A friend of mine (we’ll sonoma county rental homes him Al) was out looking at daycare centers with his wife. Their two year old daughter was ready to expand her horizons and learn the intricacies of social behavior and all the risks inherent in her new world. To Al’s dismay, no daycare center met the standards of control he would have expected in a daycare. This new world was fraught with risk. Doors weren’t locked and children could escape. Gates were not on the stairwell and children could fall and injure themselves. Peanut butter was in the fridge and children could access it. Al wasn’t willing to run the risk of introducing his daughter to this environment. Oddly enough, Al didn’t have similar controls in his own house. No childproof door locks, no stair gates, and peanut butter in his fridge – sometimes on the counter!!
It was clear to me that a person will hold an unknown environment to a higher level of scrutiny than a person who is familiar with the same environment. It also became clear that a person’s experience will determine the amount of risk they are willing to tolerate. For example, if I put three people in Al’s deficient daycare and put a jar of peanut butter on the counter, the first person with no children may shrug their shoulders. The second person with a child may say, “Maybe we should remove the jar of peanut butter.” While the third person who has a child with a peanut allergy may say, “I need a peanut free environment for my child. This is unacceptable.” This dependency on individual experience and individual risk tolerance becomes a greater issue to organizations. When trying to ascertain the level of risk inherent in a project portfolio at an enterprise level, it is difficult to compare like with like without a risk management process and model that will represent the enterprise’s willingness to accept risk.
The Problem
Risks that are not identified cannot be assessed. While an organization is dependent on a project manager to identify risks associated with a point in time project, there is no clear way to determine inherent risks to the organization. Organizations that have made the move to portfolio management have been successful at time management, resource management and time and budget status reporting at the portfolio level. While each of these advancements is a major achievement on its own, an organization that makes decisions on this data does so without a sense of risk associated with the performance of the portfolio. Decisions get made and risks are reacted to. Many issues are created due to unforeseen risks.
So what is wrong with this picture? After all, risk is an accepted part of business and life for pretty much everyone.
Risk is inherently a function of value and as such the more value at stake the more risk one is exposed to. Therefore, the notion that risk is a negative situation to be entirely avoided is a flawed argument, as this can only be guaranteed if/when an organization invests in cash cow initiatives where high value can be attained with no risk. We all know that cash cow initiatives are not sustainable and are the exception, not the rule.
The ultimate argument is found in the financial market where stocks and bonds are valued by level of risk tolerance. Bonds are considered safer bets and therefore yield lower returns while stocks are considered risky investments and are expected to yield higher returns. Over the past 100 years the financial market has designed numerous mechanisms to manage the dynamics of risk and reward with continued lessons learned along the way.
Independent of industry, size and source of funding (i.e. capital market, private equity, tax dollars), organizations must be well versed in balancing risk and reward if they are to survive and succeed in the competitive and volatile economy of the 21st century.