10 managing risk
TRANSCRIPT
Project Risk Management:“Getting it Before it Gets You”
Conceptual
Planning
Alternatives
AnalysisConstruction
Final
DesignBid
Preliminary
Engineering
Most LikelyCost
Most LikelyCost
Most LikelyCost
ActualCost
Cost range
Project Cost and Uncertainty Over Time
What Went Wrong?KPMG, a large consulting firm, published a study in 1995 found that 55 percent of runaway projects (with significant cost or schedule overruns) did no risk management at all; 38 percent did some (but half of them did not use their risk findings after the project was underway); and 7 percent did not know whether they did risk management or not
The timing of risk management is also an important consideration
Risk Management ProcessRisk Management Process
RiskRiskUncertain or chance events that planning can not Uncertain or chance events that planning can not overcome or control.overcome or control.
Risk ManagementRisk ManagementA proactive attempt to recognize and manage A proactive attempt to recognize and manage internal events and external threats that affect the internal events and external threats that affect the likelihood of a project’s success.likelihood of a project’s success.What can go wrong (risk event/problems).What can go wrong (risk event/problems).
What can be done before an event occurs (anticipation of What can be done before an event occurs (anticipation of Alternatives) Alternatives)
How to minimize the risk event’s impact (consequences).How to minimize the risk event’s impact (consequences).
What to do when an event occurs (contingency plans).What to do when an event occurs (contingency plans).
REAL REASON WE NEED TO DO RISK MANAGEMENTREAL REASON WE NEED TO DO RISK MANAGEMENTIS IS NOT TO AVOID RISKSNOT TO AVOID RISKS
BUT TO ENABLE AGGRESSIVE RISK TAKINGBUT TO ENABLE AGGRESSIVE RISK TAKING
REAL REASON WE NEED TO DO RISK MANAGEMENTREAL REASON WE NEED TO DO RISK MANAGEMENTIS IS NOT TO AVOID RISKSNOT TO AVOID RISKS
BUT TO ENABLE AGGRESSIVE RISK TAKINGBUT TO ENABLE AGGRESSIVE RISK TAKING
What is Project Risk?Definition:
An event that, if it occurs, causes either a positive or negative impact on a project
Risk is a measure of future uncertainties in achieving program performance goals and objectives within defined cost, schedule, and performance constraints.
Keys attributes of RiskUncertainty
Positive and Negative
Cause and Consequence
Known v Unknown Risks
Risk Reward Analysis
What is Risk Management (by PMI)?“The systematic application of management policies, standards, procedures, and practices to the tasks of identifying, assessing/analyzing, responding to, and monitoring to project risk”
A structured, iterative process with defined scope and objectives
Proactive and anticipatory
Objective is to decrease the probability and/or impact of negative events OR increase the probability and/or impact of positive events
Risk Management needs to be integrated into an organization’s decision making process
How can we stay ahead?
Identify and Manage the Risks to the project Formal methods
Determined by Industry, Regulatory, or Corporate standards
Templates, processes, audits Informal methods
Use what works for you at the time Use “Lessons Learned” in Project Post-Mortems to
learn from past mistakes
Risk management Steps by PMI Risk Management Planning Risk Identification Qualitative/Quantitative Risk Analysis for Risk
Assessment Risk Response Planning/ Contingency planning Risk Monitoring & Control
The Risk Management Process
1. Risk Management Planning
What should it include?How you will identify, quantify or qualify riskMethods and tools
Budget…(including contingency funding)
Who is doing what
How often
When a risk is really a risk
Reporting requirements- Who, when, how often, what, etc
Monitoring, tracking and documenting strategiesMake sure you are not OVER Planning
Risk Management PlanningThe main output of risk management planning is a risk management plan—a plan that documents the procedures for managing risk throughout a project
The project team should review project documents and understand the organization’s and the sponsor’s approaches to risk
The level of detail will vary with the needs of the project
2. Identifying RiskContinuous, Iterative Process
What is it and what does it look like- Different for each project and person consulted.
The sooner it is identified the better it is for project
The more the involvement of stakeholders the better the process outcome
A fact is not a risk- If you know something is going to occur then you plan for it not the risk of it. RISK vs PROBLEM
Be specific- identify the risk and a trigger/cause of the risk
Don’t try to do everything at once- qualify, quantify, or remedy
Identification Techniques
Brainstorming
Checklists- Lists developed to aid in identifying risks
Interviewing
SWOT Analysis
Delphi Technique
Diagramming TechniquesCause & effect – Ishikawa or Fishbone
Flow Charts etc.
Risk Identification: Classifications
Schedule/Cost Risks
Requirement/Expectation Risks
Technical Risks
3. Risk Assessment
This information should be developed for each risk:Description of riskAll the possible outcomes of the riskThe magnitude or severity of the outcomesLikelihood (probability) of the risk occurring, and likelihood of each possible outcomeWhen the risk might occur during the project Interaction of the risk outcomes with other parts of this project or other projects
Risk Analysis ToolsProbability analysis
Decision tree analysis
PERT analysis
Sensitivity analysis
Expected value analysis
Scenario analysis
Risk assessment matrix / risk severity matrix
Failure Mode and Effects Analysis (FMEA)
Monte Carlo simulation analysis
Delphi techniques for consensus etc.
Analyzing Risk - Qualitative
Subjective & Educated GuessHigh, Medium, Low
Red, Yellow, Green
1-10
Prioritized/Ranked list of ALL identified risks
First step in risk analysis!
Risk Assessment: A Simple Classification & Tracking Method
Probability of Occurrence vs Impact
1 to 5 Scale
PrioritiesRed - HighYellow - MedGreen - Low
Review/Present Chart Periodically
R isk #1
R isk #4
R isk #2R isk #3
R isk #5
Probability o f O ccurrance
Imp
act
H igher P robab ilityLow er P robab ility
Hig
her
Impa
ctLo
wer
Impa
ct
RISK SEVERITY MATRIX
Risk Assessment Form
In 1-10 scale
Probability/Impact Chart Showing High-, Medium-, and Low-Risk
Probability/Impact Matrix
A probability/impact matrix or chart lists the relative probability of a risk occurring on one side of a matrix or axis on a chart and the relative impact of the risk occurring on the other
List the risks and then label each one as high, medium, or low in terms of its probability of occurrence and its impact if it did occur
Can also calculate risk factors
Numbers that represent the overall risk of specific events based on their probability of occurring and the consequences to the project if they do occur
Probability & Impact Analysis
Risk Probability
1 25%
2 50%
3 30%
The biggest risk isn’t always the biggest risk!
Impact
$45,000
$2,000
$100,000
Expected Value
$11,250
$1,000
$30,000
Decision Trees andExpected Monetary Value (EMV)
A decision tree is a diagramming analysis technique used to help select the best course of action in situations in which future outcomes are uncertain
Estimated monetary value (EMV) is the product of a risk event probability and the risk event’s monetary value
You can draw a decision tree to help find the EMV
Decision Tree Analysis
Decision Definition Chance Node Net ImpactProbability Impact Cost + Total EV
Early10% +$15,000
Develop In House On Time ($32,500)($20,000) 20% $0
Delayed70% -$20,000
Develop In House or TOTAL ($12,500)Contract?
Early $1,50010% +$15,000
Contract On Time $0 ($31,500)($30,000) 70% $0
Delayed ($3,000)20% -$15000
TOTAL ($1,500)
$0
($14,000)
Decision NodeCost of the Decision
Prob x Impact
$1,500
SimulationSimulation uses a representation or model of a system to analyze the expected behavior or performance of the system
Monte Carlo analysis simulates a model’s outcome many times to provide a statistical distribution of the calculated results
Sensitivity Analysis
Sensitivity analysis is a technique used to show the effects of changing one or more variables on an outcome
4. Risk Response Planning“What are we going to do about it?”
Techniques/Strategies:
Mitigating Risk
Transferring
Avoiding Risk
Sharing Risk
Retaining Risk
Strategy should be commensurate with risk
Hint: Don’t spend more money preventing the risk than the impact of the risk would be if it occurs
The Risk Response Plan/Risk Response Register
4. Risk Response Planning Techniques
Mitigating Risk- Conducting more tests, add resources or time
to project, Designing redundancy into a systemReducing the likelihood an adverse event will occur.
Reducing impact of adverse event.
Transferring Risk- Insurance, performance bonds, warranties,
guarantees Paying a premium to pass the risk to another party.
Avoiding Risk: Changing the project plan to eliminate the risk
or condition
Retaining Risk: Making a conscious decision to accept the risk.
Sharing Risk: Allocating risk to different parties
Risk Register
The main output of the risk identification process is a list of identified risks and other information needed to begin creating a risk register
A risk register is:
A document that contains the results of various risk management processes and that is often displayed in a table or spreadsheet format
Risk Register ContentsAn identification number for each risk eventA rank for each risk eventThe name of each risk eventA description of each risk eventThe category under which each risk event fallsThe root cause of each riskTriggers for each risk; triggers are indicators or symptoms of actual risk eventsPotential responses to each riskThe risk owner or person who will own or take responsibility for each riskThe probability and impact of each risk occurringThe status of each risk
Sample Risk Register
RISK REGISTER
Project Component
Risk ID
Risk/Opportunity Description of Issue and Potential
Management Action Affected Project
Activities1
Probability of
Occurrence
Change in Cost
($000)
Change in Duration/ Schedule (months)
1. Right-of-Way R1 Right-of-Way costs and/or schedule
greater than anticipated ; includes: uncertainty in amount of ROW unit prices excessive condemnation relocation, demolition business mitigation
Row-of-way cost and quantity estimates are out of date and not based upon the latest design drawings; additional takes affect businesses in Line Section 3. Risks affect project cost estimate and start of construction in certain line sections.
All construction line sections; components,
01-10
.5 (.5)
$2,000.0 ($0)
6 (0)
2. Utilities U1 City waterline project not completed
as planned Delay causes project delay and increased overhead costs for project
Components 02-05
.25
.25 TBD 6
12 U2 City sewer project not completed as
planned Delay causes project delay and increased overhead costs for project
Components 02-05
.25
.25 TBD 6
12 U3 City vaults not completed as planned Delay causes project delay and increased
overhead costs for project Components
02-05 .9 TBD 4
U4 Private utility relocations not completed as planned (utility company fails to move on time)
Delay causes project delay and increased overhead costs for project
All construction line sections, components
01-10
T=.1 T=.5 T=.9
TBD TBD TBD
2 4 6
U5 Delay in obtaining agreement between grantee and private utilities
Delays FFGA/grant award and potentially start of construction
Components 01-10
.8
.2 TBD TBD
2 3
U6 Project’s adjustment budget for private utilities is too low
Cost increase to grantee for payment of additional relocation costs
Components 01-10
.5
.1 $2,000.0 $3,000.0
0 0
U7 Encounter unexpected utilities during construction
Change order claim by contractor results; cost and schedule impacts
Components 01-10
.5
$500.0 1
3. Environmental, Permitting, and
Agreements
E1 Delay in gaining signoff on programmatic agreements
Delay in issuing bid documents and subsequent construction delayed
Components 05, 06
.5 .25
TBD TBD
1 2
ETC.
Example of Risk Register
Contingency Planning
A contingency plan is an alternative plan used if a risk event or condition occurs.
Examples:
Having a backup supplier for a key material
Carrying a safety stock for a key part
Having an alternate distribution channel to send products (air instead of boat)
Having hurricane/flood/earthquake/cyclone evacuation plans
Risk Response Matrix
Risk and Contingency PlanningTechnical Risks
Backup strategies if chosen technology fails.
Assessing whether technical uncertainties can be resolved.
Schedule Risks
Use of slack increases the risk of a late project finish.
Imposed duration dates (absolute project finish date)
Compression of project schedules due to a shortened project duration date.
Risk and Contingency PlanningCosts Risks
Time/cost dependency links: costs increase when problems take longer to solve than expected.
Deciding to use the schedule to solve cash flow problems should be avoided.
Price protection risks (a rise in input costs) increase if the duration of a project is increased.
Funding Risks
Changes in the supply of funds for the project can dramatically affect the likelihood of implementation or successful completion of a project.
General Risk Mitigation Strategies for Technical, Cost, and Schedule Risks
Contingency Funding & Time BuffersContingency Funds
Funds to cover project risks—identified and unknown.Size of funds reflects overall risk of a project
Budget reservesAre linked to the identified risks of specific work packages.
Management reservesAre large funds to be used to cover major unforeseen risks
(e.g., change in project scope) of the total project.
Time Buffers
Amounts of time used to compensate for unplanned delays in the project schedule.
Time and Cost Padding
Padding is a commonly used approach to address risks, since it is very easy to implement and since it protects against most minor risks
Padding refers to inflating the original time or cost estimates for activities or for the project
Unfortunately, this leads to longer project durations and higher costs
Time and Cost Padding
People will generally use up as much time and money as they are allowed (if you don’t use it you lose it!)
Student syndrome if extra padding is built into activity time estimates, some people are likely to procrastinate getting started, and then the protection against risk is lost
Although padding can be useful in reducing the severity of risk, it can also lead to inefficiencies and waste
5. Risk Monitoring & ControlContinuous, Iterative ProcessDone right the risk should NEVER occur
Someone IS responsibleWatch for risk triggersCommunicate…Communicate…CommunicateTake corrective action - ExecuteRe-evaluate and look for new risk constantly
Tools:Risk Reviews- regular meeting where the risk team evaluates the risk register for any necessary additions, deletions, or changes to prioritization due to probability or impact changes.Risk Audits- review by outside person of risk response plan and how it is being implemented. Good for future use on projects
Tools & Tricks
Risk Identification Spreadsheet
Qualitative Risk Spreadsheet
Templates
Checklists
Make your own depending on your project
Microsoft Excel Worksheet
Microsoft Excel Worksheet
Microsoft Excel Worksheet
Risk Form
Risk Register II
Risk Checklist
Risk Progress Checklist
Risk Register Sample Risk Response
Action Plan
Risk Management Plan Template
CA Risk Mgmt Plan Outline
Change Management Control
Sources of Change
Project scope changes
Implementation of contingency plans
Improvement changes
Change Management Control
The Change Control Process
Identify proposed changes.
List expected effects of proposed changes on schedule and budget.
Review, evaluate, and approve or disapprove of changes formally.
Negotiate and resolve conflicts of change, condition, and cost.
Communicate changes to parties affected.
Assign responsibility for implementing change.
Adjust master schedule and budget.
Track all changes that are to be implemented
The Change Control Process
Benefits of a Change Control System
1. Inconsequential changes are discouraged by the formal process.
2. Costs of changes are maintained in a log.
3. Integrity of the WBS and performance measures is maintained.
4. Allocation and use of budget and management reserve funds are tracked.
5. Responsibility for implementation is clarified.
6. Effect of changes is visible to all parties involved.
7. Implementation of change is monitored.
8. Scope changes will be quickly reflected in baseline and performance measures.
Change Request Form
Integrated Risk Management extracts actionable information from traditionally stove-piped data streams
Enables critical decision makingEnables critical decision making
Risk Exposure?
Impact Relationships?
Goals Too Risky?
Which Design?
More Reserves?
Major Drivers?
Adequately Mitigated?
Characteristics of Successful Risk Management ApproachesCharacteristicsCharacteristics
A clear and consistent Risk Management champion
Requirements supported by leadership and stakeholders
A close partnership with users and stakeholders
Mature risk management processes
Established thresholds and criteria for proactively implementing defined risk mitigation plans
Resourced risk mitigation plans
Periodic risk assessments
Integrated data environments that maximize participation
A clear and consistent Risk Management champion
Requirements supported by leadership and stakeholders
A close partnership with users and stakeholders
Mature risk management processes
Established thresholds and criteria for proactively implementing defined risk mitigation plans
Resourced risk mitigation plans
Periodic risk assessments
Integrated data environments that maximize participation
Successful ApproachesSuccessful Approaches
A documented and mature risk management process
Quantitative assessments of risk impacts estimated against cost and schedule baselines
Defined risk filtration criteria
Risk reduction at the lowest level of the organization
A defined set of risk consequence definitions for performance, schedule, and cost
Structured approached for communicating risk across multiple programs/organizational levels
A documented and mature risk management process
Quantitative assessments of risk impacts estimated against cost and schedule baselines
Defined risk filtration criteria
Risk reduction at the lowest level of the organization
A defined set of risk consequence definitions for performance, schedule, and cost
Structured approached for communicating risk across multiple programs/organizational levels
Different Organizational Levels Face Different Types of Risks
- How does a risk to one program affect the delivery of other related programs?
- Which external stakeholders have the ability to influence the success of one or more programs?
- How can a successful risk mitigation strategy for one program be leveraged by other programs?
- How does a risk to one program affect the delivery of other related programs?
- Which external stakeholders have the ability to influence the success of one or more programs?
- How can a successful risk mitigation strategy for one program be leveraged by other programs?
- Is the project on track to meet or exceed its threshold requirements?
- How do current risk levels impact the ability to meet critical schedule milestones?
- Which design solution provides the optimal balance between capital and operating costs?
- Is the project on track to meet or exceed its threshold requirements?
- How do current risk levels impact the ability to meet critical schedule milestones?
- Which design solution provides the optimal balance between capital and operating costs?
- What are the technical performance risks associated with delivering a given requirement or capability?
- How will assembly, integration, and test schedules be impacted by a given risk event?
- What are the cost impacts of delays in subcontractor deliveries?
- What are the technical performance risks associated with delivering a given requirement or capability?
- How will assembly, integration, and test schedules be impacted by a given risk event?
- What are the cost impacts of delays in subcontractor deliveries?
Risks ultimately should be filtered to the lowest level possible for ownership and mitigation
Enterprise Level
Program Level
Project Level
Subproject Level
RISKS
Common risk factorsRisk factors
Lack of top management commitment to the project
Failure to gain user commitment
Misunderstanding the requirement
Lack of adequate user involvement
Failure to manage end user expectation
Changing scope and objectives
Lack of required knowledge/skill in the project personnel
New technology
Insufficient / inappropriate staffing
Conflict between user departments
Key Contributors to Success
Risk Management promotes a clear value proposition
Program input actively sought for framework development.
A clear and consistent risk sponsor.
• Demonstrate how resources will be saved or more efficiently applied
• Demonstrate how information will be more widely shared
• Establish working group or other forum
• Gather feedback prior to go-live
• Promotes buy-in
• Sustains participation
• Creates understanding of information
• Defines linkages
Integrate Cost, Schedule and Risk personnel
COMMUNICATION
Risk Management’s Benefits
A proactive rather than reactive approach.
Reduces surprises and negative consequences.
Prepares the project manager to take advantage of appropriate risks.
Provides better control over the future.
Improves chances of reaching project performance objectives within budget and on time.
Benefits from Software Risk Management Practices*
*Kulik, Peter and Catherine Weber, “Software Risk Management Practices – 2001,” KLCI Research Group (August 2001).
What Went Wrong?
Many information technology projects fail because of technology risk. One project manager learned an important lesson on a large IT project:
focus on business needs first, not technology. David Anderson, a project manager for Kaman Sciences Corp., shared his experience from
a project failure in an article for CIO Enterprise Magazine. After spending two years and several hundred thousand dollars on a project to
provide new client/server-based financial and human resources information systems for their company, Anderson and his team finally admitted they had a failure on their hands. Anderson revealed that he had been too enamored of the use of cutting-edge technology and had
taken a high-risk approach on the project. He "ramrodded through" what the project team was going to do and then admitted that he was
wrong. The company finally decided to switch to a more stable technology to meet the business needs of the company.
Hildebrand, Carol. “If At First You Don’t Succeed,” CIO Enterprise Magazine, April 15, 1998
Regularly Heard Comments in Programs
….we need to focus on the technical risks..
…I know what I am doing. I am applying risk management but I don’t want to write anything down…
…this activity is part of our normal way of doing business. There is no risk…
…let’s not make that risk red, we need to be careful what we report…
…let’s make that a risk, I want to poke the PM in the eye…
…there is no cost risk, but I am not confident about the estimate….
…there is no schedule risk, let’s just move that activity out a few weeks…
….why do I need to do this…especially since the board doesn’t have any money to help me…
…this is not a development contract, we don’t have any risks…
My favorite: ….you are the risk manager, what are my risks?....