• Confidentiality: Inadvertent or purposeful release of critical client information not for public consumption causing embarrassment or damage to the client, particularly sensitive for public companies
• Travel/geography: Risks associated with the specific point of delivery of the product or service, including difficulty of getting to client site; specific dangers based on geography of the project (environment, political stability, neighborhood safety, etc.)
Services Delivery: Taking Care of Business
• Staff knowledge: Specific knowledge found in limited number of staff that is critical to the project or service; exposure to unplanned staff departure risk that will adversely affect the client
• Resource availability: Availability when needed of the proper internal delivery resources and professional staff
Client Risks
• Personnel changes: Critical client project sponsors leaving, being demoted, promoted, or having their responsibilities change
• Financial trouble: Client running into financial difficulties or bankruptcy, resulting in project or service contract cancellation and exposure on existing sunk costs and receivables
• Gaming: Dishonest clients attempting to procure additional services for free or dispute service quality or delivery in order to receive unwarranted fee reductions
• Scope changes: Changes in scope of project, affecting ability to complete the project, project budget, or client interest in completing project
• Mergers and acquisitions: Client acquisition or merger with another company, resulting in project or service contract cancellation, renegotiation, or elimination
• Project or service cancellation: Change in client priorities or budget, resulting in elimination of the project or service contract
• Receivable prioritization: Client in financial difficulties prioritizing receivables, resulting in nonessential service providers’ exposure to bad debt
• Client concentration: High reliance on a single client or small number of clients for revenues, margin, and staff billability
• Industry concentration: High reliance on clients in a specific industry or related industries for revenues, margin, and staff billability
External Risks
• Natural disasters: Hurricanes, floods, earthquake, fire, tornadoes, volcanic eruptions, and other natural catastrophic events
• Political unrest: Political demonstrations, unrest, or instability resulting in danger to physical safety, client, or project viability
• Terrorism/war: War or terrorist acts that threaten staff physical safety, client, or project viability
• Currency conversion: Changes in currency exchange rates that adversely affect receivables
Risk Management and Quality Assurance
• Legislation: Legislative changes that adversely affect the project by eliminating its rationale or changing client priorities
Risk Management Methodology
Exhibit 14.4 shows a methodology for the risk management process in a professional services firm. The first step in generating a risk management program is to (within reason) identify the possible undesirable outcomes. The categories and risks mentioned in the previous section form a good starter set, but each type of firm must determine its specific needs. Doctors and lawyers must be concerned with malpractice, real estate agents with interest rates, and technology consultants with IT budgets.
After the possible risks have been identified and inventoried, the firm must determine the expected value of each risk—simply the likelihood of occurrence (probability) and the cost of a bad outcome. This is the most difficult step and the step most open to interpretation.
Probabilities of events are notoriously difficult to estimate, as are costs of outcomes. In fact, research shows that low-probability events are even more difficult to estimate. Studies conducted by researchers at the Wharton School’s Risk Management and Decision Process Center at the University of Pennsylvania demonstrated that individuals have the best chance of estimating expected value when a variety of low-probability events are aggregated to generate a probability (e.g., “estimate the probability that there will be either an earthquake, flood, or hurricane” versus estimating the likelihood of each event individually).6
Exhibit 14.4
Risk Management Process Methodology
• Identify possible undesirable outcomes: internal risks; external risks; controllable risks; uncontrollable risks
• Determine expected value: likelihood of occurrence (probability); cost of bad outcome; prioritize risks based on expected value; sanity check “binary” risks
• Quantify mitigation and management approach: change behavior; change decision process; insure against risk; institute policy/process; training; combination of approaches
• Repeat and revisit: revisit periodically as assumptions change; continual identification of new undesirable outcomes
Studies by Kunreuther, Novemsky, and Kahneman also indicate that individuals are more effective when assessing possible outcomes relative to low-probability events they are familiar with (e.g., “estimate the risk of a chemical plant accident versus the risk of having a traffic accident”).7 Making matters worse, similar studies found that decision makers facing low-probability, high-impact events tended either to over-insure, assuming that recurrence of a low-probability event was inevitable, or to ignore the event entirely, thinking “that can’t happen to me.”8
Once the expected value has been determined, the risks can be prioritized for management. In some cases, the probability will be very low, but the cost very high (e.g., “Pascal’s Wager”). In these cases, a common-sense approach to prioritization and mitigation should prevail.
The mitigation for a given risk will likely be a combination of actions, policies, or decisions as opposed to a single approach. Some of the typical options are changing behavior (“no more sodas in the server room”), changing decision processes (“let’s implement better screening for new employee hires”), instituting policies or processes (“two signatures required on every check over $10,000”), training (“all staff will attend client management skills seminars”), or other business changes.
Improving Risk Management
As mentioned previously in the chapter, the importance of good decision making in the risk management process cannot be overstated. A step that professional services firms can take to improve decision making is training and decision audits. Sales teams should focus training and development on mitigating client and project risk. Delivery teams should focus on project risk, internal resources on project and internal risk, and senior management on client, project, internal, and external risk. Good decision-making habits should be made part of the firm culture, and reading the basic literature in the field of decision science should be part of the basic training for all firm professionals.
Good decision making can be enhanced by implementing postmortem reviews for key business events: the conclusion of a large project, the acquisition (or loss) of a key client, the completion of a good (or bad) quarter. Significant events represent a chance to review what went well and what should change going forward, as well as to understand better what went right (and determine whether it was “dumb luck” or “deserved success”). In our own business consulting practice, after each major client engagement is completed, a full postmortem analysis is required of the delivery team. The learnings from that postmortem are used to drive changes in all parts of the business: sales, delivery, training, intellectual property, hiring, and support. While this practice has entailed extra effort, the business improvement benefits have paid a more than adequate return on the investment.
A crucial part of good decision making for professional services firms is the pursuit decision for new business. Many successful service providers have an aggressive, sales-oriented culture. While this is effective for driving revenue, oftentimes the firm will overreach when selling the next deal and wind up too far to the right-hand side of the risk continuum. A successful senior executive from a professional services firm put it succinctly: “Good business in. Good business out.”
This phenomenon has been dubbed “The Winner’s Curse” and is a topic of study by Richard Thaler, a prominent behavioral economics researcher at the University of Chicago. In his book The Winner’s Curse: Paradoxes and Anomalies of Economic Life, Thaler outlines the dilemma:
Suppose that each participant in the auction is willing to bid just a little bit less than the amount he or she thinks the land is worth (leaving some room for profits). Of course, no one knows exactly how much [the project] is worth: some bidders will guess too high, others too low. Suppose, for the sake of argument, that the bidders have accurate estimates on average. Then, who will be the person who wins the auction? The winner will be the person who was the most optimistic about the [value of the project], and that person may well have bid more than the [project] was worth. This is the dreaded winner’s curse. In an auction with many bidders, the winning bidder is often a loser. A key factor in avoiding the winner’s curse is bidding more conservatively when there are more bidders.
While this may seem counter-intuitive, it is the rational thing to do.9
Finally, one of the most effective risk-mitigation approaches employed by firms is simple, but rigorously enforced, policy and procedure. The larger the firm, the more important it is to put risk mitigation on “auto-pilot” through these methods. The importance (and positive effect) of this was recently highlighted for us. A senior manager of a service company we are acquainted with had his company acquired by a Fortune 50 entity. Immediately, all manner of new policies was implemented, which was both startling and amazing to a small company. Armed guards, sign-in protocols for guests, document disposal guidelines, new systems security requirements, and other changes both large and small were the order of the day.