Ahmed, M: “The Three Rules: how exceptional companies think”, The Penguin Group, 2013
© David Sumpton 2020
 Opportunity
management
Opportunity Management
Revenue
Money
• Social equity and community benefits
• Interest & appreciation, as intended
when the business case was approved
• Environmental / climate solutions
• Delivered, as per scope
• Net cash flow is positive Cost
• Sufficient funds to meet expenditures
• Plus cash which can be
+ redirected elsewhere
Profit

☺
Time

18

© David Sumpton 2020

 Opportunity evaluation

Opportunity: • Probability and magnitude of a financial, operating, or other

definition positive benefit from a desirable event

• The opportunity evaluation and response process emulates the risk

assessment process, with a focus on desirable events

Project Opportunity Assessment Matrix Project Completed by Date

Opportunity Evaluation Opportunity Response

Desirable Enhance,
Probability
event Ability to Exploit, Alternate
Benefit of Rationale Who Where Why
realize Share, plan
occurrence
Accept
 Opportunity
management
Opportunity / Risk management: relevance to Projects
• What product/service should we introduce, maintain, grow, stop?
Business
decisions • What are the considerations for similar programs and projects?
• When and where? With whom? For whom? How? How much?

• Generally straightforward to estimate, based on past practices,

Costs supplier quotations etc; affordability (budget) may also be fixed
• Upward pressure from ‘unforeseen surprises’, unspecified
maintenance & upgrade costs; most of which can still be estimated
• Leaders may state benefits are ‘strategic’ (i.e. no immediate profit)

• Significant uncertainty
Revenues • Forecasts may be over-optimistic; do a sensitivity analysis

• Quantify the benefits: economic, social, environmental

Focus • Sensitivity analysis: different forecasts = different outcomes
• Risk tolerance: what we can afford to commit, before seeing any
20 positive return
© David Sumpton 2020
 Risk mgmt
Risk Mitigation Example: Ontario Building Code process
Building code act 1992, current to January 1, 2018; Ministry of Municipal Affairs & Housing

• Standards for construction, maintenance & occupancy of property

Municipalities
enforce it • Property that does not conform, must be repaired and maintained to
Ensure your contractors conform; or site to be cleared, graded and levelled
comply with code!!

• Building officials: chiefs, managers, planners, inspectors etc.

Practitioners
must be licensed • Certain classes of designers
May use products & • On-site sewage system installers
services of Software • Private companies hired by municipalities to conduct inspections
Engineers

Required • Land: lot, grading, zoning, conservation authority etc.

designs • Architectural: foundation, floor plans, specifications etc
Structural engineering: • Structural: foundation, framing, floor, roof, wall, details of connections
keep documentation!
• Equipment: HVAC, machinery etc

No time • Inspector can decide whether building complies with prior code
limitations
21
– Eg. No inspection done 30 years ago; they can insist on it now
www.mah.gov.on.ca/Page8591.aspx , www.ontario.ca/laws/statute/92b23 , www.london.ca/business/Permit-Licences/Building-Permits/Pages/Building-Permits.aspx© David Sumpton 2020
Case discussion – BP Gulf Oil Spill (optional)
 Crisis Management –

A subset of Risk Management:

Avoiding & mitigating the outcomes of low-

probability, high-negative-impact events

The framework is based on the following sources:

• Baker K., Capital Budgeting Valuation, Hoboken, NJ, USA: John Wiley and Sons, 2011.
• Hubbard D., The Failure of Risk Management, Hoboken, NJ, USA: John Wiley and Sons, 2009.
• Larson/Gray, Project Management- the Managerial Process, 7th ed, 2018, Chapter 7
• www.theiam.org, Academic/Research Network
• Kerzner, H., Project Recovery, Hoboken, NJ, USA: International Institute for Learning, Inc,; John Wiley and Sons, 2014.
• Coggins, A Framework for Crisis Management, Sage Publishing, 2009
• https://engineerscanada.ca/public-guideline-on-risk-management
 Crisis
management
Crisis management: a seven-step framework
• Define values, decision making process
Apply past process – Implement training, risk planning
Risk mitigation
& anticipation
• Hands-on executive & media contact
Appoint senior leaders – With a competent, autonomous team

• Esp. low-probability, high impact events

Monitor daily Look for early warnings – Apply technology AND people
operations
• Realize a problem exists
Understand the problem – Invoke risk management plans
When ‘stuff
happens’
• It’s likely bigger than you think
Assess the damage – Ask for help

• Fix it, own it, help the victims

Resolve crisis – Moral decisions are better than legal

Plan for the • Now: document events, thank people

24 Move forward • Later: update process, plans, teams
future
© David Sumpton 2020
Crisis management framework - details
 Crisis
definition
Crisis: people & property at risk; organization must fix it
• Personal concerns and life events within one’s ability to solve or
Individual crisis
seek help, are generally not seen by organizations as a ‘crisis’
• The better organizations have processes to anticipate and help
individuals eliminate or reduce their personal crises
– When individuals are healthy, safe, and contributing to the
extent they are able; society benefits

Organizational • Individuals generally do not have the personal accountability or

crisis capacity to solve such matters as:
– Environmental, wildlife and property damage
– Train derailments, fires, floods, explosions, wars, epidemics
• Organizations, such as business, government, and society itself,
generally do have the power to solve or mitigate such matters
• Therefore, organizations must define ‘crisis management’ plans
Adapted from ENGSCI 9501, 2017 Section Two, “Business and
26
Management: A Global Perspective”, David Sumpton;
© David Sumpton 2020
 Crisis
mitigation
Preparing, anticipating

1. Apply past Establish values, especially social values

process • Define hierarchy
– Need a Top Management decision making process
– Open, transparent management style is essential
• Implement process
– Risk planning, staff training, process improvement, safety

2. Appoint Must be an executive leader in charge

senior leaders • Someone engaged and collaborative with a hands-on style
• Crisis team must be appointed
– Trusted, competent experts who can get things done
– Generally consists of ‘operational staff’ and ‘working
professionals’

27

© David Sumpton 2020

 Crisis
detection
Monitoring: find trouble before it finds you

3. Look for early There may be a warning that something bad is happening, or about to
warning signals happen
• No matter if low probability OR low frequency of occurrence
– If higher impact; then invest more in monitoring
• If limited ability to detect problems
– Warning systems and (working) technology can help

Leadership Consider the ‘behaviour’ of people (including top management)

perspective • What are people saying?
• What are people NOT saying?
• How might people actually behave under pressure?

28

© David Sumpton 2020

 Crisis
resolution
Things are happening, now what?!

4. Understand Once something is detected and is beginning to happen…

the problem • Realize that a problem really does exist … what, where, when
• All facts will eventually become public; problems can’t be hidden
• Decide which plans and risk mitigation processes to invoke
– Who, what, where, when, how, and why (if known)

5. Assess Physical and emotional trauma is likely much bigger than it appears …
damage • How does crisis affect needs, interests, and perceptions?
– There is usually an immediate problem to solve
– And a less urgent, but possibly larger and longer-term problem
• Invoke risk mitigation process
– Determine causes of problems
– Ask for help from other people and organizations

Adapted from ENGSCI 9501, 2017 Section Two, “Business and

29
Management: A Global Perspective”, David Sumpton;
© David Sumpton 2020
 Crisis
resolution
Solve the immediate problem; and move forward
Be at the scene, fix it, and be seen to fix it -- NOW
6. Resolve crisis
• Announcements: contain the crisis and help others help themselves
– Own it & assume responsibility: by resolving it (not accusing or
blaming)
• Show compassion
• Moral decisions are usually better than legal decisions

Now: complete all documentation, perform ‘crisis post mortem’

7. Move forward • Thank everyone who helped
Later: Update and apply process, and risk mitigation plans (step 1)
• Focus on technical innovation, and knowledge transfer to others

30

© David Sumpton 2020

Conclusion:

What might the project manager do?

 Ideas for
success
What might the ‘project manager’ do?
• What would you like the ‘stakeholder’ perceptions to be?
Assess
perceptions ‒ How will you influence their behaviour?

Conduct a • Imagine three future outcomes

Pre-Mortem ‒ How can they be assured or prevented?

Build a • Identify scenarios with cash flows and decision points

decision tree ‒ Intentionally introduce conflicting alternatives and outcomes

Calibrate • What is the probability of success?

yourself ‒ Why? When?

Create thinking • The first hour of the day is for reflection

opportunities ‒ Watch for Confirmation Bias

32
Hubbard D. (2009); Various HBR (2015)
© David Sumpton 2020