Académique Documents
Professionnel Documents
Culture Documents
By : Widiananda Prabowo
Brawijaya University
d. Risk management
BAA believes that “project management is a tool of the risk management
approach, not vice-versa”. Risk control ratings are set in the overall programme.
These ratings cascade through the project’s management and transform into personal
plans and objectives of all team members. The data in the system is supposed to be
meaningful and purposeful. The “root cause” of each risk is identified by the risk
process which enables the risk to be eradicated in the most effective way. BAA
identifies four levels of risk control. The primary objective is to keep all risks between
level 2 and 3 in the following scale:
- The solution does not manage the risk at an acceptable level.
- The risk is managed at an acceptable level with the possibility of improvement.
- The solution reached is optimal and cannot be improved upon.
- The solution excels the level of risk, and should be adjusted.
- Early on, the most critical risks are identified and where suitable, the solutions are
tested in beforehand to determine effectiveness of the solution.
f. Key Lessons
- The risk is always borne by the client.
- Project management is a tool for risk and opportunity management and not vice
versa.
- Those who are best able to manage the risk should be handed over the
management activity, and take over forms of contract that supports a risk
management approach.
- All parties reap substantial benefits from collaborative, integrated working
arrangement with suppliers.
- Board level leadership and sponsorship is utmost important.
- Safer construction and fewer defects can be attained by off-site prefabrication
and assembly of elements.
- Major projects should be done under excellent and highly experienced people.
This minimizes confrontation and establishes trust and openness in working
relationships.
2. CHIPOTLE CASE STUDY – EITHER MANAGE RISK OR DISCLOSE LACK OF RISK
MANAGEMENT
That blog detailed an important ruling: it refers not only to integrated risk
management competency at the executive level, but at all employee levels that have
an impact on company performance. This perfectly mirrors a risk management mantra
– risk should make up a part of everyone’s – not just risk managers’ – job description.
In 2007, regulators released Sarbanes-Oxley Audit Standard 5 (SOX AS5), which holds
management accountable for the risk of misstated company financials. The SEC
disclosure rule is similar in the sense that it uses materiality, not specific risks, as a
measure of what needs to be mitigated. It differs, however, in the sense that it applies
to all risks, not only financial concerns, and does not take into account an
organization’s size. In other words, everyone should be concerned with ERM
compliance.
This leads to a fork in the road : organizations need to either adopt an effective risk
management program or bite the bullet and disclose their ineffectiveness. There is no
third option – maintaining ineffective risk management tools without disclosure is
considered negligence, and is easier to prove than fraud is.
b. The Challenges
Chipotle’s recent fiasco demonstrates the results of poor risk management
According to Business Insurance, Chipotle’s problems don’t end with a host of recent
salmonella outbreaks, which have been linked to food sold in numerous branches. The
company also “failed to disclose that its ‘quality controls were inadequate to
safeguard consumer and employee health,’ according to a civil lawsuit.”
The company is now suffering a major reduction in share prices (35% since the end of
October 2016), reduced sales (December 2016, sales were down 30% in some
locations), and a marred reputation that relies upon the appeal of safe, sustainably
grown food. The manner in which the company misled shareholders is almost entirely
responsible for the civil suit.
Chipotle introduced a great innovation in the food industry: fresh, healthy, locally
sourced fast food. However, the company failed to implement the risk management
necessary to support that innovation. Enterprise risk management is as much about
enabling innovation as it is about facilitating compliance, health, and safety.
The check-the-box approach of disclosing the “usual risks” was made unacceptable
back in 2010, if ever it was acceptable. Every business innovates, and every business
therefore needs to find the unique risks it introduces, get them covered, and disclose
them to shareholders.
c. Risk Management
Had Chipotle’s management implemented an enterprise risk management solution,
either of two outcomes would have occurred:
- Food might never have been contaminated, since ERM extends to a robust vendor
risk management methodology that helps identify risks associated with a
company’s supply chain.
- Even if the outbreaks had still happened, Chipotle would have been able to
use enterprise risk management reporting capabilities to evidence its risk
program. This would have avoided regulatory penalties, provided evidence of
control activities, and guided risk disclosure, all of which would have eliminated
liability for non-disclosure of risk.
These outcomes aren’t just possible, they’ve happened before. In 2009, a Morgan
Stanley executive was found to have evaded internal controls. The company itself
avoided prosecution thanks to the robustness of its internal policies and procedures.
Unlike Chipotle, Morgan Stanley “maintained a system of internal controls meant to
ensure accountability,” and pointed to these systems when asked about the adequacy
of its risk management program. There is never a 100-percent guarantee that
surprises won’t happen. Sometimes, human error and external threats can’t be
predicted. What’s important is minimizing the likelihood of those surprises, and ERM
software accomplishes just that. At the very least, a robust, well-documented solution
provides an easy way for organizations to maintain full disclosure and avoid regulatory
action.
3. CASE STUDY 3 – TRIBUTYLTIN RISK MANAGEMENT IN THE UNITED STATES
b. Risk Management
Dr. Kentula commented that the case study (like others in the workshop) focused on
individuals and populations and thus took a bottom-up approach. An alternative, top-
down approach is to conduct an ecosystem risk assessment from a landscape
perspective. For example, Kentula stated that EPA's Wetlands Research Program is
developing methods to assess impacts on landscape function due to cumulative
wetlands loss. The method proceeds in two-stages: a landscape characterization map
is used to classify and rank units of the landscape according to relative risk, and can
also be used to set priorities for effort and allocation of resources; a response curve
expresses the hypothesized relationship between stressors (such as loss or
modification of wetlands) and reduction in landscape functions (e.g., maintenance of
water quality, or life support). The system can be used both to identify areas at risk
and to guide management decisions for landscapes that are already affected.
Dr. Loucks commented that the case study presents the consequences of the stress to
one local owl population at one time. For assessment of risk to the regional or total
population, one would need to construct a "dose-response" relationship, in which
"dose" would be a measure of the degree of stress (e.g., the percentage of the old-
growth forest that has been destroyed) and "response" would be the probability of
extinction of the population within an appropriate period (e.g., 250 years). Calculation
of the probability from the birth, death, and dispersal rates estimated in the case
study would require stochastic population modeling that takes account of uncertainty
and variability in the population parameters.
The Endangered Species Act is an example of preemptive risk management, in that a
high probability of extinction of a single species is designated as unacceptable. A
species-by-species approach, however, does not lead to quantitative assessment of
the risk of impoverishment of an ecosystem. Where possible, ecological risk
assessment should work across levels of organization and should assess risks of
reduction in system utility.
5. CASE STUDY 5 – ECOLOGICAL RISK ASSESSMENT FOR TERRESTRIAL WILDLIFE
EXPOSED TO AGRICULTURAL CHEMICALS
Addressing the ecological risks associated with the use of an agricultural chemical
involves a complex array of laboratory and field studies—in essence, a research
program. This paper provides examples of integrated field and laboratory research
programs, such as The Institute for Wildlife and Environmental Toxicology (TIWET) at
Clemson University. Preliminary toxicological and biochemical evaluations include
measurements of acute toxicity (LC50 and LD50), toxicokinetics, and observations of
wildlife in areas of field trials. Assessment of reproductive toxicity includes studies
with various birds and other wildlife, particularly European starlings that nest at high
densities in established nest boxes; these studies include measurements of embryo
and nestling survival, postfledgling survival, behavior, diet, and residue chemistry.
Nonlethal assessment methods include measurement of plasma cholinesterase
activity associated with organophosphate pesticide exposures. A wide variety of birds,
mammals, and invertebrates have been used in these studies.
The activities presented in the case study have a large research component, which is
focused on dose-response assessment and exposure assessment. One discussant
characterized risk assessment, as presented in the case study, as a retrospective
exercise based on focused characterization of hazard and exposure in wildlife. Given
the difficulties in conducting environmental risk assessments, the four-part paradigm
might not be applicable at levels of organization above that of the population.