Presentation from March 7, 2007 Dinner Meeting
TRANSCRIPT
-
8/9/2019 Presentation from March 7, 2007 Dinner Meeting
1/32
Chip Justice and Courtney Lane
7 March 2007
Communicating and Managing Risks
-
Agenda
Defining Risk Management - Chip
Programmatic Development - Courtney
Identifying and Managing Risks - Courtney
Changing A Culture - Chip
Applying Risk Management to your organization - Chip
-
Agenda
Defining Risk Management - Chip
  Industry definition vs. the customer's definition
  Purpose & Goals
  Value of Risk Management
  Opportunities & Issues
Programmatic Development - Courtney
Identifying and Managing Risks - Courtney
Changing A Culture - Chip
Applying Risk Management to your organization - Chip
-
What is a Risk?
A threat or obstacle that prevents an organization from achieving its objectives
A hazard
The future chance or probability of loss
-
Let's take a look at how Industry defines Risk
Risk
The potential inability to achieve overall program objectives within defined cost, schedule, and technical constraints and has two components
(1) the probability/likelihood of failing to achieve a particular outcome, and
(2) the consequences/impacts of failing to achieve that outcome. [1]
...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. [2]
RISK (risk) n. [Fr. risque < Ital. risco.] 1. Possibility of suffering harm or loss: DANGER. 2. A factor, course, or element involving uncertain danger: HAZARD. 3. a. The danger or probability of loss to an insurer. b. The amount that an insurance company stands to lose. c. One considered with respect to the possibility of loss to an insurer. [3]
[1] Risk Management Guide for DoD Acquisition, Fourth Edition, DoD, DAU, DSMC, February 2001
[2] Project Management Institute, PMBOK, 2001 Edition
[3] Webster's II University Dictionary
-
Our customer tends to define risk much like that of the DAU but further breaks it down into three categories
Risk
The potential inability to achieve objectives
Opportunity
The potential ability to exceed objectives
Issue
An unfavorable circumstance that is certain to affect achievement of objectives
-
How do you communicate your risks?
-
Our customer communicates their risks through standardized processes utilizing People, Processes, and Technologies
[Diagram: People, Process, Technology]
Process
  Define a risk management process based on the ERM process
  Introduce risk management process documents into the Enterprise Configuration Control Board (ECCB)
  Recommend process improvements
  Decision making process / Decision point (Requirements, spending)
People
  Promote a risk management culture that is supported and championed by leadership across the Enterprise
  Communicate the standup of the risk management process through known and established communication channels
  Provide training through established workshops
Technology
  Promote the use of the web-based Risk, Issue, and Opportunity Tool (RIOT) to capture and report information regarding risks, issues and opportunities
At Booz Allen Hamilton, we focus on People, Process & Technology in their transformation initiatives
-
Understanding your risk management process and the outcome you desire is the key to defining your purpose & goals
Purpose & Goals
Identify your customer's/firm's/organization's Top Risks so that Leadership can direct the right amount of resources, at the right time, to implement the right solution
Ensure that all involved understand the identified risk with a mitigation plan that is created from a common frame of reference
Create a bottom-up and top-down approach to Enterprise Risk Management
Track overarching or summary level risks and use that information to assist with strategic decisions
Instill the belief in the workforce that communicating risks is a positive, not negative, process that is rewarded, not punished
-
The value of risk management is that it is in line with industry best practices and coincides with your organization's mission
Process compliant with industry standards
Unified risk management process
Web-based risk management tool
Improved participation and communication throughout your organization
Increased visibility with all stakeholders
Achievement of organizational objectives
Defining the value of the ERM process is different for every organization; the key is understanding how you define Value
-
So why implement an Enterprise Risk Management (ERM) program?
It can almost be thought of as situational awareness and capital improvement all in one
By identifying risks, executive leadership and mid-level management can make a decision that is based on solid information with a strategy to mitigate the risk at hand
Management can look to see which are the most critical risks within the organization and then define the appropriate resources to resolve the issue
If implemented correctly, the entire enterprise will benefit from understanding the most important issues and the biggest challenges
-
Agenda
Defining Risk Management - Chip
Programmatic Development - Courtney
  Our Risk Management Process
  Implementation at the Program Level
Identifying and Managing Risks - Courtney
Changing A Culture - Chip
Applying Risk Management to your organization - Chip
-
An enterprise risk management process should be documented to ensure standardization
Process documentation contains the following information:
Tasks required to implement the ERM process
Entry and exit criteria
Inputs and outputs
Roles and responsibilities
Required measures
Templates and training materials should be made available
Risk management plan templates
Briefing templates
Enterprise risk management training package
-
Projects and programs should tailor the ERM process to meet their needs
The following elements of the ERM process can be tailored by projects and programs:
Stakeholders
Probability and consequence definitions
Risk tolerance thresholds
Roles and responsibilities
Communication plan
Measures
Each project and program should document their risk management process in a risk management plan
-
Risk management should be an iterative, tailorable process
Source: Adapted from the Software Engineering Institute's Continuous Risk Management Guidebook
[Diagram: iterative ERM process cycle]
Process steps: ERM 01 Develop Strategy; ERM 02 Identify; ERM 03 Analyze; ERM 04 Plan; ERM 05 Monitor; ERM 06 Control
Diagram labels: Project Kick-Off; Validated risks, issues, opportunities; Classification; Rating; Handling; Priority; Mitigation Plans; Contingency Plans; Triggers; Status reports; Lessons learned; Communication
-
Agenda
Defining Risk Management - Chip
Programmatic Development - Courtney
Identifying and Managing Risks - Courtney
  Identifying Risks
  Analysis and Planning
  Monitor and Control
Changing A Culture - Chip
Applying Risk Management to other Organizations - Chip
-
There are four elements to risk identification
1. Title
  Captures the so-what
2. Statement
  For risks and opportunities: If [concern], then [consequence or benefit]
  For issues: [Statement of concern]; thus, [consequence]
3. Context
  Facts only (who, what, when, where, why)
  Avoid assumptions
  Do not introduce new risks
  Avoid blame
4. Closure Criteria
  Must alleviate the concern in the statement to an acceptable level
  Must be specific, actionable, and measurable
-
Risks are analyzed and handled using the appropriate method
Qualitative analysis is performed to determine:
  The level of cost, schedule, and performance impacts
  The probability of occurrence (probability is 100% if it is an issue)
Results are mapped on a probability impact diagram to determine the risk level
A handling method is chosen depending on the type of risk:
  Mitigate, Resolve, Exploit
  Watch
  Transfer
  Assume
Plans for reducing the probability of occurrence or severity of consequence if the risk occurs are developed
[Diagram: Probability Impact Diagram]
Probability of Occurrence: 0-19% Highly Unlikely; 20-39% Unlikely; 40-59% Likely; 60-79% Highly Likely; 80-99% Near Certain; 100% Issue
Consequence Level: Negligible; Marginal; Significant; Critical; Catastrophic
-
Risks and progress on their plans must be monitored and controlled
Monitoring risks is extremely important
New programs are created
Resource levels change
Funding status changes
New supporting information is discovered
Risks should be updated to reflect any changes found in the Monitor step
Controls (risk boards) are in place at every level of our customer's organization to monitor risks. These boards can make several decisions about each risk:
Reject (need more information or rework)
Accept
Escalate
Return for status
Close
-
Risk Controls boards/groups
[Diagram: risk control boards/groups and the levels of risk]
Boards/groups: ELG; Risk Management Core Team (RMCT); Key Component Risk, Issue, and Opportunity Management Board (KC-ROMB); Directorate 1, Directorate 2, Directorate 3; Program 1, Program 2, Program 3
Risk levels: Strategic Risks; Enterprise Risks; Directorate Level Risks; Program Risks
Joint Risk Process
-
Agenda
Defining Risk Management - Chip
Programmatic Development - Chip
Identifying and Managing Risks - Courtney
Changing A Culture - Chip
  Obtaining Buy-in & Support
  Risk & Reward vs. Exposure & Condemnation
  Defining a Concept of Operations (ConOps) / Risk Management Plan
Applying Risk Management to other Organizations - Chip
-
Where do you stand with the evolution of risk management?
Problem Stage
  I'm too busy to apply a formal risk management practice.
  Risk identification not seen as positive.
  What went wrong?
Mitigation Stage
  Risk Management is What Managers Have to Do
  Aware of risks but not sure how to communicate them
  What can go wrong and what are the consequences?
Prevention Stage
  Risk Management is everybody's responsibility.
  Risk management is viewed as a team activity
  Identification and elimination of root causes
  What caused the risk?
Anticipation Stage
  We can focus on the right priorities
  Use of measures to anticipate predictable risks
  Alternatives are easy to compare using a quantitative approach
  How can we proactively attack risks and assess alternatives?
Opportunity Stage
  Where there is risk, there is opportunity
  Risks are a chance to do better than planned
  Risk management is used to innovate and shape the future
  Engineering excellence
  How can we take advantage of risks?
Increasing levels of knowledge, commitment, communication, efficiency, and effectiveness enable transformation through each stage
-
Defining and utilizing the risk management process will not succeed with just executive level support
The risk management process has to be embraced by the entire organization and championed by Leadership
Obtain buy-in through:
Using checklists for standardization
Providing guidelines
Encouraging and welcoming open communications between individuals, departments, and organizations
Taking Surveys
Evaluating the upside and downside of the risk
Obtain commitment and resources from leadership. At this point, risk management automatically becomes a management priority and leadership becomes an advocate of risk management and supports the process
-
Changing a culture is not easy, but a little praise could not hurt
The key is to understand that 'risk' exists and it can be managed and rewarded
Training, Training, and Training - instilling Risk & Reward vs. Exposure & Condemnation
Leadership Communications
Talking points
Brown bags
Define why holding risk information is not a benefit
Transition to a Risk Aware (Manage the Risk), not Risk Averse culture
-
Defining a Risk Management Plan is a must if you want your ERM program to succeed
Identify, Evaluate and Manage the process for risk management
Develop Comprehensive Safety/Loss Control Programs, Policies and Procedures that are tailorable to specific risk
Establish a Catastrophic Business Continuation or COOP Program
Transfer Risk Whenever Economically Feasible through Insurance, Legal Contracts, and Avoidance
Analyze/Re-evaluate Your Risks on a recurring basis
Identify best practices
Benchmark and define standards/metrics
-
Agenda
Defining Risk Management - Chip
Programmatic Development - Chip
Identifying and Managing Risks - Courtney
Changing a culture - Chip
Applying Risk Management to other Organizations - Chip
  Lessons Learned
  Best Practices
-
Communicating risks can be implemented better by understanding the Lessons Learned from previous risks
Identify
Communicate
Learn
-
Implementing best practices assists in communicating effectively
Using a Risk Management process that is consistent with existing
-
Using a Risk Management process that is consistent with existing government and industry best practices results in easier client buy-in, implementation and results
DAU Risk Management Community of Practice
[Diagram: risk management process steps]
Plan: Standard definitions; Processes; Team training
Identify: Situation; Uncertainty; Impact; Actions
Control: Mitigation; Contingency Plans
Analyze: Probability; Impact; Outcomes
Monitor: Maintain history; Monitor plans; Periodic updates
One Firm delivering results that endure
-
How to Learn More
DAU
  PMCoP (https://acc.dau.mil/CommunityBrowser.aspx)
  New Risk Management Guide, Aug 2006
  Acquisition Review Quarterly, Risk Special Edition, Spring 2003
PMI http://www.pmi.org/info/default.asp
  PMBOK
  Risk SIG
INCOSE https://www.incose.org
  Risk Management Working Group
Prince2 - Projects in controlled environments
  http://www.tsoshop.co.uk
Read!
-
Closing Remarks
The Director of Central Intelligence Directive (DCID) 8/1 identifies risk management as Balancing the goal of greater intelligence information sharing with the need to protect sources and methods requires IC members to apply a risk management methodology. This policy must be implemented in ways that balance the risk of unauthorized disclosure of sources and methods against the imperative to provide the most useful and responsive intelligence. The information needs of the customer must be given important weight in this risk management determination.
-
Q&A