The Stage of Business – Introducing Incidental Risk and the Critical Path

First of all, what is considered a risk? If we are going to identify the risks we will need to know what to look for. I have heard risk defined as the effect of uncertainty on objectives. That definition is all right but a bit too vague. To effectively identify risks for a particular project or initiative, I think you have to be a bit more specific to the objective.

As risk relates to the Project Stream™, best practice dictates that each level is completed before the next level begins. As indicated in the diagram above, overlapping levels introduce incidental risk and compromise results. This is a common occurrence and typically happens when levels stretch out and there is no disciplined schedule for milestone start and completion.

“Delays have dangerous ends.” – William Shakespeare

When the project start and finish dates are fixed, milestone durations should be planned with contingency built in. Otherwise any expansion of one milestone's duration eats into the adjacent milestones, or, once the contingency is exhausted, raises the overall project risk.

Risk-aware scheduling is a critical part of project planning. The more time you spend crafting the schedule, the better chance you have of project success. If you plan it well, you will be able to use the project schedule to manage scope, schedule and budget together.

“True nobility is exempt from fear.” – William Shakespeare

Make a Plan, Have a Plan. You will be glad you did!

Don’t be afraid to look to the past when crafting your plan for the future.

What Is a Cyber Security Risk Assessment and Why Do One?

Modern-day companies face serious dangers from the cyber domain. The FBI recently reported that cybercrime increased 24% last year. The time has come for businesses to become proactive and conduct a cyber security risk assessment. Such an assessment focuses on identifying the threats and vulnerabilities that confront an organization's information assets.

Threats are forces that can harm organizations and destroy mission critical data. Vulnerabilities are the pathways that threats can follow to damage, steal, destroy or deny the use of information assets. Risks are realized when threats converge with vulnerabilities. Devastating losses can occur in a variety of ways.

A cyber risk assessment produces an understanding of the consequences associated with unauthorized disclosure, alteration or loss of an organization's confidential or mission-critical information. A business owner or governing authority, with the results of a cyber risk assessment in hand, can decide to accept the risk, develop and deploy countermeasures to mitigate it, or transfer the risk (for example through insurance or contract).

The world is immersed in an enormous asymmetric threat environment that is enabled by an incalculable number of vulnerabilities. Cybercrime is a growth industry: low risk for the attacker, high payoff. Financial losses due to data breaches are now reported to exceed the dollar value of the illegal global drug trade. Law enforcement, sadly, is unable to prevent cyber criminals from attacking your company. Organizations are largely on their own.

One of the few ways that a company can thwart cyber risks is to realistically assess its exposure and to implement controls that lower the chance of risks from being realized. Cyber security must be regarded as a business process that requires precise managerial controls similar to those found in accounting and finance.

How can an organization accomplish the cyber risk assessment?

Information assets must first be identified and valued. Internal and external threats, and the vulnerabilities that expose each asset to them, need to be realistically and objectively measured. The consequences of failing to offset each risk need to be understood. Existing policies, procedures and controls should be compared against security best practices to establish how much of the inherent risk they actually remove. Risk mitigation strategies, based upon organizational priorities and the organization's appetite for residual risk, can then be adopted.

Organizations would then be able to focus on increasing their information security efforts.
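The steps above can be carried out as a simple qualitative risk register. The following is an added example, not part of the original article and not a particular standard's method: it assumes 1-5 ordinal scales for likelihood and impact, models each risk as a threat converging on a vulnerability in a named asset, lets a control reduce likelihood (not impact), and applies an assumed treatment rule: accept when residual risk is within the organization's stated appetite, transfer when the risk is insurable and existing controls already remove most of the likelihood, and mitigate otherwise. The sample assets, threats and scores are constructed for illustration.

```python
"""Qualitative cyber risk register: score inherent risk, apply existing controls,
rank by residual risk and choose accept / mitigate / transfer (added example)."""
from dataclasses import dataclass

# Ordinal scales, 1 = lowest, 5 = highest. These scales are an assumption of this
# example; use whatever scale your organization has agreed on.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str                     # the information asset at stake
    threat: str                    # force that can harm the asset
    vulnerability: str             # pathway the threat follows
    likelihood: str                # key into LIKELIHOOD
    impact: str                    # key into IMPACT
    control_effectiveness: float = 0.0   # 0.0 = no control, 1.0 = fully prevents the threat
    insurable: bool = False        # can the loss be transferred to a third party?

    def inherent(self) -> int:
        """Risk before any existing control is credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Risk after controls. Controls lower the chance of the threat succeeding;
        they do not change how bad the outcome is if it does."""
        eff = self.control_effectiveness
        if not 0.0 <= eff <= 1.0:
            raise ValueError("control_effectiveness must be in [0, 1]")
        return round(LIKELIHOOD[self.likelihood] * (1.0 - eff) * IMPACT[self.impact], 2)


# Assumed decision rule (not from the article). Transfer is chosen only when the
# organization has already squeezed most of the likelihood out with controls.
WELL_CONTROLLED = 0.8


def treatment(risk: Risk, appetite: float) -> str:
    residual = risk.residual()
    if residual <= appetite:
        return "accept"
    if risk.insurable and risk.control_effectiveness >= WELL_CONTROLLED:
        return "transfer"
    return "mitigate"


def build_register(risks, appetite: float):
    """Return (risk, inherent, residual, treatment) rows, highest residual first,
    so the organization works the worst exposure first."""
    rows = [(r, r.inherent(), r.residual(), treatment(r, appetite)) for r in risks]
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed sample register; the figures are illustrative, not measured data.
APPETITE = 3.0
SAMPLE_RISKS = [
    Risk("customer database", "ransomware crew", "VPN without MFA",
         "likely", "severe", control_effectiveness=0.25),
    Risk("payment records", "external attacker", "legacy web app with known flaws",
         "likely", "severe", control_effectiveness=0.8, insurable=True),
    Risk("marketing website", "opportunistic defacer", "outdated CMS plugin",
         "unlikely", "negligible"),
]


if __name__ == "__main__":
    for risk, inherent, residual, action in build_register(SAMPLE_RISKS, APPETITE):
        print(f"{risk.asset:20s} inherent={inherent:2d} residual={residual:5.1f} -> {action}")
```

Reading the output top-down gives the prioritized list a business owner needs: the customer database stays far above appetite and must be mitigated, the payment records are already well controlled but still above appetite, so the remaining exposure is a candidate for transfer, and the website's residual risk is small enough to accept and revisit at the next review.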

Failing to take these additional information security steps can result in irreparable harm to the organization: violations of regulations and statutes, fines, lawsuits, and damage to the value of the company and its customer base.

The directors of publicly owned corporations and privately owned companies must comply with multiple laws, regulations and take all prudent steps to prevent information security breaches. Doing otherwise is irresponsible and stands as evidence of a lack of due diligence.

The findings of a cyber risk assessment can point the way for an organization to develop and follow through upon an information security plan that assures mission critical information.

Avoiding the steps needed to correct any weaknesses that are discovered may very well be considered a lack of due diligence.

The Energy Risk Professional Exam: What It Is, What to Expect, and How to Prepare

The Energy Risk Professional (ERP) is a professional designation from the American Petroleum Institute (API) and the Global Association of Risk Professionals (GARP) aimed at risk professionals working in the physical and financial fields of energy. When I studied for other financial designations I became interested in energy risk management. It was intuitive to me to use energy financial instruments for risk management and hedging, but the physical aspects of the energy risk professional designation were not entirely clear to me. I eventually took the plunge and registered for the November exam in the summer of 2010.

My main thought behind registering for the exam was that I found energy and the risk management of energy extremely interesting and was (and still am) sure that this field would soon grow tremendously in importance. All commerce is in some way related to energy, and I am sure that physical and financial energy risk management will soon spread to other businesses than simply airlines and petroleum refineries, as is the case today. I would not be surprised if there will also be new energy hedging products on the market soon, but this would clearly veer too far off the topic for now.

The ERP curriculum stretches from the physical aspects of petroleum (hydrocarbon genesis, refining, transport by tankers and pipelines) through coal and natural gas, to alternative energy such as solar, hydro, wind, and biomass. There are also segments on nuclear energy, financial trading instruments, valuation of energy transactions, financial disclosure, and laws and regulations. A large part of the material is electricity.

The physical aspects were actually much more interesting to me, as they contained ideas and concepts that were new to me. Even simple truths like the fact that electricity is not storable and what this means for trading electricity derivatives seem trite at first, but when you get into it further, it opens up a whole new universe.

My main challenge was reviewing and learning the study material. Looking back, I spent about 200 hours preparing for the exam, and passed. If this sounds like a lot, it was. There were simply no tools available at the time that I could have used for a shortcut.

If you work in the energy industry, I encourage you to look into the Energy Risk Professional (ERP) from GARP. This designation is new, but I believe it will grow tremendously in importance over the next few years, and has the potential to help you in your career. I wish you all the best for your exam preparation!