A three dimensional prioritization model for projects in a political environment

Introduction

By evaluating projects on the three axes of monetary impact, political feasibility and communicability, these projects can be prioritized in a way which answers legitimate questions on best use of means. These questions can, should and will be asked by politicians. The model which we propose below allows such a prioritization.

Context

“Is this project the most relevant investment of my available resources, be these financial means, available people or my own limited time?” When prioritizing projects in a political environment, this is a legitimate question which a politician can, should and will ask of the public administration proposing a project. Whereas the question is legitimate, the answer needs an approach which is not readily available to administrations.

The administration can answer this question from its own perspective, but it then risks missing one or more key elements which do not play a role in its own decision taking but are highly relevant to the politician(s) involved.

Method

Based on a significant number of discussions with both politicians and public servants we have developed a straightforward and effective three dimensional model which an administration can use to transparently present different projects or project options to a politician or a group of involved politicians in order to develop a higher degree of buy-in for the proposed prioritization.

The first dimension – estimated monetary impact

This dimension provides a verifiable estimation of the monetary impact a project will have. It answers the question on how much the project will actually save, gain or result in, either for the public administration or for the constituency (either citizens or companies). This most traditional of measurements can be executed by means of different measurement systems, depending on the needs and nature of the project. For burden reduction projects for example, an analysis using a Standard Cost Model assessment of the situation before and after or the Regulatory Impact Assessment is most often used.

The second dimension – political feasibility

The second dimension assesses the feasibility of the project from a purely political point of view. Can we obtain an adequate level of support to realize all the relevant goals of this project? Even more importantly, are there no indications of any resistance to the realization of the project which can block it even before it gets started? This assessment requires a keen view on the current political reality or the expected political reality at the time of project approval and throughout the period of project execution. In order to correctly assess this, the administration will need the input and the support from the appropriate cabinet(s).

The third dimension – Communicability

This dimension is for a politician the most important, and legitimately so. After all, visibility ensures continued political relevance, and visibility is often a function of how well a project can be communicated. The purpose of this dimension is to evaluate the communicability of a certain project: how well can the purpose be communicated to a third party (citizen or company), and how much political support will this communication generate? Is it a viable news item? Will it be taken up by the news organizations, whether written, spoken and/or TV?

Benefits

The proposed approach allows the public servants to be more proactive in their relationship with the politician(s) and members of the cabinet(s), as argued in a prior article on correctly treating politicians as stakeholders. It prepares the ground for a decision by political appointees without forcing a decision on them.


Government as a true stakeholder to public administrations

Public administrations’ effectiveness, efficiency and economy are under threat from their current interaction model with the elected representatives of the people, the government and its ministers. I’m talking about a – changing but still quite present – reactive stance to ministerial or government decisions. I am quite convinced this issue can be partly resolved by a simple change in perception and related behavior at the side of the public administration, subject to acceptance of this changed approach by the elected representatives.

Public administrations and public servants look at government and ministers as active decision takers as regards their attributed areas of responsibility. After all, the minister is politically responsible. However, the political decision process that guides and directs the government and its ministers can be and often is a bottleneck. This bottleneck in turn influences the speed and direction of the public administration’s actions and thus its efficiency, effectiveness and as a result its economy. Whereas this is a very common and traditional situation, we need to dare ask the question whether this is the most optimal position of a public administration. I believe it is not.

Public administrations tend to see their ministers and government as CEO’s, whereas this is in essence not their role. They are chosen representatives out of an elected body. They are closer to a board of directors chosen out of the shareholders, and can significantly contribute to vision and mission. They should however not adopt a day-to-day role in the strategic or – worse – operational activities of a public administration. The administration, which in essence should be a-political in nature and staffed with a competent management team, needs to be able to continue to execute a long term vision, which is being “tweaked” or “influenced” but not or only in very few cases dramatically changed by the government or the ministers.

This is not necessarily different from what is happening today, other than the fact that the administrations spend too much time in limbo, waiting for direction from the government. After all, most of the (operational) activities of the administration will not significantly change no matter what the government’s direction is. Taxes need to be collected, whatever the tax rate or tax structure. Vehicles still need license plates, whether the number is associated with a person or with a vehicle. Food safety needs to be assured whether or not it incorporates the Commission’s REACH objectives …

Thus, an administration can commit to a long term action plan of improvement and change, designed by its president and managers, presented to its stakeholders (minister, government, parliament and even the wider population) and tweaked, fine-tuned in view of their feedback. However, an administration should not wait to take action in its areas of responsibility pending a ministerial decision which may be bogged down in heavy political negotiations. This delay is not acceptable to its stakeholders (enterprises and citizens alike) as they have limited to no understanding of or appreciation for this process.

I’m spending three days in Stockholm, attending the conference of the International Regulatory Reform Network, where effective and efficient government of stakeholders is high on the agenda. Possibly the most interesting conference I have attended in a long time.


The two most misunderstood words in any language: “Internal Control”

The words “internal control” provoke a range of reactions in an audience: from boredom, through astonishment and fear, back to total indifference. In this article I want to look for the reasons behind these reactions and for a number of concrete examples of why and under which conditions internal control becomes relevant.

A first explanation for the reactions has to do with expectations around internal control: introducing internal controls costs time and resources. People expect added value, preferably a quantifiable, preferably monetary return from a given measure. Most internal controls deliver no added value in themselves. They are only relevant when something goes wrong. In that case they ensure, at best, that the losses resulting from the problem remain limited. That is their purpose, and nothing more.

That brings us to a second aspect: the cost-benefit ratio. Internal controls are usually introduced under pressure from a supervisory body, such as the internal or external auditor, the Inspector of Finance, the Court of Audit (Rekenhof), the government commissioner … These supervisory bodies are looking for the greatest possible assurance. They care little about the cost of providing that assurance.

So it happens that a management team that is obliged to invest in internal control often does so reluctantly, because the pressure comes from third parties (point 2 above) and because there is little directly visible return on investment (point 1 above). Investments of this kind then tend to be treated as a poor relation. This is a great pity, because internal controls are then often introduced in incremental little packages, without a coherent set of controls being integrated into processes and linked to one another. Controls are then rather easy to switch off or circumvent. The already contentious added value thus becomes smaller still.

From experience I know that there are organizations in the public and the private sector that stay far away from internal control because they simply cannot sell the idea to their constituency. Internal control is thus the Cinderella of changes to organizational processes. A missed opportunity.

But what is this actually about? Ultimately we are working on the health of a process within an organization. The interesting thing is that quality management has been doing this for years as well. Where quality management originates in production environments and is very quantitatively oriented, internal control comes from the tradition of finance and reporting and works more around risks and financial exposure. There is, however, essentially little difference. It is merely a different perspective on what is essentially the same problem: how do we ensure that we make the best possible product or service with as few problems as possible, so that (a) our stakeholders pay as little as possible for it or (b) our shareholders earn as much money as possible.

The biggest challenge is finding the right solution for a specific problem. We must therefore let go of the perspective of control, quality or any other lens and look from the reality of the user or the operational manager. Afterwards one can look at how a solution is best developed. In my view, the best way to let go of this is to approach it from an overarching perspective of risk analysis. I am very glad that ISO, with its draft standard ISO 31000, is evolving in the same direction.

Let us make this very concrete: below I give three examples of identified risks, each with a quality angle and a control angle. It is up to you to determine which you consider the most relevant:

  1. The risk analysis points to a significant decline in customer satisfaction with our services. A quality approach develops standard procedures through which deviations in service delivery will be minimized. Internal control focuses on the timely identification of unacceptable deviations, as early as possible in the process. You can see that these two methods are highly complementary and supplement each other to a significant degree.
  2. The risk analysis indicates that, because of an ageing workforce, we as an organization are losing a significant part of our competencies. A quality approach will capture the competency requirements for performing the jobs in good job descriptions; internal control develops task descriptions and process descriptions. Both promote the development of knowledge capture systems, such as knowledge management, but each from its own perspective …
  3. The risk analysis shows that important strategic indicators are missing or are fed with incorrect information. A quality-oriented approach develops balanced scorecard indicators, while internal control will develop risk indicators. Depending on who is first or who owns a particular problem, one or the other approach will be introduced first. It is, however, simple to carry out a conversion.

The path for De Padt – 6 important points of attention for the government commissioner

The Belgian federal government carried out an internal reshuffle in the middle of this year. In it, Guido De Padt (OpenVLD) was appointed government commissioner. His assignment: starting up internal audit in the federal public services. For the record, the royal decree that prepared internal audit at the federal level was already written at the beginning of this century … and amended in 2007, but to date still without implementation. The path the government commissioner gets to walk is therefore clearly not an easy one. If he wants to go further than window dressing, he has no choice but to take the less travelled path. It will make all the difference.

I would like to put forward a number of points of attention for consideration in this challenging assignment. They certainly do not claim to be complete. They are, however, based on a combination of concrete experience in the federal public sector and experience with the reality of internal audit.

1. Maintain an apolitical position

A successful introduction of internal audit is only possible if it can happen free of political agendas. Not easy in a government, but extremely important because all political families (and a few political orphans here and there) are parties involved. This means that sufficient recognized expertise, which is certainly present in the public sector, must be brought into the execution of the assignment.

2. Learn from the lessons of the past

This is not the first time an attempt has been made to start up internal audit (but it is the first to receive this much attention). The reasons why it never fully succeeded in the past can still be found in various departments that have implemented some form of internal audit, whether or not under that formal name. The intention cannot be to learn these lessons all over again. Too much time is lost that way. The government commissioner should therefore first bring together all relevant information to obtain an overall picture, before new initiatives are taken.

3. Implement in a short period

This is an assignment that must be carried out within a very limited time frame. After all, the government commissioner has at most until the formal end of this legislature to present his results. Once a complete overview of the existing situation has been drawn up, ideally on the basis of an update of already existing analyses, a realistic plan of approach for the implementation must be developed quickly.

4. Respect all bodies involved, but make clear agreements in order to arrive at a single audit

Internal audit has a clearly different role from the Inspectorate of Finance and the Court of Audit. After all, the role of internal audit is to provide assurance, in the first instance to management and the federal audit committee. However, in an environment that already complains of heavy control obligations, clear boundaries must be drawn between the different roles, so that a maximum of reasonable assurance can be provided with a minimum of control burden on the processes: this is a de facto realization of the single audit principle.

5. Take care of the auditors

The problem of losing experts is not new to the government, but it should be solved for the internal auditors. An internal auditor has to be trained for a number of years before he is truly productive. This costs time and money, and there is a risk that the trained internal auditor leaves the government for a better-paid position in the private sector, as we now so often see with expertise built up by the government. This will certainly be the case in a recovering economy, because the number of active, certified internal auditors in Belgium is limited (I assume here that in order to perform a steering function in internal audit one must be able to present at least some form of certification). This means that the proposals developed by the government commissioner must take this scarcity into account. This is not (only) about the purely financial aspect, but the government must dare to be competitive in the market for these profiles.

6. Build the bridge to internal control and risk management

This last role will be the most difficult to fill. The government commissioner has also been given the assignment to prepare, in close cooperation with the Inspectorate of Finance, the transition from ex ante controls to ex post controls. An essential element in this is support for the introduction of the internal control system that will form the basis of this transition. No adequate internal control means no ex post transition. Concretely, this means that the government commissioner must be able to propose at least a number of models that are a sufficient condition for the transition.

Do you see any more challenges? Let us hear them in the comments.


Beyond strategy and operations – New horizons for risk management

You know, strategic and operational risk management as concepts are all very well, but something is missing … and I’ve been meaning to put my finger on it. Reading through David Allen’s excellent “Making it all work”, I understood there were two levels missing.

I have adapted some of his concepts to function in an extended risk management context. Here goes:

First horizon – Activity Based Risk Management

First, we need to be aware that we practice very concrete risk management on a natural level every waking moment of the day (and probably the non-waking moments of our lives as well). This risk management occurs in our day-to-day activities, and involves very practical aspects such as “Did I make sure I put a lid on that saucer?” or “Did I make sure that person gave me all the required documents to process?” It’s mostly intuitive, but it comes to the foreground as a risk often when responsibility transfers go wrong, or when people trained for a task without understanding the purpose of the task need to deal with exceptions.

Applying risk management in this context would be below the traditional operational risk management level, which I’ll discuss below, and can be referred to as Activity Based Risk Management. If we make sure we do not overburden the process of risk management at this level, using ABRM can be very beneficial to optimizing the results of individual activities.

Second Horizon – Project and Process Risk Management (or Operational Risk Management)

This traditional risk management delves into issues which can be found in either processes (ongoing activities) or projects (one shot activities) … and is quite often blended with some aspects of Activity Based Risk Management. High level process flows are designed and analyzed for risks. In essence, this second horizon presents the link between the actual execution, the concrete next action, which is assessed for risk at the level of the first horizon, and the strategic level. This type of analysis is familiar to most traditional consultants. An example would be all potential risks threatening the correct registration of vehicles, or the risks related to the disposal of a license tag.

Third horizon – Strategic Risk Management

All processes and projects should be related to a set of strategic objectives to be reached. We execute processes and projects (each containing multiple activities) to make sure these strategic objectives are reached. Strategic risk management then focuses on risks which can interfere with achieving these objectives. Again, this horizon can be found in most ERM and integrated risk management texts.

However, it does not end there: each strategic intent integrates and rolls up into an overarching vision.

Fourth horizon – Vision related risk management

At this high altitude level we aim to gain perspective on risks threatening the realization of our ultimate goal for the organization and even beyond the organization.

How does this translate to public sector?

Below you will find a table which gives you an overview of the four horizons, those responsible at each level, what we aim to achieve with risk management at this level and what a suggested frequency interval for dynamic risk management would be.

| Horizon | Responsible | Aim of risk management | Frequency interval | How formal? |
|---|---|---|---|---|
| Fourth | Minister and President of the FGS | Identify and manage risks related to the established political agenda | Yearly to ad-hoc | Very formal |
| Third | President of the FGS and management team (N and N-1) | Identify and manage risks related to the management plans | Every six months to yearly | Formal |
| Second | Members of the management team and operational leads (N-1 and N-2) | Identify and manage risks related to the processes and projects | Bi-weekly to every six months | Reasonably formal |
| First | Operational collaborators | Identify and manage risks related to the daily activities | Daily to bi-weekly | Informal |


I will extend some more on this, since there is more to this, as it is the first time we can integrate top to bottom without starting from the assumption that all risks roll up to the higher or highest level or roll down from there to the lowest. Each horizon has its own risks and challenges.

Let’s hear it in the comments.


MobiRisk – Why use a static and a dynamic phase?

People who have spent some time reviewing the MobiRisk methodology eventually arrive at the question on the difference between the static and the dynamic phases. The simple answer to this is that there is none. But in truth, the answer is a bit more complex than that. While there may not be significant differences in the steps to be executed in each of the phases, the context in which these steps are taken is significantly different, which impacts both the scope of the step and the duration and related investment in the step. Static steps are broad in scope, take a significant amount of time and therefore investment, whereas dynamic steps are narrower in scope and take significantly less time. This actually is the essence of the methodology.

Okay, let’s be more concrete and use an example I have been using since 2002 to illustrate this.

The Arctic illustration

Imagine yourself suddenly, magically transported to the coastal regions of the Arctic (North Pole area), with a large box and assurances that most of what you need to survive is present in that box. What do you do? Well, after screaming for a bit, you will eventually settle down and …

Static phase

… you will take a scan of your surroundings, making sure there are no immediate threats to your well being. You scan your environment and assess the situation and the event potential around you. Once you are fairly certain nothing can directly impact you, you will open the box. On top of a lot of other tools you find a wonderful, white, warm jacket and a pair of polar pants. There is also a cute little red hat and a pair of sunglasses. You put on the pants, the jacket and the red hat (remember, it’s freezing cold there) and you put on the sunglasses and do another 360° observation scan. Once assured nothing threatens you, you assess the contents of the box: you notice it’s a very large box, with in it a big gun, labeled ‘for shooting polar bears, only when life is threatened’ and a fold-up chair. It also contains some army meals which heat up when you pull the tab, and a large thermos of warm coffee or the stimulating drink of your choice. You take out the chair and decide to have a bite to eat … which you do.

In essence, you have assessed a new situation in which you have been put, as completely as possible with the available tools, and you have dealt with key concerns such as hunger, thirst, safety and comfort. You are in your chair, looking around and deciding the arctic region is, in effect, a very nice region to be in …

The static phase, whether used for an individual or an organization, entails an as complete as possible inventory of key risks which could threaten the objectives. In case of an individual, this would be survival; in case of an organisation, survival can be a key element too. After this time-intensive and first-priority inventory and assessment, corrective actions need to be taken. Quite often these actions need to be developed from scratch, and this too requires time and effort. The static phase is therefore time and resource intensive.

Dynamic phase

… when suddenly, you become aware of the relative heat of the sun on your new jacket. It is getting hot … but you quickly figure out there are a number of zipper controlled ‘vents’ in the jacket which you can use to control airflow through the vest. Having dealt with this, you turn your attention to your surroundings once more, and you notice a small speck in the distance. You dig in the box for your binoculars, and focus on what appears to be … oh no, a polar bear with a very hungry and determined demeanor, at full speed, running straight at you. You intuitively check whether you consider your life to be in danger. The answer, alas, is positive, so you turn around, grab the gun, aim and fire at the polar bear …

But you are not a very good shot. You have missed. You aim again, pull the trigger again, and are rewarded with a small “snap” sound of the trigger hitting the backend of the trigger guard. You are out of bullets. Meanwhile, the polar bear is getting dangerously close. What now? You reassess your options and quickly scan the small letters on the side of the box. You have not read these small letters, which state “Will protect one (1) person from polar bear attack.” You jump in the box, slam the lid shut, but not before smelling the foul breath of the polar bear … but you are safe … and you fall asleep, happy to have survived this ordeal.

In essence, you have reassessed the known situation based on the changes in this situation, and focused only on dealing with the changes, not with the rest of your reality which remained unchanged and in essence under control.

The dynamic phase, whether used for an individual or an organization, entails an assessment of the changes in a known situation which is considered under control. Any change with a potential of threatening the objectives needs to be dealt with, but after the initial and significant investment of the static phase, the subsequent investment in dealing with these changes is significantly lower. The economy of using MobiRisk comes to bear (pun very much intended) only fully during the dynamic phase.

We will leave you in your safe box, and return to reality. Let’s hear it for the comments …


Implementing MobiRisk – Step 1 – 4 objectives of the preparatory phase

Jumping right into a MobiRisk implementation would be a rather foolish thing to do. Even taking into account that the approach is not extremely complex, a number of preparatory steps are required and essential to get this type of project off to a good start. Each of the key steps which need to be executed in either the static or the dynamic phase needs to be adequately prepared. In addition, and as with any type of project, the requirements of the different stakeholders implicated in the exercise need to be taken into account.


Therefore, we suggest fulfilling at least the following four objectives in this phase:

  1. Develop an overview of the current and the required situation regarding risk management in the area under scope. In essence, this comes down to querying the key stakeholders in the activity, subprocess, process, organisational unit or organisation as to their specific requirements with respect to risk management. What is their actual need? However, we often find that in order to provide a meaningful and relevant answer to this question, the stakeholders actually require a training on the advantages and disadvantages of risk management. In short, they need a very concrete answer to the question: “What’s in it for me?” An often used tool in this is the traditional maturity continuum. Whereas I believe it holds value, it remains too one-dimensional. I would rather execute an assessment on multiple dimensions and represent them as a spider web for both current and required risk management, and perform a limited gap analysis on the most significant differences.
  2. In the course of the development and the implementation of MobiRisk, Van Waesberghe and I have come up with 13 critical factors determining whether or not the implementation will be a success. These are not necessarily complete, but they do give a good idea on whether or not there is more ground preparation to be done.
  3. Determining the risk appetite of the key responsibles and their oversight, if any. There’s been a lot of discussion on how to determine risk appetite. I can refer you to a good KPMG publication on risk appetite which sets the scene. What we’re really striving for here is ERM conformity and getting a sense of what the management team is all about with respect to risks. Do they prefer a very risk averse approach, or are they willing to take a risk? In essence, this has no direct use here but gives you as an implementer a flavor on what can and cannot be done in the further phases.
  4. Determine the required project and risk reporting standards. This goes two ways: first, we need to understand from the project leader what he or she wants in terms of information in the course of the project, but it also allows us to start developing risk reporting templates based on the information required by management and/or stakeholders. Adopting a first time right approach allows us to cover these requirements before major reinvestments later, due to missed requirements. Again, if management and/or stakeholders are not exactly aware what type of information can be reported in terms of risk related information, it will be valuable to provide a short training with key insights.

All in all, what is important in this phase is the development of key buy-in early in the project. In case the buy-in cannot be ascertained, it may just be wise to work a bit longer on ensuring the adequacy of this buy-in rather than to start and find along the way the support for the project is just not there. A more critical situation by far. Developing buy-in may also mean to recognize the sense of uniqueness some people have about their activities, even if they are, not in content but in process, significantly comparable to other responsibilities. It may pay to invest extra in separating certain initial assessments in different workshops and reintegrate in one risk identification model if considered relevant.

What I would avoid in this phase is too many workshops, and rather go face to face with key stakeholders in the process. It may seem less efficient at first, but this investment will be a small price to pay for a significant increase in buy-in early on in the project. In the course of the project, because of issues but also because the novelty wears off, buy-in will reduce. We need to make sure we have adequate margin to a certain critical threshold before even starting the project.

In a next post, I will discuss possible approaches to the Event Identification.

If you have any comments, please do not hesitate to post them …


Three (simple) steps to the integration of opportunities in risk management

One of the questions we’re often confronted with is the question on how to integrate opportunity management into risk management. The reasoning goes something like this: "But an opportunity is a negative risk, isn’t it?" (Hint, no, it isn’t) "So why can’t you integrate it into the risk management methodology?"

To be honest, this one had me stumped for quite a while. After all, an opportunity is not always simply an inverted risk, or the upside to a risk, as it were. An opportunity is quite often the answer to the question "What could we (easily) do better?" or "What are we not optimally using/exploiting?" The cost of not exploiting an opportunity is, in English, quite literally the "opportunity cost." Clearly, that line of reasoning does not bring us closer to the solution, because the opportunity cost is almost always skewed. For example, if I go out and buy a lottery ticket (Euromillions of course), that would cost me all of 6 euro. However, the pay-out last week was about 57 million euro. Hence, for the possible winner who decided against buying the ticket right before he put his 6 euro on the counter, his opportunity cost was 57 million euro minus the 6 euro he did not pay. The reasoning I see most often followed here is that we then multiply a probability ratio (often in percentages of likelihood) with the potential earnings … resulting in this extreme event, this ‘black swan’ to quote Nassim Nicholas Taleb, being undervalued and not taken into account when assessing risk and opportunity.

I recently got challenged by my boss to solve this issue. She was not aware of it when asking me to write a specific proposal, but the way in which the question in the tender was phrased suddenly turned the light on in my head: the solution, when working based on a Risk Identification Model and a Risk Control Matrix, as we do in our integrated risk management (IRM) solution, on which DIRM, MobiRisk and others are based, becomes very evident. So here we go:

Step 1 – Extend the risk identification model to a risk & opportunity identification model

Why? If we strive for completeness in identifying risks and opportunities to be assessed and managed, we need to make sure our situational awareness is as good as it can be. I will write a separate blog post on situational awareness as a concept. For now, to understand the concept you need to be aware that every person filters reality through a set of filters to create his or her perception. No set of filters is the same, as everyone is unique. Therefore, in order to create an as complete as relevant view of the reality which is being managed, we need to bring together the various points of view on this reality, be this an activity, a sub process, a process, an organisational unit or even an entire organisation. The way in which we have always approached this in our IRM approach is through interviews and workshops. We need to extend the lines of questioning in these interviews and workshops and not only query “What could go wrong?” but also open lines of questioning around “What could we (easily) do better?” and “What are we not optimally using/exploiting?” Using this information in the development of the identification model, we can significantly extend its reach to encompass opportunities as well. Once we have a well developed risk & opportunity identification model (ROIM), we can use this to start evaluating both risks and opportunities. But in order to do that, we need to adapt the risk control matrix as well.

Step 2 – Extend the risk control matrix to a risk & opportunity preparedness matrix

Most risk management methodologies assess impact and likelihood. If you have read the blog, you know I am not a fan. However, setting aside whether or not this is a good method (Hint, no, it isn’t, believe me), and whether or not you use it, you should at least also assess how ready an organisation is to deal with these risks. When extending this to opportunities, the same holds: the (inherent) risk exposure or opportunity potential – which can be a function of impact or influence of a risk or opportunity and its likelihood of occurrence over a given period – needs to be put in relation to the level of preparedness of the organisation to deal with the challenge, be it a risk or an opportunity. Therefore, we redefine the x-axis from level of current risk management to risk/opportunity preparedness, and the y-axis to (inherent) risk exposure/opportunity potential.

Step 3 – Adapt the traditional risk control matrix quadrant approach to a more extended set of roles and responsibilities, incorporating opportunity

So, we have developed a new risk & opportunity identification model in step 1, making sure we get an as complete as relevant view on the risks and the opportunities with respect to the area under scope. Relevant here is a function of potential versus cost of further completeness. There is a Pareto optimal point, but given this is NOT rocket science, we suggest you err on the side of caution during your initial assessments. We have extended the assessment of these risks and opportunities to assessing the risk exposure and opportunity potential and the level of preparedness to deal with them … but what next? Well, next we need to identify roles and responsibilities with respect to the results of the assessment. What do we do with this information? An approach based on our current risk control matrix quadrant model seems relevant.

[Figure: Risk & Opportunity Preparedness Matrix]

Quadrant I is the traditional management action quadrant. Here be risks and opportunities the organisation is not adequately prepared for. Management identifies this and recognizes its need to urgently take action. The approach to this quadrant is not necessarily different from our traditional approach, albeit that now there is even more competition for the use of the scarce resources: instead of using the available resources only to manage risks, we now need to invest in opportunities as well, as a function of their potential. This means that correctly assessing cost of preparedness will become even more relevant (and risk & opportunity based budgeting even more interesting).

Quadrant II is the quadrant in which internal audit provides assurances to management. The actual level of preparedness for high potential opportunities and high exposure risks which management evaluates as adequately covered is audited by internal audit. This extends the role of internal audit beyond its traditional controls assurance and asks the question whether or not the most optimal use has been made of the available resources. Not only do risks need to be adequately covered, but opportunities need to be optimally exploitable should they occur. It requires internal audit to build extended experience and knowledge, as it will also be charged to assess the relevance and the opportunity of management’s actions to ensure adequate preparedness for risks or opportunities.

Quadrant III remains a key efficiency quadrant. This traditional micro control area is the area where low potential opportunities and low exposure risks are overmanaged. These are often the less complex risks and opportunities, on which expenditure creates a false sense of security or achievement. Management may have the idea they are doing good, but they could be doing even better by shifting resources to higher risk and opportunity areas. It will be the challenge of internal audit to find ways to reduce the resource investment in risks and opportunities without sacrificing preparedness.

Quadrant IV is probably the most elusive of all four quadrants. Management identifies risks and opportunities as low, and therefore does not put too much effort in them. This is a correct approach as long as the evaluation of the risk exposure or opportunity potential is correct … therefore, a need exists to monitor the risks and opportunities identified in this quadrant. Monitoring is essential for two reasons. First, risks and opportunities may evolve and/or combine to become larger, thus moving into quadrant I, where they need to be dealt with. Second, even if the risks or opportunities are low, the possibility remains that resources are diverted to manage them to create that false but satisfying sense of security. This type of preparedness creep needs to be adequately managed and, when relevant, handed off to internal audit the moment such a risk or opportunity enters or comes close to quadrant III.

 

This is very new, so, let’s hear it in the comments …


Site style update

Given the site had a very laid-back feeling to it, and we are really looking for something more dynamic, I’ve decided to update the layout. Hope you like it.


The risks in “measuring” impact and likelihood in risk assessment and management

More and more evidence emerges that any evaluation is necessarily subjective. I invite you to read Nassim Nicholas Taleb’s books, which provide ample illustration. Contrast this with new risk management methodologies and applications which frequently tout new and improved ways and means of measuring the impact of a risk on objectives and the likelihood of occurrence of that risk as part of their process.

We need to raise the question: can subjectively assessed impact and likelihood be considered that relevant? Can we ensure that the evaluation of these two criteria is done as objectively as possible?

I believe it cannot be done in an entirely objective and therefore relevant manner. I am convinced these criteria do not need to be evaluated to perform good risk management. Let me explain …

We frequently over-evaluate the likelihood of recent occurrences

When assessing likelihood of occurrence of a risk, we tend to over-evaluate risks which occurred recently or at all. If there is a reference point, people charged with evaluating will often attribute a higher likelihood to these recent events, even if the probability of occurrence has in effect been reduced by the (over)reaction to the event. Remember 9/11? People were more scared of terrorist events after the attacks on New York and Washington than before, whereas the actual likelihood of occurrence had diminished because of reactive measures taken.

The bottom line? If it has happened before, we think it more likely to happen again. Turning this around, we also tend to under-evaluate those risks we know little or nothing about. Often these risks won’t even show up in an assessment until they occur … after which they are over-evaluated in terms of likelihood of occurrence.

Abstract risk description leads to under-evaluating the impact of a risk

If we cannot imagine a risk occurring, we cannot assess the potential impact of it and we tend to underestimate its impact. On the contrary, the more informed we are, and the more concrete a risk is formulated, the better we are at assessing its impact.

This not only makes the case for a significant investment in a risk (identification) model, on which I’ve written in prior posts, which aims at translating a risk into as concrete as possible terms, but it also warns of the risk of skewed assessments if risks are not appropriately described.

The bottom line? Inherent risk, as a function of impact and likelihood of occurrence, will likely not be a correct representation of the actual inherent risk. Assessments are skewed as the evaluations are done by people, are always subjective and are very difficult to correct for, as we have no insight into the motivation to vote one way or another.

Trusted collaborators skew our perception of current control level

The issues do not end there. Often, a third dimension is measured: the current control level or the current risk management level. In this assessment, the presence of known and trusted collaborators charged with working on internal controls will skew management’s assessment of the current level of internal control or current level of risk management, which they will tend to overrate. The better the measures functioned in the past, the more concrete the measures are to the manager evaluating them, the more likely he or she will actually overestimate their effectiveness.

 

First conclusions: is risk management doomed?

Not necessarily. The risk matrix, representing impact and likelihood on two separate axes, will more than probably misrepresent the objective truth. When using a standard risk matrix, do so with caution.

The risk control matrix can be used as a good tool subject to certain preconditions:

  1. Do not merely and blindly use impact and likelihood as this will create a false sense of security. Evaluate level of (inherent) risk as one evaluation instead. Inform participants in the assessment that level of (inherent) risk is a function of their perception of impact and likelihood, but ask them to perform their own ‘integration’ of the two factors. Level of (inherent) risk remains an intuitive assessment.
  2. Instead of assessing level of current control, reverse the question and ask participants to assess ‘exposure’ or ‘vulnerability’. Again, this is an intuitive assessment.
  3. Develop the risk control matrix by combining level of (inherent) risk with exposure or vulnerability in a two dimensional representation.
  4. Remain very aware that the assessment is a subjective assessment at all times. The map is NOT the territory.
  5. Correct quadrant III for under-evaluation of level of (inherent) risk due to the factors discussed above. Internal audit, in executing its assurance function, needs to focus on both quadrant II and III.
