Megan (Producer) (00:02):
Hi. Welcome to the latest edition of Risk! Engineers Talk Governance. My name's Megan and I work behind the scenes as producer of the podcast. In this episode, due diligence engineers Gaye Francis and Richard Robertson talk about risk managers and their role in organisations, in particular, their role in project governance.
(00:29):
The podcast is available across all podcast platforms, including Apple, Spotify, and Google. And if you like the episode, we'd love you to give us a rating just to help us spread the word.
(00:43):
Please enjoy this episode and if you have any feedback, please drop us a line.
Gaye Francis (00:50):
Good morning, Richard.
Richard Robinson (00:51):
Good morning. Yeah, good morning Megan.
Gaye Francis (00:53):
All ok for Monday morning. Today we thought we'd talk about risk managers and the role of the risk manager in organisations and projects. And part of this has led on from our book launch of project governance, which we're actually doing later in the week, and the role the risk manager plays in projects in particular. There's a lot of infrastructure projects going on in Australia at the moment and a lot of jobs being advertised, asking for risk managers and risk advisors.
(01:28):
For us that seems a bit of a strange request in risk management because we've always understood that the function of risk belongs with a line management function and belongs with the project director in the case of projects, or the board and the executive management team. So it's a line management function of business as usual.
Richard Robinson (01:46):
That's correct. So unless the risk manager, so called, is line management, then they can't be the risk manager, the best they can ever be as a risk advisor on whose advice line management can rely when they're talking their area of expertise. But to actually say that risk management is a separate function, we think is fundamentally a failure of corporate governance. And that seems to be happening an awful lot around Australia.
Gaye Francis (02:10):
That's right. So as you said, they can facilitate the process. They can provide advice. But what they can't be responsible is for the risk or the risk register for the organisation or the project.
Richard Robinson (02:26):
They can maintain it, but they're not the decision makers. And all the legislation that's been happening later and has just been focusing on that point. I mean the corporation's law basically says that directs have to demonstrate diligence that they can business can pay bills when they fall due. The environmental legislation has always been like that. And obviously the WHS legislation, we've been informed by various lawyers that the whole point of the WHS legislation was a governance document. And the intention was that if businesses couldn't comply with that legislation, they should be put outta business. Now, the idea that you appoint a risk manager to facilitate that compliance that's, or the function seems reasonable, but the actual decision making, the responsibility, which is the whole point of legislation, is Board, CEO and depending on the function of project manager or general manager or whatever you're doing.
Gaye Francis (03:15):
Yeah. I think one of the interesting things in the, the project space as we said was that there's been a lot of risk managers being advised for big infrastructure projects and there've been a request for to look at risks and opportunities. So there's still some confusion around what project due diligence or project governance's about. Most of the benefits for projects have actually been stated up front and you're doing a downside risk assessment to make sure that they don't manifest or impact those critical success outcomes.
Richard Robinson (03:47):
Before any of these big projects get up, and that's admittedly what the large Commonwealth government review seems to be about now, there's meant to be a proper upside downside to work out what all the value that this project will provide, like a new freeway or a new high speed rail. You do all these assessments and studies to sort of confirm what the commercial benefits and the societal benefits will be. But that's all done up front. When you actually decide to implement it and you go to spend the money, you're now basically having an argument about why you won't achieve the things that have been agreed to be achieved.
Gaye Francis (04:16):
So there's usually very little opportunities that can be wrung out of a project once it's sort of been specified what it is. And I think in the delivery team in particular, and unless you understand what those critical success outcomes are for the project overall, then it's really hard to do your delivery. One, you might get some minor benefits, opportunities in relation to, you know, you have really good weather, for example, so you say some of your contingency on wet weather. But they're relatively small compared to potential showstoppers that have the chance of threats that have the chance to impact on....
Richard Robinson (04:57):
And that sort of leads onto the point. I mean, our experience has been, and we were talking about that in other webinars and things like that, but our experience has been that the successful projects, and we've never had one which hasn't gone successfully adopting our, you know..
Gaye Francis (05:12):
Governance approach.
Richard Robinson (05:14):
Governance approach. But the ones we've watched, if there's been a risk manager in the place, they've tended to be ditched if they're acting with people like us around. I can remember that large road project, which we perhaps possibly won't talk about in great detail, but they'd imported at great expense this risk manager - about $2.5 billion project - they imported a risk manager at great expense from the UK. And when we were running the high level risk workshop with all the senior decision makers from the three large organisations, it was just being done in the morning. We were doing criticality, downside risk assessment with the promised upside risk position. And he kept talking about upside, downside risk. It took a couple of hours, but they've just chucked him outta the room and said just forget it.
Gaye Francis (05:58):
He was still trying to do the opportunities.
Richard Robinson (06:01):
That's been the case with all the big projects that we've done. Remember the large project in Queensland, they had two competing projects in that tunnel and we ran our vulnerability workshop coming top down and we were told afterwards that's the reason why they won it. Because the government's agencies were so impressed that all the things that they didn't want have happened. They knew what the benefits were already. That's why they'd asked the tenderers...
Gaye Francis (06:21):
to achieve...
Richard Robinson (06:22):
...to do the job. That, but we convinced them that they had the best grasp of what would make sure that none of the bad things, the downside stuff, would occur.
Gaye Francis (06:31):
And I think sometimes upfront getting all the stakeholders to agree on what all of those upside benefits are is half the battle. And being able to articulate that.
Richard Robinson (06:40):
Well, you remember that all the studies we have done, the owners or the final asset owner, and what their critical success outcomes are, is quite often different to the contractor's who wants to deliver on time, on budget and to spec, and so forth.
Gaye Francis (06:57):
Whereas the project performance one's about functionality. What if we're gonna get improved travel times, improved conductivity and we're gonna get all of these other benefits to be able to move for the infrastructure projects.
Richard Robinson (07:09):
Well, that's the other point. But if you've got this risk manager, they're doing upside downside on the contractor's side, against whom is their upside being against and tested? It's obviously against the owner or the client because that's the only place where they can extract further funds from their point of view. If they delivered on time and budget to spec, the only upside they can get is more money.
Gaye Francis (07:30):
From their client. Or done quicker.
Richard Robinson (07:31):
Yep. Or or they finish it earlier. But that's a positive benefit for everybody. Whereas you watch some of these contracts and then you see there's some inspected thing and there's a large couple of projects around Melbourne involving tunnels where some contamination was found and the delays in costs and the ultimate cost in that case to the government, and that means the taxpayer, was stupendous.
Gaye Francis (07:53):
Yeah, yeah. And that should have been identified way upfront.
Richard Robinson (07:58):
Yes. And I can't believe that wasn't a known issue, that would've been...
Gaye Francis (08:02):
But if you take the risk aspect of it and rather than just saying from criticality viewpoint, you know, is this credible and critical? The answer is yes. Well, we'll manage it from a governance viewpoint. If you take a risk look at it, yes, it has potential for high consequence, but what's the likelihood?
Richard Robinson (08:20):
You might remember that government, the cabinet in confidence project that we stopped and we're still not allowed to talk about.
Gaye Francis (08:27):
Yes.
Richard Robinson (08:28):
After we round a workshop.
Gaye Francis (08:29):
So we probably won't talk about it in this podcast, Richard.
Richard Robinson (08:33):
Possibly not.
Gaye Francis (08:36):
So from our viewpoint the role of... We don't think organisations really need a risk manager. It should be part of business as usual.
Richard Robinson (08:45):
Correct. Line manager is the risk manager.
Gaye Francis (08:47):
You should have risk advisors. And they can be internal or external. It doesn't really matter. And they need to understand a number of processes that can be undertaken, because it's not a one size fits all, tick box exercise, black/white.
Richard Robinson (09:01):
And just do not keep using the risk management standard. We cannot believe how many people are getting into trouble just using that, particularly from project point of view.
Gaye Francis (09:10):
So by having these good people around you that can advise you on projects, they can help you manage the process, they can help you manage the risk register or the precaution register, but they don't own it. And what we've found is sometimes when the risk manager owns the risk register or the precaution register, as we like to call it, the responsible people walk away from it and they make it so complicated that it's really, really tricky to understand and difficult to understand. And so they overcomplicate the risks' register...
Richard Robinson (09:48):
So the senior decision makers do not get it.
Gaye Francis (09:50):
No. And so your risk register for a project should be in the tens, not in the hundreds. If you've got a risk register as an organisation, as a project, that has hundreds of items on it, you miss the point.
Richard Robinson (10:04):
Correct. Cause it's not the big ones that will to kill the project. And we just find that what happens if you've got one of these sort of professional risk managers in there, you get such ginormous risk registers that the important thing is get lost in the dross. And senior management doesn't find out until it's too late.
Gaye Francis (10:19):
And as we said, they're the ones responsible for making the decisions. So, part of it, some of these topics build on each other. And then I guess that's a then a reporting discussion and mechanism of how the credible, critical things, the high level things, get escalated to the right level. And we don't see that done particularly successful at organisational, project level either. As we said (they) mainly have really, really big risk registers, hundreds of items instead of tens of items. So how do you make sure the important things get up to the people that do need to make the decision? Cuz as we said the risk management does not make the decision on what needs to be done to manage those risks.
Richard Robinson (11:01):
What seems to happens, the risk management turned into its own industry and it doesn't always necessarily act in the best interest of the business or the projects. And from our point of view, the effort and the costs that are going into these process, particularly when you create this own empire, I suppose, is just simply not commensurate with the value of the organisation's getting. And it's something we just have not understood. And it's never made sense to us. I can fairly say, over the last 30 or so years. And every time we've come across it, I suppose the risk management functions tends to suffer some slings and arrows. But that's perhaps what happens?
Gaye Francis (11:39):
So I hope you found our discussion interesting. This is sort of one of the topics that annoys me a little bit that this is not as valuable as it could be. Because if you've got a really good risk advisor in your organisation or on your project, it just makes a huge difference. You don't necessarily have to spend, you know, it's not a necessarily a 30 hour a week or a 40 hour a week job to maintain it. But at the right time, you get the right advice from people who know what they're doing.
(12:11):
So thank you for joining us again, and we hope to see you next at the next podcast. Have a great day.