Integration of Project Risk Management (PRM) into Enterprise Risk Management (ERM)

Ruchi Agarwal (University of Edinburgh Business School, UK) and Lev Virine (Intaver Institute, Canada)
Integrating Project Risk Management (PRM) into Enterprise Risk Management (ERM) is a multi-year journey and has long-term value. ERM provides a holistic view of existing risks and overcomes the disadvantage of risk being managed in silos in PRM. The main aim of integrating the two approaches is to manage risk from both macro and micro perspectives by exploiting opportunities while balancing the downside of risk. The chapter provides a fundamental understanding of what ERM is and its components and shows how PRM is a subset of ERM. Issues and opportunities in integrating PRM into ERM are discussed using real-life examples. Furthermore, the chapter brings attention to formal and informal ways of integration and concludes by making six recommendations.
Integrating Project Risk Management (PRM) into Enterprise Risk Management (ERM) is a multi-year progressive journey with long-term value to all stakeholders. ERM is a broad and complex concept, which requires an understanding of the interrelatedness among integrated risks within an organisation.

ERM and PRM differ fundamentally in the point of view from which they analyse risk. ERM is a holistic approach to managing risks such as operational risk, market risk, project risk and many others by involving all senior management in the organisation. PRM, by contrast, provides a more granular approach to assessing and managing risks at a project or portfolio level. For a project-based company, project risks are likely to aggregate during a volatile or crisis situation. Currency fluctuations, economic sanctions, and liquidity issues in a particular economy may lead to a series of mid-term delays, cost overruns, and project cancellations. In such situations, a proactive and resilient approach (Agarwal & Ansell, 2016) to integrating PRM into ERM is more beneficial than a reactive approach of dealing with issues (Hillson, 2003; Virine & Trumper, 2007; Virine & Trumper, 2013).

Risk management is considered an essential and key discipline of project management. It enables managers to effectively identify, assess and control the key risks of projects (Kutsch & Hall, 2010). A project-based company is expected to manage risks both at the corporate level (macro level) and at the project level (micro level). At the macro level, risk must be aggregated to provide a holistic view, whereas at the micro level project-specific operational risk should be given priority.

In the last two decades, there has been a shift in thinking about the way risk is to be managed. A large number of professional institutions, consultancy companies such as KPMG and E&Y, and credit rating agencies such as Standard & Poor's have started discussing ERM frameworks and standards and have provided practical guidance on implementing ERM. ERM is a broader term which extends Enterprise Project Management, as it enables companies' boards of directors to manage risk and uncertainty at the enterprise level (Dinsmore, 1999). Managing risk at the enterprise level is substantially different from managing risks at the project level.

ERM links all risks within an organisation, whether internal or external, with the organisation's objectives (Bromiley, McShane, Nair, & Rustambekov, 2014; COSO, 2004). Under this approach each risk class, such as market risk, operational risk, reputational risk or compliance risk, is a part of the firm's overall risk portfolio (Beasley, Clune, & Hermanson, 2005; Hoyt & Liebenberg, 2011; Nocco & Stulz, 2006; Pagach & Warr, 2010).

Multiple reporting of similar risks from different projects to the company's CFO is one of the major reasons why ERM came into existence; it overcomes one of the drawbacks of PRM, namely that risks are managed in ‘silos’. For instance, every project manager is expected to report project-specific risks and corporate risks to a CFO/CRO. Corporate risks are usually common across projects and repetitive in nature. ERM supports collective decision-making by the company's board of directors and senior management. It moves from a separatist approach to a collective approach to risk-based decision-making.

