ERM and Project Management

John Bugalla, Kristina Narvaez


November 1, 2011

In every industry, there are projects being designed, executed and ultimately evaluated. In the early stages, a great deal of time and effort is spent determining objectives, setting schedules and creating a budget. Unforeseen events always arise, however, and being able to anticipate those unknowns can be challenging.

One way to increase the odds is by embedding enterprise risk management (ERM) into project management. Although it may sound like a contradiction to use a concept designed to manage the risks facing an entire organization on a single initiative, many projects are complex enough to be considered ecosystems of their own. So, just as it does for the corporation, ERM offers a project manager a systematic approach to handle all the risks of any project.

The starting point for introducing ERM is the planning stage. A project manager should collaborate with all internal and external stakeholders to identify what can go wrong and how the project can be improved. Any risks should be considered in terms of their likelihood of occurrence, the potential financial impact and how quickly they could occur.

It is important not only to consider the impact that enterprise risks may have on the individual project, but also to look at the impact that the project's success or failure may have on the entire organization. While some projects are relatively simple and routine, others may be so large and complex that, were they to fail, they could have devastating consequences for the company's revenue and reputation.

Since they are in the best position to track risks, project managers need to develop a relationship with the organization's risk manager. The risk manager can then provide the project managers with the tools and techniques to manage these threats. By working together and sharing information, the risk manager and project manager can avoid some of the surprises that inevitably occur during every project.

At the Utah Department of Transportation (UDOT), Fred Doehring, deputy engineer of pre-construction, implements the ERM process for all new construction projects. Doehring facilitates a multi-day workshop that includes all internal and external stakeholders involved in the planning and execution of a given construction project. For a recent road expansion project, he invited a diverse group to attend the workshop. The team included a design engineer, drainage engineer, real estate coordinator, county representative, project manager, construction engineer, and traffic and safety engineer.

To start, the project manager gave the group maps, schedules and cost estimates for the expansion, and each stakeholder was then asked to identify any possible risks they could envision. Through a lively discussion, they were able to determine which risks were minor and which might be show-stoppers. By communicating with each other, the group was able to consider outcomes that were not immediately apparent.

For example, the need to move some utility lines for the road expansion was not thought to be a large problem until the county's representative explained to the group that the county was planning to move sewer lines at the same time. This meant that these two tasks had to be better coordinated with each other to avoid unnecessary delays. This risk would probably never have been considered without the feedback of the county representative at the workshop. There were no other stakeholders present who were aware of the sewer project.

After all risks were discussed, they were prioritized from those with the greatest potential impact to those with the least. This involved analyzing each risk and estimating the likelihood of it occurring. They also had to examine how the schedule could be altered and gauge the possible financial fallout for the UDOT.

The next step was to determine how to respond to or mitigate the identified risks. Each was assigned to a "risk owner," typically the functional manager of that area, who was then tasked with developing a mitigation strategy for their risks. These strategies were reviewed and coordinated between disciplines at weekly team meetings.

The final task at the workshop was to identify a trigger for each risk. (A risk trigger is an easily identified event that indicates that the risk has occurred or that its occurrence is now inevitable.) By doing this, the UDOT was able to better predict the potential pitfalls of the construction project even before it was put out for bid.

This also gave the UDOT a view of how interconnected all the risks were. Knowing and understanding this critical information early on allowed the team to identify the project's vulnerabilities and develop solutions they could implement immediately to avoid some risks. At the same time, it helped them anticipate areas that required special attention to avoid long-term threats.

Another example of ERM embedded in project management can be found in the strategies employed by MassDevelopment, a Massachusetts finance and development agency. Kristen Drobris, the company's senior vice president of risk management, is in charge of implementing ERM in all of the organization's development projects. When starting a new project, she also gathers all stakeholders and asks the following questions:

  • Are there any compliance or legal concerns that will impact the project's budget or schedule?

  • Are the project requirements clear? Could the requirements possibly change and impact the budget or schedule?

  • How was the budget determined? If the sponsor provided the budget amount without consulting the project manager, then changes can be expected.

  • Is this project a priority for the organization? If so, expect a lot of scrutiny. If not, expect that the project resources may not remain dedicated to the project.

  • How are the stakeholders assigned to the project? Are they dedicated to the project? Are performance reviews influenced by the project's outcome?

After these questions are answered and documented, the project manager can conduct a risk assessment. The risk assessment takes place with all key stakeholders. A chart is used to measure the likelihood of a risk occurring through a 1-to-9 scale (with 9 being the most likely to occur and 1 being the least likely). The impact side of the assessment is also based on a 1-to-9 scale, measuring the impact by cost, schedule, quality and scope.

In order to determine a risk's importance, its likelihood and impact scores are multiplied to determine the total risk score. The project manager, sponsor and key stakeholders then chart the risk scores in a heat map and set a risk tolerance threshold to determine what is deemed a critical risk. Critical risks are those that can have an impact not only on the existing project, but on the viability and reputation of the entire organization. These risks should be the main focus for the project manager in order to ensure the schedule and budget stay on track. He or she must also regularly review other risks to make sure they do not move up to critical status. Once a risk exceeds the project risk threshold, it becomes critical and must be prioritized.

After the critical risks are determined, each is assigned to a risk owner. This individual should send status updates to the project manager at least weekly. The risk owner must monitor the potential risk triggers, the likely range of the cost of the risk and the action plan to control the risk. From here, the team needs to develop a critical risk management plan to provide guidance to senior management on the cost of risk to the project (in both time and money) and the cost of mitigation.

Senior management can then determine whether or not a risk should be mitigated depending on cost, benefits and other factors, including safety, regulations and reputation. They may feel it is better to observe the risk and respond if there is any escalation of the risk exposure. Or, they may decide to implement risk mitigation measures but may need to provide additional funding. Either way, senior management must be committed to providing the resources (people, money and time) necessary for the project to succeed. Because of this, a representative from senior management should be the sponsor of the project and should be included as one of the key stakeholders.

As the project progresses, status reports should continually be issued to key stakeholders. Senior management must be included in the status review of milestones to determine if the project will meet the deliverables originally set forth. If there are fluctuations with the predetermined project goals, senior management will then be ready to approve expenses outside of the budget to implement mitigation or contingency measures needed to ensure the project's completion.

Finally, when the project is finished, stakeholders should have a follow-up meeting to discuss the lessons learned. Stakeholders can then see where the critical risks impacted the project and can evaluate if the proper risk controls and contingency plans were in place. This valuable evaluation provides insights on how to improve the outcome for future projects.

The Utah Department of Transportation and MassDevelopment have both successfully embedded ERM into project management. According to Drobris, this has provided many benefits, including increased risk awareness, better collaboration and stronger commitment on projects throughout the organization. The results have been increased customer and stakeholder satisfaction.

The goal of ERM is to embed risk recognition into every business decision. Too often, organizations have a static approach to risk management that deteriorates into a narrow, compliance-based effort that leads to underperformance. However, organizations that effectively unite ERM with project management can establish more reliable decision making, foster innovation and sustain peak performance. Combined, this will allow them to better serve their customers and achieve the ultimate goal of the project.

John Bugalla is a principal of ermINSIGHTS, an enterprise risk management consulting firm.

Kristina Narvaez is president of ERM Strategies, LLC, an enterprise risk management consulting and research firm.