Managing Risk in Organizations

Frame.ffirs 6/16/03 12:59 PM Page i

Frame.ffirs 6/16/03 12:59 PM Page ii

Managing Risk in Organizations

Frame.ffirs 6/16/03 12:59 PM Page iii

Frame.ffirs 6/16/03 12:59 PM Page iv

J. Davidson Frame

Managing Risk

in Organizations

A Guide for Managers

Q

Frame.ffirs 6/16/03 12:59 PM Page v

Copyright © 2003 by J. Davidson Frame.

Published by Jossey-Bass

A Wiley Imprint

989 Market Street, San Francisco, CA 94103-1741 www.josseybass.com

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in

any form or by any means, electronic, mechanical, photocopying, recording, scanning, or

otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright

Act, without either the prior written permission of the Publisher, or authorization through

payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222

Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at

www.copyright.com. Requests to the Publisher for permission should be addressed to the

Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030,

201-748-6011, fax 201-748-6008, e-mail: [email protected].

The Washington Post story on pp. 13–14 is © 2001, The Washington Post. Reprinted with

permission.

Jossey-Bass books and products are available through most bookstores. To contact Jossey-Bass

directly call our Customer Care Department within the U.S. at 800-956-7739, outside the U.S.

at 317-572-3986 or fax 317-572-4002.

Jossey-Bass also publishes its books in a variety of electronic formats. Some content that

appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data

Frame, J. Davidson.

Managing risk in organizations : a guide for managers / by J. Davidson Frame.—1st ed.

p. cm.—(The Jossey-Bass business & management series)

Includes bibliographical references and index.

ISBN 0-7879-6518-9 (alk. paper)

1. Risk management. I. Title. II. Series.

HD61.F726 2003

658.15’5—dc21

2003008144

Printed in the United States of America

FIRST EDITION

HB Printing 10 9 8 7 6 5 4 3 2 1

Frame.ffirs 6/16/03 12:59 PM Page vi

The Jossey-Bass

Business & Management Series

Frame.ffirs 6/16/03 12:59 PM Page vii

Frame.ffirs 6/16/03 12:59 PM Page viii

ix

QContents

Preface xi

About the Author xix

1 The Big Picture 1

2 Practical Limitations of Risk Management 17

3 Organizing to Deal with Risk 32

4 Identifying Risk 49

5 Assessing Impacts of Risk Events—

Qualitative Impact Analysis 68

6 Assessing Impacts of Risk Events—

Quantitative Analysis 83

7 Assessing the Impacts of Risk Events:

The Role of Probability and Statistics 104

8 Planning to Handle Risk 134

9 Monitoring and Controlling Risk 150

10 Business Risk 177

11 Operational Risks 204

12 Project Risk 227

13 Conclusions 248

References 255

Index 259

Frame.ftoc 6/16/03 1:00 PM Page ix

To Yanping and Koko

Frame.ftoc 6/16/03 1:00 PM Page x

xi

QPreface

Toward the end of the 1990s, we approached the coming millennium

with a foreboding that was similar to what our ancestors experienced

a thousand years earlier. In 999, many of them envisioned the new

millennium as ushering in Armageddon and the end of the world.

Today, we are more sophisticated. Like our ancestors, we saw the new

millennium as bringing chaos and uncertainty, but this time it as￾sumed a peculiarly high-tech and secular cast in the form of what we

called “the Y2K problem.” We breathed a collective sigh of relief when

January 1, 2000, came and went with no collapse of our economic in￾frastructure. But whatever security we felt did not last long.

For the proponents of doom and gloom, the new millennium has

not been disappointing. Even as the economies of the industrialized

world reached unprecedented peaks of affluence at the outset of 2000,

they were caught in the grips of a free-fall decline within a year. Then

on September 11, 2001, an event of terrorism shook the capitalist

world to its roots. The attacks on the World Trade Center and Penta￾gon reinforced the view that despite all the appurtenances of wealth

and stability that we have grown accustomed to, the world is a dan￾gerous place. The subsequent anthrax attack on the U.S. postal system

confirmed this perspective.

Fear of terrorism and uncertainty took a big toll on global stock mar￾kets. Stock prices plunged. Retirees who had jumped on the bull market

bandwagon toward the end of the 1990s watched their savings being

wiped out. The pounding of the stock market continued when the

largest financial scandals of modern times were revealed. Major cor￾porations such as Enron, WorldCom, and Global Crossing confessed

that they had cooked their financial books, abetted by prestigious ac￾counting firms such as Arthur Andersen LLP.

These events reminded us of something many of us had forgotten:

the world is a risky place. Planet Earth itself is a bull’s eye on a target;

one day an asteroid will hit the mark, with devastating consequences.

Frame.fpref 6/16/03 1:00 PM Page xi

Global warming is causing ice caps to melt and sea levels to rise. One

portion of the planet experiences unprecedented floods, while another

faces unparalleled drought. Meanwhile, malcontents around the globe

justify unconscionable acts of murder and mayhem on religious, cul￾tural, or political grounds. And financial markets regularly prove that

Newton’s views on gravity prevail: what goes up must come down.

Awareness of life’s dangers has sparked an interest in risk and its

consequences. Untoward events are occurring regularly throughout

the world. We are loathe to stand by passively as they ruin our lives.

The question many people raise is: What can we do to lessen the like￾lihood of their occurrence and to reduce their impacts when they do

arise? That is, what can we do to manage risk?

This book is written to help you understand and cope with the

risks you come across on the job. It examines the risks you routinely

encounter and explains their origins. It offers prescriptions for as￾sessing their impacts and developing strategies to cope with them. It

suggests how you can organize your operations to deal with them. To

help you manage risk more effectively, it offers an abundance of tools

and techniques that risk practitioners regularly employ.

I have been teaching risk management in business schools and ex￾ecutive development programs since the mid-1980s. Although I have

come across a fair number of risk management books over the years,

I did not find any that addressed the risk management concerns of

general managers in business and government enterprises. This cre￾ated problems for me because there was little written work I could use

to supplement my class presentations. The risk management books I

encountered focused on narrow areas. There are a number of excel￾lent texts on understanding and handling risk from the perspective of

the insurance industry. I have come across other useful works that ap￾proach risk management from the purview of hazards and occupa￾tional safety. There are quite a few books written for investors in the

stock market that show readers how to accommodate investment risks.

Finally, there are substantial numbers of books that are heavily quan￾titative and approach risk management from the viewpoint of oper￾ations research. But there is very little that general managers would

find useful.

I hope this book fills the information gap that I perceive. I have de￾signed it to provide managers with all they need to know in the risk

management arena. I have attempted to increase its relevance to gen￾eral managers by offering a large number of practical examples and

case studies that bring theoretical principles to life. I have even in￾xii PREFACE

Frame.fpref 6/16/03 1:00 PM Page xii

cluded a friendly primer on statistics: Chapter Seven will help man￾agers appreciate better the quantitative aspects of risk management.

Beyond this, I have worked to make the book as up-to-date as possi￾ble. For example, I show how real options concepts borrowed from

the financial community can be employed to reduce project risk.

I encountered two major challenges in writing this book. The first

was putting boundaries around the topic. Everyone who works in the

risk area quickly recognizes that risk is ubiquitous. Insurance compa￾nies see it as the prospect of loss of or damage to assets. Financial in￾vestors see it in terms of returns on investments. Hazard and safety

managers approach it from the perspective of loss of life and limb. En￾vironmentalists worry about damage to the environment. Project

managers are primarily concerned with the possibility of missing

deadlines, or encountering cost overruns, or not achieving specifica￾tions. Operations managers view it as the prospect of the breakdown

of basic processes. Scientists and engineers focus on their ability to

work in uncharted terrain to achieve results that have never before

been achieved. And the ordinary citizen encounters it in all of its man￾ifestations: If I work in a room of smokers, will I get lung cancer?

Where should I invest my retirement savings to maximize returns and

minimize risk? Will I be able to handle a Christmas party with sixty

guests? Are my smoke detectors working?

The book’s title indicates the work’s boundaries. Managing Risk in

Organizations examines the daily risks we encounter as we carry out

our jobs in a business setting. The title is not fortuitous. I have already

written another book with the title Managing Projects in Organizations

(2003). In that work, I stress that your success or failure in executing

projects is more closely associated with organizational factors, such as

your ability to handle project politics and to motivate team members,

than with your skills in building a computerized schedule. Similarly,

in the business world, managing risk occurs within an organizational

context. If you ignore this context, your attempts at managing risk will

surely fail.

The second major challenge I faced when writing this book was to

establish a proper balance between the quantitative and qualitative di￾mensions of risk management. There are those who strongly believe

that the quantitative perspective has little to offer, because real-world

risks seldom lend themselves to ready and meaningful measurement.

After the 2001 terrorist attacks, I had several students ask me whether

I thought a quantitative approach to risk management could have pre￾dicted those catastrophic events. I answered no. But I added that a

Preface xiii

Frame.fpref 6/16/03 1:00 PM Page xiii

quantitative approach could be enormously helpful in assessing the

economic, personal, and infrastructure damage resulting from a col￾lapse of the twin towers. Thus, although it might not lead to accurate

predictions of the occurrence of a risk event, it could provide valuable

insights about its impact.

There are also those who believe that so long as risk management

is based on anecdotes and qualitative assessments, it lacks sufficient

rigor to make it truly useful. They are fond of quoting William Thom￾son, Lord Kelvin, who at the end of the nineteenth century stated that

if you are trying to explain something without including measures,

“your knowledge is of a meager and unsatisfactory kind” (Thomson,

1894). They point out that the tools of probability and statistics are

enormously helpful in identifying risk events and predicting their im￾pacts and that they provide important insights that you cannot gain

from purely qualitative assessments.

The arguments of both sides have merit, which suggests that people

interested in managing risk effectively must steer a course between the

two extremes. We must acknowledge that there is much more to man￾aging risk than plugging probability values into equations. And we must

also recognize that tools such as expected monetary value analysis and

Monte Carlo simulation have demonstrated their value over and over

again and that to ignore them weakens our ability to handle risk.

In this book, I provide readers with the quantitative background

they need to understand the basics of probability and statistics that

can help them improve their risk assessment capabilities. Readers with

good quantitative skills can breeze through the explanations. Those

who have eschewed math courses since squeaking through high school

algebra may have to work a little harder, but not that much. The quan￾titative skills the effective risk manager needs do not go much beyond

what you learned in high school.

ORGANIZATION OF THE BOOK

Chapters One through Three establish the context for understanding

risk management. Chapter One offers an overview. It defines the con￾cept of risk and shows how it is closely tied to the amount of informa￾tion that is available to make decisions: the less information is available,

the more risk you face. It describes various types of risk you can en￾counter: pure risk, operational risk, project risk, technical risk, busi￾ness risk, and political risk. Finally, it offers a framework for handling

xiv PREFACE

Frame.fpref 6/16/03 1:00 PM Page xiv