Font Size

- Aa +

Sat 14 Mar 2009 04:00 AM

Font Size

- Aa +

Risky business

This month John Cowling, risk and value management consultant at F+G, looks at why and how risk should be identified on both a human and financial level.

This month John Cowling, risk and value management consultant at F+G, looks at why and how risk should be identified on both a human and financial level.

So why should we identify risks? If we accept that a broad definition of a risk is ‘a possible threat or opportunity which will in some way affect the outcome of a project or objective', then we allow ourselves to begin the process of managing the ‘known unknowns'. This flows into the concepts of business continuity plans and how our business could recover from potentially disastrous events.

It is important to note that risks are not issues, risks are future phenomenon that may occur, and issues are an event that it is happening here and now.

An example of the formal statement could be: ‘As a result of definite cause, an uncertain event may occur, which would lead to an affect on our objectives.

So, before we can implement recover/response plans for risks, we first need to identify the risks. Then we consider multiple options (analyse), evaluate these options and select the most appropriate to suit the business need, implement the response/mitigation plans and monitor and review the plans.

Why we should identify risk

We can approach this process from one of two concepts: ‘doom and gloom' or that the ‘glass is half full'. Our perspective at F+G is that we should be creating opportunities to improve our client's operations, and thus their overall business. Ideally we are allowing their business to operate with an eyes wide open approach.

When an organisation implements a risk management system, careful consideration needs to be given as to how it will formally identify its risks, and then follow through the process with the aim of mitigating risks to an acceptable outcome.

Simple approaches are often the most effective. Using a standardised approach to the identification phase will allow personnel to more easily understand and thus utilise the system, with the benefits of increased usage, reporting and thus an earlier response.

Using a formal statement allows those personnel to easily grasp the complexity of the process, without having to be an expert in the entire process, and would allow more junior team members to escalate the risks to the appropriate level. So we need a balanced approach.

An example of the formal statement could be: ‘As a result of definite cause, an uncertain event may occur, which would lead to an affect on our objectives."

Then a scenario could develop where by the statement is: ‘As a result of unanticipated failure in the building's air conditioning system, stoppage of tenant's business operations may occur, which would lead to a reduction in our revenue and damage to our reputation (against our objective of providing a 24/7 operational facility, etc).'

A junior team member may not be able to grasp all of the complex revenue implications of disruptions to a tenant's operations, and escalating this upwards in a formal manner, will ensure senior management deal with the issue.

Legionnaire's disease

Let's consider the case of the Melbourne Aquarium where, in simple terms, the maintenance of the cooling towers by an external contractor was not carried out to the required standard. Subsequently, a number of visitors became ill, of which 125 people were diagnosed with Legionnaire's disease. From these 125 confirmed cases, 95 patients (76 percent) were hospitalised and four (3.2 percent) died.Scratching at the surface of this case exposes claims that the contractor had stopped performing the ongoing work, as the aquarium management had not processed their earlier invoices for previously completed work, and yet they had not formally advised either of these points to the aquarium management.

Now many would ask who is responsible for the consequences of this event (illness, death, loss of revenue, replacement of cooling towers, increased insurance premiums, class litigation from victims, and its associated loss of reputation, etc) and that is like closing the stable door after the horse has bolted. At this stage only those involved in the litigation will be the financial winners. Surely prevention is better then the cure and this is the concept of risk management.

One hundred and twenty five people were diagnosed with Legionnaire’s disease. From these 125 confirmed cases, 95 patients (76 percent) were hospitalised and four (3.2 percent) died.

Consider our scenario above: had a facilities risk management system identified the risk of not adequately managing their external contractors, with their respective consequences, then they could have implemented a system to ensure the contractor's performance was benchmarked and audited to the required standard/frequency.

Another mitigation strategy could have been maintaining a closer liaison with their contractors to ensure that when a problem arises (i.e. not processing contractor's invoices) they can be resolved before it leads to a bigger event.

From the other side of the coin, a contractor in a similar position could identify the cause of non payment may result in the risk of stopping the contract, with the affect of reduced revenue, cash flow and be ultimately out of business. Their primary mitigation strategy should be open communication with their client.

At the worker/specialist level, the cause of equipment not being maintained, may result in the risk of illness to persons in the facility, with the affect that serious injury/death may result. This should be then escalated up through a risk register to the contractor's management team, who should then ensure the matter is brought to the attention of the client.

So how would a team member have identified this risk? Typically risk identification will only be initiated after several factors have been addressed including: senior management commitment to the process allowing delegation of risk management methodologies to flow through to lower levels, training and awareness in the process and the belief that this will produce positive, tangible results.

How we should identify risks

Now that we have covered why we should identify risks, let's look more closely at how we should identify the risks.

While there are several methods for risk identification, including; questionnaires, checklists, past data, interviews, and brainstorming, we have found that we continue to produce very effective and tangible results from our facilitated risk and value management workshops.

Workshops held on a regular basis, attended by all stakeholders, and combined with a continuously managed documented risk management process should ensure the likelihood and impact of negative business disruptions are kept to a minimum.

Checklists, questionnaires and audits have effective application at lower levels where risks can be grouped together within classifications for escalation to senior management. Risk identification tools should offer the risk identifier an opportunity to become part of the solution, as if they are employed in a specialist role, they may also have knowledge of a range of positive outcomes.

Often through the process of risk identification and subsequent management, additional risks are identified and they will also require management. As this process will be dynamic, it should be maintained continuously. For just like facilities management, risk management is a process, not a single event.

Without implementing and maintaining a structured and ongoing risk management system, businesses may find themselves flying blind as the threats and opportunities may not be obvious, or may not be communicated within their organisation to the right level.

The consequences of ignoring risks are a recipe for significant disaster.

For all the latest construction news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.