
A Technical Note On Risk Management

This technical note discusses the importance of risk management in project-based organizations, emphasizing the need for effective management structures to address strategic risks. It outlines the challenges faced by such organizations in capturing knowledge across projects and highlights the necessity of integrating risk management processes at both project and organizational levels. The note also reviews literature on project and enterprise risk management, advocating for a broader approach that encompasses financial and strategic risks to enhance overall organizational performance.

Uploaded by

yudho rahar


907M43

A TECHNICAL NOTE ON RISK MANAGEMENT

Donna Fletcher and Susan Newell wrote this case solely to provide material for class discussion. The authors do not intend to
illustrate either effective or ineffective handling of a managerial situation. The authors may have disguised certain names and other
identifying information to protect confidentiality.

Ivey Management Services prohibits any form of reproduction, storage or transmittal without its written permission. Reproduction of
this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to
reproduce materials, contact Ivey Publishing, Ivey Management Services, c/o Richard Ivey School of Business, The University of
Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail cases@[Link].

Copyright © 2007, Ivey Management Services Version: (A) 2007-05-24

Many question the point of new government-sponsored corporate governance codes and tighter standards
for accounting and banking when the strategic errors made at the top of an organization can easily ruin the
company. None of the existing regulations governs how a company should cope with the specter of
strategic risk. Company strategy needs to be checked, but it can only be managed effectively if the
management structure for monitoring and tackling strategic risks exists in the first place.

Business risks may arise from either internal or external influences and may be more or less under the
control of the organization. For example, an unscrupulous employee may embezzle company funds; an
information technology (IT) project may be significantly delayed, causing massive overspending against budget;
or major flooding may cause a plant to shut down and thus lose customer orders. Although nothing
we do is risk-free, these problems are more likely to occur when lack of management awareness and/or
lack of control of the potential risks is associated with a particular type of business. Safeguarding against
these types of risk requires both financial and non-financial control systems that support risk self-
assessment, early warning and timely issue escalation. Furthermore, critical information must be delivered
in sufficient time for management to take action to either protect or enhance stakeholder value.

Given the importance of managing risks, then, the focus of the background literature provided in this note
is the application of risk management from the narrow project level broadening to the organizational level,
within the context of project-oriented firms. We begin first with the challenges faced by project-based
organizations. In the process, the components of effective corporate strategy through risk management are
considered.

The focus of this note is risk management in a project-based organization, that is, in an organization where
the project is the primary business mechanism for coordinating and integrating all the main business
functions of the firm.1 The knowledge, capabilities and resources of the firm are built up through the
execution of major projects. The project-based organization is intrinsically innovative and therefore able to
cope with the evolution of production properties and respond flexibly to changes in client needs. However,
project-based organizations face difficulties in capturing and transferring knowledge and learning across
projects,2 with each project having a tendency to “reinvent the wheel,” rather than learn from what has
happened in previous projects.3 This difficulty in learning from previous projects exists because the
autonomy of a project from bureaucratic structures and processes provides its flexibility and at the same
time limits the extent to which efficiencies can be effectively shared. This autonomy and independence can
also work against the interests of corporate strategy and business coordination. For example, in his research
comparing project-based organizations to the more traditional matrix or functional-based organizations,
Mike Hobday found that the project teams felt they had achieved a highly effective and professional
approach to project management and implementation with strong team coherence and close identity with
the project.4 Project leadership and management were viewed as strong by team members, and internal
communications proceeded well. However, Hobday also found that the lack of regular reporting to senior
management created some tensions between project progress and corporate-wide strategies and goals.
Lessons learned from particular projects were not shared formally because there were no structures or
incentives for cross-project learning or communication. For a visual representation of the isolating barriers,
see Exhibit 1.

1 Mike Hobday, “The Project-based Organisation: An Ideal Form for Managing Complex Products and Systems?” Research Policy, August 2000, pp. 871–893.

Given this potential isolation of projects from the broader organizational goals, a need clearly exists to
have effective risk management processes in place at both the project and the organizational levels to
ensure that project team members do not engage in excessive risk-taking behavior that could have
disastrous implications for the organization as a whole. In this literature review, therefore, we consider the
literature on project and organizational risk management. We then present the findings from our case
analysis to develop a broader conceptual framework for approaching risk management in project-based
organizations.

RISK MANAGEMENT AT THE PROJECT LEVEL

The literature on risk management at the project level is discussed within the framework of project
management. The major steps involved in risk management of a project are risk identification, risk
assessment and the processes of prioritization and response to the risks.5 The authors note that risk
communication is also very important in successful project risk management. In a study of construction
design management, Chapman6 states that the way the identification process is conducted will have a direct
influence on the contribution that risk analysis and management make to the overall project management of
construction projects. The risk analysis stage of the project risk management process can be divided into
two stages: a qualitative analysis sub-stage that focuses on identification together with the assessment of
risk; and a quantitative analysis sub-stage that focuses on the evaluation of risk. The risk management
phase is concerned with the monitoring of the actual progress of the project and the associated risk
management plans. It specifically involves identifying, implementing and tracking the effectiveness of the
planned responses, reviewing any changes in the priority of response management and monitoring the
status of the risks.

2 Harry Scarbrough et al., “Project-based Learning and the Role of Learning Boundaries,” Organization Studies, November 2004, pp. 1579–1600.
3 Laurence Prusak, Knowledge in Organizations, Oxford: Butterworth-Heinemann, 1997.
4 Mike Hobday, “The Project-based Organisation: An Ideal Form for Managing Complex Products and Systems?” Research Policy, August 2000, pp. 871–893.
5 A. V. Thomas et al., “Modeling and Assessment of Critical Risks in BOT Road Projects,” Construction Management and Economics, April 2006, pp. 407–424.
6 Robert C. Chapman, “The Controlling Influences on Effective Risk Identification and Assessment for Construction Design Management,” International Journal of Project Management, 2001, pp. 147-160.

Given the myriad categorizations of the elements of risk management at the project level, for the purposes
of our focus study, we have organized them into three components:
1. Risk assessment (including risk identification and analysis)
2. Risk management plan (including risk response and controls)
3. Risk monitoring (including monitoring of the risk management plan, controls effectiveness and
communication)

Studies of the application of project risk management have focused on one or several of these three
components. Terry Williams7 provides a bibliography of project risk management research and notes that
historical evidence on projects shows failure to achieve targets. Research in this area tends to focus on the
contract, since it determines who is liable for the risk and therefore has the motivation to vitiate the risk.8
Success of project participation depends on who bears the risks, and on the vital role of risk analysis in
informing the contractual allocation of risk. Similarly, authors Alquier and Tignol9 focus on bidding by
small- and medium-sized companies through the European Project Risk Management (PRIMA) project and
find that risk knowledge captured at the bid phase supported by a precise definition of internal risk, project
and enterprise performance measures and a decision support system leads to more success. Vrassidas
Leopoulos et al.10 also studied the bidding process in construction firms and conclude that those firms that
strategically integrate risk management during the bidding process to determine whether or not to invest in
bids end up with profitable projects.

According to Schwab and Schwab,11 the most challenging aspect of project management is the proper
management of risk, or the balancing of potential opportunity against possible loss. The major causes for
problems in project management include inadequate controls that do not signal potential difficulties early
enough and clearly enough, continuing incorrect assessment of the remaining potential risks or of risks
based on wishful thinking, and management’s unwillingness to take swift and appropriate corrective
action, even when a problem is apparent.

Exhibit 2 summarizes the prescriptive results of the literature on project risk management. Project risk
management should begin at the bid phase of the project, continue throughout the life of the project,
emphasize communication and training in risk assessment, reward innovation and include lessons learned
in performance appraisals and the evolving risk management process. Finally, it is essential that the risk
management structure fit within the overall project management infrastructure.

RISK MANAGEMENT AT THE ORGANIZATIONAL LEVEL

Organizations face multiple risks, specific to their business and general to the global markets in which they
operate. That said, some industries are more prone to risk (e.g. financial services, environmental services
and petroleum exploration) and some firms within these industries take on more risk than their
competitors. Michael Walls and James Dyer12 studied petroleum firms’ risk taking and performance. They
note that although the finance theory of risk taking by firms posits return (i.e. shareholder value) for taking
on non-diversifiable risk, in the presence of asymmetric or incomplete information and other market
imperfections, firms will act in a risk-averse manner, at times avoiding risky opportunities. Consequently,
rather than focus solely on maximizing shareholder value, managers attempt to reconcile the interests of all
stakeholders, including themselves, employees, suppliers, customers and the communities in which they
operate.

7 Terry Williams, “A Classified Bibliography of Recent Research Relating to Project Risk Management,” European Journal of Operational Research, August 1995, pp. 18–39.
8 Ibid., p. 28.
9 A. M. Blanc Alquier and M. H. Lagasse Tignol, “Risk Management in Small- and Medium-Sized Companies,” Production Planning and Control, April 2006, pp. 273–282.
10 Vrassidas Leopoulos et al., “An Applicable Methodology for Strategic Risk Management during the Bidding Process,” International Journal of Risk Assessment and Management, Vol. 4, Iss. 1, 2003, pp. 67–72.
11 Bernhard Schwab and Helmut Schwab, “Better Risk Management: A Key to Improved Performance,” Journal of General Management, Summer 1997, pp. 67–75.
12 Michael Walls and James Dyer, “Risk Propensity and Firm Performance: A Study of the Petroleum Exploration Industry,” Management Science, July 1996, pp. 1004–1021.

The risk appetite of a firm is thus dependent on its risk culture. Kendrick13 points out that a firm’s risk
appetite is not static and is dependent on the organization’s risk culture. Managers are challenged by the
risk attitude of the organization in its environment and whether the employees share the same risk attitude
as the organization.

Until recently, risk management at the organizational level has largely focused on financial risks and their
management (e.g. hedging through derivatives and insurance). In a seminal article appearing in Harvard
Business Review, Kenneth Froot and his colleagues14 state that the role of risk management is to ensure that
companies have the cash available to make value-enhancing investments, regardless of competitor strategy
vis-à-vis hedging. Increasing long-term value (or earnings growth) is reliant on financial risk management.

A broader view of organizational risk management is currently referred to as enterprise risk management
(ERM). According to Schneier and Miccolis,15 ERM is a systematic approach to managing risk, which
means that risk factors and mitigation programs must be considered on a business-wide basis, internally
and externally. “Enterprise risk management provides an enhanced ability to identify and assess risks and
establish acceptable levels of risk relative to growth and return objectives.”16

The Committee of the Sponsoring Organizations of the Treadway Commission (COSO) provides a
framework for ERM that views objectives at the entity, division, business-unit and subsidiary levels, in
four key categories: strategic, operations, reporting and compliance. At the same time, the framework
focuses on eight interrelated components that are integrated with the management processes used to run a
business: internal environment (mission, firm culture, corporate and governance policy), objective setting
(strategic, operational, reporting and compliance goals and objectives), event identification, risk
assessment, risk response, control activities, information and communication, and monitoring. Exhibit 3
provides a useful cross-reference for the three elements of risk management at the project level, previously
discussed, as they relate to the eight ERM components.

ERM has taken on renewed interest due to the Sarbanes-Oxley Act of 2002, which imposes regulations on
public companies with respect to internal controls. Both COSO and the Public Company Accounting
Oversight Board (PCAOB) advocate linking the internal control efforts required by the act to specific risks
a company faces to better focus its compliance efforts, thereby reducing implementation costs.17

13 Terry Kendrick, “Strategic Risk: Am I Doing OK?” Corporate Governance, Bradford, 2004, pp. 69-77.
14 Kenneth Froot et al., “A Framework for Risk Management,” Harvard Business Review, November/December 1994, pp. 91–102.
15 Robert Schneier and Jerry Miccolis, “Enterprise Risk Management,” Strategy and Leadership, March/April 1998, pp. 10-16.
16 “Enterprise Risk Management — Integrated Framework,” COSO, September 2004, p. 2.
17 In August 2005, COSO released its exposure draft, “Implementing the COSO Control Framework in Smaller Business” for public comment. The guidance states, “A thorough and well thought-out risk assessment is a precursor to ensuring effective and efficient control activities.” In practice, then, implementation of 404 for small- and medium-sized companies appears to have a strategic risk focus. On May 19, 2006, panelists for the SEC/PCAOB Roundtable on Internal Control Reporting noted that external auditors improved their process with a top-down, risk-based approach and increased reliance on the work of others. See Exhibit 4 for a summary of Section 404.

Stephen Gates and Ellen Hexter18 surveyed 271 executives from a variety of industries on their use of
ERM and found that companies tend to begin measuring operating risks before they contemplate strategic
risks. Financial risk comes first, most likely because it can be quantified. Yet, practitioners report in the
survey that engaging in strategic risk management gives a sense of the risk likelihood, the potential impact
and the extent to which an issue is critical to a company. According to Adrian Slywotsky and John Drzik,19
even among the more advanced practitioners of ERM, the focus of enterprise risk management rarely
encompasses more than financial, hazard and operational risks (or those risks that can be quantified). Most
managers have not yet systematically addressed the strategic risks that can be a much more serious cause
of value destruction.

Laurie McWhorter and colleagues20 surveyed members of the Institute of Management Accountants
Controllers Council and found respondents that use a strategic performance measurement system realize
improved organizational performance, employee efficacy and an enhanced ERM system. The researchers
define the strategic performance measurement system as a management tool combining financial and non-
financial performance measures to reflect organizational strategy. It appears, then, that a hindrance to full
implementation (and effective utilization) of ERM is the lack of performance measurement of
organizational strategy and strategic risk management.

Jan Emblemsvag and Lars Kjolstad21 define strategic risks as risks that arise during the pursuit of business
objectives. They emphasize that risk refers to not only bad things happening but also good things not
happening. The authors also state that many companies fail from not capitalizing on their opportunities.
Strategic risk management is ultimately about being proactive — the effective business focuses on
opportunities rather than problems. Combining firm characteristics and risks is a crucial aspect of risk
management as well as strategy, yet is often not done in practice.

Similar to the lack of practitioner scrutiny of strategic risk management, Morris and Jamieson22 find that
there is a dearth of literature regarding the translation of corporate strategy into implementation,
particularly at the program or project level. The authors note that strategic management is dynamic,
ambiguous, complex, organization-wide and has long-term implications, hence both the need for further
study and the deficiency.

Linking the literature on project and organizational risks, Slywotsky and Drzik23 discuss project risks as
one of seven major classes of strategic risk. The authors suggest that the best protection against project risk
begins with a clear assessment of the project’s chance of success before it is launched, verifying the
importance of risk identification and assessment.24 However, they also argue that the risk of taking on each
new project is reduced by incorporating the knowledge and customer relationships the company developed
in the previous project, suggesting a crucial link between the project and the organizational levels, a link
that in practice is often difficult to forge.25

18 Stephen Gates and Ellen Hexter, “From Risk Management to Risk Strategy,” Conference Board Research Report, No. R-1361-05-RR, 2004.
19 Adrian Slywotsky and John Drzik, “Countering the Biggest Risk of All,” Harvard Business Review, Vol. 83, No. 4, 2005, pp. 78–88.
20 Laurie McWhorter et al., “The Connection between Performance Measurement and Risk Management,” Strategic Finance, February 2006, pp. 50–55.
21 Jan Emblemsvag and Lars Kjolstad, “Strategic Risk Analysis — A Field Version,” Management Decision, Vol. 40, No. 9, 2000, pp. 842–852.
22 Peter W. G. Morris and Ashley Jamieson, “Moving From Corporate Strategy to Project Strategy,” Project Management Journal, Vol. 26, No. 4, December 2005, pp. 5-18.
23 Adrian Slywotsky and John Drzik, “Countering the Biggest Risk of All,” Harvard Business Review, Vol. 83, No. 4, 2005, pp. 78–88.
24 A. V. Thomas et al., “Modeling and Assessment of Critical Risks in BOT Road Projects,” Construction Management and Economics, April 2006, pp. 407–424.

Performance outcomes, as a feedback to both project management programs and strategic risk management,
thus appear to be essential to successful corporate strategy. Project risks can only be effectively
ameliorated if the risk management process is linked to the broader strategic goals and if there is learning
from past experiences of situations in which risks were not mitigated. At the same time, a key problem in
project-based organizations is that the autonomy of each project isolates it from the broader organizational
context, making the sharing of lessons across projects often very problematic.

25 Harry Scarbrough et al., “Project-based Learning and the Role of Learning Boundaries,” Organization Studies, November 2004, pp. 1579–1600.

READINGS

Jan Emblemsvag and Lars Kjolstad, “Strategic Risk Analysis — A Field Version,” Management Decision,
Vol. 40, No. 9, 2002, pp. 842–852.

Stephen Gates and Ellen Hexter, “The Strategic Benefits of Managing Risk,” MIT Sloan Management
Review, Spring 2006, 6–7.

Kenneth Froot, et al., “A Framework for Risk Management,” Harvard Business Review,
November/December 1994, pp. 91–102.

Mike Hobday, “The Project-based Organization: An Ideal Form for Managing Complex Products and
Systems?” Research Policy, No. 29, 2000, pp. 871–893.

Alan Levinsohn and Kathy Williams, “How to Manage Risk — Enterprise-Wide,” Strategic Finance,
November 2004, pp. 55–56.

Thomas Peltier, “Risk Analysis and Risk Management,” EDPACS, September 2004, pp. 1–17.

Laurence Prusak, Knowledge in Organizations, Oxford: Butterworth-Heinemann, 1997.

Bernhard Schwab and Helmut Schwab, “Better Risk Management: A Key to Improved Performance,”
Journal of General Management, Summer 1997, pp. 65–75.

“Sentencing Guidelines,” Chapter 8, Guidelines Manual, November 1, 2004, available at
[Link] accessed January 2005.

Adrian Slywotsky and John Drzik, “Countering the Biggest Risk of All,” Harvard Business Review, Vol.
83, No. 4, 2005, pp. 78–88.

Michael Walls and James Dyer, “Risk Propensity and Firm Performance: A Study of the Petroleum
Exploration Industry,” Management Science, July 1996, pp. 1004–1021.

Terry Williams, “A Classified Bibliography of Recent Research Relating to Project Risk Management,”
European Journal of Operational Research, August 1995, pp. 18–39.

Exhibit 1

CHALLENGES TO PROJECT-BASED ORGANIZATIONS

Source: Mike Hobday, “The Project-based Organization: An Ideal Form for Managing Complex Products and Systems?”
Research Policy, No. 29, 2000, pp. 871–893.

Exhibit 2

PROJECT RISK MANAGEMENT: PRESCRIPTIVE GUIDELINES
FOR SUCCESS BASED ON THE LITERATURE

Source: created by author from research and interviews at Tetra Tech.

Exhibit 3

RISK MANAGEMENT PROCESSES RELATIONSHIP TO THE COMMITTEE OF THE SPONSORING
ORGANIZATIONS OF THE TREADWAY COMMISSION (COSO) ENTERPRISE RISK MANAGEMENT
(ERM)

COSO ERM    Risk Assessment    Risk Management Plan    Risk Monitoring

Internal environment    ×
Objective setting    ×
Event identification    ×
Risk assessment    ×
Risk response    ×
Control activities    ×
Information and communication    ×    ×
Monitoring    ×

Source: created by author from research and interviews at Tetra Tech.

Exhibit 4

SUMMARY OF THE PROVISIONS OF THE SARBANES-OXLEY ACT OF 2002

Section 404: Management Assessment of Internal Controls.

Requires each annual report of an issuer to contain an “internal control report,” which shall:
state the responsibility of management for establishing and maintaining an adequate internal control
structure and procedures for financial reporting; and
contain an assessment, as of the end of the issuer’s fiscal year, of the effectiveness of the internal control
structure and procedures of the issuer for financial reporting.
Each issuer’s auditor shall attest to, and report on, the assessment made by the management of the issuer.
An attestation made under this section shall be in accordance with standards for attestation engagements
issued or adopted by the Board. An attestation engagement shall not be the subject of a separate
engagement.
The language in the report of the Committee which accompanies the bill to explain the legislative intent
states, “. . . the Committee does not intend that the auditor’s evaluation be the subject of a separate
engagement or the basis for increased charges or fees.”
Directs the SEC to require each issuer to disclose whether it has adopted a code of ethics for its senior
financial officers and the contents of that code.
Directs the SEC to revise its regulations concerning prompt disclosure on Form 8-K to require immediate
disclosure “of any change in, or waiver of,” an issuer’s code of ethics.
Source: Center for Public Company Audit Firms, [Link]
