Chris Chilton CMIRM
Registered Chartered Project Professional
If you do not consider risk, you are in a risky business.
Risk is the stuff we don’t know enough about. Risk management is how we deal with the stuff we don’t know enough about. Uncertainty is the measure of just how short of enough our knowledge is.
This may seem terribly simple in the face of the growing complexity of the world around us, but simple appears to be as difficult to achieve as it is beautiful.
There is something called Occam’s Razor. This is the imperative that if there are two ways of doing something, the simplest will generally be the best way.
And that’s how I got into risk: A simple approach to an often overwhelmingly “complexicated” world. Over the years as an engineer, project director or barrister (I can lay claim to all three), risk well done has been presented to me as a risk register. This presupposes so many things. That all the risks are captured in the register. That the data is good. That relationships between operational and hazard, tactical and strategic risk have been captured. That “swarms” of risk have been identified. That the risks have been attached to strategic objectives, constraints or work breakdown structure. Often, what I have found, is that the risk register is an accurate representation of bad data. So, I became involved with risk to develop a true feel for extended enterprise risk management, majoring on the impact of context on qualitative risk analysis, measuring that context in terms of volatility, uncertainty, liability, complexity, ambiguity, novelty and outcome, “VULCANO”.
As a lawyer one deals with liability before quantum: why work the detail before you know your argument? And the same applies, or should apply, to risk. So as a risk manager, an understanding of the context, both internal and external is the kernel of good risk leadership: anyone can run the numbers.
So, I got started in risk by focussing on strategic risk information. The identification of risk to strategic objectives and the influence on risk imposed by business constraints. And whether an engineer, project executive or lawyer, risk is about everything you do. So, I didn’t ignore risk one day and take notice the next. I moved from an instinctive evaluation of risk to an explicit understanding that risk has to be top dead centre of everything we do.
Dealing with risk, the only thing that is consistent is that nothing is consistent. Risk management has to reflect the enterprise: it needs to by dynamic. No longer the fly blown register attached to the wall with now rusty drawing pins. The register (if that’s the way one chooses to represent risk) has to be a breathing document that moves and flexes and changes with the development of the business or the project or the enterprise. This is what makes good risk management exciting. One moves from strategic risk to operational risk and back again, compliance risk to hazard and control risk and always looking for the flip side: Can I use my risk to grow my margin? Back to Occam and his razor. The simplest irreducible delivery life cycle is definition, acquisition and execution. Risk and opportunity at each stage is so different.
This variety is exciting. If the business is doing well, by definition the office should be changing every day.
What I enjoy most in my work in risk and at the same time presents the greatest challenge is, simply, how we buy stuff, the central phase of my three-phase life cycle, acquisition, and the impact of that on how we build things.
Over time, how has the way we build things changed? And how has risk moved around because of that change.
In the middle ages, things were built by groups of craftsmen, almost always living in the same village and being related (think about the family names – Carpenter, Joiner, Smith, Mason and so on). The joiners, stonemasons, cabinet makers, iron-workers, glass- workers and the like would work on property after property throughout the village. This was a trades collective with each trade carrying the risk of its performance but with the risk of the whole being carried by the owner.
As transport changed and workers could travel, companies started to form, and two things happened. Tradesmen were employed by an entity and these workers could travel beyond the village to ply their trade. This was the beginning of the enterprise (discussed later) and risk could be carried by the enterprise or the owner or both. The enterprise provided a single point of contact for the owner. Over time risk shifted from the owner to the enterprise on the basis that the enterprise was best placed to deal with the inevitable riskiness of its operations.
When recession or downturn hit, then the advantages of all the labour being employed by one company and therefore accessible through and controlled by that company became a burden. This led to the widespread increase in the use of subcontractors, on call when required. But still, there would be a main contractor carrying out much of the work. This might still be described as an enterprise: still a single point of contact and all payments flowing through the main contractor.
In line with the wider use of project managers, main contractors and subcontractors were replaced by management contractors and works contractors. Often the management contractors do little physical work, sometimes enabling works building, facilities, communication infrastructure, accommodation camps and the like. Often payments flow between the owner and the works contractors so the concept of single point of contact is more difficult. This is the start of the extended enterprise, discussed further below. Risk now becomes far more complicated and its application more variable.
Now? We are in the world of early contractor engagement, early contractor involvement, collaboration, JV, alliancing, partnering.
I think these words hide something else. A pandemic lack of trust and an almost care-less attitude to commitment. The mobile internet lets us cancel, or set up, meetings at the very last minute, both activities evidencing a lack of respect. And in the aggregate as a behaviour, increasing delivery risk.
As the internet becomes ever more pervasive, counterintuitively or some would say axiomatically the demand for paperwork increases. Ostensibly to provide evidence for proper business activity and a defence against vice and wrong-doing but also to pander to our need to “get it in writing”.
So, what has changed? Procurement based on a degree of trust has changed to procurement bedevilled by suspicion and doubt.
What was once a clear allocation of risk has become a miasma of interlacing and interlocking roles, responsibilities, accountabilities and authorities.
We have multiple funding agencies
We have multiple main contractors – JVs, alliances and the like
We have multiple layers of contracts and subcontracts
The supply chain is multi-tiered. Tier 1s supplying Tier 4s, Tier 4s supplying Tier 2s and Tier 2s supplying Tier 3s and so on. And in particular we might have a fragile Tier 4 that is supplying all of our Tier 1s. Our vulnerability is off the scale and our susceptibility to supply chain failure increases along with overall supply chain “Riskiosity”.
But risk always comes back to the owner in the long-term.
I believe that any form of professional assessment or examination should never be a test of knowledge but must be a confirmation of expertise. Although I am midway through IRM’s International Diploma in Enterprise Risk Management, I felt that SER was the opportunity to confirm my expertise in risk. The Diploma thoroughly assesses the knowledge necessary to support professional practice. But SER confirms that practice.
The SER process is clearly articulated and is augmented by the excellent TITLE (professional standards code). It is the professionalism of IRM that makes its qualifications relevant and it is the quality of the documentation supporting the attainment of those qualifications that drives up the professionalism of the Institute. The acid test is one of relevance; have I used the material covered in SER and the Diploma in my practice? Everyday.
So why become certified?
Subjectively, if you are as good as you say you are, why not?
Objectively, more and more employers are citing IRM as the accrediting body for risk practitioners. I think we can learn from the established engineering institutions but if by quality not (yet) quantity, the publications of the Institute are internationally leading matching for example, the quality of the World Economic Forum’s Annual Risk report.
The extended enterprise has been with us for decades and the risk around such enterprises must be seen of at least equal importance to the other strategic drivers of cost, quality and economic and social impact. Joining the IRM as a member will enhance your knowledge and understanding.