Operational and strategic risks on projects
Risk management is an important component of all project management frameworks and methodologies, so most project managers are well aware of the need to manage risks on their projects. However, most books and training courses offer little or no guidance about the relative importance of different categories of risks. One useful way to look at risks is by whether they pose operational or strategic threats. The former category includes risks that impact project execution and the latter those that affect project goals. A recent paper entitled, Categorising Risks in Seven Large Projects – Which Risks do the Projects Focus On?, looks at how strategic and operational risks are treated in typical, real-life projects. This post is a summary and review of the paper.
Operational and strategic risks
For the purpose of their study, the authors of the paper categorise risks as follows:
- Operational risk: A risk that affects a project deliverable.
- Short term strategic risk: A risk that impacts an expected outcome of the project. That is, the results expected directly from a deliverable. For example, an order processing system (deliverable) might be expected to reduce processing time by 50% on average (outcome).
- Long term strategic risk: A risk that affects the strategic goal that the project is intended to address. For example, an expected strategic outcome of a new order processing system might be to boost sales by 25% over the next 2 years.
It is also necessary to define unambiguous criteria by which risks can be assigned to one of the above categories. The authors use the following criteria to classify risks:
- A risk is an operational risk if it can impact a deliverable that is set out in the project definition (scope document, charter etc.) or delivery contract.
- A risk is a short-term strategic if it can have an effect on functionality that is not clearly mentioned in the project documentation, but is required in order to achieve the project objectives.
- A risk is considered to be a long-term strategic if it affects the long-term goals of the project and does not fall into the prior two categories.
The authors use the third category as a catch-all bucket for risks that do not fall into the first two categories.
The authors collected data from the risk registers of seven large projects. Prior to data collection, the conducted interviews with relevant project personnel to get an understanding of the goals and context of the project. Further interviews were conducted, as needed, mainly to clarify points that came up in the analysis.
A point to note is that the projects studied were all in progress, but in different phases ranging from initiation to closure.
Results and discussion
The authors’ findings can be summed up in a line: the overwhelming majority of risks were operational. The fraction of risks that were classified as long-term strategic was less than 0.5 % of the total (with over 1300 risks were classified in all).
Why is the number of strategic risks so low? The authors offer the following reasons:
- Strategic risks do not occur while a project is in progress: The authors argue that this is plausible because strategic risks are (or should be) handled prior to a project being given the go-ahead. This makes sense, so in a well-vetted project strategic risks will occur only if there are substantial changes in the hosting organisation and/or its environment.
- Long term strategic risks are not the project’s responsibility: This is a view taken by most project management methodologies: a project exists only to achieve its stated objectives; its long-term impact is irrelevant. Put another way, the focus is on efficiency, not (organisational) effectiveness (I’ll say more about this in a future post). The authors recommend that project risk managers need to be aware of strategic issues, even though these are traditionally out of the purview of the project. Why? Well, because such issues can have a major impact on how the project is perceived by the organisation.
- Strategic risks are mainly the asset owner’s (or sponsor’s) responsibility: According to conventional management wisdom strategic risks are the responsibility of management, not the project team. In contrast, the authors suggest that the project team is perhaps better placed to identify some strategic risks long before they come to management’s attention. From personal experience I can vouch that this is true, but would add that it can be difficult to raise awareness of these risks in a politically acceptable way.
The main point that the article makes is that strategic risks, though often ignored, can have a huge effect on projects and how they are viewed by the larger organisation. It is therefore in important that these risks are identified and escalated to sponsors and other decision makers in a timely manner. This is a message that organisations would do well to heed, particularly those that have a “shoot the messenger” culture which discourages honest and open communication about such risks.