Risk Management: On Project and Enterprise Level

Successful project managers recognize that risk management is important, because achieving a project’s goals depends on planning, preparation, results and evaluation that contribute to achieving strategic goals. As a project manager, you often deal with unexpected events that impact your project objectives. Thus, to ensure your project’s success, you have to define how you will handle potential risks so you can identify, mitigate or avoid problems when you need to.

Like any other process in project management, risk management has to be planned in order to forecast the total effort required by the project team for developing the full scope of risk management.

The roles of the Project Manager (PM) and the Risk Manager (RM) are critical for developing a realistic implementation plan. In addition, before starting to work with the Risk Management Process, the PM and RM should ensure that important project data is available, for example the project report, cost estimate, project plan, etc.

The figure above explains the steps to create the risk management plan. It is ideal to have the project charter when developing the risk management plan, since the charter identifies critical information about the project such as scope, conceptual cost estimate, delivery milestones, conceptual risks, stakeholders, etc.

It is important to note that the risk assessment is the responsibility of the PM and the project team. Nevertheless, it is recommended to use an RM whenever possible. The RM is a neutral element of the project team and can reduce bias, which can seriously affect the outcome of the risk management study.

The RM, as a risk expert, should be able to lead, coordinate, educate, explain, convince, propose, monitor and evaluate the entire process; he or she also needs experience in leading teams from different backgrounds and from different functional units and agencies. Some characteristics of risk analysts: creative thinkers, confident, modest, thick-skinned, communicators, pragmatic, able to conceptualize, curious, good at mathematics, a feel for numbers, finishers, cynical, pedantic, careful, social and neutral (Vose, 2008). He or she should be a good communicator, must have an analytical mind and needs to be able to think outside the box. The skills of a risk manager are somewhat related to the project manager’s, in the sense of managing and controlling. However, the risk manager needs to deal with risk assessment, which in the quantitative arena requires analytical modelling skills that the project manager is usually not trained in.

Risk management has to be implemented for projects or within projects, but this is only the first step. Risk management means a change in the way of doing business. Furthermore, risk management at the project level is not good enough. The most effective risk-management processes go beyond individual projects and take root at the portfolio level. For that reason, the culture of implementing risk management should come from the executives and the company’s policies. Risk management has evolved into “Enterprise Risk Management (ERM)”.

At the enterprise level, directors and CEOs, like project managers, also face many challenges. They must focus their organizations to capitalize on emerging opportunities. They must continually invest scarce resources in the pursuit of promising – though uncertain – business activities. They must manage the business in the face of constantly changing circumstances. And as they do all of these things, they must simultaneously be in a position to provide assurance to investors, directors and other stakeholders that their organizations know how to protect and enhance enterprise value. Amid constantly changing risk profiles, directors and CEOs need a higher level of performance from every discipline within the organization, including risk management.

Most companies have implemented risk management; however, most of them use traditional risk management approaches. Under traditional risk management approaches, the process is fragmented, risk is viewed as a negative (something to be avoided), reactive and ad hoc behavior is accepted, and the risk management activity is transaction-oriented (or cost-based), narrowly focused and functionally driven. The traditional risk management model is focused on managing uncertainties around physical and financial assets.

Under Enterprise Risk Management (ERM), on the other hand, the process is integrated, risk is also viewed as a positive (recognizing that successful companies must take on risks when seizing opportunities), proactive behavior is expected, and the risk management activity is strategic (or value-based), broadly focused and process-driven. ERM is focused on the enterprise’s entire asset portfolio, including its intangible assets such as its customer assets, its employee and supplier assets, and such organizational assets as its differentiating strategies, distinctive brands, innovative processes and proprietary systems.

ERM will help directors and CEOs meet these challenges by establishing the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment. ERM redefines the value proposition of risk management by providing an organization with the processes and tools it needs to become more anticipatory and effective at evaluating, embracing and managing the uncertainties it faces as it creates sustainable value for stakeholders. By continuously improving the risk management capabilities that really matter to the successful execution of the business model, ERM elevates risk management to a strategic level.

As ERM is deployed to advance the maturity of the organization’s capabilities for managing the priority risks, it helps management to successfully enhance as well as protect enterprise value in three ways. First, ERM focuses on establishing sustainable competitive advantage. Second, it optimizes the cost of managing risk. And third, it helps management improve business performance. These contributions redefine the value proposition of risk management to a business.

To understand why it is so important to implement ERM in your company, here is a case we can learn from.

Does JetBlue Airways need ERM?

Standard and Poor’s proposed a unique approach to ERM in 2008. Instead of a specific formula or checklist, S&P believes managing enterprise risk depends largely on the quality of management. Still, even a high-quality management team can stumble if it does not use ERM. An example came on February 14, 2007, when New York City’s Kennedy Airport was hit by a nasty ice storm. JetBlue Airways, the largest airline at Kennedy, used the airport as the hub of its entire network. The company was not prepared for such a risk event. The result was thousands of passengers trapped in planes on runways for up to eight hours. Aircraft ran out of food. Toilets overflowed. The airline canceled more than 1,000 flights and required six days to get the backlog cleared.

If JetBlue had implemented ERM, it would have had some options. First, it could have arranged to have buses available for an emergency, so it could unload passengers stuck in planes sitting on the tarmac when all gates are full. Second, it could have provided additional personnel to solve problems, handle luggage, and mitigate discomfort. The company headquarters was a short distance from the airport, so the company could have trained office staff on tasks needed during a crisis. Third, the company could have instituted rapid-response capabilities for weather or other crises. Any approach used would have been good risk management compared to leaving passengers stuck on planes.

Before the incident, a Business Week magazine survey ranked JetBlue Airways fourth in the US in customer satisfaction. After the incident, prior to the single event, the magazine pulled the ranking and reported the failure in considerable detail.


Lesson Learned: An ERM program with constant scanning and sharing of risks might have avoided losses that exceeded $30 million.


Written by:

Alin Veronika, MT, PMP, PMI-RMP

COO of Avenew Indonesia & Chapter President of Project Management Institute (PMI) Indonesia Chapter


