AROP: ACTIVE RISK ASSESSMENT OF BUSINESS PROJECTS (STEP 3)
When the LEGO organization implements business projects of a defined minimum size or level of complexity, it's mandatory that the business case includes an explicit definition and method of handling both risks and opportunities. Hans says that the LEGO Group has created a supporting tool (a spreadsheet) with which to do this, and it differs from the former approach to project risk management in several areas. Hans has the following to say on each:
• Identification, "where we call upon more stakeholders, look at opportunities as well as risks, and look at risks both to the project and from the project (i.e., potential project impact on the entire business system)."
• Assessment, "where we define explicit scales and agree what 'high' means to avoid different people agreeing on an impact being high without having a shared understanding of the exposure."
• Handling, "where we systematically assign risk owners to ensure action and accountability and include the use of early warning indicators, where these are relevant."
• Reassessment, "where we explicitly define the net risk exposure to ensure that we have an exposure we know we can accept, the reason being that we have seen people ignore this step, and hence do too much or too little to a particular risk; here, we ask them to deliberately address whether or not they can and will accept the residual risk – and know what it is they accept. From time to time we see the individual risks being accepted, but then, when we do the Monte Carlo simulation on the project (yes, we use it here as well), we see that the likelihood of meeting the target is still too low – and more risk mitigation or opportunity pursuit is called for and included in the project."
• Follow-up, "where we keep the risk portfolio of the project updated for gate and milestone sessions."
• Reporting, "which is done automatically and fully standardized based on the data."
Common Language and Common Framework
The most important point is that the people who address and work with risks get a systematic approach so they can use the same approach from Project A for Project B. The one element that project managers really like is having the data in a database. They don't receive just a spreadsheet model. Data are entered into the spreadsheet as a database, and all the required reporting on risk management is collected from that data, so project managers don't have to develop a report – they can just cut and paste from one of the three reporting sheets that are embedded in the tool. All the reports are standardized. That's good for the project managers, but it's also good for the people on the steering committees because they now receive a standardized report on risks. They don't have a change between layouts of probability/impact risk maps or somebody comes up with severity or whatever from project to project. Everyone has the same kind of formula, the same way of doing it.
Strategic Risk Management Lab Commentary
The AROP process is a great example of integrating risk assessment in terms of upside and downside risks in the strategic decision-making process. This balanced approach to strategic risk management allows organizations to create more stakeholder value while intelligently managing risk.