. 55
( 92 .)


luck justice

Exhibit 14.2 Relationship between Decision Making and
Decision Outcomes

While there are myriad risks encountered by the professional services
firm, most of them can be generally categorized into four key areas:

1. Internal risks: Risks of undesirable outcomes that emanate from activ-
ities taking place inside the firm, including financial risks, employee
risks, hiring risks, and systems risks.
2. Delivery risks: Risks related to the delivery of services to clients,
whether on-site or off.
3. Client risks: Risks associated with the specific client but not a partic-
ular project.

Internal risks Delivery risks Client risks External risks

Controllability of risk

Controllable risks Uncontrollable risks
Risks that are reasonably Risks that are part of
foreseeable and can be the environment or
controlled through that are difficult or too
process and execution expensive to manage
Primarily manage through Manage through
process or policy insurance, contingency
planning, or avoidance

Exhibit 14.3 Professional Service Firm Risk Categories and Controllability
322 Services Delivery: Taking Care of Business

4. External risks: General risks such as natural disasters arising from
being in business but not associated with a specific client, project, or
internal operation.

These risks can be placed on a rough continuum of controllability, as de-
picted in Exhibit 14.3. Internal risks tend to be the easiest to manage be-
cause they are related to the firm™s own operations and staff. Moving from
left to right, delivery, client, and, finally, external risks become less and less
easily controlled.
In general, controllable risks can be addressed via the usual methods”to
mitigate these problems, senior management can simply dictate process, poli-
cies, and terms geared to providing the appropriate amount of f lexibility and
risk reduction. As the risk areas move down the controllability continuum,
the less effective process and policy become, and the more important insur-
ance, contingency planning, and avoidance become. The best written
processes and policies have little effect on an earthquake in progress.
The following section details some sample risks that we have identified in
each category, followed by a model for assessing risk and probability and
evaluating options for mitigating risks.

Sample Risks by Category
The large number of risks faced by a specific professional services firm is
difficult to inventory. The risks may vary by firm type (law versus medicine
versus business consulting versus other), specific type of work, firm geogra-
phy, client geography, staff type, project size, and even the personalities of
the senior management team. We identify some of the possible risks in each
category that may be faced by a professional services provider. While this list
is clearly not comprehensive, it can serve as a good starter set or the founda-
tion of brainstorming activities for firms to generate their own inventory of
specific risks in each category.

Internal Risks
• Fraud/embezzlement: Internal theft by employees through fraud, em-
bezzlement, or other intentional deceit
• Accounting error: Unintentional errors made by accounting staff that
impact firm income statement, balance sheet, cash f lows, general
ledger, or other financial information
• Billing accuracy: Generation of bills that accurately ref lect the proper
fixed fees, time and material, and expense charges to clients
• Hiring: Hiring practices that ensure individuals of the highest ethics
• Records: Retention of accurate client records, working papers, financial
statements, and other firm operating documents for appropriate length
of time
Risk Management and Quality Assurance

• Corporate espionage: Loss of firm intellectual property, client informa-
tion, or other proprietary information to competitors
• Systems and data security: Access to computing information systems
and data restricted to authorized firm professionals and staff
• Systems backup and recovery: Reliable backups of data and rapid recov-
ery from system crashes, errors, or inadvertently deleted information
• Physical security: Physical access to firm and client project sites and se-
curity of working papers and firm property
• Staff malfeasance: Theft of property, disparagement, or other deliber-
ate misconduct by staff members that damages the firm
• Intellectual capital: Loss or theft of critical intellectual capital that dis-
tinguishes the firm or gives it competitive advantage or advanced capa-
• Staff departures: Resignation of key internal staff due to retirement,
dissatisfaction, outside recruiting, moves, or other reasons
• Succession: Firm senior and junior leadership succession plans
• Resource management: Pipeline of resources to be available for new
business as well as proper management of resources during downtimes

Delivery Risks
• Skills: Availability of the specific skills or knowledge on the team to
successfully complete the project or service
• Scope: Well-defined parameters for project or service activities; clearly
delineated goals and milestones and an unambiguous understanding of
what will be regarded as successful completion in advance of com-
mencement of the project or service
• Underbidding: Underestimate of level of effort, skill set required, or
other resources required to complete the project
• Execution: “Do-ability” of the project (Do resources or skills exist
within the firm, or any firm, for successfully delivering the project or
service”also known as the “bridge-to-the-moon” problem?)
• Dependencies: Project or service tasks that depend on client initiatives,
staff, timelines, dates, or other events not controlled by the firm
• Third-party reliance: Reliance on outside individuals or entities for
completion of critical tasks in delivery of the project or service (e.g.,
third-party contract labor)
• Confidentiality: Inadvertent or purposeful release of critical client in-
formation not for public consumption causing embarrassment or dam-
age to the client, particularly sensitive for public companies
• Travel/geography: Risks associated with the specific point of delivery
of the product or service, including difficulty of getting to client site;
324 Services Delivery: Taking Care of Business

specific dangers based on geography of the project (environment, polit-
ical stability, neighborhood safety, etc.)
• Staff knowledge: Specific knowledge found in limited number of staff
that is critical to the project or service; exposure to unplanned staff de-
parture risk that will adversely affect the client
• Resource availability: Availability when needed of the proper internal
delivery resources and professional staff

Client Risks
• Personnel changes: Critical client project sponsors leaving, being de-
moted, promoted, or having their responsibilities change
• Financial trouble: Client running into financial difficulties or bank-
ruptcy, resulting in project or service contract cancellation and expo-
sure on existing sunk costs and receivables
• Gaming: Dishonest clients attempting to procure additional services for
free or dispute service quality or delivery in order to receive unwar-
ranted fee reductions
• Scope changes: Changes in scope of project, affecting ability to com-
plete the project, project budget, or client interest in completing project
• Mergers and acquisitions: Client acquisition or merger with another
company, resulting in project or service contract cancellation, renegoti-
ation, or elimination
• Project or service cancellation: Change in client priorities or budget, re-
sulting in elimination of the project or service contract
• Receivable prioritization: Client in financial difficulties prioritizing re-
ceivables, resulting in nonessential service providers™ exposure to bad
• Client concentration: High reliance on a single client or small number
of clients for revenues, margin, and staff billability
• Industry concentration: High reliance on clients in a specific industry
or related industries for revenues, margin, and staff billability

External Risks
• Natural disasters: Hurricanes, f loods, earthquake, fire, tornadoes, vol-
canic eruptions, and other natural catastrophic events
• Political unrest: Political demonstrations, unrest, or instability resulting
in danger to physical safety, client, or project viability
• Terrorism/war: War or terrorist acts that threaten staff physical safety,
client, or project viability
• Currency conversion: Changes in currency exchange rates that ad-
versely affect receivables
Risk Management and Quality Assurance

• Legislation: Legislative changes that adversely affect the project by
eliminating its rationale or changing client priorities

Risk Management Methodology
Exhibit 14.4 shows a methodology for the risk management process in a pro-
fessional services firm. The first step in generating a risk management pro-
gram is to (within reason) identify the possible undesirable outcomes. The
categories and risks mentioned in the previous section form a good starter
set, but each type of firm must determine its specific needs. Doctors and
lawyers must be concerned with malpractice, real estate agents with interest
rates, and technology consultants with IT budgets.
After the possible risks have been identified and inventoried, the firm
must determine the expected value of each risk”simply the likelihood of
occurrence (probability) and the cost of a bad outcome. This is the most dif-
ficult step and the step most open to interpretation.
Probabilities of events are notoriously difficult to estimate, as are costs of
outcomes. In fact, research shows that low-probability events are even more
difficult to estimate. Studies conducted by researchers at the Wharton
Schools Risk Management and Decision Process Center at the University of
Pennsylvania demonstrated that individuals have the best chance of estimat-
ing expected value when a variety of low-probability events are aggregated
to generate a probability (e.g., “estimate the probability that there will be

Identify Determine
possible mitigation and Repeat and
undesirable management revisit
outcomes approach

• Internal risks • Likelihood of • Change behavior • Revisit
• External risks occurrence • Change decision periodically as
• Controllable risks (probability) process assumptions
• Uncontrollable •Cost of bad • Insure against change
risks outcome risk •Continual
•Prioritize risks • Institute policy/ identification of
based on process new undesirable
expected value • Training outcomes
•Sanity check • Combination of
“binary” risks approaches

Exhibit 14.4 Risk Management Process Methodology
326 Services Delivery: Taking Care of Business

either an earthquake, f lood, or hurricane” versus estimating the likelihood
of each event individually).6
Studies by Kunreuther, Novemsky, and Kahneman also indicate that indi-
viduals are more effective when assessing possible outcomes relative to low-
probability events they are familiar with (e.g. “estimate the risk of a
chemical plant accident versus the risk of having a traffic accident”).7 Mak-
ing matters worse, similar studies found that decision makers regarding low-
probability, high impact events tended to either over-insure, assuming that
recurrence of a low-probability event was inevitable, or ignore the event en-
tirely, thinking “that can™t happen to me.”8
Once the expected value has been determined, the risks can be priori-
tized for management. In some cases, the probability will be very low, but
the cost very high (e.g., “Pascal™s Wager”). In these cases, a common-sense
approach to prioritization and mitigation should prevail.
The mitigation for a given risk will likely be a combination of actions,
policies, or decisions as opposed to a single approach. Some of the typical
options are changing behavior (“no more sodas in the server room”), chang-
ing decision processes (“let™s implement better screening for new employee
hires”), instituting policies or processes (“two signatures required on every
check over $10,000”), training (“all staff will attend client management skills
seminars”), or other business changes.

Improving Risk Management
As mentioned previously in the chapter, the importance of good decision
making in the risk management process cannot be overstated. A step that
professional services firms can take to improve decision making is training
and decision audits. Sales teams should focus training and development on
mitigating client and project risk. Delivery teams should focus on project
risk, internal resources on project and internal risk, and senior management
on client, project, internal, and external risk. Good decision-making habits
should be made part of the firm culture, and reading the basic literature in
the field of decision science should be part of the basic training for all firm
Good decision making can be enhanced by implementing postmortem re-
views for key business events: the conclusion of a large project, the acquisi-
tion (or loss) of a key client, the completion of a good (or bad) quarter.
Significant events represent a chance to review what went well and what
should change going forward, as well as understand better what went right
(and determining if it was “dumb luck” or “deserved success”). In our own
business consulting practice, after each major client engagement is com-
pleted, a full post-mortem analysis is required of the delivery team. The
learnings from that postmortem are used to drive changes in all parts of the
Risk Management and Quality Assurance


. 55
( 92 .)