Strategies for Value-Protecting

Value-protecting strategies aim to prevent the loss of business value, or at least to preserve it. Value can be found in many diverse areas of business activity and varies from organisation to organisation and between industries. In the IT project field, for example, potential loss of business value is attributed to four types of risk: market risk, credit risk, operational risk and compliance risk (ISACA 2009). Illustrations for each can easily be found. Market risks materialise when the delivery of an inferior product or service causes the organisation's reputation to suffer. A project that consumes substantially more funds than originally estimated brings about financial hardship and a deteriorating overall credit rating. Operational risk can occur when project staff suddenly leave and there is no contingency plan to replace them. The project may have to be abandoned, creating the perception of unreliability. Compliance risks are brought about by ignorance of current laws and legislation and could result in penalties being imposed.

A generic approach to value-protection was recommended by Renn (2010). He identified four classes of risk problems and strategies to address them: linear (routine) risk, complex-induced risk, uncertainty-induced risk and ambiguity-induced risk. With linear or routine risks, value is protected by applying methods that are non-controversial and the remaining uncertainties are therefore low. An example is food risk. To protect food from deteriorating, the standard practice of storing it under refrigerated conditions should be adopted. There is little risk that the quality of food will be affected with this precaution.

With complex-induced risk, complexity is associated with the risk event and a possible cause-and-effect situation. Risk can only be reduced by receiving and processing complete information about its characteristics. An example is assessing the risk in building construction. Information is collected about events or conditions that can go wrong during construction through a cause-and-effect approach. Defective material, for example, may cause walls to crumble under extreme weather conditions. This information is used to establish building codes that, if followed, will protect the value of the completed building.

With uncertainty-induced risk, as the name implies, uncertainties are high and the full extent of the remaining risk is unknown. These risks require a cautionary approach, such as containment and making systems resilient, rather than seeking to remove risk entirely. Emergency systems have these characteristics since future risks are impossible to predict with certainty and may or may not be successfully managed during the emergency. For example, consideration is given to protecting infrastructure against extreme flooding, but this may only occur once in a hundred years. Despite raising dam levels and building bridges there is no assurance that these measures will be adequate when the emergency arises.

With ambiguity-induced risk, differing views are expressed about the nature of risks, i.e. their relevance, meaning, consequences and so on. These conflicting viewpoints need to be explored and reconciled. The example given by Renn (2010) is genetically modified agricultural products about which different opinions exist, from positive (e.g. improving the yield of products) to negative (e.g. the long-term impact of new technology being used). Farmers may be given the choice of adopting or not adopting genetic modification according to their risk appetite and tolerance levels.

Kaplan and Mikes (2012) identified three categories of risk that were, according to them, related to strategic choices and should be considered by organisations in their strategy formulation and implementation processes. The first two are value-protecting while the third is value-creating. Value- protecting strategies deal with preventable risks which arise from within the organisation and are controllable, and external risks that arise from events outside the organisation and hence are beyond its influence or control. However, their influence can be mitigated. Value-creating strategic risks are those where an organisation voluntarily accepts some risk in order to gain superior performance. They are not inherently undesirable and are key drivers to capturing potential gains.


Preventable risks are defined as controllable and offer no strategic benefit from leaving them as they are. They are perceived as negative risks, can take many forms and can cover a wide range of activities as outlined above. Strategies that are effective in risk prevention focus on avoiding or eliminating them in a cost- effective manner. Kaplan and Mikes (2012) identified four value-protecting strategies: rules, standard operating environment, values and compliance.

Applying rules requires mapping the likelihood and impact of the risk and eliminating those that exceed a boundary value. An example of the approach is reflected in the cause-and-effect diagram.

Cause-and-effect diagram

Figure 2.5 Cause-and-effect diagram

Figure 2.5 shows how various causes can be identified as causing a problem. 'Defects' with material, staff experiences and so on have caused the 'problem' with the project to occur. If the causes are judged to have a severe effect, the project would not be approved. To avoid a negative effect on the project, causes have to fall within established borders or rules. Material, for example, will have to meet certain quality specifications.

By introducing a Standard Operating Environment (SOE) it is possible to disallow operations outside the environment. This is especially effective in standardising computing hardware and software across projects within the organisation. Only nominated brands and models, carefully evaluated by an expert group, are approved and supported for use by the project team. Acquisitions outside the SOE require justification and approval by a higher- level authority. Problems, should they occur, remain the responsibility of the requisitioning body rather than that of a central body.

Another strategy is to develop a mission statement and value and belief systems that educate management and staff to be aware of and avoid preventable risks. The aim is to develop an organisation culture that clearly indicates to everyone 'what is not allowed'. Risk-averse attitudes are created through a programme of education, training and awareness. By improving risk awareness and developing skills and knowledge, preventable risks are recognised and responded to as a matter of urgency.

Compliance is achieved through implementing a system of internal controls and conducting regular audits. There are two types of control: managerial and operational. The former addresses the design and implementation of risk planning and risk management. Operational controls cover management activities such as responding to risks related to personnel and the physical environment and require lower-level planning, such as disaster recovery and incident response planning. Audit carries out risk management reviews to ensure that risk response processes are being followed correctly.


External factors relate to the market/economy in which the organisation operates. They include the industry, its rate of change and latent competition, regulations and compliance requirements, and technology developments. Since their occurrence cannot be controlled, their impact should be reduced in a cost-effective manner when the event occurs. Risk response is in line with the defined risk tolerance of the enterprise and residual risk falls within risk tolerance limits. Strategies to manage external risks are described below.

Kaplan and Mikes (2012) recommend 'envisioning' external risks through tail-risk assessments and stress testing, scenario planning, wargaming and acting as devil's advocate. The approach of developing risk scenarios is well established in IT project management. 'It is a core approach to bring realism, insight, organisational engagement, improved analysis and structure to the complex matter of IT risk' (ISACA 2009: 51). Risk scenario components as they may apply to project risks are shown in Figure 2.6.

Developing project risk scenarios

Figure 2.6 Developing project risk scenarios

A risk event or condition is one that, if it occurs, has a positive or negative effect on the project objective. It is usually assumed that risk is negative in that it is harmful to the project. However, risk can be positive and therefore supportive of project objectives. Project risks are strategically managed so that they support business outcomes in the form of new or improved products and services. The above components are considered by senior management in scenarios of various levels of organisational risk appetite and tolerance over different time periods. The longer the time, the greater is the uncertainty of the developed scenario. Risk appetite is the amount of risk an organisation is willing to accept in the pursuit of its mission, while risk tolerance is the acceptable variation caused by risk when accomplishing the mission.

Risk avoidance means not undertaking activities or bypassing conditions that give rise to risk. The strategy should be applied when no other risk response, such as sharing or transferring the risk, is adequate. Avoiding certain events or conditions reduces flexibility as there are fewer options available. A strict cost-benefit approach should be applied. The cost of implementing the response should not exceed the cost of repairing the damage. When the risk is being located in a flood-prone area, it can be avoided by changing the project location away from the area. This will eliminate the impact of a natural disaster event and protect the project objectives. Not every risk, however, can be avoided, and any residual risk should fall within the organisation's risk tolerance limit.

Under risk reduction or mitigation, strategies are followed that reduce the probability and/or consequences of an adverse risk event to an acceptable threshold. The more flexibility the project team has, the more valuable is this approach. A risk reduction strategy for projects in flood-prone areas is to have strong recovery procedures that will ensure that project activities resume quickly after a flood event. For example, the project team is relocated to alternative premises when the flood occurs.

The risk transfer/sharing strategy seeks to shift the consequence of a risk or portion thereof to a third party together with ownership of the response. It does not eliminate the risk, it just transfers/shares responsibility for the risk. Taking out an insurance policy or outsourcing project work are common examples of the strategy. The strategy protects the organisation against the financial consequences of an adverse risk event.

When no action is taken in response to the risk, a consequential loss is accepted if/when it occurs. It does not mean that the risk is ignored; an informed decision is made to accept the risk. Organisational management, both business and project, carefully consider this strategic option to managing risk. They have decided that the occurrence of a disruptive flood is 'a one-in-a-hundred- years' event and hence the risk should be accepted.

Contingency planning provides a response to risks that have not been identified and have no value-protecting strategies. In other words, an unforeseen risk event or condition occurs and the organisation activates its contingency plan. The main goal is restoration to normal modes of operation with minimum cost and disruption to normal activities. Contingency planning covers incident response planning, disaster recovery planning and business continuity planning.

Checklist: Do Project Risk Strategies Protect Organisational Value?

• Can values be identified for different organisational project activities?

• Are the sources and nature of these risks known?

• Have generic approaches been identified to respond to project risks?

• Is a distinction made between strategies for preventable and external project risks?

• Is there familiarity with strategies for preventable project risks?

• Are strategies for external project risks cost effective?

• How are external project risks envisioned?

• Are all potential project risk response strategies considered?

• Is there a contingency plan for unidentified project risks?

< Prev   CONTENTS   Next >