I watched an interesting programme on television that celebrated the building of the 747, an unlikely success story by all accounts – it was meant to play second fiddle to Boeing’s supersonic jet (only the UK and France’s Concorde ever made it to be built). What interested me about it was how the 747 was so big, so expensive, that it nearly pushed Boeing to the brink of financial disaster.
This got me thinking about risk management. Does this, therefore, represent risk management success or risk management failure? In other words was it the presence of good risk management that enabled a calculated risk and ambitious strategy to be delivered that took over, or was it a lucky escape from the near disaster of an unmanaged, uncalculated risk? Well I am not close enough to the Company or its history to know, but either way good proximate risk (read issue) management was required at the final stages, not least with the engines.
I wonder, if I was auditing Boeing in the 1960s whether I, as an auditor, would have helped or hindered this project. First I guess I would have focused on the higher net risk and priority project, the supersonic plane (as the 747 was seen as a secondary project at the time). So in that sense I would not probably have spent enough audit attention on it. Second I guess I would have wanted to see the business case and whether this 747 project stacked up. I suspect I would have been quite sceptical. It was bigger than anything ever previously built, required the world’s biggest building to be built, in which to make it, had only one order for 25 ‘jumbos’ from PanAm at its inception, and was built on a large section of forest near Seattle (so in these days would have taken a hit from an environmental perspective). Third the project was so big it was all embracing for the Company. The programme stated that at one point it was burning £20m of cash per day with no income stream in sight. I suspect, therefore I would have given the report a red risk rating (i.e. high risk).
Whether I would have given it a tick for controls as designed and operated (that I assess against Company risk appetite) would have been very much driven by the top executive group’s views over whether the project was a risk the Company was willing to take. At the time the top executive group (from the programme) seemed to get cold feet half way through, but by that point were too committed financially to back away. So perhaps it would depend on when the project was audited. I would reflect the company risk appetite (now below the project’s actual risk) so conclude crosses on project as designed and operated. I would want to be commercial in my audit thoughts and recommend that the Company had little choice but to see it through, and quickly.
From the surviving project leaders’ testimony on the programme, it seemed that safety, engineering and other programme controls were well operated. So if I audited the project management cycle, as a separate package of assurance I suspect I would form a positive view.
I guess the programme, and reflecting on what I would add as an auditor, made me think. Do I promote risk aversion in my work? I hope not, but recognise the very human nature to avoid risk (at least once pointed out) and to avoid a red (even if no value judgement is attached to the red, it merely reflecting net risk). I would be very clear, for me, the risk taken would be an absolute judgement (as far as anyone can be absolute in a socially scientific world), but the acceptability of that risk would be as stated by senior management and the board. So here an audit is less about compliance ticking of controls, much more about understanding complex webs of risk, and assessing whether the argument for them and understanding of what is driving them, is reasonable; reasonable being determined by the senior executive and board.
I have been lucky to work for clients who make an outstanding and unique contribution to the world, through innovation and doing the new. So my audit regime I think must reflect that aim and client raison d’être. Does this mean I should shy away from pointing out risk, especially high net risk? Well I think, no. I should, however, be highly cognisant of the manner and way I do it, to avoid risk aversion. For a risk averse organisation is also potentially inefficient, ineffective and certainly not innovative enough to last in the long term.
So my audit view on the 747. Probably a risk management success. A project changed the whole flying game in less than 24 months. It worked and has been a long-proven well-designed machine. I would like to think that I, as an auditor, would have helped to give assurance to the organisation to take risks, for as the 747 project discovered, it takes bigger brakes (in this case air ones) to enable a plane to fly faster, so it is with organisations, the better informed about risk it is the more it can take.