Sr IT Manager | Digital Transf. Expert | Proj & Prog Mgmt | IT Strategy, Emerging Technologies | Corporate Governance | Independent Director | Startup Advisor | MBA IIMB
Strategic risk management is the process of identifying, assessing, and responding to the uncertainties and threats that may affect the achievement of an organization's strategic objectives. Strategic risks can arise from external factors, such as market changes, technological disruptions, regulatory shifts, or geopolitical events, or from internal factors, such as poor governance, ineffective leadership, or misaligned incentives. Strategic risks can have significant impacts on the performance, reputation, and sustainability of an organization, and may require changes in the organization's strategy, structure, or culture.
One of the key challenges of strategic risk management is safeguarding projects at the executive level, especially when the risk environment is dynamic, complex and constantly shifting. Projects are the means by which organizations execute their strategies and deliver value to their stakeholders. However, projects are also exposed to many sources of uncertainty and volatility, which can affect their scope, schedule, budget, quality, and outcomes. Moreover, projects often involve multiple stakeholders with different interests, expectations, and perspectives, which can create conflicts and misalignments. Managing project risks effectively is therefore essential to the success of the organization's strategic initiatives and goals.
In this article, we will discuss how board members, as the ultimate decision-makers of the organization, should address risk when the targets of risk mitigation keep moving. We will explore the following topics:
Why board members need to be involved in strategic risk management and project oversight
What are the key principles and practices of effective project risk governance
How board members can monitor and evaluate project risks and performance
How board members can support and challenge project managers and teams
How board members can foster a culture of risk awareness and learning
Why board members need to be involved in strategic risk management and project oversight
Board members have a fiduciary duty to act in the best interests of the organization and its stakeholders. They are responsible for setting the strategic direction, approving the strategic plan, and overseeing its implementation and outcomes. They are also accountable for ensuring that the organization has an effective risk management framework, that the risks are properly identified, assessed, and managed, and that the risk appetite and tolerance are aligned with the strategy and objectives.
As part of their strategic oversight role, board members need to be involved in project governance, which is the set of policies, processes, roles, and responsibilities that define how projects are selected, prioritized, planned, executed, controlled, and closed. Project governance provides the structure and guidance for project decision-making, communication, reporting, and escalation. It also ensures that the projects are aligned with the strategy, deliver the expected benefits, and meet the quality standards and stakeholder expectations.
Board members need to be involved in project governance for several reasons. First, projects are the main vehicles for implementing the strategy and creating value for the organization and its stakeholders. Therefore, board members need to ensure that the projects are aligned with the strategic priorities, that the resources are allocated efficiently and effectively, and that the benefits are realized and sustained. Second, projects are inherently risky and uncertain, and may encounter various challenges and issues that can jeopardize their success. Therefore, board members need to ensure that the project risks are identified, assessed, and managed, that the risk mitigation actions are appropriate and timely, and that the risk exposure is within the acceptable limits. Third, projects are complex and interdependent, and may involve multiple stakeholders, both internal and external, with different interests, expectations, and perspectives. Therefore, board members need to ensure that the project stakeholders are engaged, informed, and satisfied, that the conflicts and disputes are resolved, and that the collaboration and cooperation are fostered.
Volkswagen Emissions Scandal (2015): Volkswagen's emissions scandal is a critical example of strategic risk management failure. The company suffered significant reputational and financial damage because of a lack of oversight and governance at the executive level; the scandal cost more than $30 billion in fines, legal settlements, and recall costs. (Source: "Volkswagen: The scandal explained", BBC News.)
Statistic: In a global survey, two thirds (67%) of the surveyed companies say the CEO, the board or a board risk committee has oversight of strategic risk. In EMEA, CEO direction is less common than average and board direction more common. Top-level oversight is particularly common at consumer companies, followed by companies in financial services and TMT. (Source: "Strategic risk: A view of the risk universe", survey report, garp.org.)
What are the key principles and practices of effective project risk governance
Project risk governance is the subset of project governance that focuses on the management of project risks. Project risk governance provides the framework and guidance for identifying, assessing, and responding to the uncertainties and threats that may affect the project objectives and outcomes. Project risk governance also ensures that the project risk management processes are integrated with the project management processes, and that the project risk information is communicated and reported to the relevant stakeholders.
Effective project risk governance is based on the following key principles and practices:
Define and communicate the project risk strategy. The project risk strategy is the set of objectives, policies, and guidelines that define how the project will approach and handle the risks. The project risk strategy should be aligned with the organization's risk strategy and appetite, and should reflect the project's characteristics, context, and stakeholders. The project risk strategy should also be communicated and agreed upon by the project board, the project manager, and the project team, as well as the other key stakeholders. Address both internal risks (e.g., team capabilities, resource allocation) and external risks (e.g., market changes, regulatory shifts).
Establish and empower the project risk committee. The project risk committee is the group of senior stakeholders who are responsible for overseeing and directing the project risk management activities. The project risk committee should include representatives from the board, the executive management, the project sponsor, the project manager, and the project team, as well as the other key stakeholders. The project risk committee should have the authority and accountability to approve the project risk strategy, to monitor and evaluate the project risk performance, to review and approve the project risk reports, and to escalate and resolve the project risk issues.
Assign and clarify the project risk roles and responsibilities. The project risk roles and responsibilities are the tasks and duties that the project stakeholders have to perform in relation to the project risk management processes. The project risk roles and responsibilities should be defined and documented in the project risk management plan, and should be aligned with the project governance structure and the project management plan. The project risk roles and responsibilities should also be clarified and communicated to the project stakeholders, and should be reviewed and updated regularly.
Implement and monitor the project risk processes. The project risk processes are the steps and activities that the project stakeholders have to follow and execute to manage the project risks. The project risk processes include risk identification, risk analysis, risk response, risk monitoring, and risk reporting. The project risk processes should be consistent and compatible with the project risk strategy, the project risk management plan, and the project management plan. The project risk processes should also be implemented and monitored by the project risk committee, the project manager, and the project team, and should be audited and reviewed periodically.
Report and escalate the project risk information. The project risk information is the data and knowledge that the project stakeholders have to collect and share about the project risks. The project risk information includes the project risk register, the project risk profile, the project risk indicators, and the project risk issues. The project risk information should be accurate, relevant, and timely, and should be aligned with the project risk strategy, the project risk management plan, and the project management plan. The project risk information should also be reported and escalated to the project risk committee, the project board, and the other key stakeholders, according to the project risk reporting and escalation plan.
How board members can monitor and evaluate project risks and performance
Board members, as the ultimate overseers and decision-makers of the organization, have the responsibility and authority to monitor and evaluate the project risks and performance. Board members need to ensure that the projects are delivering the expected benefits, that the project risks are within the acceptable limits, and that the project issues are resolved and mitigated. Board members also need to provide feedback and guidance to the project managers and teams, and to approve any changes or deviations from the project plans and objectives.
To monitor and evaluate the project risks and performance, board members can use the following tools and techniques:
Project risk reports: Project risk reports are the documents that summarize the project risk information: the risk register, the risk profile, the risk indicators, and the open risk issues. They give board members an overview of the current risk situation, the risk performance to date, and the risk actions under way. Reports should be prepared and submitted by the project risk committee, the project manager, or the project team according to the risk reporting plan and schedule; board members should review and approve them and use them as the basis for risk discussions and decisions.
Project risk dashboards: Project risk dashboards are visual tools that display and highlight risk status, trends, alerts, and actions. They give board members a quick way to monitor the risk situation, risk performance, and risk actions without reading the full reports. Dashboards should be designed, updated, and maintained by the project risk committee, the project manager, or the project team according to the agreed dashboard specification and update schedule, and board members should use them as a basis for risk discussions and decisions. A dashboard only reflects the data behind it, so the board should periodically confirm that the register and indicators feeding it are current.
Project risk reviews: Project risk reviews are meetings of the project risk committee, the project board, and other key stakeholders to discuss and evaluate the risk reports, dashboards, and open issues. They give board members a forum to exchange views on the risk situation, risk performance, and risk actions. Reviews should be planned, organized, and facilitated by the project risk committee, the project manager, or the project team according to the review plan, agenda, and procedures; board members should attend and take part in them and use them as the basis for risk decisions.
Quantitative Risk Analysis: A key component of effective risk governance, quantitative risk analysis uses numerical methods to estimate the likelihood and impact of risks. It helps board members to:
Prioritize risks based on their potential financial, time, or resource impact.
Assess aggregate risk exposure across multiple projects.
Model different risk scenarios using tools such as Monte Carlo simulation to predict project outcomes under varying conditions.
Make data-driven decisions on risk responses, such as allocating contingencies or adjusting project timelines.
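As an added example (not from the original article), the following Python script shows what the quantitative analysis above looks like in practice. It takes a small risk register whose entries and figures are constructed and hypothetical, runs a Monte Carlo simulation of total cost impact, ranks the risks by expected monetary value, and reads a P90 contingency off the simulated distribution. Only the standard library is used, so it runs offline.

```python
"""Monte Carlo simulation of aggregate project risk exposure.

Added example, not code from the article: a constructed, hypothetical risk
register is simulated to estimate the distribution of total cost impact,
from which prioritisation and contingency decisions follow.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk register entry: probability of occurring and a cost impact range."""
    name: str
    probability: float   # chance the risk materialises on this project
    low: float           # optimistic cost impact if it occurs (currency units)
    likely: float        # most likely cost impact
    high: float          # pessimistic cost impact


# Constructed register for illustration; every figure here is hypothetical.
RISK_REGISTER = [
    Risk("Key vendor delivers late", 0.30, 50_000, 120_000, 300_000),
    Risk("Regulatory change forces redesign", 0.10, 200_000, 400_000, 900_000),
    Risk("Staff attrition on core team", 0.25, 20_000, 60_000, 150_000),
    Risk("Integration defects found in UAT", 0.40, 10_000, 40_000, 120_000),
]


def simulate_total_exposure(risks, trials=20_000, seed=1):
    """Return one total cost impact per simulated project run.

    Each trial decides independently whether each risk occurs (a Bernoulli
    draw against its probability) and, if it does, samples its impact from
    a triangular distribution over the register's low/likely/high estimates.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.probability:
                total += rng.triangular(r.low, r.high, r.likely)
        totals.append(total)
    return totals


def percentile(values, p):
    """p-th percentile (0-100) of a list, nearest-rank on the sorted values."""
    ordered = sorted(values)
    k = max(0, min(len(ordered) - 1, int(round(p / 100 * len(ordered))) - 1))
    return ordered[k]


def expected_monetary_value(risk):
    """EMV = probability x mean impact; a triangular distribution's mean is (low+likely+high)/3."""
    return risk.probability * (risk.low + risk.likely + risk.high) / 3


def prioritise(risks):
    """Rank register entries by expected monetary value, highest first."""
    return sorted(risks, key=expected_monetary_value, reverse=True)


def contingency_for_confidence(totals, confidence=90):
    """Reserve needed so total impact stays within budget in `confidence` % of runs."""
    return percentile(totals, confidence)


if __name__ == "__main__":
    totals = simulate_total_exposure(RISK_REGISTER)
    print(f"Mean exposure:   {sum(totals) / len(totals):>12,.0f}")
    print(f"P50 exposure:    {percentile(totals, 50):>12,.0f}")
    print(f"P90 contingency: {contingency_for_confidence(totals):>12,.0f}")
    for r in prioritise(RISK_REGISTER):
        print(f"  {r.name:<36} EMV {expected_monetary_value(r):>10,.0f}")
```

Two points a board reader should take from the output: the sum of the EMVs (about 138,800 here) is the mean exposure, but the P90 figure is what a contingency reserve should be sized against, because the mean is routinely exceeded when a low-probability, high-impact risk such as the regulatory one lands. The register's probabilities and ranges are the real inputs; the simulation only makes their combined consequence visible, so challenging those estimates is where board scrutiny adds the most value.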
How board members can support and challenge project managers and teams
Board members, as the ultimate sponsors and supporters of the organization, have the responsibility and authority to support and challenge the project managers and teams. Board members need to ensure that the project managers and teams have the necessary resources, skills, and capabilities to execute and deliver the projects successfully. Board members also need to ensure that the project managers and teams are accountable, responsible, and transparent for their project decisions and actions. Board members also need to provide feedback and guidance to the project managers and teams, and to recognize and reward their project achievements and contributions.
To support and challenge the project managers and teams, board members can use the following tools and techniques:
Project risk coaching: Project risk coaching is the process of giving project managers and teams advice, guidance, and feedback on how to improve their project risk management skills. Coaching helps them identify and close gaps in their risk management practice, build competence and confidence, and apply best practices and lessons learned from earlier projects. Coaching should be provided by board members, the project risk committee, or project risk experts according to the coaching plan and objectives, and requested by project managers and teams according to their needs.
Project risk mentoring: Project risk mentoring is the process of giving project managers and teams support, encouragement, and motivation to overcome their project risk management challenges. Mentoring helps them cope with the pressures of managing risk, resolve conflicts and problems as they arise, and recognize their successes. Mentoring should be provided by board members, the project risk committee, or designated project risk mentors according to the mentoring plan and objectives, and requested by project managers and teams according to their needs.
Project risk appraisal: Project risk appraisal is the process of assessing the project risk management performance and results of project managers and teams. Appraisal lets them demonstrate their achievements, identify their strengths and opportunities for improvement, and act on the feedback and recommendations they receive. Appraisal should be performed by board members, the project risk committee, or designated project risk appraisers according to the appraisal plan and criteria, and project managers and teams should take part in it and accept its findings according to the appraisal standards and expectations.
Risk Identification Techniques: To challenge and guide teams effectively, board members must ensure robust risk identification techniques are in place. These include:
Brainstorming: Encouraging the project team to generate a list of potential internal and external risks.
SWOT Analysis: Examining the project's strengths, weaknesses, opportunities, and threats to uncover hidden risks.
Delphi Technique: Engaging multiple experts to provide risk insights anonymously, then aggregating responses to identify common threats.
Cause-and-Effect Diagrams (Fishbone Diagrams): Helping teams visually map out potential causes of risks and underlying issues.
Checklists: Creating a predefined checklist based on prior project risks to ensure no common threats are overlooked.
By applying these techniques, board members ensure that project teams are proactive in identifying risks and planning for mitigation early in the project lifecycle.
How board members can foster a culture of risk awareness and learning
Board members, as the ultimate leaders and influencers of the organization, have the responsibility and authority to foster a culture of risk awareness and learning. They need to ensure that the organization takes a positive and proactive approach to risk management, values its benefits, and learns and improves from its own risk management experience. They also need to ensure that the organization has a clear and consistent vision and mission for risk management, communicates and promotes its risk management policies and objectives, and rewards and recognizes risk management achievements and contributions.
To foster a culture of risk awareness and learning, board members can use the following tools and techniques:
Project risk vision and mission: The project risk vision and mission are the statements that define the purpose and direction of the project risk management activities. They give the organization a shared understanding of what project risk management is, why it matters, and how it helps the organization achieve its strategic goals. They should be developed by board members, the project risk committee, or project risk experts in line with the organization's risk strategy and appetite, and communicated throughout the organization according to its communication plan.
Project risk policies and objectives: Project risk policies and objectives are the rules and guidelines that direct the project risk management activities. They give the organization a framework for implementing the project risk management processes and for measuring and monitoring project risk management performance and results. Like the vision and mission, they should be developed by board members, the project risk committee, or project risk experts in line with the organization's risk strategy and appetite, and communicated according to its communication plan.
Project risk rewards and recognition: Project risk rewards and recognition are the incentives and acknowledgments that motivate good project risk management. They give the organization a way to encourage the behaviors it wants, from raising a risk early to executing a mitigation well, and to celebrate achievements and contributions. They should be designed and granted by board members, the project risk committee, or project risk experts according to the organization's reward and recognition plan, criteria, and schedule.
Conclusion
Strategic risk management is a vital and valuable practice for any organization that wants to achieve its strategic objectives and goals. However, strategic risk management is not only a technical and operational activity, but also a strategic and governance activity. Therefore, board members, as the ultimate decision-makers and overseers of the organization, need to be actively and effectively involved in strategic risk management and project oversight. Board members need to ensure that the projects are aligned with the strategy, that the project risks are managed and mitigated, and that the project benefits are realized and sustained. Board members also need to support and challenge the project managers and teams, and to foster a culture of risk awareness and learning. By doing so, board members can safeguard the projects at the executive level, and enhance the organization's performance, reputation, and sustainability.