Programmatic risk management
Upcoming SlideShare
Loading in...5

Programmatic risk management



Managing risk is a critical success factor for any project. Steps here guide that success

Managing risk is a critical success factor for any project. Steps here guide that success



Total Views
Views on SlideShare
Embed Views



2 Embeds 9 5 4


Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Programmatic risk management Programmatic risk management Document Transcript

  • ProgrammaticRiskManagementRisk Management is HowAdults Manage ProjectsGlen B. AllemanNiwot Ridge,
  • MarchRisk Management is How Adults Manage Projects† 2008 1Risk management is essential for the success of any significant project. Information about key project cost,performance, and schedule attributes is often unknown until the project is underway. Risks identified early in theproject that impacts the project later are often termed “known unknowns.” These risks can be mitigated, reduced,or retired with a risk management process. For risks that are beyond the vision of the project team, a properlyimplemented risk management process can also rapidly quantify the risks impact and provide sound plans formitigating their affects. Risk management is concerned with the outcome of a future event. Events whose impacts are unknown. Riskmanagement is about dealing with this uncertainty. Outcomes are categorized as favorable or unfavorable. Riskmanagement is the art and science of planning, assessing, handling, and monitoring future events to ensurefavorable outcomes. A good risk management process is proactive and fundamentally different than reactive issuemanagement or problem solving. This paper describes the fundamentals of Risk Management with 5 simple concepts:1. Hope is not a strategy – Hoping that something positive happens or something negative will not happen does not lead to success. Preparing for success is the basis of success.2. All single point estimates are wrong – Single point estimates of cost, schedule, and technical performance are no better than 50/50 guesses in the absence of knowledge about the variances of the underlying distribution.3. Without integrating Cost, Schedule, and Technical Performance, you are driving in the rearview mirror. The effort to produce the product or service and the resulting value cannot be made without making these connections.4. Without a model for risk management, you are driving in the dark with the headlights off – Risk management is not an ad hoc process that you can make up as you go. A formal foundation for risk management is needed. Choose one that has worked in high-risk domains – defense, nuclear power, manned spaceflight, or examples.5. Risk Communication is everything – Identifying risks without communicating them is a waste of time for all the participants. Risk management is an important skill that can be applied to a wide variety of projects. In an era of downsizing,consolidation, shrinking budgets, increasing technological sophistication, and shorter development times, riskmanagement provides valuable insight to help key project personnel plan for risks. It alerts them to potential riskissues, which can then be analyzed, and plans develop, implemented, and monitored to address risks before theysurface as issues and adversely affect project cost, performance, and schedule.Hope is Not a Strategy Hoping that the project will proceed as planned is not a strategy for success. Project managers who constantlyseek ways to eliminate or control risk, variance and uncertainly are engaging in a hopeless pursuit. Managing “in the presence” of risk, variance, and uncertainty is the key to success. Some projects have fewuncertainties –only the complexity of tasks and relationships is important – but most projects are characterized byseveral types of uncertainty. Although each uncertainty type is distinct, a single project may encounter some 2combination of four types:1. Variation – comes from many small influences and yields a range of values in a particular activity. Attempting to control these variances outside their natural boundaries is a waste of time.2. Foreseen Uncertainties – are identifiable and understood influences that the team cannot be sure will occur. There needs to be a mitigation plan for these foreseen uncertainties.3. Unforeseen Uncertainties – can’t be identified during project planning. When these occur, a new plan is needed.4. Chaos – appears in the presence of “unknown unknowns” and must be addressed through a replanning process.1 “Risk Management during Requirements,” Tom DeMarco and Tim Lister, IEEE Software, September/October, 20032 “Managing Project Uncertainty: From Variation to Chaos,” Arnoud De Meyer, Christoph H. Loch and Michael T. Pich, MIT Sloan Management Review, Winter 2002† “How Much Risk is Too Much Risk,” Tim Lister, Boston SPIN, 20 January 2004 2 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
  • MarchRisk Management is How Adults Manage Projects† 2008 Plans are strategies for the successful completion of the project. Plans are different than schedules. Schedulesshow “how” the project will be executed. Plans show “what” accomplishments must be performed and the successcriteria for these accomplishments along the way to completion. The Plan describes the increasing maturity of the projectthrough assessment points. The unit of measure for thismaturity must be meaningful to the stakeholders.Something that can be connected to the investment theyhave made in the project. When we speak the word “Hope,” it lays the foundationfor failure. In the use of Hope, we really mean “success ispossible but not probable.” When we speak the word Figure 1 – The Plan for the project must assure risk is being“Plan,” it does not assure success, but success is a probable reduced in proportion to the project’s tolerance for riskoutcome. It is the definition of the probability of successP(s), that is the foundation of the Plan. Having a Plan–A, Plan–B, and possibly a Plan–C exposes risk, assigns 3mitigations, and measures the probability of success. The idea of a Plan as a Strategy is critical to making changes in the behavior of the project teams that can leadto “risk adjusted project management.” Without a Plan, the schedule is simply a list of activities to be performed.The reason for their performance may be understood, but it is unlikely these activities fit in any cohesive Strategy.Strategies have goals, critical success factors, and key performance indicators. Project Strategies – the Master Plan– must also contain goals, critical success factors, and key performance indicators that assure the project is makingphysical progress in the presence of uncertainty in cost, schedule, and technical performance.No Single Point Estimate of Cost, Schedule or Technical Performance Can Correct How long will this take? How much is it going to cost? Will the product or service meet the requirements thatare defined for any specific point in time? What is the confidence in those numbers? These are three questionsthat must be answered for the project team to have a credible discussion with the stakeholders about success.Deciding what accuracy is needed to provide a credible answer is a starting point. But that does not address thequestion – “how can that accuracy be obtained.” There are many checklists for estimating cost and schedule, with simple guidance on how to build estimates.Most of this advice is wrong in a fundamental way. The numbers produced by the estimating process do not havetheir variance defined in any statistically sound manner. By statistically sound it means that the underlyingprobability distributions are known. If they are not known, then some form of estimating taking this unknown intoaccount must be used. The Project Management Institute (PMI) advices producing three estimates – optimistic, most likely,pessimistic. But these numbers are fraught with error. We can’ttell how these numbers were arrived at? Are they based onbest engineering judgment? Based in historical data? What is ndthe variance on the variance of this distribution – the 2standard deviation? In the absence of this information, they areof little use in estimating risk. The use of point estimates for duration and cost is the firstapproach in an organization low on the project managementmaturity scale. Understanding that cost and durations areactually “random variables,” drawn from an underlyingdistribution of possible value is the starting point for managingin the presence of uncertainty. Figure 2 – triangle distributions are useful when there is limited information about the characteristics of the random variables are all that is available.3 “Probability of Success Operations Guide, Acquisition, Logistics & Technology Enterprise Systems & Services, Office of the Assistant Security ofthe Army for Acquisition 3 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
  • MarchRisk Management is How Adults Manage Projects† 2008 In probability theory, every random variable is attributed to a probability distribution. The probabilitydistribution associated with cost or duration describes the variance of these random variables. A commondistribution of probabilistic estimates for cost and schedule is the Triangle Distribution. The Triangle Distribution in Figure 2 can be used as a subjective description of a population for which there isonly limited sample data, and especially where the relationship between variables is known but data is scarce. It isbased on the knowledge of the minimum and maximum and a “best guess” of the modal value (the Most Likely). Using the Triangle Distribution for cost and duration, a Monte Carlo simulation of the network of activities andtheir costs can be performed. In technical terms, Monte Carlo methods numerically transform and integrate theposterior quantitative risk assessment into a confidence interval. The result is a “confidence” model for the costand completion times for the project based on the upper and lower bounds of each distribution assigned to theduration and cost.Integrating Cost, Schedule, and Technical Performance In many project management methods – cost, schedule, and qualityare described as an “Iron Triangle.” Change one and the other twomust change. This is too narrow a view of whats happening on aproject. It’s the Technical Performance Measurement that replacesQuality. Quality is one Technical Performance measure. Cost and Schedule are obvious elements of the project. TechnicalPerformance Measures (TPM) describes the status of technicalachievement of the project at any point in time. The planned technicalachievement is part of the Performance Measurement Baseline (PMB). The Technical Performance Measurement System (TPMS) uses the Figure 3 – the “new” triangle must be used.techniques of risk analysis and probability to provide project managers One where cost, schedule, and technicalwith the early warnings needed to avoid unplanned costs and slippage performance are schedule. Systems engineering uses technical performancemeasurements to balance cost, schedule, and performance throughout the project life cycle. Connecting Cost, Schedule, and Technical Performance Measures closes the loop on how well a project isachieving its technical performance requirements while maintaining its cost and schedule goals. IEEE 1220, EIA632, and "A Guide to the Project Management Body of Knowledge“all provide guidance for TPM planning and 4measurement and for integrating TPM with cost and schedule performance measures (Earned Value). Technical performance measurements compare actual versus planned technical development and design. Theyreport the degree to which system requirements are met in terms of performance, cost, schedule, and progress inimplementing risk retirement. Technical Performance Measures are traceable to user–defined capabilities.Integrating these three attributes produce a Performance Measurement Baseline that: Is a plan driven by product quality requirements rather than work or effort requirements? Focuses on technical maturity and quality, in addition to cost and schedule. Focuses on progress toward meeting success criteria of technical reviews. Enables insightful variance analysis. Ensures a lean and cost–effective approach to project planning and controls. Enables scalable scope and complexity depending on risk. Integrates risk management activities with the performance measurement baseline. Integrates risk management outcomes into the Estimate at Completion. The Cost and Schedule “measures” are straightforward in most cases. The measures of Technical Performanceinvolve measures Effectiveness and Performance. Measures of Effectiveness (MOE) are the operational mission success factor defined by the customer. Theseare:4 Performance Based Earned Value, Paul Solomon and Ralph Young, John Wiley & Sons, 2006. 4 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
  • MarchRisk Management is How Adults Manage Projects† 20081. Stated from the customer point of view2. Focused on the most critical mission performance needs3. Independent of any particular solution4. Actual measures at the end of development Measures of Performance (MOP) characterize physical or functional attributes relating to the system operation:5. Supplier’s point of view6. Measured under specified testing or operational conditions7. Assesses delivered solution performance against critical system level specified requirements8. Risk indicators that are monitored progressivelyProgrammatic Risk Must Follow a Well Defined Process Using an ad hoc risk management process is its self risky. Thefirst place to start to look for risk management processes is wheremanaging risk is mandatory – aerospace, defense, and missioncritical projects and projects. These also include ERP andEnterprise IT projects. Technical performance is a concept absent from the traditionalapproaches to risk management. Yet it is the primary driver of riskin many technology intensive projects. Cost growth and scheduleslippage often occur when unrealistically high levels ofperformance are required and little flexibility is provided todegrade performance during the course of the project. Quality is Figure 4 – this risk management process is the “gold standard.” Anything less is inviting additional risk.often a cause rather than an impact to the project and cangenerally be broken down into Cost, Performance, and Schedule components. The framework shown in Figure 4 provides guidance for: Risk management policy Risk management structure Risk Management Process Model Organizational and behavioral considerations for implementing risk management The performance dimension of consequence of occurrence The performance dimension of Monte Carlo simulation modeling A structured approach for developing a risk handling strategyRisk Communication To be effective the activities of risk management must properly communicate risk to all the participants. Risk isusually a term to be avoided in normal business. Being in the risk management business is not desirable in mostbusinesses – except insurance. It is common to “avoid” the discussion of risk. Communicating risk is the first step in managing risk. Listing the risks and making them public is necessary butfar from sufficient. Risk communication is the basis of risk mitigation and retirement. It serves no purpose to havea risk management plan and the defined mitigations in the absence of a risk communication. The Risk Management Plan must address: Executive summary – a short summary of the project and the risks associated with the activities of the project. Each risk needs an ordinal rank, a planned mitigation is the risk is active (a risk approved by the Risk Board), and the mitigations shown in the schedule with associated costs. Project description – a detailed description of the project and the risk associated with each of the deliverables. Risk reduction activities by phase – using some formal risk management process that connects risk, mitigation and the IMS. The efforts for mitigation need to be in the schedule. 5 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503
  • MarchRisk Management is How Adults Manage Projects† 2008 5 Risk management methodology – using the DoD Risk Management process is a good start. This approach is proven and approved by high risk, high reward projects. The steps in the processes are not optional and should be executed for ALL risk processes. In order to communicate risk, a clear and concise language isneeded. English is not the best choice. Ambiguity andinterpretation are two issues. Communicating in mathematicalterms is also a problem, since the symbols and units of measuremay be confusing. 6 Figure 5 is from the Active Risk Manager tool that connectsrisk management with the scheduling system. ARM is a proprietaryrisk management system, but illustrates how risk is retired overtime in accordance with a plan. The concept shows explicitly wheneach risk will be “bought down” or “retired” during the projectexecution. The Risk Registry and the Integrated Master Schedulemust be connected in some way. Without this connection, there isno Risk Management process that can be used to forecast impactson cost or schedule. Figure 5 – this risk retirement waterfall shows where in the plan risk will be mitigated or retired. At each project maturity point, current risks, the plannedretirements of these risks, and the impact of the project must bevisible in the schedule. With these connections, project managers can then answer the questions: What happens if this risk is not retired? What effort is needed to retire this risk before a specific point in time? If this risk becomes an issue, what is Plan-B? How much will Plan-B cost? What is the impact of Plan-B on the deliverables? What cost and schedule reserve is needed to cover all the currently active risks?Wrap Up Once cost, schedule, and techncial performance are integrated into the Performance Measurement Baseline,risk management can be applied to all three elements. With these connections in place, the project managementteam can say with confidence – “we are doing risk management on this project.” The final reminder is to make sure all five elements of risk management are present. Leaving one out not onlyreduces the effectiveness of the risk management process, but increases in the risk to the project. Project riskmanagement is a Practice. The theory of Project Risk Management is important, but the Practice is how project riskgets managed. Risk Management Process Without identifying all risk, providing mitigations and retirement plans, and having Hope is not a strategy Plan-B’s for all risks, hope is the only result Each value for cost, duration, and technical performance is actually a random variable. Single point estimates are wrong Knowing the underlying probability distribution is the start of understanding the impact of this randomness on the success of the project Integrate Cost, Schedule, and Managing the tradeoffs between these three dependent variables is the role of project Technical Performance management in the presence of uncertainty Use a Formal Risk Management Following the guidance of proven methods is simply good project management. Go it Process alone, or making it up as you go is simply poor project management In order to “manage in the presence of uncertainty” all participates must be on the Risk Communication is everything same page. Communication is the glue that engages all the participants in the conversation about managing in the presence of risk.5 Risk Management Guide for DoD Acquisition 2003 (Fifth Edition, Version 2.0), 6 Niwot Ridge, LLC, 4347 Pebble Beach, Niwot, Colorado, 80503