Essentials of Risk Management



Managing Risk Attitude
  1. 1. Frederic L. Casagrande, PMP®
  2. 2.
        • Introduction
        • Risk Management Governance
        • Risk Management Culture
        • Key elements of a Risk Register
        • Risk Assessment Approaches
  3. 3. The Speaker What is a Risk?
  4. 4.
        • 2009 – Vice-Chair (PMI® PMO Specific Interest Group)
        • 2011 – Vice-President (PMI® PMO Community of Practice)
        • 2011 & 2012 – Program Chair (PMI® PMO Symposium)
        • 2013 – Judge (PMI® PMO of the Year® Award)
        • 2007 – Director of PMO (Interoute)
        • 2008 – Head of PMO (Universal Studios)
        • 2009 – PMO Director (AMER Group)
        • 2011 – Head of PMO (Emiraje Systems)
        • 2014 – Program Governance & Controls (ENEC)
  5. 5. “An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives” (Practice Standard for Project Risk Management, PMI, 2009)
  6. 6. An Dr. David Hillson “The Risk Doctor” (2007)
  7. 7. Governance / Key Objectives / Constitutive Elements
  8. 8.
        • Governance defines actions, grants power and verifies performance. In Risk Management, it has several key Objectives:
          ◦ Define the Project Specific Risk Scorecard
          ◦ Determine Project Risk Categories (and possibly sub-categories)
          ◦ Prepare the Risk Register Structure (aligned to the Project WBS)
          ◦ Ensure a Known Estimate at Completion (EAC) is given for the Project
          ◦ Define the Risk Appetite and the level of Project Risk Management effort
          ◦ Break down the Risk Impact into further categories: at minimum Financial Impact, Schedule Impact and Performance Impact (additional impact categories may be added, should they be required for Enterprise Risk Management purposes, e.g. Reputation or Health & Safety)
  9. 9.
        • Governance can be established through a series of linked documents that flow down the requirements:
          ◦ A Policy Framework (e.g. a Project Specific Risk Management Policy, and/or an Enterprise Risk Management Policy)
          ◦ An Enterprise Risk Management Guideline (that defines company-wide mechanisms for dealing with risks)
          ◦ A Project Risk Management Plan (based on a project specific customization of the Enterprise Guideline, if available)
          ◦ A Risk Management Process and its relevant Process Assets (forms, templates, risk register, etc.)
  10. 10.
        • Keep it simple
          ◦ A single Policy is enough
          ◦ Two pages is enough
        • Define a clear purpose
          ◦ “To enforce Risk Management best practices”
        • Define a scope of application
          ◦ Project Specific; Portfolio Related or All Company Operations
        • Define Roles & Responsibilities
        • Empower the Risk Manager
        • SIGN-OFF BY CEO
  11. 11.
        • A more elaborate document, describing the Risk Management Process in greater detail
        • If the Risk Management Policy is established for a single project, this might be combined with the Risk Management Plan
        • Otherwise, provides general rules that are not project specific:
          ◦ How to operate within the Risk Management Process
          ◦ How to use the Risk Management Process Assets
          ◦ How to communicate Risks at various stakeholder levels
  12. 12.
        | Level | Very Low | Low | Medium | High | Very High |
        |---|---|---|---|---|---|
        | Probability | 1 to 20% | 21 to 40% | 41 to 60% | 61 to 80% | 81 to 99% |
        | Financial Impact | Insignificant cost increase, x < 0.25% (of contract value) | Minor cost increase, 0.25% <= x < 0.5% (of contract value) | Moderate cost increase, 0.5% <= x < 1% (of contract value) | Critical cost increase, 1% <= x < 2% (of contract value) | Catastrophic cost increase, x >= 2% (of contract value) |
        | Schedule Impact | Insignificant time increase to the most critical milestone or very low time impact | Time increase to the most critical milestone(s) or minor schedule delays | Time increase to the most critical milestone(s) or moderate schedule delays | Time increase to the most critical milestone(s) or critical schedule delays | Time increase to the most critical milestone(s) or catastrophic schedule delay |
        | Performance Impact | Very minor scope decrease, quality degradation barely noticeable | Only very demanding scenarios or minor areas of scope affected | Quality reduction requires customer approval, major areas of scope affected | Scope/Quality reduction unacceptable to customer | Final project deliverable is useless |
  13. 13.
        • In a multi-project environment, each project will have a specific Risk Management Plan, flowing down from the ERM Guideline if it exists, and from the Policy Framework. It is the Reference Document
        • It provides Project Specific metrics & KPIs, and project specific scorecards that have been approved and signed off by the Project Manager and Senior Management
        • It does not have to be a separate document and can be an integrated section of the Project Management Plan
  14. 14.
        • Their number and forms can vary from one organization to another, but it is recommended that they include at minimum the following four Process Assets:
          ◦ Risk Identification Form
          ◦ Contingency Release Form
          ◦ Risk Register Template
          ◦ Risk Reporting Template
  15. 15. Critical Success Factors / Shoot the Messenger
  16. 16. Risk Management Success
        • Integrate with Project Management
        • Recognize the Value of Risk Management
        • Individual Commitment & Responsibility
        • Open & Honest Communication
        • Organizational Commitment
        • Scale Risk Effort to Project
  17. 17. “If I don’t speak out and this risk realizes, I will be in trouble, but… If I speak out, they will shoot the messenger!”
        • Raising a Project Risk is always a dilemma for a team member!
        • Employees need to feel that they can raise their hands to identify new risks without fear of adverse consequences on their jobs!
        • For Risk Management to succeed, you need to enable a culture where the Messenger is no longer Shot…
  18. 18.
        • This needs a massive mentality change at all levels of the organization
        • Switching to a Risk Culture is no different from any transformation initiative. You will need to:
          ◦ Understand your Stakeholders and their Risk Appetite
          ◦ Commit the Highest Level of the organization to the Risk Culture
          ◦ Start small and address the low-hanging fruit
        • Raising a Risk is not a sign of weakness!
        • Acknowledging a Proposed Risk is not a sign of failing!
  19. 19.
        • First proposed during the Project Risk Forum (Prague, CZ, 2008), the concept is to work with the risk profiles of various stakeholders
        • At the crossroads of Risk Management and Stakeholder Management
        • Enables you to map the risk appetite of your stakeholder groups on a matrix to build specific “behaviors” (Communications, Trainings or Awareness Sessions, Hand-holding, etc.)
        • This is essential in multicultural environments!
  20. 20. Objectives of the Risk Register / Structure of the Risk Register
  21. 21.
        • The Risk Register is a tool that serves several purposes:
          ◦ Collecting all identified risks, regardless of their source or status
          ◦ Providing the organization with a clear and complete snapshot of the overall risk exposure of a project/portfolio/company
        • Depending on the platform used (MS-Excel, Integrated Risk Management Software, ERP), the features will change (e.g. variance tracking, history graphs, etc.), but those two key elements have to be present
        • You can start with a very simple MS-Excel spreadsheet
  22. 22.
        • Risk Information
          ◦ Risk ID: Unique Risk Identifier (can include “R” or “O” to identify opportunities)
          ◦ Risk Description: “There is a Risk that…” (describes impact as well)
          ◦ Raised Date: When the Risk was identified (form)
          ◦ Risk Status: Proposed, Open/Rejected, Closed/Realized
          ◦ Risk Owner: Accountable for the specific risk
          ◦ Risk Category: Derived from the Risk Management Plan
          ◦ WBS: Highest element impacted by the Risk
          ◦ Severity: Low/Medium/High (Calculated, based on Scorecard)
  23. 23.
        • Impact Information
          ◦ Un-weighted Exposure: Estimated by SME
          ◦ Probability: Estimated by SME
          ◦ Weighted Exposure: Calculated
          ◦ Financial Impact: Low/Medium/High (Calculated)
          ◦ Schedule Impact: Low/Medium/High (Estimated by SME)
          ◦ Performance Impact: Low/Medium/High (Estimated by SME)
  24. 24.
        • Response Information
          ◦ Strategy: Accept/Reduce/Transfer/Avoid
          ◦ Response Owner: Can be different from Risk Owner
          ◦ Response Description: Explains what needs to be done
          ◦ Response Cost: To be compared with the Weighted Risk
  25. 25.
        • When choosing a platform, bear in mind that the information contained in the Risk Register must be easy to filter and compile:
          ◦ To provide an accurate subset based on specific criteria (Top Risks, Risks pertaining to a domain of work, a department, a specific product, or a WBS element)
          ◦ To provide a unique, demonstrable and undisputed value of the overall risk exposure for the organization (or the project). This will give you your requirement for Contingency, and ultimately your “Risk Index” (the ratio between the exposure level and the available contingency)
  26. 26. The Best Approach / Top-Down / Bottom-Up
  27. 27.
        • There is constant argument as to which is the best approach to risk assessment: Top-Down or Bottom-Up?
        • The key is to identify as many real risks as possible
        • How to best enable this? By capturing as many risks as possible (real ones, duplicates, wrong ones, fake ones, etc.). Consider the Risk Management process as a funnel. You need an enormous amount of risks at the entrance to end with an accurate depiction of your risk portfolio
        • For this, you will perform both a Top-Down and a Bottom-Up Risk Assessment! And you will do so continuously!
  28. 28.
        • The Top-Down Approach is inherited from the audit industry. This is where the most senior members of the team identify the key risks that have an overall impact on the project or the program
        • In most cases, those “meta-risks” are already identified at the bid phase, although they might evolve over time
  29. 29.
        • The Bottom-Up Approach assigns risk impact based on the Work Breakdown Structure of the project
        • It typically involves a larger portion of the project team (ideally … everyone)
        • The goal of this exercise is to identify ALL possible risks, even if that means identifying the same risk at several levels
        • The Risk Manager will “de-duplicate” risks with the individuals who raised risks deemed identical
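
The register fields on slides 22 to 24, the Financial Impact bands of the slide 12 scorecard and the filtering and "Risk Index" requirements of slide 25 can be tied together in a few lines. The following is an added example, not part of the original deck: the sample risks, contract value and contingency are constructed, and it assumes that weighted exposure is un-weighted exposure multiplied by probability and that only Open risks count towards the overall exposure.

```python
from dataclasses import dataclass

CONTRACT_VALUE = 10_000_000  # constructed sample value
# Financial Impact bands from the slide 12 scorecard: (upper bound as a
# fraction of contract value, level); x >= 2% falls through to Very High.
BANDS = [(0.0025, "Very Low"), (0.005, "Low"), (0.01, "Medium"), (0.02, "High")]

@dataclass
class Risk:
    risk_id: str
    status: str         # Proposed, Open, Rejected, Closed or Realized
    wbs: str            # highest WBS element impacted
    exposure: float     # un-weighted exposure, estimated by SME
    probability: float  # estimated by SME, as a fraction

    @property
    def weighted(self) -> float:
        # Assumption: weighted exposure = un-weighted exposure x probability.
        return self.exposure * self.probability

def financial_impact(risk: Risk, contract_value: float = CONTRACT_VALUE) -> str:
    x = risk.exposure / contract_value
    return next((level for bound, level in BANDS if x < bound), "Very High")

def open_risks(register, wbs=None):
    """Open risks, optionally limited to a WBS element and its children."""
    return [r for r in register if r.status == "Open"
            and (wbs is None or r.wbs == wbs or r.wbs.startswith(wbs + "."))]

def top_risks(register, n=3):
    return sorted(open_risks(register), key=lambda r: r.weighted, reverse=True)[:n]

def total_exposure(register) -> float:
    # Assumption: only Open risks count towards the overall exposure.
    return sum(r.weighted for r in open_risks(register))

def risk_index(register, contingency: float) -> float:
    if contingency <= 0:
        raise ValueError("no contingency available: the index is undefined")
    return total_exposure(register) / contingency

# Constructed sample register (not data from the deck).
REGISTER = [
    Risk("R-001", "Open", "1.2", 150_000, 0.50),
    Risk("R-002", "Open", "1.3.1", 40_000, 0.25),
    Risk("R-003", "Proposed", "2.1", 300_000, 0.10),
    Risk("R-004", "Open", "2.4", 20_000, 0.75),
]

if __name__ == "__main__":
    for r in top_risks(REGISTER):
        print(r.risk_id, r.wbs, financial_impact(r), r.weighted)
    print("Risk Index:", risk_index(REGISTER, contingency=80_000))
```

A Risk Index above 1 means the weighted exposure of the open risks exceeds the available contingency.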