Risk and the learning organisation

As risk management continues to attract increased attention, organisations are beginning to recognise how dependent success in this field is on effective KM. Tom Knight and Trevor Howes explore the various forms of risk commercial enterprises must contend with, in turn explaining how knowledge management can help businesses overcome or avoid these.

We have entered an era in which organisations with globally recognised brands and reputations are facing legal action or even total collapse because of the misdeeds of senior executives. Others, once highly regarded for competence, are making headlines for large-scale project failure. As a result, it is no surprise that risk management has become a hot topic this year in organisations from all sectors and spheres.

It would seem to be intuitive that good knowledge management leads naturally to the more effective management of risk. Better knowledge of influencing factors and the actions needed to cope with these can only help reduce the possibility of things going wrong. But as with anything else to do with KM, the devil is in the detail. This article attempts to identify various types of risk faced by organisations and to demonstrate how KM approaches can be used to manage or mitigate these risks.

But first, a word about risk itself. The popularly held view, that risk is always a negative to be avoided, isn’t necessarily true or sensible. Risk is something all people face, and their different perceptions, evaluations and reactions to that risk help make the world a far more interesting place. Indeed, risk can be an opportunity. When an entrepreneur takes advantage of a gap in the market, or a stock market analyst identifies an organisation whose share price seems very low given its performance or the potential market for its product range, they weigh the risk of exploiting an uncertain situation against the benefits of winning and making large amounts of money. The essential premise of capitalism is that those with capital risk it through investment in order to obtain a return. Global trade runs on perceptions of risk and the actions people take on the basis of these perceptions. In short, there is no return without risk, so intelligent risk taking ought to be encouraged.

When it comes to individuals, it’s that same perception of risk – in going on a roller-coaster ride, doing a bungee jump, placing a large bet or facing rejection when asking out a member of the opposite sex – that provides the very frisson that is central to the experience. Those in the business of providing amusement parks take great pains to find ways to heighten the unconscious perception of danger, while at the same time also reaffirming to the rational mind that everything will be alright. Yet human beings are very bad at assessing risk in a rational way. We regularly witness the knock-on effects of media scares associated with relatively minor risks to the mass population, such as salmonella in eggs. Meanwhile, far more significant risks such as smoking or being run over by cars speeding in residential areas (two of the top five killers in the UK today) are often met with apathy.

In the corporate sphere, those responsible for managing risk must strip away the impressions and perceptions surrounding it. Methods of risk evaluation and objective assessment of the situation must be found and followed by plans for mitigating risk in order to ensure a positive business outcome. It is at this point that the tools and approaches associated with knowledge management become essential. To make a proper risk evaluation, you first need an appropriate and accurate input of information that can be understood and interpreted in the correct context – a discipline at the heart of KM thinking.

The risks facing organisation can be divided roughly into three categories:

Corporate risk – risk with a strong strategic element where the very future of the organisation or its ability to conduct business might be compromised;
Project risk – risk to successful outcomes in specific projects. These are essentially tactical in nature, although if projects are sufficiently large or important to the business’s future, the impact may be more strategic;
Operational risk – risks faced daily in normal business, for example issues such as business continuity or operational compliance with legal or regulatory requirements. While corporate risk is often to do with external or large-scale threats, operational risk relates much more to internal processes, quality, skills and leadership.

Corporate risk

Of these categories, corporate risk is currently the most topical risk area and certainly the one with the most potential impact. Where risk factors impinge on the very future of the organisation, the way those risks are managed becomes crucial to long-term survival.

Corporate risk tends to come from two quarters: from the external environment and from the limits or problems associated with internal capabilities. It is external risks that are focused on by those charged with gathering market intelligence, such as competitor activities, new products or services on the horizon, innovations in pricing and delivery, or the impacts of national, regional or global trading conditions. Other external risks might include forthcoming legal or regulatory changes that might impact on the content or delivery of products and services, or impose substantial training or IT burdens.

The standard tools for evaluating corporate risk include Steepl analysis. Steepl is the breakdown of the external challenges, problems or opportunities presented by sociological, technological, economic, environmental, political and legal change factors. Such analysis is often supplemented by scenario planning – a powerful technique first used by Shell in the 1970s built around the premise of thinking the unthinkable. It works by constructing scenarios where current Steepl trends, (usually constructed around unlikely but still feasible events, such as wars, currency collapse or major technological breakthroughs), are extrapolated to generate very different scenarios for future business environments. Use of such techniques enabled Shell, which had devised contingency for the possible impact of drastically lower oil prices, to fare far better than arch-rival BP, which was forced into dramatic retrenchment when oil prices did indeed collapse in the late 1970s.

To be successful, such processes need reliable and accurate information input. For example, market intelligence should be gathered from a good range of third-party sources, such as industry analysts, specialist media or from participation in industry forums, think-tanks and conferences. After all, the risk judgements made in Steepl analysis and in scenario planning workshops are only as good as the information the participants have to work with and the tacit knowledge that the individuals involved have about market conditions that puts that information into context.

A specific example of how KM techniques might be used to mitigate corporate risk is in the area of succession planning. This term has come to have a fairly narrow meaning – typically, the identification and ‘grooming’ of chief executives and other senior managers. But the demographic time bomb about to materialise in most of the western democracies, as the baby-boom generation reaches retirement age, has led to an expansion in the use of the term. One G8 nation, Canada, will lose 50 per cent of its civil servants in the next ten years and 70 per cent of current senior civil servants in the next five years. The situation in the UK is not quite so dramatic, but many organisations (especially in more traditional market sectors such as manufacturing) will face this problem relatively soon.

This situation brings issues around training, skills transfer and knowledge capture into play. In particular, transferring the tacit knowledge built up by workers over years of experience to new and a potentially smaller numbers of workers is a major challenge. Managing the situation successfully requires a whole raft of KM techniques to be deployed, including exit interviews, databases of expertise, improvements in information handling skills throughout the organisation and even wholesale redesign of business processes. One major change, for example, is that senior management is starting to recognise the tacit knowledge that their organisations lose when they choose to downsize the organisation through providing incentives for large-scale early retirement.

Corporate risk does not just come from external influences. Internal factors are also a major factor, in particular if there is the potential for activities to embarrass the company and cause significant reputational risk. The exposed malpractices that surrounded Enron provide but one example (see also ‘Dealing with reputational risk’ on page 23).

One difficulty faced by companies is that traditional management information systems have tended to focus on performance data. Yet such methods are simply not good enough in an era where those responsible for corporate direction and communication between the business and shareholders, analysts and the media need continual, up-to-date and accurate information on what the organisation has been doing. Furthermore, communications plans need to include information about which people in a company have relevant expertise and who are accountable for specific business activities.

This information and communications infrastructure, which ensures the visibility of people and business activity across all operations, is becoming a core organisational capability. Such visibility and transparency is also the cornerstone of corporate governance, another hot topic. In this area the debate has focused on the ethical structures in place within organisations, as well as on ensuring that appropriate skills and training are available to those in senior positions to ensure that they know what their responsibilities are. Again, however, the appropriate information infrastructure in terms of access to documentation and communications tools must be in place if training and ethical compliance regimes are to succeed. Support for corporate governance activity and an increasing awareness at a senior level of the need to better manage documentation such as contracts and communications between the organisation and customers or staff that may have important legal status, are also becoming a dominant feature of KM implementation programmes.

Project risk

Most organisations conduct risk management within projects and it is certainly a feature of the most commonly-used project and programme management methodologies such as Prince2, which includes detailed processes for uncovering risks and for risk logging, monitoring and management. Risk therefore comes into the typical project manager’s remit, as something to be measured, assessed and dealt with as a daily task.

The principles deployed by project and programme managers risk assessment are hardly new. In fact, the approach can be said to date back to 1654, when the mathematicians Blaise Pascal and Peirre de Fermat created the first mathematical probability model that enabled early approaches to assessment and quantification of risk.

Today’s project managers classify risk across two dimensions: the possible impact of the risk and the likelihood of it occurring. This enables efforts to be made to focus on either prevention or mitigation (see figure 1). For example, strenuous efforts might be made to prevent a low probability but high-impact event like an oil spill or chemical explosion, which may in turn lead to huge environmental and reputational damage. In this case, all efforts would be focused on ensuring the event does not occur. At the other extreme, there might be a high probability of a project being hit by delays due to bad weather, something that cannot be physically prevented. However, the impact on the project can be mitigated by taking some steps in advance, such as adding in contingency time and budget to allow for weather (based on reasonable predictions of likely delay), using particular materials or methods less susceptible to weather-based delay, or finding ways to share the risk in some way with customers or suppliers.

Figure 1 - classifying risk along the two dimensions

At the heart of project risk assessment is understanding: making assumptions plain, coming to an in-depth understanding of the situation and making sense of the various influences and possibilities. The level of understanding determines the degree to which impacts and probabilities can be calculated and activities planned and directed towards mitigation or prevention. The gathering of information and gaining of knowledge about these risks is closely aligned to the following knowledge processes:

Gaining understanding of the requirements in any risk situation;
Identifying, acquiring and putting information to use;
Developing, preserving and sharing relevant information, as well as personal knowledge and experience.

In project-related knowledge management activity, we can define this as adding ‘knowledge steps’ into the normal activities surrounding projects, for example building in debriefing sessions at the end of projects or getting project managers together to talk about their projects, the problems and risks that they have been facing, and what they have been doing about them.

In project-related KM, a major part of our efforts have tended to address documentation issues. Often there is no central repository for project materials. In many cases, there is not even a formal log of ongoing or closed projects. As a result, even though project reports may have been written and stored, complete with details of lessons learnt, these can often not be accessed by those in the organisation who would benefit most from reading them.

Building in new or improved ‘knowledge steps’ at the start of a project, at a project review stage and at project closure can go a long way in ‘de-risking’ projects and improving effectiveness in project delivery. Techniques can include using creative, no-blame techniques for end of project assessment such as after-action reviews or storytelling, supported as appropriate by document sharing technologies.

This approach should always be informed, particularly in service organisations, by the view that risk is, at least in part, a good thing. Most service organisations make their money from accepting and managing a degree of risk on behalf of the customer, who in turn gets significant benefit from this transfer of risk to suppliers. This is what justifies a fair margin for the service. Of course, this depends on whether the customer appreciates and values this risk transfer. Often the risks are not spelt out in advance, and may even be unknown to the customer. Therefore, any service organisation that can use prior knowledge of similar situations to demonstrate successful risk management may be able to gain significant commercial advantage over apparently cheaper rivals that fail to demonstrate the same depth of understanding of what might go wrong, and what they might do about it.

It also follows that if organisations manage project risk with an open evaluation of risk, this may provide a significant differentiator in a crowded marketplace. As a result, projects need proper risk support, including training of project, programme and bid managers, together with the right technology and information infrastructure to support project-related knowledge processes. In practical terms, this is an important prerequisite to moving away from unsophisticated approaches such as using shared drives for project documentation storage and hoping that will be enough, towards a much more process and technology-aware, knowledge-friendly approach, as described above.

Operational risk

Everyday operational business may not seem especially risky, but it is in this area that the battle for growth, profit and organisational survival is won or lost. It is also here that day-to-day issues such as the ability to respond to customer demand or meet legal or contractual operational requirements such as health and safety or other rules and data protection regulations can make or break a business.

This is where many KM disciplines come into their own in a business setting. Issues such as the quality of induction (how quickly individuals can obtain the knowledge they need to be effective in a particular business environment) and the ability of people to share informal, tacit knowledge and insight (whether about customers, products, procedures, technologies or the location of expertise) become critical.

The main KM input to de-risking daily operations is two-fold:

Ensuring that the environment properly supports tacit or informal knowledge sharing in order to help people perform at their best;
Ensuring that the formal information infrastructure meets the needs of operational business.

We class operations as having three elements:

Design;
Planning, execution and control;
Improvement.

Design is about the way organisations decide to produce and create products and services and get them to customers, as well as the design of the products and services themselves. Through learning from the past and involving knowledgeable people, incorporating best practice and previous lessons learnt, appropriate risks can be accommodated right from the start. The possible risks in design are too many to list, but include the impact of poor quality, building inflexible relationships and features, and incurring costs that are untenable.

Planning, execution, and control are more about day-to-day working and ensuring materials, people and capacity satisfy customer demands. Knowledge sharing and working in supported learning teams allows people to understand and take action when the probability of risks being realised increases. Risks surface constantly, be they petrol delivery driver strikes, large customers going out of business, or the wrong part being delivered at a time critical stage, but the right support and culture can help people to cope with the results.

Improvement is the third area of operations and is essential whenever organisations have competitors seeking to gain an advantage. It includes KM disciplines around ‘knowing what you know’ and developing understanding about what is going on internally within the organisation. It also includes applying intelligence techniques to find out and evaluate competitor activity and allows companies to take more control, putting them in a better place to dictate the rules of play, rather than being constrained by them.

The above are core practices for knowledge management, aimed at improving organisational effectiveness and efficiency by increasing the ‘yield’ from knowledge assets. But there is one major additional operational area where KM has a significant input: business continuity. The events of 11 September 2001 made many companies aware of the need for a proper risk assessment of business continuity, a phrase that has tended to mean the particular area of disaster management and in particular physical security such as system integrity and back-up/restoration procedures. But there is a big KM issue here, too, concerning whether people have the skills and knowledge to handle a disaster situation. Organisations must consider whether there are processes around knowledge and information in place to minimise operational risks to the business. There is no point in having back-up technology in place if the people and process aspects have not been thought through.

Putting it all together

It is clear, therefore, that knowledge management disciplines are closely linked with the management of risk in an organisational setting. In particular, KM can make a difference in the following areas:

Technology and information infrastructure – information management disciplines and technologies have a lot to offer, from intranets and communications/collaboration software to document management, search tools, taxonomies and so on. Proper access to information and expertise assists the process of understanding risk, without which proper risk management is impossible. This is particularly true in project contexts where access to information about previous projects (especially failures or problems overcome) might have significant impact on assessments made and, consequently, on decisions on pricing, contingency levels or the setting of deadlines;
People, skills and culture – the issues around skills, behaviours and motivation, which are at the centre of KM thinking, are also at the heart of risk management. The challenge is to change thinking, which in turn leads to changed behaviours. For example, government departments are faced with a massive document and records management challenge in order to meet deadlines for freedom of information, seen by many as essentially a technical information management matter. But given that the potential impact may be embarrassment to ministers and senior civil servants if wrong or misleading information is collected and made available, it is clear that there are also significant cultural and behavioural issues to consider;
Knowledge processes – in all situations, the quality of information available on which risk decisions are based depends heavily on which knowledge processes are embedded in corporate, project and operational practices. The challenge runs across identifying, obtaining, using and sharing risk information and having appropriate decision-making and learning processes in place.

Of all of these aspects, we believe that the most important are the process and cultural elements. Ultimately, the vision for any risk management strategy must be to create an environment in which knowledge is systematically and consciously used to assess, exploit, prevent and mitigate risk. There is another name for this: the learning organisation. The end goal of any KM practitioner must be to help create or develop a business climate through which the organisation is able to learn from both its own internal activities – whether corporate, project or operational – and from the external environment. The lessons learnt must then be applied to improve efficiency, effectiveness and, ultimately, profitability.

Tom Knight and Trevor Howes are principal consultants in the Knowledge Management Consultancy Practice at Fujitsu Services. Their new book, Knowledge Management: A Blueprint for Delivery - Practical Programme for Building the Learning Organisation (Butterworth-Heinemann) goes on general sale this month. Tom Knight can be contacted at: tom.knight@services.fujitsu.com