The notion of complexity may take several forms:
• Technical complexity, or the level of specialist knowledge required. A business project will often involve issues of a technical nature that cannot be fully understood, dealt with or mitigated without the involvement of experts.
• Organisational complexity. The cross-functional nature of many business projects means that one must rely on inputs from a wide variety of people of different expertise. In some cases, there may also be third-party resources, contractors, partners or government departments involved.
• Interactions. Even where individual risks are identified and managed reasonably well using informal approaches, the possible effects of a large number of risks on the key aggregate metrics of project success (cost, time, quality, etc.) are hard to estimate by purely intuitive methods; this is even more the case when there are interdependencies between them, such as the knock-on effects on other project tasks if one particular activity is delayed. Such interactions can easily be overlooked, but – even where identified – their existence can make it more challenging to develop an understanding of the aggregate impacts of risks, and to correctly assess the value of various mitigation measures. Formal processes and the appropriate tools can help to address such issues in a more robust and transparent manner.
• Lack of previous experience with certain key elements. The more experience with similar situations one already has, the lower the level of complexity: if all elements of a project were essentially identical to those in many other already-implemented projects, then prior experience should be invaluable in designing projects and optimising their risk profile. On the other hand, where a project has non-standard components (e.g. in terms of technical, product, geographic, legal, regulatory, environmental or team-resource aspects, or the requirement for the involvement of a wider than usual set of organisational departments), then there is a higher likelihood that it contains risks that may be overlooked or underestimated. Even where previous experience exists, an excessive reliance on it can have pitfalls because:
  • The time and place are different, and contextual circumstances are likely to have changed in some way.
  • The fact that risks did not materialise in earlier projects does not mean that they (the same or similar items) cannot happen in similar current projects.
  • It is easy to underestimate new factors that may be involved, unless proper consideration is given to trying to identify them. For example, a company may have successfully launched a new product in one European country and then finds that its launch in another country fails due to cultural, legal or local regulatory requirements that could have been anticipated and mitigated with a more formal assessment, including research and information gathering.
In practice, larger projects are typically more complex (or risky) than smaller ones, although this does not need to be the case, at least in theory. In addition, where a project is large (even if it is apparently “simple”, such as the undertaking of a major construction project using a prefabricated template), then the consequences of the materialisation of an unforeseen risk may be too large to be absorbed within the available budget, whereas similar risks in smaller projects could be absorbed without undue attention. In this sense, of course, the concept of scale is a relative one, depending on the context and organisation concerned.
Measures to respond to risk can include changes to project scope, structures, deliverables, timelines, budgets, targets and objectives. In many personal situations, the individual concerned can make decisions related to such topics without reference to others. In contrast, in organisations and businesses (and in some personal situations) such actions would almost always require authorisation from others, typically from more senior management. In addition, project collaborators within the organisation, as well as third parties (external agencies, contractors, etc.), may also be impacted by any changes. Therefore, significant communication, negotiation and coordination are often required. Indeed, even fairly simple or common-sense risk measures may require significant analysis in order to prepare the groundwork for formal authorisation processes. The particular contexts in which this is most likely include:
• If the benefits of risk-response actions are “external” or highly asymmetric, such as where the costs of risk mitigation are borne by one department, but the benefits may accrue to another department or project.
• If changes are required to organisational processes, budgets, targets, timelines, quality or other performance indicators, or to contractual or other relationships with third parties.
• If the identification of risks may potentially expose issues of a political or motivational nature, for example if problems are uncovered that should have already been addressed within normal work, or if a lack of expertise, capability or competence would be highlighted.
In such contexts, formalised risk assessment processes will support the activities of a project team by creating robustness in the analysis, in the assessment of the cost–benefit trade-offs, and will increase objectivity and transparency.
There is an increasing requirement for decisions within businesses to be supported by formal governance processes, particularly in publicly-quoted (listed) companies, where management is ultimately responsible to shareholders, and not to themselves. One may think of governance issues in two categories:
• Mandated governance requirements and guidelines.
• Processes that enhance general organisational effectiveness and competitive advantage (see later).
A complete description of published governance guidelines is beyond the scope of this text: their focus is typically on structured frameworks and processes to manage risk (especially operational risk) and less on the details of modelling issues and associated challenges. Here, we simply highlight a few examples from various contexts; the interested reader can no doubt easily find others by general internet or other searches:
• The UK Combined Code on Corporate Governance. This sets out standards of good practice in relation to Board leadership and effectiveness, remuneration, accountability and relations with shareholders. Certain listed companies are required to explain in their annual report and accounts how they have applied the Code. The Code includes the following (June 2010 edition):
  • “Every company should be headed by an effective Board, which is collectively responsible for the success of the company … The Board's role is to provide entrepreneurial leadership within a framework of prudent and effective controls which enables risk to be assessed and managed …”
  • “The Board should be supplied in a timely manner with information in the form and of a quality appropriate to enable it to discharge its duties. All directors should … regularly update and refresh their skills and knowledge.”
  • “The Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The Board should maintain sound risk management and internal control systems.”
• The Corporate Governance Council of the Australian Stock Exchange publishes Corporate Governance Principles and Recommendations (or Principles), of which Principle 7 concerns recognising and managing risk. Selected sections (2nd edition, 2010) state:
  • “Risk management is the culture, processes and structures that are directed towards taking advantage of potential opportunities while managing potential adverse effects.”
  • “Companies should establish policies for the oversight and management of material business risks and disclose a summary of those policies.”
  • “The Board should require management to design and implement the risk management and internal control system to manage