Project Risk Management Best Practices
By Mohamad Boukhari
What is a risk?
• A Risk is:
“An uncertain event, activity, or situation that can have a positive or a negative effect on any objective” - ARM
• A Project Risk is:
“an uncertain event or condition that, if it occurs, has a positive or negative effect on at least one project objective.” (PMBOK 4th)
[Figure: Cause, Uncertainty, Effect]
Risk and Issue
– An Issue is a situation or circumstance that has occurred, is occurring, or has a 100% probability of occurring; and will have a detrimental impact on a program’s schedule, cost, customer satisfaction, technical or quality objectives
– Issues can be initiated as a result of findings or failure to mitigate risks.
Individual Risks
• Individual risks are the focus of day-to-day Project Risk Management in order to enhance the prospects of a successful project outcome.
• Individual risks refer to specific events or conditions that have the ability to affect project objectives positively or negatively.
• An individual risk may affect one or more project objectives, elements, or tasks.
Overall Project Risk
• The overall project risk is more than the sum of individual risks, and it represents the effect of uncertainty on the project as a whole.
• It represents the exposure of stakeholders to the implications of variations in project outcome.
Chapter 2: Principles and Concepts of Risk Management
Project Risk Management
• “Project Risk Management includes the processes concerned with conducting risk management planning, identification, analysis, responses, and monitoring & control on a project.”
Organisations are good at identifying Risks, but poor at doing something about them.
Risk Identification is not Risk Management.
Project Risk Management Objective
• “The objectives of Project Risk Management are to increase the probability and impact of positive events, and decrease the probability and impact of events adverse to the Project.”
Role of Project Risk Management in Project Management
“Risk management should be embedded in the planning and operational documents of the project, and should not be considered as an optional activity.”
Chapter 1: Introduction to Risk Management Concepts
General Risk Management
“Continuous Risk Management”
• Identification
– Risk sources can be external or internal.
• Assessment
– How important? / So what?
– What are the current trends?
• Treatment
– What can we do / What will we do?
– When do we need to manage the risk?
[Figure: Identify, Assess, Treat]
Plan Risk Management
• The process concerned with producing the risk management plan, focusing on how risks will be approached on the project.
• This process is high-level and takes place early in the project since the results of this (and other risk processes) can significantly influence decisions made about scope, time, cost, quality, and procurement.
Identify Risks
• The process of determining which risks may affect the project and documenting their characteristics
Perform Qualitative Risk Analysis
• The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact
• This process helps you rank and prioritize the risks so that you can put the right emphasis on the right risks. It helps to ensure that time and resources are spent in the right risk areas.
QRA can answer the following questions …
• What is the risk?
• Why might it occur?
• How likely is it? (Probability)
• How good/bad might it be? (Impact)
• Does it matter?
• What can we do?
• When should we act?
• Who is responsible?
Critical Success Factors for the Perform Qualitative Risk Analysis Process
Perform Qualitative Risk Analysis
Probability-Impact Matrix
Probability - Impact (P-I) Matrix

              THREATS (NEGATIVE IMPACT)      OPPORTUNITIES (POSITIVE IMPACT)
LIKELIHOOD                                                                    LIKELIHOOD
    5          -5  -10  -15  -20  -25         25   20   15   10    5              5
    4          -4   -8  -12  -16  -20         20   16   12    8    4              4
    3          -3   -6   -9  -12  -15         15   12    9    6    3              3
    2          -2   -4   -6   -8  -10         10    8    6    4    2              2
    1          -1   -2   -3   -4   -5          5    4    3    2    1              1
               -1   -2   -3   -4   -5          5    4    3    2    1
                          RISK IMPACTS (CONSEQUENCES)
Perform Qualitative Risk Analysis
Risk Score
Risk Score = Probability X Impact
The higher the Risk score the more serious the risk
Chapter 6: Perform Qualitative Risk Analysis
Qualitative Analysis - Risk Register Updates
• Relative ranking or priority list of project risks
• Risks grouped by categories
• Causes of risk or project areas requiring particular attention
• List of risks requiring response in the near-term
• List of risks for additional analysis and response
• Watch lists of low-priority risks
• Trends in qualitative risk analysis results
Perform Quantitative Risk Analysis
• It is the process of numerically analyzing the effect of identified risks on overall project objectives.
• It assigns a projected value to (quantifies) the risks that have been ranked by performing Qualitative Risk Analysis.
Quantitative Analysis - Risk Register Updates
• Probabilistic analysis of the project
• Probability of achieving cost and time objectives
• Prioritized list of quantified risks
• Trends in quantitative risk analysis results
Plan Risk Responses
• The process of developing options and actions to enhance opportunities and to reduce threats to project objectives
• It includes the identification and assignment of one person (the “risk response owner”) to take responsibility for each agreed-to and funded risk response.
Response Plan Strategies for Negative Risk
[Figure: cause, risk, effect diagrams for the four strategies: Avoid, Transfer, Mitigate, Accept]
Response Plan Strategies for Positive Risks
[Figure: cause, risk, effect diagrams for the four strategies: Exploit, Share, Enhance, Ignore]
Monitor and Control Risks
• The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project
• The project work should be continuously monitored for new, changing, and outdated risks.
Risk Identification - The Iterative Process
• Risk Identification should be repeated to find risks which were not evident earlier in the project.
• Input is required from a wide range of project stakeholders, since each will have a different perspective on the risks facing the project.
• Historical records and project documents are reviewed.
• Identified risks are not filtered, screened, or assessed at this stage; all identified risks are recorded.
• A risk owner is designated for each identified risk. It is the responsibility of the risk owner to manage the corresponding risk through all of the subsequent risk management processes.
Chapter 3: Introduction to Project Risk Management Processes
Risk Assessment
• Prioritizes
• Evaluates the level of overall project risk
• Determines appropriate responses
• Risk evaluation can be performed using:
– Qualitative techniques to address individual risks
– Quantitative techniques for overall effect of risk on the project outcome.
– Integrated approach for both - requires different types of data
Qualitative Techniques
• Gaining a better understanding of individual risks, and understanding and prioritizing risks, is a prerequisite to managing them.
• Qualitative techniques are used on most projects.
• Outputs:
– Probability of occurrence
– Degree of impact on project objectives
– Manageability
– Timing of possible impacts
– Relationships with other risks
– Common causes or effects
• Outputs are documented and communicated to key project stakeholders and form a basis for determining appropriate responses.
Quantitative Techniques
• May not be required for all projects
• Provide combined effect of identified risks on the project outcome by taking into account probabilistic or project-wide effects, such as:
– Correlation between risks
– Interdependency
– Feedback loops
– Degree of overall risk faced by the project.
• Outputs of quantitative analysis provide:
– Focus for development of appropriate responses
– The calculation of required contingency reserve levels
– Documented and communicated to inform subsequent actions
Risk Responses
• Appropriate risk responses must be developed using an iterative process which continues until an optimal set of responses has been developed.
• Strategies exist for both threats and opportunities.
• The risk owner should select an achievable, affordable, and appropriate strategy for each individual risk, based on its characteristics and assessed priority.
• The use of a single strategy that addresses several related risks should be considered whenever possible.
What is ERM? (Enterprise Risk Management)
• The simple definition
– Integrated risk management working as a co-ordinated activity across the whole organisation.
– Bringing together all risk management activities
– Sharing them with all parts of the organisation
– Using an appropriate framework
• ERM is about the entire organisation, not just bits of it, and it is about performing all activities, not just some of them.
• COSO (Committee of Sponsoring Organisations)
– Sees ERM as an appropriate level of controls being exercised in a series of interconnected functional layers
The COSO ERM Framework
What is ISO 31000 Risk Management
ISO 31000:2009 sets out principles, a framework and a process for the management of risk that are applicable to any type of organization in public or private sector. It does not mandate a "one size fits all" approach, but rather emphasizes the fact that the management of risk must be tailored to the specific needs and structure of the particular organization.
ISO 31000
• ISO 31000:2009 has been received as a replacement to the existing standard on risk management, AS/NZS 4360:2004
• Risk is the “effect of uncertainty on objectives”
• Principles:
a) Risk management creates value.
b) Risk management is an integral part of organizational processes.
c) Risk management is part of decision making.
d) Risk management explicitly addresses uncertainty.
e) Risk management is systematic, structured and timely.
f) Risk management is based on the best available information.
g) Risk management is tailored.
h) Risk management takes human and cultural factors into account.
i) Risk management is transparent and inclusive.
j) Risk management is dynamic, iterative and responsive to change.
k) Risk management facilitates continual improvement and enhancement of the organization.