This case study introduces the next course in the SSI RM Academy Risk Management Series, ‘Level II – Building a Risk Management Capability’. It is a cautionary tale of what happens when a risk management process operates inside an organisation (doing everything right) but the warnings it is giving you are ignored (still getting it wrong).

The subject of this case study is a professional services company in a foreign country. This company was providing consultancy services to the government in the areas of procurement and capability management. The consultancy was relatively small with a turnover of approximately two million dollars a year. The government was this company’s only client.

While the company implemented a risk management process, both at the corporate level and for each project, this process was not fully integrated into all the company’s other processes. Consequently the output of the risk management process did not sufficiently influence decision-making at the strategic level.


The company was established by a group of investors seeking to grow a locally-owned consultancy that could compete with larger, more established, foreign-owned consultancies in specific areas in the domestic market. The company rapidly won short duration contracts providing professional services to the government and recruited the consultants to deliver these contracts.

Within a short period of time the relationship with the client became difficult. The principal issues were late payments and unilateral changes to requirements. These issues were successfully resolved with the client by senior management but they clearly highlighted what the commercial risks of doing business with this client were.

These risks were fully assessed and recorded in the corporate risk register with clear actions specified. These actions primarily focused on terms and conditions to be included in future contracts with this client, for example, more regular payment milestones tied to quantitative deliverables, more structured requirements management, binding mechanisms for change management, etc. So far, so good.


The client continued to commission work from the company but, during contract negotiations, the revised terms and conditions proposed, the ones that contained all the risk management actions necessary to manage the commercial risks of doing business with the client, were rejected.

This was an opportunity for senior management to decline to take further business from the client but that would have certainly resulted in redundancies among the consultants and the loss of the subject matter expertise necessary to win new clients.


Faced with this choice the decision was taken to proceed ‘on risk’, an acknowledgement that the commercial relationship with this client posed a number of threats that needed ongoing management. The risk threshold was raised, risk management meetings increased in frequency, and management attention was focused on four or five risks that were the most relevant to the situation.

At first the contract proceeded smoothly enough but over time various indicators and warnings raised concerns that the commercial situation was deteriorating again. Senior management were once again able, over a period of very stressful months, to secure payment for the services delivered.

To this point the risk management process had been functioning effectively. From the Board down to the consultants in the projects the risk management process was understood and employed appropriately. The effectiveness of some risk controls had been undermined by the rejection of the revised terms and conditions but the use of indicators and warnings had provided sufficient notice that risks were about to become issues.


The client came to the company requesting an extension to an existing project. It was explained that the need was urgent and that work would have to start straight away. The Board was nervous as on two previous occasions the commercial relationship between the company and the client had nearly broken down and now there was no contractual protection in place before work was requested to commence.

The Board took its concerns to the shareholders and presented them with a risk report and a recommendation that the offer be declined. Plans were presented for redundancies and cost cutting to ensure that the company continued to trade while it searched for new clients.

The shareholders rejected this advice and the supporting plans, deciding instead to proceed on the basis that the risks were ‘manageable’. The basis of this decision was not clear as the shareholders did not implement a risk management process, rather they relied on their experience and knowledge of the client and the market as expressed through ‘intuition’.

However, what the shareholders did not take account of was that the situation was not the same as before. On this occasion there was no contract in place before the work started. What was already a lopsided relationship with the client was now one where the client held all the power. The shareholders took a ‘risk’ but was it a considered one? How do you manage commercial risk without a formal contract?


The inevitable happened. The company proceeded to deliver services while concurrently trying to compel the client to conclude a contract. The client, getting what it wanted for nothing, postponed doing so as the company’s costs continued to build. Eventually the company ran out of leverage as its sunk costs grew, and it became desperate for payment.

The payment never came and the company stopped trading when the shareholders were no longer willing to underwrite the losses. The client received all the services it sought.

This case is subject to a legal case and that is why names have not been provided.


  • The risk management process must engage the entire organisation, in this instance from the shareholders all the way down to the consultants, and not just discrete parts of it.
  • The risk management process is trying to tell shareholders and managers what hazards will potentially cause harm to the organisation; it should be heeded.
  • A risk management strategy will state the context within which risk management decisions are taken; it is not enough to just implement a risk management process, as other elements are necessary.
  • Risk decisions are taken by humans and consequently those decisions can be influenced by many factors, e.g. emotions. It is vital that the individuals involved in risk decisions try to understand the motivations and influences that are acting upon them. Similarly, it is important that the process is informed by rational/analytic data wherever possible and not just intuition.





Harry Thomsett is a consultant at the security and risk management consultancy SSI RM. SSI-RM provides security and risk management services to organisations operating in high threat areas around the world.