If you are a history buff like myself, you have probably come across the following statement, “Tactics win battles, but strategies win wars” or something to that effect. While I often find that martial analogies tend to be overused in discussions on project management, but I do think it is applicable when the topic is Enterprise Risk Management . Like an army, companies must adopt specific tactics to ensure the success of specific battles (projects), but at the same time support the underlying capabilities of the army (company) through high level planning and execution of strategies to ensure they win the war, or in the case of companies, remain profitable.

In the project management world, project managers are the officers who execute activities and tactics, monitor progress and make adjustments as needed to increase probability of winning the battle of delivering  a successful project.  In reality though, a significant portion of the risks and uncertainties that project managers face is beyond their immediate control and are symptoms of underlying weaknesses/strengths in their organizations capabilities. This type of risk has to be assessed and managed at a higher management level in the company. In this way we can see that risks can form a hierarchy  within an organization, each can have varying effects on different levels (projects, programs, etc) of the company. With this in mind, the manner in which the impact of these risks propagate through the various levels of the enterprise, should dictate the level at which they are managed.

Enter a formalized process of how to manage risks within an enterprise, which can be characterized as a portfolio of programs and projects. Enterprise risk management allows organizations to optimize how and where they manage risks. Some risks, which are specific to a location such a local regulations are best managed at the project level as they may have unique  characteristics that cannot be effectively managed at a higher level.  Manage other risks, such as resources, capital budgets, or changes in market conditions have systemic effects upon the entire organization and therefore need t o at higher level in organization.

What this means is a practical sense is you need the capability to manage multiple sets of risks (risk registers) that represent each level in your organization. For example, an enterprise risk register, could include all of those risks that are being managed by the head office, program risk registers would be used to manage program capabilities, and project risk registers would be include risks that can be controlled  at the project level.  In addition, the system should support the ability to modify where risks are being managed based upon their cumulative impact on the organization. A common example we see is resources. Often resource availability is a challenge for project managers whose resources shared across multiple projects. While resource availability may manifest itself in delays at the project level, an enterprise risk management system allows you to monitor the cumulative impact of these risks at a program level and apply appropriate actions to mitigate or alleviate the impacts. If a risk is critical enough, management of the risk can be transferred up to the  program level. This does not mean that a program risk will not have impacts on the underlying projects, but rather responsibility for reducing or resolving it will now be the responsibility of the program manager. In the example above, project managers would still have to account for the possible impacts of scarcity of resources, but would no longer be responsible for management of the risk.

The point of all of this is that Enterprise Risk Management allows you to address those underlying strategic or systemic issues that affect an organizations capability to deliver value, while delegating situation specific  actions or tactics to the level  at which they can be most effective.