Handling risk


How to install a risk management program to "handle" risks before they become issues.

Published in: Business, Technology

  1. HANDLING RISK ON HIGH TECHNOLOGY PROGRAMS
     “Without metrics, you’re just another guy with an opinion.” — Stephan Leschka, Hewlett Packard
     Niwot Ridge LLC
  2. Agenda for the Next 4 Hours
     • Review the five principles of Risk Management.
     • Introduce SEI’s Continuous Risk Management (CRM).
     • Illustrate each CRM process area with example artifacts or outcomes.
     • Familiarize all participants with the concept of Risk Management and their contributions to the 1st step – Identifying Risk.
     • Understand what data needs to be gathered, so the 1st cut at a measure of program risk can be constructed.
  3. But, Before we Start, Let’s Understand our Role Here …
     • Risk Management is a profession.
     • Risk Management is Program Management.
     • Risk Management is how adults manage projects.
     • Managing risks goes hand-in-glove with managing work, people, processes, vendors, and the client.
  4. What’s Risk Management All About?
  5. But we can’t make decisions until we get the right information, right?
  6. Risks are part of the project, handled the same way all other work is handled – with a plan
  7. Five Easy Pieces of Risk Management
     • Risk Management is more than the processes called out in PMBOK® (Chapter 11)
     • Risk Management IS Project Management
  8. 1. Hope is not a strategy. 2. No single point estimate of cost or schedule can be correct. 3. Cost, Schedule, and Technical Performance are inseparable. 4. Risk management requires adherence to a well defined process. 5. Communication is the Number One success factor.
  9. I. Hope is Not a Strategy
     A Ship on the Beach is a Lighthouse to the Sea – Dutch Proverb
  10. II. No Point Estimate By Itself Can Be Correct
  11. III. Cost, Schedule, & Technical Performance are Inseparable
  12. IV. Risk Management Demands a Well Defined Process
  13. V. Risk Management Demands Direct Communication Between All Parties
  14. The Project Train Wreck Starts When There is…
     • Inattention to budgetary responsibilities
     • Work authorizations that are not always followed
     • Issues with Budget and data reconciliation
     • Lack of an integrated management system
     • Baseline fluctuations and frequent replanning
     • Current period and retroactive changes
     • Improper use of management reserve
     • EV techniques that do not reflect actual performance
     • Lack of predictive variance analysis
     • Untimely and unrealistic Latest Revised Estimates (LRE)
     • Progress not monitored in a regular and consistent manner
     • Lack of vertical and horizontal traceability cost and schedule data for corrective action
     • Lack of internal surveillance and controls
     • Managerial actions not demonstrated using Earned Value
     Image: Mary K. Evans Picture Library
  15. Putting these Principles into Practice
  16. Principles and Practices are not the same
     In theory there is no difference between theory and practice. In practice there is.
  17. Three Conditions of Risk
     • The potential for loss must exist.
     • Uncertainty with respect to the eventual outcome must be present.
     • Some choice or decision is required to deal with the uncertainty and potential for loss.
  18. Mission-Oriented Success Analysis and Improvement Criteria (MOSAIC)
     • Establish and maintain confidence that objectives will be achieved successfully.
     • A suite of risk-based methods for assessing and managing complex projects and processes.
     • Produces a broad overview of the current state of risk and opportunity for a project or process.
  19. [Figure: three classes, each divided into categories, with a list of attributes under every category. Mission: Tasking, Orders, and Plans; Mission Execution; Product and Service; Operational Systems. Work Processes: Operational Processes; Maintenance Process; Management Processes; Management Methods; Work Environment. Constraints: Resources; Policies; Interfaces.]
  20. An Introduction to Continuous Risk Management (CRM)
     CRM is the Software Engineering Institute’s framework for managing risk in the context of system integration, technology-based product development, and the management of these activities.
  21. Continuous Risk Management has Six Components
  22. Continuous Risk Management
     Stage | Actionable Steps
     Identify | Continually ask, “what could go wrong?”
     Analyze | Continually ask, “which risks are most critical to mitigate?”
     Plan | Develop mitigation approaches for the most critical risks
     Track | Track the mitigation plan and the risk
     Control | Make decisions based on data
     Communicate | Ensure a free flow of information throughout the project
  23. Putting Continuous Risk Management Together
     • Identify: identify risk issues and concerns.
       Inputs: subproject and partner data/constraints, hazard analysis, FMEA, FTA, etc.
       Outputs: statement of risk.
     • Analyze: evaluate, classify, and prioritize risks.
       Inputs: risk data (test data, expert opinion, hazard analysis, FMEA, FTA, lessons learned, technical analysis).
       Outputs: risk classification; likelihood, consequence, timeframe; risk prioritization.
     • Plan: decide what should be done about risks.
       Inputs: resources; replan mitigation.
       Outputs: research, watch (tracking requirements), acceptance rationale, mitigation plans.
     • Track: monitor risk metrics and verify/validate mitigations.
       Inputs: program/project data (metrics information).
       Outputs: risk status reports on risks and risk mitigation plans.
     • Control: make risk decisions.
       Outputs: replan mitigation, close or accept risks, invoke contingency plans, continue to track.
  24. Four (4) Steps to Deploying CRM
     • Step 1: Establish an enterprise risk management process (SEI CRM Process with Mitre Risk Registry)
     • Step 2: Establish Risk Process owner and document the process (Org chart Risk Manager established, Risk owners for deliverables are next)
     • Step 3: Provide training in the standard risk management process (Engage risk owners)
     • Step 4: Monitor and enforce the implementation of Risk Management (Weekly risk board meeting)
  25. Search for and locate risks before they become issues or problems. Capture statements of risk and context.
  26. Capture a Statement of Risk
     • Consider and record the conditions that are causing concern
     • Create a statement of the risk in a concise description, which can be understood and acted on
     • Condition: a single phrase describing the circumstances
     • Consequences: a single phrase describing the key, possible negative outcome(s)
  27. Capture the Context of a Risk
     • A brief, concise description of the conditions and consequences of the risk
     • Provide enough information to ensure the original intent of the risk can be understood, especially after some time has passed
  28. Transform risk data into decision making information. Risk analysis is performed to determine what is important to the project and to set priorities.
  29. Evaluating Attributes of Risks
     • Impact: the loss or effect on the project if the risk occurs
     • Probability: the likelihood the risk will occur
     • Timeframe: the period when action is required in order to mitigate or retire the risk
  30. Sample Risk Evaluation
                       | A Negligible | B Minor | C Moderate | D Significant | E Severe
     E Very Likely     | Low Med      | Medium  | Med Hi     | High          | High
     D Likely          | Low          | Low Med | Medium     | Med Hi        | High
     C Possible        | Low          | Low Med | Medium     | Med Hi        | Med Hi
     B Unlikely        | Low          | Low Med | Low Med    | Medium        | Med Hi
     A Very Unlikely   | Low          | Low     | Low Med    | Medium        | Medium
  31. Classifying Risks
     • Grouping risks based on shared characteristics
     • Identify duplicate risks
  32. Risk Evaluation Classification
     Probability | Risk Rating      | Budget Over Run      | Impact Rating
     > 70%       | E: Very Likely   | > 15% of budget      | E: Severe
     40% to 70%  | D: Likely        | 10% to 15% of budget | D: Significant
     10% to 40%  | C: Possible      | 6% to 10% of budget  | C: Moderate
     1% to 40%   | B: Unlikely      | 2% to 6% of budget   | B: Minor
     < 1%        | A: Very Unlikely | < 2% of budget       | A: Negligible
  33. Prioritizing Risks
     • Partitioning risks or groups of risks based on the Borda “vital few” scale
     • Ranking the risks based on a criterion
     • Separate the risks to be dealt with first (the vital few) when allocating resources
  34. The Borda Rank
     • Which risk is more critical?
     • Where should resources be allocated to eliminate the most troublesome areas in the program?
     • Using this approach, ties for “the most important” often result.
     • Borda Ranking deals with this result, which ranks risks according to their probability of occurrence and their impact: $b_i = \sum_k (N - r_{ik})$
     “Risk Matrix: An Approach for Identifying, Assessing, and Ranking Program Risks,” Paul Garvey and Zachary Lansdowne, Air Force Journal of Logistics, Vol XXII, Number 1
  35. Translate risk information into decisions and mitigating actions and implement those actions. Produce plans for mitigating risks.
  36. Assign Responsibility
     • Three choices for assigning responsibility
       • Keep the risk
       • Transfer the risk upward in the organization or to another organization
       • Delegate the risk within the organization
  37. Determine the Approach
     • Accept the risk – do nothing
     • Mitigate the risk – eliminate or reduce
     • Watch the risk – monitor for critical changes
  38. Define Scope and Actions
     • Action Item List for less complex mitigations
       • A simple means of documenting and tracking risk mitigations
     • Task Plans with schedules and budgets for complex mitigations
       • These plans must be embedded in the Integrated Master Schedule
  39. Monitor risk indicators and mitigation plans. Indicators and trends provide information to activate plans and contingencies. Review these plans periodically to measure progress and identify new risks.
  40. The Risk Registry
  41. Integrate Risk with the Master Schedule
     • Budget and resources assigned from Risk Management reserve.
     • Activation of risk activities through the Risk Management Board.
     • Adjustments to Performance Measurement Baseline reflect Risk activities.
     • Measure risk activities in the same way as other planned activities.
  42. Correct for deviations from the risk mitigation plans. Actions can lead to corrections in products or processes. Changes to risks, risks that become problems, or faulty plans require adjustments in plans or actions.
  43. Analyze Risks
     • Examine risks for trends, deviations, and anomalies.
     • Achieve a clear understanding of the current status of each risk and mitigation plan.
  44. Decide
     • Replan
     • Close the risk
     • Invoke the contingency plan
     • Continue tracking and executing the current plan
  45. Execute
     • If a planned action is made, open the Work Packages for the mitigation or retirement activities.
     • If it is decided to continue tracking, the risk remains in the tracking state until the next review.
  46. Provide information and feedback to the project on the risk activities, current risks, and emerging risks.
  47. Risk Communication Process
     Risk Management Processes and their Communication to the Program Team
     • Determine sources and categories
     • Define parameters to analyze and categorize risks
     • Define parameters used to control the risk management effort
     • Establish and maintain a strategy for risk management
     • Identify and document risks
     • Evaluate and categorize each identified risk using defined categories and parameters and determine relative priority
     • Develop risk Handling Plan for important risks as defined by the risk management strategy
     • Monitor status of risk periodically and implement risk handling plan as appropriate
     • Establish and maintain organizational policy for planning and performing risk management
     • Provide adequate resources for performing risk management, developing work products and providing services
     • Assign responsibility and authority for performing the process
     • Train staff in support of risk management processes
     • Place designated work products under appropriate configuration management
     • Identify and involve relevant stakeholders
     • Monitor and control risk management processes
     • Objectively evaluate adherence to risk management processes
  48. Glen B. Alleman, 4347 Pebble Beach Drive, Niwot, Colorado 80503, glen.alleman@niwotridge.com, +1.303.241.9633
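
The Borda ranking from slide 34, worked through on a constructed five-risk register whose top three risks all rate "High" on the slide 30 matrix (an added example, not part of the original deck). It assumes N is the number of risks, r_ik is the rank of risk i under criterion k with 1 as the highest rating and tied risks sharing the average rank, and that a risk's Borda rank is the number of risks with a higher Borda count; the risk names and ratings are constructed.

```python
# Constructed sample register: (name, probability rating, impact rating),
# both on the A (lowest) to E (highest) scale of the slide 30 matrix.
REGISTER = [
    ("vendor slip",        "E", "D"),   # High on the slide 30 matrix
    ("integration defect", "D", "E"),   # High
    ("staff turnover",     "C", "C"),   # Medium
    ("license audit",      "E", "E"),   # High
    ("test lab outage",    "B", "D"),   # Medium
]


def criterion_ranks(ratings):
    """Return r_ik for one criterion k; rank 1 is the highest rating.

    Tied risks share the average of the positions they occupy
    (tie handling is an assumption of this example).
    """
    order = sorted(range(len(ratings)), key=lambda i: ratings[i], reverse=True)
    ranks = [0.0] * len(ratings)
    pos = 0
    while pos < len(order):
        end = pos
        while end + 1 < len(order) and ratings[order[end + 1]] == ratings[order[pos]]:
            end += 1
        shared = (pos + 1 + end + 1) / 2  # mean of 1-based positions pos+1..end+1
        for j in range(pos, end + 1):
            ranks[order[j]] = shared
        pos = end + 1
    return ranks


def borda_counts(register):
    """b_i = sum over criteria k of (N - r_ik), with probability and impact as criteria."""
    n = len(register)
    per_criterion = [criterion_ranks([row[k] for row in register]) for k in (1, 2)]
    return {row[0]: sum(n - ranks[i] for ranks in per_criterion)
            for i, row in enumerate(register)}


def borda_ranks(register):
    """Borda rank = number of risks with a strictly higher count (0 = most critical)."""
    counts = borda_counts(register)
    return {name: sum(1 for other in counts.values() if other > b)
            for name, b in counts.items()}


if __name__ == "__main__":
    counts = borda_counts(REGISTER)
    for name, rank in sorted(borda_ranks(REGISTER).items(), key=lambda kv: kv[1]):
        print(rank, name, counts[name])
```

The three risks that tie at "High" on the matrix come out with distinct Borda ranks 0, 1 and 2, which is the ordering used to pick the vital few.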