The world got its first look at the 2010 Winter Olympics in Vancouver during its majestic Opening Ceremonies on February 12, 2010. But as the organizers know, preparations for that day -- and for everything else that transpired over the next 16 days as 258 medals were awarded -- had been underway for more than a decade. Since the formation of the Vancouver Bid Society in 1998 in an attempt to bring the 2010 games to Canada, something the city won in 2003, the main objective of elected leaders and government officials was to ensure that all Olympics-related functions, services and programs were ready on time and within budget.From the outset, they recognized the value of monitoring preparedness through an enterprise risk management (ERM) lens, asking the Risk Management Branch and Government Security Office (RMB) to lead the 2010 Winter Olympics Games ERM program on behalf of the provincial government. In the process, the Olympics risk initiative became the largest coordinated ERM effort undertaken by the province to date.
The RMB project team, which included Todd Orchard, Chris MacLean and Sharon White, compiled, collated and analyzed risks identified by dedicated staff within 29 provincial ministries, Crown corporations and central agencies. Together, they produced biweekly reports for ministry executives and financial oversight bodies and participated in weekly consultations with the Olympic Game Secretariat in its role as provider of project management oversight of the province's infrastructure and cultural commitments. They also liaised periodically with the Vancouver Organizing Committee (VANOC), which ran its own extensive and sophisticated risk management regime.
Illustrating the complexity of the endeavor, the reporting provided a rolled-up view of more than 300 risks and 400 mitigation activities. This process brought attention to critical vulnerabilities and created a mechanism to prioritize issues that required further action by the myriad government officials involved in the process.
According to Orchard, RMB was able to administer such a complex program by beginning with a clear understanding of the objectives. "All risk management efforts should link the goals and objectives of the organization to an event, project or program," he said.
The decision to focus first on objectives, before considering the risks was the key to the whole endeavor and resulted in two deviations from the way risk management had previously been handled in British Columbia. The first difference was to depart from the typical risk identification categories such as financial, reputational and legal. Instead, ministry officials were asked to organize their risks with regards to the province's core objectives, which included providing services for the games (e.g., food and water safety inspections to venues), creating Olympics-related programs (e.g., risks to community celebrations, business hosting activities), and delivering normal government service to citizens (e.g., child welfare). Instead, of starting with a risk category, they started with an objective -- the service that they needed to provide -- and later decided how it could be best categorized. From a risk perspective, this was a vital distinction.
The second difference was a move away from the more conventional "cause-and-effect" risk statement to a format that identified and separated the distinct elements of risk into risk event, cause and impact. Many of the initial cause-and-effect risk statements missed tying the risk to an objective, leaving officials to ask "so what?" If organizers cannot see how the risk could prevent them from achieving a specific purpose, it becomes difficult to establish why it is worth managing. But by using an "event, cause, impact" risk statement, objectives were explicitly incorporated into risk identification, allowing for an easier understanding of severity and a more natural progression to mitigation strategies.
Separating these risk elements improved the ability to analyze and report from an enterprise perspective. They could identify commonly occurring events, causes and impacts and relate mitigation efforts to specific causes. Reporting on the areas of biggest concern -- such as service delivery, privacy issues or budget constraints -- in both statistical and narrative format enabled the RMB to share information about the status of preparedness with decision makers in a more natural manner.
MacLean offered a real-life example of the benefits of such an approach. "One particular ministry has an office in Vancouver close to the venues and was worried about the effect of increased security and traffic congestion," he said.
One of their initial risk statements described this concern as "security and traffic prevents or delays employees from getting to work." It may seem like a low-level risk given all that was going on in Vancouver during the games, but part of what made hosting the Olympics so complicated was that, in addition to putting on an event that brought the whole word together, the ministry was also responsible for delivering regular services to the city. The real threat here was not the "security and traffic" aspect; it was about people not being able to get where they needed to be. The true risk was any situation that could prevent delivery of service (i.e., create gridlock). Concentrating on a specific cause rather than the objective to be accomplished could result in overlooking mitigation strategies that would allow service to continue despite the disruption.
For example, having employees work remotely from home or finding temporary workspace away from the events could mitigate the risk in this situation. It would allow the essential service to continue despite workers being unable to get to their usual office locations. The difference is subtle, but the change in thinking can open up new possible mitigation strategies.
To this end, one of the biggest challenges faced by the RMB project team was helping the various ministries think through the consequences of "what if" scenarios. Ministries were initially asked to consider impacts relative to the larger Games-related objectives, but few had enough information to accurately assess the value of their contribution to an event as large and far-reaching as the Winter Olympics. Understandably, individual ministries would often either exaggerate or underestimate the significance of their programs -- something that anyone who has tried to implement ERM at a company has likely seen from various departments.
In response to these difficulties, the RMB team asked ministries and agencies to consider the consequences in terms of impact on their program objectives. A catastrophic loss for a program was the total dissolution of that program. It was then up to the RMB team to assess how the loss of a program would impact overall Olympic objectives and adjust the severity rating accordingly.
The change was a call for increased reporting of mitigation implementation including target risk ratings and current risk ratings. Target risk was the predicted remaining level of exposure once all planned mitigation strategies were in place. Current risk involved re-rating their risks based on the mitigation implemented to date. This is where the risk register evolved from a risk identification tool to an objective assurance tool by providing senior decision makers with evidence that risks were being sufficiently managed and that the overall risk profile was improving.
By all accounts the ERM initiative was a success. Government officials were provided evidence and assurance of game readiness. The full risk register was updated monthly and contained the reporting information of all impacted ministries and agencies, including current risk ratings and the status of mitigation activities. The graphical representations provided an easy-to-understand status of mitigation activities. Narrative reports provided an explanation and context for decision making. And a biweekly "top 10" list highlighted the most-pressing issues. Having all ministry information on a single form provided an enterprise perspective and provoked some healthy competition as ministry executives sought to be the first to move their risk status from red to green.
There was significant value in identifying and analyzing inter-relationships and gaps from an enterprise perspective. "Our birds-eye view of risks allowed the team to see where the efforts of one group could create unintended consequences for another group," said MacLean. "For example, one government ministry was responsible for supporting a huge Olympic celebration in downtown Vancouver. The venue, however, was next to one of British Columbia's largest courthouses, and the Ministry of the Attorney General identified risks to the safe and secure transfer of prisoners to and from trial. By rolling up risks from across different ministries, government as a whole was better able to coordinate planning across organizations, set overarching priorities and allocate resources accordingly."
The reporting format supported rational and pragmatic decision making because impacts were clearly described. The economy was slowing so any decisions that could affect budgets received significant scrutiny. While these constraints might have extinguished some last-minute, big ideas, they also ensured that the province was prepared when the Olympic flame was lit.
Several agencies providing life-safety services identified potential capacity shortfalls due to the additional resources they needed to commit to the Games. By clearly identifying risks posed by this shortage of resources and by using the same methodology that other government agencies were using to identify and rate risk, they were able to communicate the urgency of their requirements to senior decision makers and secure the necessary resources.
The project was not without its challenges. Changing information needs became confusing at times. To Orchard, this was understandable, however. "With no precedent and because of the unique nature of this event," he said, "the team couldn't fully anticipate information needs and formats in advance." As such, both the information being sought, and the tools with which it was recorded, evolved over the duration of the project.
Compounding this situation was the introduction of a new approach to identifying risks. "Even for those agencies with a more mature risk management culture, this change in methodology -- segmenting event, causes and impacts -- sometimes required significant unplanned effort and adjustment," said Orchard.
Reporting agencies said they were frustrated on occasion by a seemingly one-way information flow. "We didn't do as well as we could at informing agencies who reported significant risks about the steps being taken at higher levels to mitigate those risks," said Orchard. "For example, risk related to protests, shared funding, extreme weather or catastrophic events were often beyond the scope of an agency to handle, but steps were being taken at more senior levels of government or responsibility for the mitigation was assigned to a different department."
As such, not everyone was aware of what was being done by others to mitigate risks they had identified. "A fair complaint...was the provision of timely, accurate and useful information to executive government," said Orchard. "We sometimes failed to report back to the risk owner on the status of the actions they sought and could have done a better job of that."
Managing a large amount of data via spreadsheet was time-consuming, error-prone and constraining. Significant effort went into organizing information and formatting the spreadsheet for presentation to executives. Orchard and MacLean recommend a system solution for a project of this size or for a unit performing a chief risk function. A relatively simple database would suffice for the collection, collation, analysis and reporting of information. They came away believing that commercial risk management software, if used, should be well-tested and familiar to users beforehand.
The branch provided risk identification assistance initially at bid development but did not become significantly re-involved until this project was initiated a number of years later. In the intervening years, the risk environment changed, including significant changes to the global security scene, games delivery, programming, venues, economic conditions and so forth.
The cross-governmental approach to risk management was new to many of the executives and senior managers receiving the reports. In addition, the Olympics were a unique, complex, one-off event for the province. In short, executives didn't know what they didn't know. As such, they initially didn't know what information to request. In the absence of such guidance and feedback, the team often assumed that no news was good news.
Many of the practices developed through the risk management initiative of the 2010 Winter Olympic Games have become regular practice for the RMB. Orchard and MacLean host risk management workshops and assist BC public entities with risk identification projects, processes and programs. Identifying discrete events, causes and impacts improves reporting, particularly from an enterprise perspective because it allows risk managers to see common root causes, even if the events are seemingly unrelated. In addition, by closely linking risk identification to the organizations' goals and objectives, the objectives themselves are reinforced.
"Sometimes we're so busy doing what we do that we forget why we're doing it," said MacLean. "By identifying risk events in terms of organizational objectives, it reminds us about our goals -- about why we're in the public sector."