Frame.ffirs 6/16/03 12:59 PM Page i
Frame.ffirs 6/16/03 12:59 PM Page ii
Managing Risk in Organizations
Frame.ffirs 6/16/03 12:59 PM Page iii
Frame.ffirs 6/16/03 12:59 PM Page iv
J. Davidson Frame
Managing Risk
in Organizations
A Guide for Managers
Q
Frame.ffirs 6/16/03 12:59 PM Page v
Copyright © 2003 by J. Davidson Frame.
Published by Jossey-Bass
A Wiley Imprint
989 Market Street, San Francisco, CA 94103-1741 www.josseybass.com
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording, scanning, or
otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright
Act, without either the prior written permission of the Publisher, or authorization through
payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222
Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at
www.copyright.com. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030,
201-748-6011, fax 201-748-6008, e-mail: [email protected].
The Washington Post story on pp. 13–14 is © 2001, The Washington Post. Reprinted with
permission.
Jossey-Bass books and products are available through most bookstores. To contact Jossey-Bass
directly call our Customer Care Department within the U.S. at 800-956-7739, outside the U.S.
at 317-572-3986 or fax 317-572-4002.

Organizing to Deal with Risk 32
4
Identifying Risk 49
5
Assessing Impacts of Risk Events—
Qualitative Impact Analysis 68
6
Assessing Impacts of Risk Events—
Quantitative Analysis 83
7
Assessing the Impacts of Risk Events:
The Role of Probability and Statistics 104
8
Planning to Handle Risk 134
9
Monitoring and Controlling Risk 150
10
Business Risk 177
11
Operational Risks 204
12
Project Risk 227
13
Conclusions 248
References 255
Index 259
Frame.ftoc 6/16/03 1:00 PM Page ix
To Yanping and Koko
Frame.ftoc 6/16/03 1:00 PM Page x
xi

These events reminded us of something many of us had forgotten:
the world is a risky place. Planet Earth itself is a bull’s eye on a target;
one day an asteroid will hit the mark, with devastating consequences.
Frame.fpref 6/16/03 1:00 PM Page xi
Global warming is causing ice caps to melt and sea levels to rise. One
portion of the planet experiences unprecedented floods, while another
faces unparalleled drought. Meanwhile, malcontents around the globe
justify unconscionable acts of murder and mayhem on religious, cul-
tural, or political grounds. And financial markets regularly prove that
Newton’s views on gravity prevail: what goes up must come down.
Awareness of life’s dangers has sparked an interest in risk and its
consequences. Untoward events are occurring regularly throughout
the world. We are loathe to stand by passively as they ruin our lives.
The question many people raise is: What can we do to lessen the like-
lihood of their occurrence and to reduce their impacts when they do
arise? That is, what can we do to manage risk?
This book is written to help you understand and cope with the
risks you come across on the job. It examines the risks you routinely
encounter and explains their origins. It offers prescriptions for as-
sessing their impacts and developing strategies to cope with them. It
suggests how you can organize your operations to deal with them. To
help you manage risk more effectively, it offers an abundance of tools
and techniques that risk practitioners regularly employ.
I have been teaching risk management in business schools and ex-
ecutive development programs since the mid-1980s. Although I have
come across a fair number of risk management books over the years,
I did not find any that addressed the risk management concerns of
general managers in business and government enterprises. This cre-
ated problems for me because there was little written work I could use
to supplement my class presentations. The risk management books I

managers are primarily concerned with the possibility of missing
deadlines, or encountering cost overruns, or not achieving specifica-
tions. Operations managers view it as the prospect of the breakdown
of basic processes. Scientists and engineers focus on their ability to
work in uncharted terrain to achieve results that have never before
been achieved. And the ordinary citizen encounters it in all of its man-
ifestations: If I work in a room of smokers, will I get lung cancer?
Where should I invest my retirement savings to maximize returns and
minimize risk? Will I be able to handle a Christmas party with sixty
guests? Are my smoke detectors working?
The book’s title indicates the work’s boundaries. Managing Risk in
Organizations examines the daily risks we encounter as we carry out
our jobs in a business setting. The title is not fortuitous. I have already
written another book with the title Managing Projects in Organizations
(2003). In that work, I stress that your success or failure in executing
projects is more closely associated with organizational factors, such as
your ability to handle project politics and to motivate team members,
than with your skills in building a computerized schedule. Similarly,
in the business world, managing risk occurs within an organizational
context. If you ignore this context, your attempts at managing risk will
surely fail.
The second major challenge I faced when writing this book was to
establish a proper balance between the quantitative and qualitative di-
mensions of risk management. There are those who strongly believe
that the quantitative perspective has little to offer, because real-world
risks seldom lend themselves to ready and meaningful measurement.
After the 2001 terrorist attacks, I had several students ask me whether
I thought a quantitative approach to risk management could have pre-
dicted those catastrophic events. I answered no. But I added that a
Preface

titative skills the effective risk manager needs do not go much beyond
what you learned in high school.
ORGANIZATION OF THE BOOK
Chapters One through Three establish the context for understanding
risk management. Chapter One offers an overview. It defines the con-
cept of risk and shows how it is closely tied to the amount of informa-
tion that is available to make decisions: the less information is available,
the more risk you face. It describes various types of risk you can en-
counter: pure risk, operational risk, project risk, technical risk, busi-
ness risk, and political risk. Finally, it offers a framework for handling
xiv
PREFACE
Frame.fpref 6/16/03 1:00 PM Page xiv
risk: risk planning, risk identification, qualitative and quantitative im-
pact analysis, risk response planning, and risk monitoring and control.
Chapter Two looks at the practical limitations of risk management.
It steps through the risk management process with a view to identify-
ing things that it can and cannot do. The strengths and limitations of
risk management are illustrated through two detailed case studies.
Chapter Three examines how enterprises can organize their risk
management efforts. It emphasizes that effective risk management
does not happen by accident; it requires sustained support from the
most senior ranks of the enterprise and must be designed into the or-
ganization’s processes. These processes should enable staff to conduct
risk assessments, manage crises, and recover from disasters.
Chapters Four through Nine explore a systematic risk management
process comprising risk management planning, risk identification,
qualitative impact analysis, quantitative impact analysis, risk response
planning, and monitoring and control. Chapter Four describes the
importance of being able to identify risk events that you might en-

risk events that you have identified. It focuses on four standard treat-
ments: risk avoidance, risk mitigation, risk acceptance, and risk trans-
fer. In addition, it describes how contracts are, at their heart, risk
management tools and shows readers how to calculate budget and
schedule reserves on their projects.
Chapter Nine, which addresses risk monitoring and control, goes
beyond assessment into the action phase of risk management. The fact
is that it is not enough simply to prepare for risk. You also need to be
able to deal with it once the risk events arise. Monitoring enables you
to keep your fingers on the pulse of the organization and its environ-
ment. By continual review of pending issues, for example, you may be
able to surface serious risk events while they are still small and man-
ageable. Control requires you to get things back on track. If you are
facing a very bad situation, it may even require you to be good at man-
aging crises; consequently, current perspectives on crisis management
are discussed in this chapter.
Chapters Ten through Twelve examine the special issues and fea-
tures of business risk, operational risk, and project risk. In Chapter
Ten, readers see that an interesting aspect of business risk is that it of-
fers the opportunity for gain as well as the prospect of loss. (Up to this
point of the book, the discussion has focused on pure risk, where con-
cern is with loss.) It puts the spotlight on two special instances of
business risk: risk associated with new product development and fi-
nancial risk.
Chapter Eleven looks at operational risk, that is, the risk associated
with carrying out operations. It examines sources of this type of risk,
including poorly formulated procedures, incompetence, and poor main-
tenance of equipment and software. It also makes the case that quality
management is a special case of risk management, because quality man-
agement is concerned with avoiding deviations from a norm. Conse-

and education programs, since risk and uncertainty permeate all man-
agement decisions.
In the early years of teaching risk management in an academic set-
ting, I pursued a fairly conventional approach. I preached the value of
following a structured risk assessment methodology and exposed my
students to a range of standard tools and techniques. My approach to
teaching risk management underwent a dramatic metamorphosis in
the early 1990s, when I began offering risk management courses to
men and women in executive development courses. Suddenly I found
myself surrounded by management practitioners who were dealing
with risk issues urgently and on a day-to-day basis. One student who
worked in the New Zealand park service indicated that a number of
school children had recently died when the viewing platform they
were standing on collapsed down a mountainside. Another group of
five students informed me that they were sent to my class after they
had mishandled a water quality crisis that caused widespread panic in
a major metropolitan area. Still another student shared with the class
Preface
xvii
Frame.fpref 6/16/03 1:00 PM Page xvii
stories of how corruption in the ranks of senior managers had forced
his company into bankruptcy. There was nothing abstract about risk
management in these classes.
Consequently, in acknowledging my debt to the people who made
this book possible, I must highlight the contributions of my students
over a twenty-five-year period. They challenged me to keep my courses
relevant. They also provided me with a wealth of insights about the
real world of risk in real organizations.
Thanks are directed to my colleagues at the Australian Graduate
School of Management (AGSM), the business school for the Univer-

Frame.fpref 6/16/03 1:00 PM Page xviii
xix
Q
About the Author
J. Davidson Frame is academic dean at the University of Management
and Technology, where he runs graduate programs in project man-
agement. Prior to joining the UMT faculty, he was on the faculty of
the George Washington University, where he established the univer-
sity’s project management program and served as chair of the Man-
agement Science Department and director of the Program on Science,
Technology, and Innovation.
Since 1990, Frame has also served as director of the Project Man-
agement Certification Program and director of education services at
the Project Management Institute. Before entering academia in 1979,
he was vice president of Computer Horizons and manager of its Wash-
ington office. While there, he managed more than two dozen infor-
mation age projects. Since 1983, he has conducted project management
and risk management seminars through the United States and abroad.
Frame received his B.A. degree from the College of Wooster and
M.A. and Ph.D. degrees from American University, where he focused
on econometrics and economic development. He has written seven
books, including Managing Projects in Organizations (3rd edition,
Jossey-Bass 2003), The New Project Management (2nd edition, Jossey-
Bass, 2002), and Project Management Competence (Jossey-Bass, 1999).
Frame.flast 6/16/03 12:59 PM Page xix
Frame.flast 6/16/03 12:59 PM Page xx
Managing Risk in Organizations
Frame.flast 6/16/03 12:59 PM Page xxi
Frame.flast 6/16/03 12:59 PM Page xxii
CHAPTER ONE