conf. 404- effective risk management and avoiding project disasters. a pragmatic approach
© CGI GROUP INC. All rights reserved
Effective Risk Management – A Pragmatic Approach to Avoiding Project Disasters
Presented by Jane Davison, VP CGI
November 7, 2012
Agenda
• Introduction
• Risk Management - Defined
• Risk Management - in Practice
• Risk Management - the Process
• Risk Management - Examples
• Risk/Contingency Relationship
• In Summary
• Questions
Introduction
• Jane Davison, Vice President Engagement Assessment Services
• Since 2009, responsible for team providing risk assessments & oversight of delivery for strategic projects & major outsourcing contracts within Canada
• Over 30 years’ consulting experience in the IT sector
• Achieved CMC designation in 1999; FCMC in 2008
Today, we will review how CGI has implemented the theory of Risk Management
Confidential
CGI’s Health Check Process Benefits
• Based on CGI’s experience
• A pragmatic approach to risk management using the techniques we will review today has allowed CGI to reduce:
• The number of project failures
• Cost overruns
• Schedule delays
• Management time spent dealing with project failures
• Benefits realized include:
• Increased quality
• Increased customer satisfaction
• Increased member satisfaction
Risk Management - Defined
The Importance of Risk Management
“Any threat to the achievement of one of the primary objectives of the project”
• All projects face threats to their success
• To achieve success we must recognize and actively manage risk
Keys to Successful Risk Management
• Identify and manage risks before they become issues – avoid surprises!
• Include all stakeholders (including the client) to ensure all resources can be brought to bear on risks
• Maintain a proper risk log throughout the opportunity/project life cycle
• Ensures continuity – nothing falls between the cracks
• Key document for ensuring Quality Hand-Offs across life-cycle stages
• Be disciplined around reviewing risks in every applicable meeting
• Clearly identify responsibilities for all Risk Management activities
• Keep Risk Management activities visible internally & externally
• Ensure clear and safe escalation triggers
Effective Risk Management significantly increases the probability for project success
Ensure Proper Escalation of Risks
• All risks must be visible to the appropriate level in a timely manner
• Escalation should only be utilized if normal communication channels have not addressed risk mitigation steps
• It is Management’s responsibility to provide a safe escalation environment
[Figure: escalation diagram. Parties shown: Project Team Members and Subcontractors; Risk Mgt Owner (BD Leader, Proposal Leader, Contract Leader, Project Manager); Client Organization’s Chain of command; Your Organization’s Chain of command. Labels: “Addresses issues”; “Escalates (if persists and no resolution)”.]
Definitions
RISK
Project risk is an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project’s objective
RISK MANAGEMENT
Approach by which uncertainty can be understood, assessed and managed within projects
A PRAGMATIST’S DEFINITION OF RISK
There are things that might go wrong and, when they do, we better have a plan in place to deal with them
Risk Management - in Practice
Things that can go wrong
• No clear scope baseline
• Change not managed
• Inappropriate original estimates & missed costs
• Failure to re-estimate and re-plan
• Insufficient project management resources
• Inadequate communication
• Inadequate or inappropriate staffing
• Failure to manage subcontractors
• Subcontractor inability to deliver
• Failure to manage client involvement, expectations
• Lack of, or inappropriate, technical architecture
• Unclear decision-making process
“How do projects get to be a year late?... One day at a time.”
Fred Brooks, The Mythical Man Month
Managing Risk Through the Life of a Project
Risk Management identifies, reduces to an acceptable level, and mitigates Risk over a period of time.
Risk Management is a Continual, disciplined, and Visible process.
[Figure: risk across the project phases Opportunity Dev, Proposal, Contract, Delivery - Start-Up. Labels: Unknown, Identified Potential Risks; Manageable Risks; Managing Meeting of the Minds; Managing Risks Early.]
The Importance of Early Risk Management
Narrowing of Options as time passes
Increase of Costs to Mitigate Risk
As each decision point passes, options are reduced. We need to maximize the desirable quality of outcomes at each phase.
If risk is not addressed, the costs to mitigate and resolve increase over time, while options decrease.
Project Life Cycle: Opportunity Development, Proposal, Contract, Delivery Start-Up, Delivery Execution, End of Contract
Risk Management Owners: Opp Mgr => Proposal Mgr => Contract Mgr => Project Manager
Warm hand-off of assumptions & risks
Example – Election Referendum Project Risk
Proposal Phase
Risk:
• To be election-ready at short-notice, we need to train in advance 3,000 electoral staff on the data entry application, who may not be available to work by the time the election is called
Mitigations:
• Confirm attrition percentage from previous electoral events with the client, across different Canadian geographies; that is, remote locations vs. towns vs. cities
• Train more people than needed to deal with attrition, based on the pre-established attrition percentage
• Establish a process & person responsible for monitoring attrition of trained staff, leading up to the Referendum Call
• Partner with a Canada-wide agency to establish a process & persons responsible to identify a pipeline of candidates & fill staffing gaps quickly once the Referendum is called
The CGI Approach to Risk Management
• Risk management on every project
• Project manager is responsible for risk management
• Start risk management as early as possible
• Disciplined approach to risk management
• Quality hand-offs between risk owners
• Risks are made visible
• Involves all stakeholders (including client, 3rd parties)
• Utilizes synergy groups
• Continually revisited
• Leverages lessons learned
• Follows CGI’s Risk Management Methodology
Risk Management is the responsibility of every member!
Risk Management – Make it an integral part of Project Management
• Take an action-oriented focus
• All Status Reports should have a designated section for Risks and Issues
  ◦ e.g.: weekly status; monthly status; Steering Committee Agenda
• Weekly Status Reports
  ◦ Every team member submits a weekly written status report
  ◦ Reports status against project plan and schedule
  ◦ Designated section for Risks and Issues
    – What would prevent you from meeting your milestones?
    – What would prevent our team or our partners from meeting its milestones?
    – What would prevent our client from meeting their milestones?
Make Risks Visible
• Take an action-oriented focus (cont.)
• Weekly Status Meetings – Team Level
  ◦ Project Manager to ensure risk visibility
  ◦ Roundtable - Key questions to each team member
    – Walk through your status report
• Status Meeting Rollup: From Team to Client Level
  ◦ Project Manager => Engagement Manager
  ◦ Engagement Manager / Project Manager => BU Management
  ◦ Engagement Manager / Project Manager => Client / Steering Committee
Risk Management at CGI – Beyond the Project Level (Health Check Process)
• Corporate EAS team provides independent assurance of project performance, through monthly monitoring
• Web Health Check Application, plus regular meetings
• Principles: value-added, independent, continuous, universal, timely
• Clearly defined framework for reporting
• Key project risks & issues are reported to Management Committees, plus the Risk and Audit Committee of the Board
• Enterprise level risks are managed through the internal Audit Department
• Corporate EAS team also promotes pro-active risk management through internal tools
• Sharing lessons learned & championing adoption of new methods/tools
• Providing workshops & coaching
• Initiating in-depth project reviews, with recommended corrective actions
Risk Management - the Process
Risk Management Cycle
[Figure: cycle diagram with the following steps]
• Identify, Prioritize & Document Key Risks
• Develop Mitigations & Action Plans
• Monitor & Re-assess Risks
• Report & Escalate
• Adjust Mitigations
Develop the Risk Management Plan
• Good Risk Management starts with a Risk Management Plan
• Defines the process for managing risks on a project
• Determines the level, type and visibility of risk management to be applied
• Leverages processes, templates, and tools
• Attributes of a Successful Risk Management Plan
• Involves the right people (including external parties) who should be involved in risk reviews
• Addresses client-facing and internal risks
• Is an on-going process (monitoring and adjusting)
• Updates provided on previous risks & mitigation action plan
• Elements of new risks identified through the project life cycle
• Includes details of individual risks & associated mitigations
• Priorities, impact, action due dates & action owners
• Has appropriate visibility internally & externally; reporting and escalation
• Is understood and followed by the delivery team and client
Identify Risks
• Determine which risks might affect the project
• Participants may include team, subject matter experts external to the team, project stakeholders, clients, users
• Inputs include (but are not limited to) the following:
• Risk management plan
• Risks identified in the opportunity phase
• Project plan, schedule, and estimates
• Resource plan
• Assumptions and constraints
• Client objectives and business strategies
• Output: A list of risks (start of the project risk log)
Note: New risks arise throughout the course of a project
Constructive risk management
• Use brainstorming and collaboration
• Get input from every key player
• Cover every aspect of the project/program
• Think through every step of the delivery and ask: what could go wrong?
• Whittle down the list to those that would have the greatest impact and brainstorm an effective response
• Use outside help when stuck – to get creative ideas
• Make sure that the cost plan covers risk responses and/or contingency
Example – Election Referendum Project Risk
Proposal Phase
Risk:
• To be election-ready at short-notice, we need to train in advance 3,000 electoral staff on the data entry application, who may forget their training by the time the election is called
Mitigations:
• Schedule ten last-minute, web-based training sessions for Returning Office train-the-trainers as a refresher; two for each time zone
• Per Returning Office, figure out how many computers need to be equipped for web-based training, and include in technical build specification
• Record (voice & video) an early training session and make two copies on DVD for each of the 295 Returning Offices
• Adjust the specification for at least two computers per Returning Office to include a DVD player
Analyze and Evaluate Risks
• What is the probability the risk will occur?
• What is severity (impact) if the risk occurs?
Probability
• “Highly Likely”: Highly likely the risk will occur
• “Likely”: The risk will probably occur
• “Unlikely”: The risk may occur, but it is not likely
Severity
• “Major”: Very significant impact on clients, customers and/or budget, which would prevent achievement of the objective. Significant adjustment required to meet objectives.
• “Moderate”: Viability of project or achievement of objective(s) are threatened. Adjustments required to achieve objectives.
• “Minor”: Minor threat to the efficiency and effectiveness of some aspects of achievement. Little or no adjustments required.
* From “Guide to Managing Risk” (Audit & Risk Division), 2006
Prioritize Risks
• Prioritize risks based on both Probability and Severity to come up with a risk priority

Probability \ Severity | “Minor”       | “Moderate” | “Major”
“Unlikely”             | Insignificant | Low        | Medium
“Likely”               | Low           | Medium     | High
“Highly Likely”        | Medium        | High       | Very High

Focus on the most important risks (no more than 10)
For example, Very High, High, and selective Mediums
Develop Mitigations and Action Plans
• There are several risk mitigation strategies
Mitigating Risks
• Avoid the risk, e.g. do not proceed with the activity which is the source of the risk (de-scope project)
• Reduce likelihood of risk, e.g. develop strategies to reduce the likelihood of the risk event occurring (regular project reviews etc.)
• Reduce the impact of risk, e.g. develop treatments to reduce consequences should risk occur (establish help desk etc.)
• Share the risk, e.g. transfer all or part of risk to third party (ask another agency to undertake control of the risk etc.)
Use combination of strategies as appropriate
Clearly Articulate Mitigations
THINK “SMART” (WHAT, WHO, HOW, WHEN)
• Specific: Who has ownership to ensure that the mitigation strategy is executed? What are the specific actions required?
• Measurable: How can we measure (track and manage) the mitigation strategy to completion?
• Agreed: Mitigation strategy must be agreed with relevant parties
• Realistic: Mitigation strategy must be realistic and actionable
• Timely: By when must the mitigation strategy be executed?
Note: Mitigations should be reflected in the project plan and associated costs included in the financial forecast
Example – Election Referendum Project Risk
Proposal Phase
Risk:
• Electoral staff have problems with the data entry application once it is up and running in the Returning Office (could be technical or application related)
Mitigations:
• Develop a “Frequently Asked Questions” document
• Write a User Manual for the data entry application, and include a trouble-shooting section for reference
• Set-up a Help Desk toll-free line for Returning Offices to call
• Staff the Help Desk to cover all time zones when Returning Offices are open, with at least two staff knowledgeable in the application
• At least two technical staff will be on call during all time zones when Returning Offices are open
• Include spare parts in each infrastructure kit for the Returning Office; specifically, two desktops & two cables.
How do you know your Risk Management Process is Effective?
• Risk reviews have been built into standard agendas for progress meetings and management meetings
• Risks are visible & escalated appropriately
• If you asked project team members about the top 3 things that could go wrong, they would show on the risk log
• For the top risks, there is time and money allocated for mitigations
• Mitigation activities are included in the project plan, and/or contingency money is allocated
• Risks are being actively monitored regularly to determine if
• Mitigations have been implemented as planned
• Mitigations are working (i.e., effective)
• Project assumptions are still valid
• Risk exposure has changed
• Any new risks have arisen
Risk Management - Examples
Risks and Mitigation Actions – Example
Proposal Stage
Risk Category: Subcontractor
• Critical reliance on subcontractor subject matter experts and solution to deliver
Mitigations:
• Assign a Project Coordinator to produce a plan for subcontractor work; assign a CGI lead to oversee vendor and to work on vendor site 50% of the time
• Prepare a Teaming Agreement to include:
• A responsibility matrix tied to the RFP; put vendor’s code in escrow
• A statement of sign-off that technology/application will meet the RFP requirements
• Tie payment to CGI acceptance of deliverables and ultimate client acceptance
• Implement a joint internal steering committee
• Include activities to transition vendor’s work to CGI within the first year
• Vendor has provided a technical paper to confirm scalability; no infrastructure constraints or commitments in contract
Risks and Mitigation Actions – Example
Proposal Stage
Risk Category: Technical
• Client has included performance criteria within the scope of the contract, which includes the use of shared production resources (routers; servers; firewall)
Mitigations:
• Client to provide a test environment within their architecture
• Evaluate the need/cost for a separate test environment to validate the raw performance of the new application
• Conduct testing baseline with network traffic at a minimum
• Conduct baselines of current environment to validate expectations (e.g. current environment may not be capable of supporting the performance without the new application running)
Risks and Mitigation Actions – Example
Proposal Stage
Risk Category: Global Delivery
• We need to conduct project work in a geography that is new to us; we need to be well prepared to avoid risks (schedule/costs) to delivery of the project for the client
Mitigations:
• Research how to do business in that geography
• Brief the project team on local customs
• Build in schedule delays for obtaining visas for staff; include visa costs in budget
• Include tax requirements/costs to company & individuals in the budget
• When staffing, ensure members have time for recommended immunization before going on site; build in schedule delay & costs
• Budget for travel costs based on clear assumptions of number of trips, per trip costs & number of team members travelling
• Budget for security services based on safety risk; such as, car & driver; kidnapping insurance
• Brief the project team on security & safety risks
• Identify safe hotels and budget accordingly as part of travel costs
• Budget for currency exchange risk over the life of the deal
Risks and Mitigation Actions – Example
Project Delivery
Risk Category: Schedule
• There is a key dependency on the quality of client’s data for conversion, in order to meet expected conversion quality outcome of 99% accuracy & the go-live date for the application
Mitigations:
• Conduct a data assessment early on in the project schedule to identify data quality issues
• Based on the issues identified, work with the client to identify required clean-up activities
• Build a plan for the clean-up activities, identify tasks, method (manual or automated), time line and persons responsible
• Identify key milestone checkpoints to ensure work is on track
• Report status on data cleanup
• Run pilot conversion routines early, so there is time to recover from any surprises
Risk/Contingency Relationship
How Much is the Right Amount of Contingency?
• Contingency should address specific anticipated issues or risks which could arise and which cannot be avoided, transferred or mitigated with a specific action plan
• For each key risk, state in detail its probability, associated financial impact, the activities chosen to mitigate it and any specific contingency amount allocated to it. This way, the size of the overall contingency amount is supported through a factual analysis and can stay visible throughout all phases
• Project contingencies should always be identified separately in the schedule and in the budget, not buried at task levels
Contingency depends on risk factors of each project
There is no one-size fits all
In Summary
Develop a Working Risk Management System
[Figure. Labels: Challenges; Project Activities; Risk Elements; Risks; Unmitigated Risks; Mitigation Plan; Mitigated Risks. Stages: Making Quality Decisions; Addressing Early; Following Through. Caption: The Importance of Early Risk Management.]
• Are the right people addressing the right things at the right time?
• Did we do a thorough follow-through until the risk is mitigated?
• Are the right people at the table?
• Is there a culture of accepting escalation?
• Did we assess the impact of the decision?
Alignment with PMI Critical Success Factors
[Figure: factors surrounding “Risk Management Success”]
• Integrate with Project Management
• Recognize Value of Risk Management
• Scale Risk Effort To Project
• Organizational Commitment
• Individual Commitment/Responsibility
• Open & Honest Communication
Critical Success Factors
• Use risks identified in the Proposal Stage to help establish costs & contingency for fixed-price projects
• Widen the focus of effort
• Instead of looking at risk just from your internal perspective, think about what would reduce risk for both your company & the client
• Instead of purely preventative techniques and building a large “list of assumptions”…..
• Leverage lessons learned & prior experience; create alternate & creative solutions
• Actively manage risks & mitigations; make them visible & start early
• No more than 10 key risks for each project
• Don’t fall into the trap of filling out templates & reports and forgetting about them because you are too busy
• Take risk management seriously & apply discipline
• Important to have executive level support in your organization
In Summary
• Risk Management is
• A pro-active process every project should practice
• The responsibility of every team member
• Revisited often (at least monthly)
• NOT just a list of every risk
• Risk Management should
• Include the entire team and partners (client and vendors)
• Address real risks and plans for handling their occurrence
• Broken down by client facing and Your Company internal risks (two separate lists)
• Provide strong achievable mitigation strategies (not just closer management)
• Be adjusted throughout the project
• Take into account the impact to each aspect of the project
Final Thought
• Keep it simple!
• There are many sophisticated models and methods available for performing detailed quantitative and qualitative risk analysis, but…
There’s no need to be fancy!
Just perform basic risk management and you’ll be in a much better position to achieve success
Questions