
Project Risk Management

These slides describe why good Risk Management is vital to successful programme and project delivery, as well as current best practice.


  1. 1. 1 of 22 Risk Management for Projects & Programmes Known knowns Things that we know that we know Known unknowns Things that we know that we don’t know Unknown unknowns Things that we do not know we don’t know ?
  2. 2. 2 of 22 What is Risk? We know that plans are unlikely to be a precise prediction of the future Plans are a model of interconnected tasks believed certain to be required to achieve an objective There are also events which are less than certain, but if they happen, would impact the plan A Risk is a significant but uncertain event that, if it occurs, has an effect on the plan A risk can have detrimental or beneficial effects Threat A risk with a detrimental effect Opportunity A risk with a beneficial effect Patsy, Monty Python and the Holy Grail, 1975
  3. 3. 3 of 22 What is Risk Management? How we act to manage significant uncertainty Uncertain events will always be part of any plan for the future Risk Management is a core PM competence “There are known knowns; there are things that we know that we know. There are known unknowns; that is to say, there are things that we know that we don’t know. But there are also unknown unknowns – there are things that we do not know we don’t know.” Donald Rumsfeld, US Secretary of Defence, 2002 Project Management Planning & Scheduling Risk Management Context & Assumptions significant insignificant Uncertain Events Certain Events
  4. 4. 4 of 22 Why do Risk Management?
     Good Risk Management will:
       • Lead to more realistic plans
       • Help to set expectations appropriate to value, risk and complexity
       • Inform bid/no bid decisions
       • Help in selecting the most appropriate contract type
       • Inform PM selection, matching PM competence to value, risk and complexity
       • Help set project level contingencies, rather than task level or a fixed amount
       • Enable greater honesty, openness and understanding
       • Reduce uncertainty by implementing responses to risk
       • Enable simpler, more transparent reporting
       • Reduce stress and reliance on a hero culture
       • Significantly increase the likelihood of meeting time, cost and quality objectives
     Cautions:
       • Risk Management will not guarantee meeting time, cost and quality objectives
       • If undertaken as a tick box exercise, or only at bid time, the full value will not be realised
       • The effort invested should be proportional to value, risk and complexity
  5. 5. 5 of 22 Risk Management Best Practice Guidance
     International Standards Organisation:
       • ISO 31000 [2009] Risk Management Principles & Guidelines
       • ISO IEC 31010 [2009] Risk Management Risk Assessment Techniques
       • ISO Guide 73 [2009] Risk Management Vocabulary
     British Standards:
       • BS 6079-3 [2000] Guide to the Management of Business Related Project Risk
     Association for Project Management:
       • PRAM: Project Risk Analysis and Management Guide, 2nd Edition [2010]
       • Interfacing Risk and Earned Value Management [2008]
       • Prioritising Project Risks [2008]
     Project Management Institute:
       • Practice Standard for Project Risk Management [2009]
     The Institute of Risk Management:
       • Publications that primarily deal with enterprise risk management
     UK Government:
       • The Orange Book: Management of Risk, Principles and Concepts [2004]
       • Management of Risk, Guidance for Practitioners, 3rd edition [2010, Axelos]
     Ministry of Defence:
       • Acquisition System Guidance: Risk Management [v4.2.2]
  6. 6. 6 of 22 Risk Management Training
     Association for Project Management:
       • Risk Certificate Level 1
           Valid: -
           Renewal: -
           Acquisition: 1 hour multiple choice exam: 60 questions, pass ≥60%
           Confirms knowledge sufficient to allow contribution to risk management within a project. Can be taken as a 2 day course, cost £1,100 (inc. exam fee). Open exam fee £164 (£146 for APM members).
       • Risk Certificate Level 2
           Valid: -
           Renewal: -
           Acquisition: 3.25 hour exam: section A, 100 marks; section B, 100 marks, 2 from 4 questions, 2 relate to case study, pass ≥60%
           Pre-requisite: Risk Certificate Level 1 knowledge (not certification)
           Confirms knowledge, understanding and capability, sufficient to undertake project risk management. Can be taken as a 2 day course, cost £1,100 (inc. exam fee). Open exam fee £430 (£310 for APM members).
       • Combined Risk Levels 1 & 2: Open exam fee £558 (£384 for APM members).
     UK Cabinet Office Axelos:
       • M_o_R Foundation
           Valid: -
           Renewal: -
           Acquisition: 1 hour multiple choice exam: 75 questions of which 70 count, pass ≥50% (35/70)
           Confirms sufficient knowledge and understanding to contribute to the identification, assessment and control of risks across any organization.
       • M_o_R Practitioner
           Valid: 5 years
           Renewal: 1hr exam, pass ≥55%
           Acquisition: 3 hour exam: 4 questions, 20 marks each, open book (specified M_o_R books only), pass ≥50% (40/80)
           Pre-requisite: M_o_R Foundation
           Confirms sufficient understanding of how to apply and tailor M_o_R in a scenario situation.
       • M_o_R Foundation and Practitioner can be taken together in a 5 day course, cost £2,300.
     Project Management Institute:
       • PMI-RMP, PMI Risk Management Professional
           Valid: 3 years
           Renewal: 30 PDUs over 3 years
           Acquisition: 3.5 hour multiple choice exam: 170 questions, 150 scoring, 'Modified Angoff Method' to determine pass
           Pre-requisite: Degree, 2 years’ project risk management experience and 30 hours formal project risk management training
           Recognises competence in assessing and identifying project risks, mitigating threats and capitalizing on opportunities, while still possessing a core knowledge and practical application in all areas of project management. 2008 launch, 2,033 credential holders worldwide by 30 April 2013. Certification fee $670 ($520 for PMI members).
     Project Risk Management is also covered in general PM certifications:
       • APM: PFQ, PQ, RPP
       • Axelos (OGC): PRINCE2
       • PMI: PMP
  7. 7. 7 of 22 Context is the environment in which an organisation seeks to achieve its objectives. As the context changes, it may be necessary to adjust the approach to Risk Management. Risk Management principles are the same at all levels – strategic, change & operational. At the strategic level Risk Management is a significant part of corporate governance. How risk is to be managed across an organisation taking into account external factors such as legislation, government policy, market, domain and internal factors such as the organisation’s size, complexity and culture as well as the strategic vision, balance of risk across the organization, conflict resolution, risk appetite and lessons learned, may be described in a Risk Management Strategy. The RMS may be a single document or a number of documents, e.g. Policy, Process and Guidance. Operational Risk Management covers day-to-day business functions such as health & safety, people, information security and business continuity. Change is what projects and programmes deliver. Apply Risk Management through all project delivery phases – in a manner proportional to the value, risk and complexity at each phase. The nature and degree of freedom for responding to risk will change at different project phases, e.g. in the concept phase there will be a greater chance to adjust the scope and set budgets to manage risk. Risk Management Context
  8. 8. 8 of 22 Risk Management Process Iterate to keep the Risk Exposure (the impact of risk on objective attainment), within the Risk Appetite (an agreed, acceptable level of risk), in a cost-effective manner. Identify Assess Plan Implement Identify Risks: Experience, Checklist, SWOT, Interviews Categorise Probability & Impact Prioritise Qualitative Quantitative Define Risk Response: Exploit/Avoid, Share/Transfer, Enhance/Mitigate, Realise/Accept Define Contingencies Iterative Implement Review Communicate Manage Stakeholders Lessons Learned
  9. 9. 9 of 22 Identify, Assess, Plan, Implement Identify: What could happen Identify & List Risks: Experience, Checklist, SWOT, PESTLE, Interviews, Questionnaires Categorise: By project phase, system element, or other suitable risk event source breakdown Assess: Understand consequences Qualitative assessment: Probability of the risk occurring and the size of the Impact on objectives Prioritise: Rank the risks – focus on those with highest probability and impact Timing: Understand when the risk may occur Quantitative analysis: modelling, confidence levels, sensitivity Plan: Define appropriate responses Exploit/Avoid, Share/Transfer, Enhance/Mitigate Define Contingencies Ignore, Realise/Accept Residual Risk: Risk that remains after taking enhancement/mitigation measures Secondary Risk: Risk that arises as a result of taking enhancement/mitigation measures Implement: Monitor and control the risks Review: Risk triggers, responses, add new risks, close dead risks & release risk pot Communicate: Key risks Manage Stakeholders
  10. 10. 10 of 22 Plan: Define appropriate responses
     • Share/Transfer: Allocate ownership to manage risk optimally. Insure (internally by pooling or externally)
     • Enhance/Mitigate: Reduce the uncertainty – if cost effective to do so
     • Contingencies: Fall-back, should the risk occur/not occur despite mitigation/enhancement
     • Realise/Accept: Risk or Residual Risk after enhancement/mitigation
     • Secondary Risk: May also choose to treat as Risks and define a response etc.
     [Diagram: response options for Opportunities and Threats (Exploit/Avoid, Share/Transfer, Enhance/Mitigate, Realise/Accept, Contingency, Log / Monitor, Ignore), their effect on Impact and/or Probability, the resulting Residual Risk and Secondary Risk, and links to Planning & Scheduling and Change Scope, e.g. Requirements, Specification, PBS, WBS, Partners, Suppliers]
  11. 11. 11 of 22 Qualitative Assessment
     Rank Risks by assessing risk probabilities and impacts having first adjusted to suit the project.
     Probability Impact Diagram: Mapping risks helps to decide where best to focus risk management effort.
     Contingency Setting: A Risk Register can calculate the total Contingency based on the entered data. This figure is at best a guide and must be subject to discussion.
     [Probability Impact Diagram: Probability (VL to VH) against Negative Impact for Threats and Positive Impact for Opportunities; focus effort on Key Risks]
     Scales (Very Low / Low / Medium / High / Very High):
       • Schedule Impact: < 2 weeks / 2 weeks to < 1 month / 1 to < 2 months / 2 to < 4 months / > 4 months
       • Cost Impact: < 1% / 1% to < 2% / 2% to < 4% / 4% to < 8% / > 8%
       • Performance Impact: Minor impact in a secondary aspect / Multiple impacts in a secondary aspect / Minor impacts in one key aspect / Major impact in one key aspect / Major impact in multiple key aspects
       • Probability: < 10% / 10% to < 25% / 25% to < 50% / 50% to < 75% / > 75%
  12. 12. 12 of 22 Bias, Concurrency & Estimation Uncertainty Optimism Bias can make assumptions too positive, perhaps as a result of making a plan fit fixed targets. Cognitive Bias is where personal past experience unscientifically skews estimates. Plan dates and costs are often optimistic if estimation uncertainty is not considered. Plans generally feature concurrent tasks with minimal float. Task effort estimates frequently use expert judgement, often given as single point, or deterministic, estimates. The more concurrent tasks, the greater the impact on the project when, as is likely, some tasks finish later than estimated. Deterministic outcomes often have a very low probability. Range estimates are more realistic, with 3 points (minimum, most likely, maximum) advised. Key project dates and costs then also become ranges along with a probability. Typical plan analysis: Yellow line is the probability of achieving the Deterministic Cost
  13. 13. 13 of 22 Funding Estimation Uncertainty & Selective 4 Point Estimating ‘Most Likely’ means equally probable of being under or over, but estimates often have a negative bias such that most likely (ML) is not 50% probable. To avoid this negative bias, 4 points are recommended*, 3 point plus probability of the ‘most likely’ – just for the tasks that most impact the project, found by sensitivity analysis, as doing this for all tasks is typically not worthwhile. Min ML P=50% Max The business Risk Appetite can inform what probability to use across the business, e.g.: 10% Team Target (likely risks do not occur) 50% Best Estimate (as many risks occur as not) 90% ‘Safe’ Estimate (several unlikely major risks occur) One strategy is to use the cost difference between the project cost for the probability chosen according to the business Risk Appetite and the deterministic project cost as the main element of a ‘project risk pot’ to handle estimation uncertainty. Rewarding using as little of this risk pot as possible, whilst recognising that a proportion is likely to be required, encourages behaviour that enhances results whilst recognising uncertainty and setting realistic expectations. 4 Point Estimates * See separate presentation, “Estimation for Projects & Programmes” Caution Don’t confuse uncertainty with a lack of knowledge. Large ranges generally indicate guessing – experience is required to estimate rather than guess.
  14. 14. 14 of 22 Risk Management for Projects & Programmes Strategy (Need) Contingency Opportunities Enhancement Tasks Secondary Risks Product Breakdown Structure Work Breakdown Structure Work Packages & Tasks Estimates Zero Risk (Deterministic) Cost INFORM Inform / Offset Threats Mitigation Tasks Programme & Project Set-up INFORM Project Delivery Process, PDP Risk Register Tool, RRT Risk Management Strategy, RMS Risk Management Plan, RMP Held at Board level: Project, Programme or Business Held at Project & Programme level If cost effective Contingency Project Risk Pot Estimation Uncertainty
  15. 15. 15 of 22 Risk Management Strategy How risk is to be managed across an organisation, the corporate strategy & policy. Generally an in-feed for a programme or project but may also be defined at this level, possibly as a flow- down from an organisation RMS. Risk Management Plan How risk will be managed in a programme or project, tailored to that programme or project, i.e. how the Risk Management Strategy will be delivered. Risk Management Documents & Tools Risk Register Tool Central repository for Risk Events, i.e. risk data • Opportunity & Threat Log and Analysis • Risk Owner • Risk Response & Cost Estimation • Probability Impact Diagram, PID • Risk Triggers & Timing • Classification marking • Internal Only option • Baselines & Risk History graphing • Contingency Estimation • Risk Exposure calculation Quantitative Analysis Tools Quantitative Analysis (uncertainty and probabilistic modelling – Monte Carlo analysis) is best done using purpose built tools, e.g. @Risk, or integrated scheduling and risk management tools, e.g. Oracle Primavera Risk Analysis or Safran Risk.
  16. 16. 16 of 22 Keep People Safe HSE: Health, Safety and Environment Do a Risk Assessment to expose potential hazards EN ISO 14121-1 is a useful guide in defining potential hazards Consider the whole lifecycle: hazards may differ from one phase to the next Plan actions to deal with the hazards identified and reduce to an acceptable level the probability of harm to the team and other stakeholders There may be tasks and costs arising from the risk assessment: include these in planning
  17. 17. 17 of 22 Risk Assessment provides scientific advice on potential threats, often the basis for making decisions to address these threats via Risk Management. Europe separates the roles of Risk Assessor and Risk Manager in law to make clear the distinction between science and politics. Risk Assessment is concerned with preventing harm to people The Health and Safety Executive in the UK defines Risk as the chance, high or low, of somebody being harmed by a hazard, and how serious the harm could be. Risk Management is minimising the impact of threats and maximising the benefit of opportunities Risk Assessment actions are aimed at reducing the potential harm to zero, or at least to acceptable levels by taking reasonably practicable measures – balancing the level of risk against the measures needed to control the real risk in terms of money, time or trouble. Action need not be taken if it would be grossly disproportionate to the level of risk. Risk Assessment is an excellent, essential and in most countries mandatory method for understanding and reducing potential harm to people. However, Risk Assessment is not a substitute for Risk Management, e.g. there is no concept of up-side risk in Risk Assessment since there is no 'harm' in up-side risk. Risk Management and Risk Assessment
  18. 18. 18 of 22 Risk Management: Test Strategy Unit Test on a PC Regression Test via a simulator automated on commit automated on commit get code coverage System Test the whole system Continuous Integration doing real things where possible probably involves people Field Trial Interoperability Test Site / Final Acceptance Test System Test Integration Test Bring-up Test Subsystem Production Test Subsystem Test Module Test Unit Test Low Level Tests Integration Level Tests System Level Tests Optional System Level Tests (required in some domains) Compliance Test System Production Test FPGA On-Board Test Design TestProduction Test
  19. 19. 19 of 22 Practical Risk Management: Hints & Tips I Prior to ‘Identify’, describe the project and the goals of Risk Management for your project (often described in the Risk Management Plan). Then the project team can raise specific project risks. The danger of not doing this is that the risks identified may be generic and that this is carried throughout Risk Management for the project, significantly devaluing Risk Management. Risk descriptions need to be understandable outside the project, without further explanation. Risks should be accurately defined and as specific as possible. Avoid listing an effect rather than the risk leading to the effect. It may help to think in terms of cause, then risk arising from this cause, then the effect(s) of the risk. Probability and impact are often guesses and contain cognitive bias, so it can be helpful to consider the relative risk scores rather than the absolute in deciding which risks to actively manage. Risk Management is more than just keeping a Risk Register. The Risk Register is only a tool to note the risks and our responses, and to help with decision making. Completing the actions arising adds the real value. Appropriate review frequency depends on project scale and phase. At some phases, weekly review may be worthwhile; at other phases, monthly may be sufficient.
  20. 20. 20 of 22 Practical Risk Management: Hints & Tips II Experience is needed to judge the appropriate Risk Management effort, but investing more in managing risk than the cost if all the risks occur clearly makes no sense. The Risk Management process can be gone through in a few minutes for many risks, so the effort required need not be high. The effort level should not, however, be limited simply by a lack of competence (i.e. knowledge & experience) of those undertaking Risk Management. The number of risks typically identified depends on the project value and complexity; usually more than 10, less than 100. How many of the identified risks are selected for managing is an experience-based judgement; but very rarely all, except perhaps for a strategic Risk Register. Risk Assessments commonly involve a reassessment of the impact after the risk responses have been undertaken, since it is vital that we can see that potential harm to people has indeed been reduced to an acceptable level by our actions. This is much less common in Risk Management in projects and programmes, where there’s often little value in this sort of reassessment. It can be difficult for many people to consider threats and opportunities concurrently – e.g. we don’t talk about the ‘risk’ of a beneficial event occurring in normal life. So it may help to consider threats and opportunities separately rather than concurrently when identifying risks.
  21. 21. 21 of 22 Summary Most projects and programmes have to deal with risk, this presentation summarises best practice for visible, repeatable and consistent risk management. Whilst best practice guidance offers no single definition, it is broadly aligned. Some level of risk is not only inevitable, but desirable for success. Project Risk Management is a core PM competence and should be practiced on all projects and programmes, in a manner appropriate to the value, complexity and risk. Projects which do not undertake Risk Management are more likely to fail. Estimation uncertainty alone can reduce the probability of on-time delivery to less than 10%. Risk Management has many benefits, not least being a higher likelihood of delivery to time and budget.
  22. 22. 22 of 22 Author Profile In my board role I led a team of 22 Project Managers and 5 Quality Engineers, and ensured Roke’s £79m project portfolio delivered better than budget profit. I set-up and ran a virtual PMO and created REP, the Roke Engineering Process, also managing the engineering tools to support it. After 4 years as an electronics engineer for Siemens, achieving Chartered Engineer, I moved into project management for 14 years, at Siemens and Roke Manor Research. Successfully delivering Roke’s most challenging whole lifecycle product developments on time and under budget led to a role as Director and board member for 6 years. In 2013 I returned to hands-on project management as Programme Director at Cambridge Consultants, founder member of the Cambridge Science Park. Creator of the APM corporate accredited PM Excellence Programme, I chaired a quarterly PM forum to share best practice and built a supportive PM community. I coached seven PMs to RPP, five to PQ, and all passed APMP. These investments in PM professionalism led to a turn-around and annual improvement in project results across a 400 project portfolio and delivered an above budget performance in five consecutive years with profits totalling £7.9m above budget. Passionate advocate of PM professionalism, Fellow of the APM and the IET and author of articles published in Project and PM Today. Professional Development Winning Project Work Planning Estimating Risk Management Earned Value Management Change Control Stakeholder Management 3 Steps to Professional Project Management: Case Study ProjectManagementTopics
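
The estimation-uncertainty argument of slides 12, 13 and 21, as an added worked example (not part of the original slides): a Monte Carlo run over five concurrent tasks with 3-point estimates, showing how rarely the deterministic date is met and where the 10%, 50% and 90% dates fall. The task figures, the function names and the choice of a triangular distribution are assumptions made for illustration.

```python
import random

# Constructed 3-point estimates in days (min, most likely, max); not from the slides.
# Five concurrent tasks that must all finish before one milestone.
TASKS = [(8, 10, 16)] * 5


def deterministic_finish(tasks):
    """Milestone date if every task takes exactly its 'most likely' duration."""
    return max(ml for _, ml, _ in tasks)


def p_task_by_most_likely(lo, ml, hi):
    """Analytic P(duration <= most likely) for a triangular distribution."""
    return (ml - lo) / (hi - lo)


def simulate(tasks, trials=20000, seed=1):
    """Return sorted simulated milestone dates (the latest of the concurrent tasks)."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    finishes = [
        max(rng.triangular(lo, hi, ml) for lo, ml, hi in tasks)
        for _ in range(trials)
    ]
    finishes.sort()
    return finishes


def p_on_time(finishes, deadline):
    """Fraction of simulated runs that finish on or before the deadline."""
    return sum(f <= deadline for f in finishes) / len(finishes)


def percentile(finishes, p):
    """Date met in a fraction p of the simulated runs (finishes must be sorted)."""
    return finishes[min(len(finishes) - 1, int(p * len(finishes)))]


def summary(tasks):
    finishes = simulate(tasks)
    det = deterministic_finish(tasks)
    p90 = percentile(finishes, 0.90)
    return {
        "deterministic": det,
        # Each task alone meets its most-likely date 25% of the time here,
        # so all five together do so about 0.25**5, i.e. roughly 0.1% of runs.
        "p_deterministic": p_on_time(finishes, det),
        "p10": percentile(finishes, 0.10),  # 'Team Target'
        "p50": percentile(finishes, 0.50),  # 'Best Estimate'
        "p90": p90,                         # 'Safe' Estimate
        # Schedule analogue of the slide 13 risk pot: chosen percentile
        # minus the deterministic figure.
        "schedule_buffer": p90 - det,
    }


if __name__ == "__main__":
    for name, value in summary(TASKS).items():
        print(f"{name:>16}: {value:.3f}")
```
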