Risk management systems exist because every business activity carries a distinct amount of uncertainty for a business. This is all the more so in times when changes like digitalisation and Big Data are afoot. More and more companies are using agile projects to manage these developments, because agility helps them to push certain key themes in their companies.
Basic knowledge: what is risk management and why is it so important?
Every project carries a certain amount of risk, and risk management is about the scheduled measurement, monitoring and controlling of it. The objective of judicious risk management and all the activities it entails is to guard the business or project against potential risks and crises, which is essential to success. It is also about indentifying and carefully weighing up predicted opportunities and threats.
Modern risk management is more and more professionalised these days, and more effectively integrated into other management systems. It began in large multinationals and is now spreading in small and medium sized enterprises, says Dr Margarete Schramböck, Austria’s Federal Minister for Digitalisation, in the Austrian Yearbook for Risk Management 2019.
It is important for small businesses to look closely at their own business risks and analyse them as comprehensively as possible. This is essential for developing and integrating the right precautions. The Yearbook showcases the Austrian Centre for Industrial Biotechnology, or acib, which is a good example of successful analysis, strategy and the risk management systems built upon it.
The challenge: treading the risk management line between open innovation and secrecy
An international centre for industrial biotechnology, acib employs over 200 scientists. Their common objective is to make industrial processes more eco-friendly and resource-efficient. In its everyday business, acib’s projects operate precisely “on the interface between academic research and industrial development,” says managing director Mathias Drexler, describing the particular challenge that his establishment’s management faced in setting up a risk management system.
It was a challenge involving a contradiction fraught with risk: on the one hand, scientists want to and have to publish exciting new research results as quickly as possible – as a measure of their success. But businesses collaborating in the chemical, pharmaceutical and biotechnology industries strive to keep new methods and innovative products secret for as long as possible. Exclusivity, after all, raises the value of newly tested methods and processes.
“This is what creates such a challenging risk management conflict between the drive for secrecy and the drive for publicity,” explain managing director Mathias Drexler and IT security consultant Michael Krausz in their joint article, Risk management in application-related research. The four steps shown below – identifying, evaluating, strategising and controlling risks – illustrate how they managed to successfully resolve the dichotomy.
Risk management for small businesses: the key steps
“There’s no such thing as a generic risk management concept you can simply impose,” says the Austrian Yearbook. “Every business has to identify, analyse and assess its own risks so as to develop an appropriate precautionary concept. The relevant standards can provide a degree of support.”
But there are four key steps that every small businesses and every New Work project should take when setting up a risk management system, to minimise the likelihood of unpleasant surprises.
Risk management step 1: Identifying and recording risks
In the aforementioned example of the acib research centre, one major risk of regular business is the conflict between the push to publish from researchers on the one side, and the push for secrecy from businesses involved in the research on the other. In real terms, the work involves collaboration between more than 50 academic institutions and more than 100 partner businesses in over 200 bi- and multi-lateral research projects – “a highly complex organisational scenario,” says managing director Mathias Drexler. This complex scenario mainly produces high-value measurement and analysis data and information.
Risk management step 2: Evaluating and analysing risks
As well as contradictory interests in data and information, and the effects these have on the way data is handled and the issue of how to control it, there are statutory and technical data protection regulations that have to be managed in terms of compliance. In the case of acib, an initial risk assessment revealed that a) their technology is well equipped and b) data is not processed in their system in any way which might endanger the rights of individuals.
Risk management step 3: Strategically planning risks
That is why their risk management involves organisational activities, training and education that creates, raises and safeguards employees’ awareness and sensitivity to the secrecy needs of the businesses involved.
They decided not to plan strict access or information flow controls such as those stipulated by industrial standards, since these might have stifled a creative academic environment, and resourceful researchers could probably circumvent them anyway.
Risk management step 4: Controlling risks and implementing activities
As well as regular training and education, DPO/CISO-as-a-service was set up. This means the work done by data protection officers and chief information security officers is farmed out to eliminate conflicts of interest from the outset.
Training employees increases awareness of how to sensitively handle valuable research results while maintaining a creative, academic environment in a complex system so that they can work as freely and innovative as possible.
Getting aligned: every industry has its own business risks
It makes a difference what industry a project is in, of course. Project managers in the financial industry have to accommodate different risks from those affecting projects in the chemical or healthcare industry. And there are other risks aside from industry-specific ones; the following list shows some of them. But it ought to be said that managing risks is an ongoing process that needs to be regularly evaluated and adjusted to the progress of a project.
Different risks in agile projects
- Competition (such as supplier, liability and contractual risks)
- Management (such as planning, coordination, information and communication risks)
- Development (such as technical, quality and launch risks)
- Social interaction (such as risks involving motivation, frustration and overextension).
A new risk culture in projects and New Work
The good news is that some potential mistakes are already implicitly deflected by agile projects. That’s because successful projects as well as good risk management require effective teamwork. Most of today’s project teams work as transparently as they can and incorporate frequent feedback loops into their project schedule. This significantly reduces the risk of planning and coordination errors.
In many New Work projects, every team member takes responsibility for decisions as opposed to just the project manager, which reduces social risks. Working together in an atmosphere of trust often engenders a better culture around mistakes. In other words, there is less anxiety among employees about admitting a mistake – such as wrongly assessing the quality of a product – and this reduces the risks involved in development.
The example of acib shows just how individualised risk management systems can be. What’s important for anyone responsible for projects and small businesses is to recognise that risk management is essential nowadays, and that there are many creative ways of going about it.