What Rio 2016 can teach us about effective risk management

With the Rio 2016 Olympics well under way, we examine effective strategies for managing risk on complex, large-scale projects.

A view of a sports stadium at night with many white tents outside

Risk management is a crucial part of any business. This is especially true in a world of increasing complexity and interconnectivity in which issues, such as supply chain management, and security and corporate reputation, are exposed to established and emerging risks on almost a daily basis.

So what do businesses need to consider when developing risk management and mitigation plans to help them better handle potential threats that might affect their operations, their staff, their customers and their balance sheet? And how can they be sure to adapt to new risks as they emerge?

EY’s Pedro Barros is part of the EY Brazil team that has been advising the Rio 2016 Organizing Committee for the Olympic Games (OCOG) since 2013, to help those managing the event be better prepared for, and ready to respond to, risks that might threaten its success. The steps he outlines can be applied to almost any business or major project.

Step 1. Build an effective risk profile

First and foremost, it’s essential to develop a comprehensive risk profile. For those involved in Rio 2016, this has meant taking a holistic approach, considering both the kind of risks that might impact the planning and preparation stages, and those that might affect operations during the course of the event itself.

One example was the country’s current economic crisis, which presented several risks and opportunities for the event. “One of the risks that had to be considered was around the impact of the crisis on ticketing sales, given that the price sensitivity could significantly increase with the rise of unemployment and inflation rates,” explains Barros. “This meant contingency plans for filling empty seats had to be prepared. In order to do that, the team used advanced analytics to predict the demand for each sporting session based on historic data from prior months and past events.”

During the months leading up to Rio 2016, the corruption scandals and the potential impact of the Zika virus only complicated matters further. In response, the committee mapped over 88 social projects that could be implemented in as little as two hours prior to the start of each match. 

“It’s important to take a broad approach in the first instance,” says Barros. “In assessing the top-level risks, the team factored in as many things as could feasibly impact Rio 2016, then drew up a matrix to capture them.”

The next step was to drill down into the operational risks: those that might materialize during the month Rio 2016 takes place. This involved developing a secondary matrix to catalogue some 600 separate risks, and develop approaches that would help mitigate them, together with contingency plans.

Step 2. Prioritize appropriately

With so many risks to consider, how can organizations be confident that they’re properly prepared? The key is effective prioritization.

For Rio 2016, this involved a complex process that sought to avoid resources being targeted at the more unlikely risks and, instead, focused on those that posed the biggest threat to the smooth operation of the event.

Barros says: “The team mapped 600 risk factors based on their potential operational and financial impact, as well as the potential for reputational damage to the image of Rio 2016. The team did the same for the probability of each risk, ranked on a one-to-five scale and then created an equation and heat map to determine the top 25 operational risks.”

Step 3. Monitor effectively

Once a view of the possible risks and their likelihood of creating issues is achieved, it’s important to keep track of any developments that may change their potential impact. There need to be regular status updates, says Barros: “What measures are in place? Are there any updates on the status of each one? What are teams doing to make sure the probability of these risks is not increasing?"

The emergence of the Zika virus in Brazil in the run-up to Rio 2016 is a prime example. Although the possibility of a major disease outbreak was included in the initial Rio risk matrix, it was not considered a particularly likely risk – albeit one that could have a significant impact. As the Zika virus began to spread, so did fears of its impact on people and Rio 2016. By monitoring the change in threat level, the team was able to change its plans and responses.
 
Step 4. Train your people

Finally, for all this to work, it is vital to make sure team members have the skills and understanding necessary to track and communicate the status of the issues effectively.

This information flow is dependent on personnel who have their own day-to-day tasks to perform. For this reason, it’s important to embed risk management reporting responsibilities into their daily roles. Starting this early is key, Barros says: "As soon as the risk matrices were in place, the teams were trained to monitor and follow up on those risks to help make sure the information was flowing from each of the functional areas to the directors."

Step 5. Prepare and practice

With plans in place and teams trained, "The next step was to run simulations so that, if any of those main risks materialized, the team would know how to respond,” says Barros. The simulations included communications processes, contingency plan executions, and helping everyone involved to understand and know their roles and responsibilities.

Each venue ran several real-world simulations to help them anticipate the demands of a variety of potential threats, from a terrorist attack to infrastructure failure. During these simulations, key personnel were in place, including, for example, the Brazilian Minister of Defense. The exercises help those involved to be better prepared if a crisis does happen; helping increase the chances that plans can be executed smoothly, and the impact can be managed.

Step 6. Be flexible

Once a risk profile has been developed and risk matrices are in place, it is essential to keep contingency plans up to date, based on any emerging and evolving risks that have been identified by broader monitoring. As well as the emergence of the Zika virus, Brazil’s recent economic and political turmoil is a case in point. Although planning for major macroeconomic or geopolitical changes is not easy, it’s important to think big when it comes to identifying specific areas of risk – because the biggest changes, even if considered unlikely to happen, will have the biggest impact.

"It is difficult to mitigate for changes in broader factors, such as the recent economic crisis, but the team has accounted for it,” says Barros. “It was mapped and is being monitored. The main impact, that the team actively monitors, is on the Rio 2016 budget, especially given currency fluctuations against the dollar, which can make procurement more expensive.” By monitoring such potential changes closely, it can be easier to prepare new contingency plans before changes become crises.

Applying the lessons

Rio 2016 may be unique, but the strategies outlined above can be applied to many organizations thinking about risk management plans. The most important thing is to carry out comprehensive and robust planning in advance, taking into account the following steps:

  1. Consider top-level existential risks, then drill down into the specifics of the operation. Construct matrices to capture those risks.
  2. Work out the risks most likely to affect the organization, then focus attention, resources and time on these.
  3. Identify the chief risks the organization faces, then regularly monitor these to help keep track of how they might evolve. Amend plans in response.
  4. Develop robust risk management processes and protocols. Train teams so that they know what they are and how to communicate and deploy them.
  5. Carry out regular real-time simulations to help those involved know how to execute contingency plans.
  6. Be flexible and think big. Consider the big picture and adapt and plan accordingly.

Discover more