CONF. 404- Effective risk management and avoiding project disasters. A pragmatic approach.


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

CONF. 404- Effective risk management and avoiding project disasters. A pragmatic approach.

  1. 1. Effective Risk November 7, 2012 Management – A Pragmatic Approach to Avoiding Project Disasters Presented by Jane Davison, VP CGI © CGI GROUP INC. All rights reserved _experience the commitment TMAgenda• Introduction• Risk Management - Defined• Risk Management - in Practice• Risk Management - the Process• Risk Management - Examples• Risk/Contingency Relationship• In Summary• Questions 2 “” 1
  2. 2. Introduction• Jane Davison, Vice President Engagement Assessment Services • Since 2009, responsible for team providing risk assessments & oversight of delivery for strategic projects & major outsourcing contracts within Canada • Over 30 years’ consulting experience in the IT sector • Achieved CMC designation in 1999; FCMC in 2008 Today, we will review how CGI has implemented the theory of Risk Management 3 ConfidntialCGI’s Health Check Process Benefits• Based on CGI’s experience • A pragmatic approach to risk management using the techniques we will review today has allowed CGI to reduce: • The number of project failures • Cost overruns • Schedule delays • Management time spent dealing with project failures • Benefits realized include: • Increased quality • Increased customer satisfaction • Increased member satisfaction 4 Confidential 2
  3. 3. Risk Management - Defined ConfidentialThe Importance of Risk Management “Any threat to the achievement of one of the primary objectives of the project”• All projects face threats to their success• To achieve success we must recognize and actively manage risk 6 Confidential 3
  4. 4. Keys to Successful Risk Management• Identify and manage risks before they become issues – avoid surprises!• Include all stakeholders (including the client) to ensure all resources can be brought to bear on risks• Maintain a proper risk log throughout the opportunity/project life cycle • Ensures continuity – nothing falls between the cracks • Key document for ensuring Quality Hand-Offs across life-cycle stages• Be disciplined around reviewing risks in every applicable meeting• Clearly identify responsibilities for all Risk Management activities• Keep Risk Management activities visible internally & externally• Ensure clear and safe escalation triggers Effective Risk Management significantly increases the probability for project success 7 Confidential Ensure Proper Escalation of Risks • All risks must be visible to the Client Your appropriate level in a timely Organization’s Organization’s manner Chain of command Chain of command • Escalation should only be utilized if normal communication channels have not addressed Risk Mgt Owner risk mitigation steps BD Leader, Proposal Leader, Contract Leader, • It is Management’s responsibility Project Manager to provide a safe escalation environment Project Team Members and Subcontractors Addresses issues Escalates (if persists and no resolution) 8 Confidential 4
  5. 5. Definitions RISK Project risk is an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project’s objective RISK MANAGEMENT Approach by which uncertainty can be understood, assessed and managed within projects A PRAGMATIST’S DEFINITION OF RISK There are things that might go wrong and, when they do, we better have a plan in place to deal with them 9 ConfidentialRisk Management - in Practice Confidential 5
  6. 6. Things that can go wrong• No clear scope baseline• Change not managed• Inappropriate original estimates & missed costs• Failure to re-estimate and re-plan• Insufficient project management resources• Inadequate communication• Inadequate or inappropriate staffing• Failure to manage subcontractors• Subcontractor inability to deliver• Failure to manage client involvement, expectations• Lack of, or inappropriate, technical architecture• Unclear decision-making process “How do projects get to be a year late?... One day at a time.” Fred Brooks, The Mythical Man Month 11 ConfidentialManaging Risk Through the Life of a Project Risk Management is a Continual, disciplined, and Visible process. Unknown, Identified Opportunity Dev Potential Risks Managing Meeting of the Minds Managing Risks Early Proposal Risk Management identifies, reduces to an acceptable level, and mitigates Risk over a Contract period of time. Delivery - Start-Up Manageable Risks 12 Confidential 6
  7. 7. The Importance of Early Risk Management Narrowing of Options Increase of Costs as time passes to Mitigate Risk If risk is not addressed, the costs to mitigate and resolve increase over time, while options decrease. As each decision point passes, options are reduced. We need to maximize the desirable quality of outcomes at each phase. Opportunity Proposal Contract Delivery Start-Up Delivery Execution End of Contract Development Project Life Cycle Risk Management Owners Opp Mgr => Proposal Mgr => Contract Mgr =>………………Project Manager……………………… Warm hand-off of assumptions & risks 13 ConfidentialExample – Election Referendum Project RiskProposal PhaseRisk :• To be election-ready at short-notice, we need to train in advance 3,000 electoral staff on the data entry application, who may not be available to work by the time the election is calledMitigations:• Confirm attrition percentage from previous electoral events with the client, across different Canadian geographies; that is, remote locations vs. towns vs. cities• Train more people than needed to deal with attrition, based on the pre- established attrition percentage• Establish a process & person responsible for monitoring attrition of trained staff, leading up to the Referendum Call• Partner with a Canadian-wide agency to establish a process & persons responsible to identify a pipeline of candidates & fill staffing gaps quickly once the Referendum is called 14 Confidential 7
  8. 8. The CGI Approach to Risk Management • Risk management on every project • Project manager is responsible for risk management • Start risk management as early as possible • Disciplined approach to risk management • Quality hand-offs between risk owners • Risks are made visible • Involves all stakeholders (including client, 3rd parties) • Utilizes synergy groups • Continually revisited • Leverages lessons learned • Follows CGI’s Risk Management Methodology Risk Management is the responsibility of every member! 15 ConfidentialRisk Management – Make it an integral part ofProject Management• Take an action-oriented focus • All Status Reports should have a designated section for Risks and Issues e.g.: weekly status; monthly status; Steering Committee Agenda • Weekly Status Reports Every team member submits a weekly written status report Reports status against project plan and schedule Designed section for Risks and Issues – What would prevent you from meeting your milestones? – What would prevent our team or our partners from meeting it’s milestones? – What would prevent our client from meeting their milestones? 16 Confidential 8
  9. 9. Make Risks Visible • Take an action-oriented focus (cont.) • Weekly Status Meetings – Team Level Project Manager to ensure risk visibility Roundtable - Key questions to each team member – Walkthrough your status report • Status Meeting Rollup: From Team to Client Level Project Manager => Engagement Manager Engagement Manager / Project Manager => BU Management Engagement Manager / Project Manager => Client / Steering Committee 17 Confidential Risk Management at CGI – Beyond the Project Level (Health Check Process)• Corporate EAS team provides independent assurance of project performance, through monthly monitoring • Web Health Check Application, plus regular meetings • Principles: value-added, independent, continuous, universal, timely • Clearly defined framework for reporting• Key project risks & issues are reported to Management Committees, plus the Risk and Audit Committee of the Board• Enterprise level risks are managed through the internal Audit Department• Corporate EAS team also promotes pro-active risk management through internal tools • Sharing lessons learned & championing adoption of new methods/tools • Providing workshops & coaching • Initiating in-depth project reviews, with recommended corrective actions 18 Confidential 9
  10. 10. Risk Management - the Process ConfidentialRisk Management Cycle Identify, Prioritize & Document Key Risks Report Develop Adjust Mitigations & Mitigations Escalate & Action Plans Monitor & Re-assess Risks 20 Confidential 10
  11. 11. Develop the Risk Management Plan• Good Risk Management starts with a Risk Management Plan • Defines the process for managing risks on an project • Determines the level, type and visibility of risk management to be applied • Leverages processes, templates, and tools• Attributes of a Successful Risk Management Plan • Involves the right people (including external parties) who should be involved in risk reviews • Addresses client-facing and internal risks • Is an on-going process (monitoring and adjusting) • Updates provided on previous risks & mitigation action plan • Elements of new risks identified through the project life cycle • Includes details of individual risks & associated mitigations • Priorities, impact, action due dates & action owners • Has appropriate visibility internally & externally; reporting and escalation • Is understood and followed by the delivery team and client 21 ConfidentialIdentify Risks• Determine which risks might affect the project• Participants may include team, subject matter experts external to the team, project stakeholders, clients, users• Inputs include (but are not limited to) the following: • Risk management plan • Risks identified in the opportunity phase • Project plan, schedule, and estimates • Resource plan • Assumptions and constraints • Client objectives and business strategies• Output: A list of risks (start of the project risk log) Note: New risks arise throughout the course of a project 22 Confidential 11
  12. 12. Constructive risk management • Use brainstorming and collaboration • Get input from every key player • Cover every aspect of the project/program • Think through very step of the delivery and ask: what could go wrong? • Whittle down the list to those that would have the greatest impact and brainstorm an effective response • Use outside help when stuck – to get creative ideas • Make sure that the cost plan covers risk responses and/or contingency 23 ConfidentialExample – Election Referendum Project RiskProposal PhaseRisk :• To be election-ready at short-notice, we need to train in advance 3,000 electoral staff on the data entry application, who may forget their training by the time the election is calledMitigations:• Schedule ten last-minute, web-based training sessions for Returning Office train-the-trainers as a refresher; two for each time zone• Per Returning Office, figure out how many computers need to be equipped for web-based training, and include in technical build specification• Record (voice & video) an early training session and make two copies on DVD for each of the 295 Returning Offices• Adjust the specification for at least two computers per Returning Office to include a DVD player 24 Confidential 12
  13. 13. Analyze and Evaluate Risks What is the probability the risk will occur? Probability “Highly Likely” Highly likely the risk will occur “Likely” The risk will probably occur “Unlikely” The risk may occur, but it is not likely What is severity (impact) if the risk occurs? Severity “Major” Very significant impact on clients, customers and/or budget, which would prevent achievement of the objective. Significant adjustment required to meet objectives. “Moderate” Viability of project or achievement of objective(s) are threatened. Adjustments required to achieve objectives. “Minor” Minor threat to the efficiency and effectiveness of some aspects of achievement. Little or no adjustments required. * From “Guide to Managing Risk” (Audit & Risk Division), 2006 25 ConfidentialPrioritize Risks Prioritize risks based on both Probability and Severity to come up with a risk priority Severity Probability “Minor” “Moderate” “Major” “Unlikely” Insignificant Low Medium “Likely” Low Medium High “Highly Likely” Medium High Very High Focus on the most important risks (no more than 10) For example, Very High, High, and selective Mediums 26 Confidential 13
  14. 14. Develop Mitigations and Action Plans There are several risk mitigation strategies Avoid the risk Reduce the impact of risk e.g. Do not proceed with the activity e.g. develop treatments to reduce which is the source of the risk; consequences should risk occur; (De-scope project) (establish help desk etc). Mitigating RisksReduce likelihood of risk Share the riske.g. Develop strategies to reduce the Use combination of e.g. Transfer all or part of risk to thirdlikelihood of the risk event occurring; strategies party; (Ask another agency to (Regular project reviews etc.) as appropriate undertake control of the risk etc.) 27 ConfidentialClearly Articulate Mitigations S pecific WHO WHAT M easurable THINK A greed “SMART” R ealistic HOW WHEN T imely - Specific Who has ownership to ensure that the mitigation strategy is executed? What are the specific actions required ? - Measurable How can we measure (track and manage) the mitigation strategy to completion? - Agreed Mitigation strategy must be agreed with relevant parties - Realistic Mitigation strategy must realistic and actionable - Timely By when must the mitigation strategy be executed? Note: Mitigations should be reflected in the project plan and associated costs included in the financial forecast 28 Confidential 14
  15. 15. Example – Election Referendum Project RiskProposal PhaseRisk :• Electoral staff have problems with the data entry application once it is up and running in the Returning Office (could be technical or application related)Mitigations:• Develop a “Frequently Asked Questions” document• Write a User Manual for the data entry application, and include a trouble- shooting section for reference• Set-up a Help Desk toll-free line for Returning Offices to call• Staff the Help Desk to cover all time zones when Returning Offices are open, with a least two staff knowledgeable in the application• At least two technical staff will be on call during all time zones when Returning Offices are open• Include spare parts in each infrastructure kit for the Returning Office; specifically, two desktops & two cables. 29 ConfidentialHow do you know your Risk ManagementProcess is Effective?• Risk reviews have been built into standard agendas for progress meetings and management meetings • Risks are visible & escalated appropriately• If you asked project team members about the top 3 things that could go wrong, they would show on the risk log• For the top risks, there is time and money allocated for mitigations• Mitigation activities are included in the project plan, and/or contingency money is allocated• Risks are being actively monitored regularly to determine if • Mitigations have been implemented as planned • Mitigations are working (i.e., effective) • Project assumptions are still valid • Risk exposure has changed • Any new risks have arisen 30 Confidential 15
  16. 16. Risk Management - Examples ConfidentialRisks and Mitigation Actions – ExampleProposal StageRisk Category: Subcontractor• Critical reliance on subcontractor subject matter experts and solution to deliverMitigations:• Assign a Project Coordinator to produce a plan for subcontractor work; assign a CGI lead to oversee vendor and to work on vendor site 50% of the time• Prepare a Teaming Agreement to include: • A responsibility matrix tied to the RFP; put vendor’s code in escrow • A statement of sign-off that technology/application will meet the RFP requirements • Tie payment to CGI acceptance of deliverables and ultimate client acceptance • Implement a joint internal steering committee• Include activities to transition vendor’s work to CGI within the first year• Vendor has provided a technical paper to confirm scalability; no infrastructure constraints or commitments in contract 32 Confidential 16
  17. 17. Risks and Mitigation Actions – ExampleProposal Stage Risk Category: Technical• Client has included performance criteria within the scope of the contract, which includes the use of shared production resources (routers; servers; firewall)Mitigations:• Client to provide a test environment within their architecture• Evaluate the need/cost for a separate test environment to validate the raw performance of the new application• Conduct testing baseline with network traffic at a minimum• Conduct baselines of current environment to validate expectations (e.g. current environment may not be capable of supporting the performance without the new application running) 33 ConfidentialRisks and Mitigation Actions – ExampleProposal Stage Risk Category: Global Delivery• We need to conduct project work in a geography that is new to us; we need to be well prepared to avoid risks (schedule/costs) to delivery of the project for the clientMitigations:• Research how to do business in that geography • Brief the project team on local customs • Build in schedule delays for obtaining visas for staff; include visa costs in budget • Include tax requirements/costs to company & individuals in the budget • When staffing, ensure members have time for recommended immunization before going on site; build in schedule delay & costs• Budget for travel costs based on clear assumptions of number of trips, per trip costs & number of team members travelling• Budget for security services based on safety risk; such as, car & driver; kidnapping insurance • Brief the project team on security & safety risks• Identify safe hotels and budget accordingly as part of travel costs• Budget for currency exchange risk over the life of the deal 34 Confidential 17
  18. 18. Risks and Mitigation Actions – ExampleProject Delivery Risk Category: Schedule• There is a key dependency on the quality of client’s data for conversion, in order to meet expected conversion quality outcome of 99% accuracy & the go-live date for the applicationMitigations:• Conduct a data assessment early on in the project schedule to identify data quality issues• Based on the issues identified, work with the client to identify required clean-up activities• Build a plan for the clean-up activities, identify tasks, method (manual or automated), time line and persons responsible• Identify key milestone checkpoints to ensure work is on track• Report status on data cleanup• Run pilot conversion routines early, so there is time to recover from any surprises 35 ConfidentialRisk/Contingency Relationship Confidential 18
  19. 19. How Much is the Right Amount ofContingency? Contingency depends on risk factors of each project There is no one-size fits all• Contingency should address specific anticipated issues or risks which could arise and which can not be avoided, transferred or mitigated with a specific action plan• For each key risk, state in detail its probability, associated financial impact, the activities chosen to mitigate it and any specific contingency amount allocated to it. This way, the size of the overall contingency amount is supported through a factual analysis and can stay visible throughout all phases• Project contingencies should always be identified separately in the schedule and in the budget, not buried at task levels 37 ConfidentialIn Summary Confidential 19
  20. 20. Develop a Working Risk Management System Challenges Risk Project Activities Mitigated Elements Risks Addressing Early Unmitigated Following Through Risks Are the right people addressing the Did we do a thorough follow- right things at the right time? through until the risk is mitigated? Making Quality Decisions Risks Are the right people at the table? Mitigation Plan Is there a culture of accepting escalation? Did we assess the impact of the decision? The Importance of Early Risk Management 39 ConfidentialAlignment with PMI Critical Success Factors Recognize Value of Risk Management Integrate Individual with Project Commitment/ Management Responsibility Risk Management Success Scale Risk Effort Open & Honest To Project Communication Organizational Commitment 40 Confidential 20
  21. 21. Critical Success Factors• Use risks identified in the Proposal Stage to help establish costs & contingency for fixed-price projects• Widen the focus of effort • Instead of looking at risk just from your internal perspective, think about what would reduce risk for both your company & the client• Instead of purely preventative techniques and building a large “list of assumptions”….. • Leverage lessons learned & prior experience; create alternate & creative solutions• Actively manage risks & mitigations; make them visible & start early• No more than 10 key risks for each project• Don’t fall into the trap of filling out templates & reports and forgetting about them because you are too busy• Take risk management seriously & apply discipline• Important to have executive level support in your organization 41 ConfidentialIn Summary• Risk Management is • A pro-active process every project should practice • The responsibility of every team member • Revisited often (at least monthly) • NOT just a list of every risk• Risk Management should • Include the entire team and partners (client and vendors) • Address real risks and plans for handling their occurrence • Broken down by client facing and Your Company internal risks (two separate lists) • Provide strong achievable mitigation strategies (not just closer management) • Be adjusted throughout the project • Take into account the impact to each aspect of the project 42 Confidential 21
  22. 22. Final Thought• Keep it simple! • There are many sophisticated models and methods available for performing detailed quantitative and qualitative risk analysis, but… There’s no need to be fancy! Just perform basic risk management and you’ll be in a much better position to achieve success 43 ConfidentialQuestions 44 Confidential 22