HANDLING RISK ON HIGH TECHNOLOGY PROGRAMS
Without metrics, you’re just another guy with an opinion. — Stephan Leschka, Hewlett Packard
Niwot Ridge LLC
Agenda for the Next 4 Hours
- Review the five principles of Risk Management.
- Introduce SEI’s Continuous Risk Management (CRM).
- Illustrate each CRM process area with example artifacts or outcomes.
- Familiarize all participants with the concept of Risk Management and their contributions to the 1st step – Identifying Risk.
- Understand what data needs to be gathered, so the 1st cut at a measure of program risk can be constructed.
But, Before we Start, Let’s Understand our Role Here …
- Risk Management is a profession.
- Risk Management is Program Management.
- Risk Management is how adults manage projects.
- Managing risks goes hand-in-glove with managing work, people, processes, vendors, and the client.
But we can’t make decisions until we get the right information, right?
Risks are part of the project, handled the same way all other work is handled – with a plan
Five Easy Pieces of Risk Management
- Risk Management is more than the processes called out in PMBOK® (Chapter 11)
- Risk Management IS Project Management
1. Hope is not a strategy
2. No single point estimate of cost or schedule can be correct
3. Cost, Schedule, and Technical Performance are inseparable
4. Risk management requires adherence to a well defined process
5. Communication is the Number One success factor
I. Hope is Not a Strategy
A Ship on the Beach is a Lighthouse to the Sea – Dutch Proverb
II. No Point Estimate By Itself Can Be Correct
III. Cost, Schedule, & Technical Performance are Inseparable
IV. Risk Management Demands a Well Defined Process
V. Risk Management Demands Direct Communication Between All Parties
The Project Train Wreck Starts When There is…
- Inattention to budgetary responsibilities
- Lack of predictive variance analysis
- Work authorizations that are not always followed
- Untimely and unrealistic Latest Revised Estimates (LRE)
- Issues with Budget and data reconciliation
- Progress not monitored in a regular and consistent manner
- Lack of an integrated management system
- Lack of vertical and horizontal traceability cost and schedule data for corrective action
- Baseline fluctuations and frequent replanning
- Current period and retroactive changes
- Lack of internal surveillance and controls
- Improper use of management reserve
- Managerial actions not demonstrated using Earned Value
- EV techniques that do not reflect actual performance
Principles and Practices are not the same
In theory there is no difference between theory and practice. In practice there is.
Three Conditions of Risk
- The potential for loss must exist.
- Uncertainty with respect to the eventual outcome must be present.
- Some choice or decision is required to deal with the uncertainty and potential for loss.
Mission-Oriented Success Analysis and Improvement Criteria (MOSAIC)
- Establish and maintain confidence that objectives will be achieved successfully.
- A suite of risk-based methods for assessing and managing complex projects and processes.
- Produces a broad overview of the current state of risk and opportunity for a project or process.
[Figure: attribute diagram with top-level groups Mission, Work Processes, and Constraints]
An Introduction to Continuous Risk Management (CRM)
CRM is the Software Engineering Institute’s framework for managing risk in the context of system integration, technology-based product development, and the management of these activities.
Continuous Risk Management has Six Components
Continuous Risk Management
Stage       | Actionable Steps
Identify    | Continually ask, “what could go wrong?”
Analyze     | Continually ask, “which risks are most critical to mitigate?”
Plan        | Develop mitigation approaches for the most critical risks
Track       | Track the mitigation plan and the risk
Control     | Make decisions based on data
Communicate | Ensure a free-flow of information throughout the project
Putting Continuous Risk Management Together
- Identify: identify risk issues and concerns.
  Inputs: subproject and partner data/constraints, hazard analysis, FMEA, FTA, etc.
  Outputs: statement of risk.
- Analyze: evaluate, classify, and prioritize risks.
  Inputs: risk data (test data, expert opinion, hazard analysis, FMEA, FTA, lessons learned, technical analysis).
  Outputs: risk classification, likelihood, consequence, timeframe, risk prioritization.
- Plan: decide what should be done about risks.
  Inputs: resources.
  Outputs: research, watch (tracking requirements), acceptance rationale, mitigation plans.
- Track: monitor risk metrics and verify/validate mitigations.
  Inputs: program/project data (metrics information).
  Outputs: risk status reports on risks and risk mitigation plans.
- Control: make risk decisions.
  Outputs: replan mitigation, close or accept risks, invoke contingency plans, continue to track.
Four (4) Steps to Deploying CRM
Step | Action                                                     |
1    | Establish an enterprise risk management process            | SEI CRM Process with Mitre Risk Registry
2    | Establish Risk Process owner and document the process      | Org chart Risk Manager established, Risk owners for deliverables are next
3    | Provide training in the standard risk management process   | Engage risk owners
4    | Monitor and enforce the implementation of Risk Management  | Weekly risk board meeting
Search for and locate risks before they become issues or problems. Capture statements of risk and context.
Capture a Statement of Risk
- Consider and record the conditions that are causing concern
- Create a statement of the risk in a concise description, which can be understood and acted on
- Condition: a single phrase describing the circumstances
- Consequences: a single phrase describing the key, possible negative outcome(s)
Capture the Context of a Risk
- A brief, concise description of the conditions and consequences of the risk
- Provide enough information to ensure the original intent of the risk can be understood, especially after some time has passed
Transform risk data into decision making information. Risk analysis is performed to determine what is important to the project and to set priorities.
Evaluating Attributes of Risks
- Impact: the loss or effect on the project if the risk occurs
- Probability: the likelihood the risk will occur
- Timeframe: the period when action is required in order to mitigate or retire the risk
Sample Risk Evaluation
Probability \ Impact | A Negligible | B Minor | C Moderate | D Significant | E Severe
E Very Likely        | Low Med      | Medium  | Med Hi     | High          | High
D Likely             | Low          | Low Med | Medium     | Med Hi        | High
C Possible           | Low          | Low Med | Medium     | Med Hi        | Med Hi
B Unlikely           | Low          | Low Med | Low Med    | Medium        | Med Hi
A Very Unlikely      | Low          | Low     | Low Med    | Medium        | Medium
Classifying Risks
- Grouping risks based on shared characteristics
- Identify duplicate risks
Risk Evaluation Classification
Probability | Risk Rating      | Budget Over Run      | Impact Rating
> 70%       | E: Very Likely   | > 15% of budget      | E: Severe
40% to 70%  | D: Likely        | 10% to 15% of budget | D: Significant
10% to 40%  | C: Possible      | 6% to 10% of budget  | C: Moderate
1% to 40%   | B: Unlikely      | 2% to 6% of budget   | B: Minor
< 1%        | A: Very Unlikely | < 2% of budget       | A: Negligible
Prioritizing Risks
- Partitioning risks or groups of risks based on the Borda “vital few” scale
- Ranking the risks based on criteria
- Separate risks to be dealt with first (the vital few) when allocating resources
The Borda Rank
- Which risk is more critical?
- Where should resources be allocated to eliminate the most troublesome areas in the program?
- Using this approach – ties for “the most important” – often result.
- Borda Ranking deals with this result, which ranks risks according to their probability of occurrence and their impact.
“Risk Matrix: An Approach for Identifying, Assessing, and Ranking Program Risks,” Paul Garvey and Zachary Lansdowne, Air Force Journal of Logistics, Vol XXII, Number 1
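A worked Borda ranking, added here as an example and not taken from the slides: it applies the standard Borda count b_i = Σ_k (N − r_ik) over two criteria (probability and impact) to risks rated on the deck's A–E scales. The risk names and ratings are constructed sample data, and the rule that tied risks share the mean of their rank positions is an assumption of this example.

```python
# Added example: Borda ranking of risks rated on the deck's A-E scales.
# Risk names and ratings below are constructed sample data.
RATING = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}  # A = lowest, E = highest

SAMPLE_RISKS = {  # name: (probability rating, impact rating)
    "Vendor delivers firmware late": ("D", "C"),
    "Key engineer leaves program":   ("C", "D"),
    "Test lab unavailable":          ("C", "C"),
    "Requirements change after CDR": ("E", "B"),
    "Interface spec ambiguity":      ("B", "E"),
}

def criterion_ranks(scores):
    """Rank 1 = most critical. Tied risks share the mean of the rank
    positions they occupy (tie rule is an assumption of this example)."""
    ordered = sorted(scores, key=scores.get, reverse=True)
    ranks, pos = {}, 0
    while pos < len(ordered):
        tied = [n for n in ordered if scores[n] == scores[ordered[pos]]]
        mean_rank = pos + (len(tied) + 1) / 2  # mean of pos+1 .. pos+len(tied)
        for name in tied:
            ranks[name] = mean_rank
        pos += len(tied)
    return ranks

def borda_counts(risks):
    """b_i = sum over criteria k of (N - r_ik); k = probability, impact."""
    n = len(risks)
    counts = dict.fromkeys(risks, 0.0)
    for k in (0, 1):
        ranks = criterion_ranks({name: RATING[r[k]] for name, r in risks.items()})
        for name, r_ik in ranks.items():
            counts[name] += n - r_ik
    return counts

def borda_ranks(risks):
    """Borda rank = number of risks with a strictly higher Borda count."""
    counts = borda_counts(risks)
    return {name: sum(other > b for other in counts.values())
            for name, b in counts.items()}

if __name__ == "__main__":
    counts = borda_counts(SAMPLE_RISKS)
    for name, rank in sorted(borda_ranks(SAMPLE_RISKS).items(), key=lambda x: x[1]):
        print(f"rank {rank}  count {counts[name]:.1f}  {name}")
```

Three of the sample risks (D/C, C/C and E/B) all fall in "Medium" cells of the sample risk evaluation matrix, yet receive Borda ranks 0, 4 and 2 respectively, which is the tie-breaking the slide describes.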
Translate risk information into decisions and mitigating actions and implement those actions. Produce plans for mitigating risks.
Assign Responsibility
Three choices for assigning responsibility:
- Keep the risk
- Transfer the risk upward in the organization or to another organization
- Delegate the risk within the organization
Determine the Approach
- Accept the risk – do nothing
- Mitigate the risk – eliminate or reduce
- Watch the risk – monitor for critical changes
Define Scope and Actions
- Action Item List for less complex mitigations: a simple means of documenting and tracking risk mitigations
- Task Plans with schedules and budgets for complex mitigations
- These plans must be embedded in the Integrated Master Schedule
Monitor risk indicators and mitigation plans. Indicators and trends provide information to activate plans and contingencies. Review these plans periodically to measure progress and identify new risks.
Integrate Risk with the Master Schedule
- Budget and resources assigned from Risk Management reserve.
- Activation of risk activities through the Risk Management Board.
- Adjustments to Performance Measurement Baseline reflect Risk activities.
- Measure risk activities in the same way as other planned activities.
Correct for deviations from the risk mitigation plans. Actions can lead to corrections in products or processes. Changes to risks, risks that become problems, or faulty plans require adjustments in plans or actions.
Analyze Risks
- Examine risks for trends, deviations, and anomalies.
- Achieve a clear understanding of the current status of each risk and mitigation plan.
Decide
- Replan
- Close the risk
- Invoke the contingency plan
- Continue tracking and executing the current plan
Execute
- If a planned action is made, open the Work Packages for the mitigation or retirement activities.
- If it is decided to continue tracking, the risk remains in the tracking state until the next review.
Provide information and feedback to the project on the risk activities, current risks, and emerging risks.
Risk Communication Process
Risk Management Processes and their Communication to the Program Team
- Determine sources and categories
- Define parameters to analyze and categorize risks
- Define parameters used to control the risk management effort
- Establish and maintain a strategy for risk management
- Identify and document risks
- Evaluate and categorize each identified risk using defined categories and parameters and determine relative priority
- Develop risk Handling Plan for important risks as defined by the risk management strategy
- Monitor status of risk periodically and implement risk handling plan as appropriate
- Establish and maintain organizational policy for planning and performing risk management
- Provide adequate resources for performing risk management, developing work products and providing services
- Assign responsibility and authority for performing the process
- Train staff in support of risk management processes
- Place designated work products under appropriate configuration management
- Identify and involve relevant stakeholders
- Monitor and control risk management processes
- Objectively evaluate adherence to risk management processes