Risk Management for Projects & Programmes

www.onlyforward.org
russell@onlyforward.org

Upload: ruby-carpenter

Post on 29-Dec-2015




What is Risk?

We know that plans are unlikely to be a precise prediction of the future.

Plans are a model of interconnected tasks believed certain to be required to achieve an objective.

There are also events which are less than certain, but if they happen, would impact the plan.

A risk is a significant, uncertain event that, if it occurs, has an effect on at least one task.

A risk can have detrimental or beneficial effects:
• A risk with a detrimental effect is a threat
• A risk with a beneficial effect is an opportunity

Patsy, Monty Python and the Holy Grail, 1975


What is Risk Management?

Risk Management is how we act to manage significant uncertainty.

Uncertain events will always be part of any plan for the future.

Risk Management is a core PM competence.

“There are known knowns; there are things that we know that we know. There are known unknowns; that is to say, there are things that we know that we don’t know. But there are also unknown unknowns – there are things that we do not know we don’t know.”

Donald Rumsfeld, US Secretary of Defence, 2002

[Diagram: Project Management, made up of Planning & Scheduling, Risk Management, and Context & Assumptions. Other labels: Certain Events; Uncertain Events; significant; insignificant.]


Why do Risk Management?

Good Risk Management will:
• Lead to more realistic plans
• Help to set expectations appropriate to value, risk and complexity
• Inform bid/no bid decisions
• Help in selecting the most appropriate contract type
• Inform PM selection, matching PM competence to value, risk and complexity
• Help set project level contingencies, rather than task level or a fixed amount
• Enable greater honesty, openness and understanding
• Reduce uncertainty by implementing responses to risk
• Enable simpler, more transparent reporting
• Reduce stress and reliance on a hero culture
• Significantly increase the likelihood of meeting time, cost and quality objectives

Cautions!
• Risk Management will not guarantee meeting time, cost and quality objectives!
• If undertaken as a tick box exercise, or only at bid time, the full value will not be realised!
• The effort invested should be proportional to value, risk and complexity


Risk Management Best Practice Guidance

International Standards Organisation
• ISO 31000 [2009] Risk Management Principles & Guidelines
• ISO/IEC 31010 [2009] Risk Management Risk Assessment Techniques
• ISO Guide 73 [2009] Risk Management Vocabulary

British Standards
• BS 6079-3 [2000] Guide to the Management of Business Related Project Risk

Association for Project Management
• PRAM: Project Risk Analysis and Management Guide, 2nd Edition [2010]
• Interfacing Risk and Earned Value Management [2008]
• Prioritising Project Risks [2008]

Project Management Institute
• Practice Standard for Project Risk Management [2009]

The Institute of Risk Management
• Publications that primarily deal with enterprise risk management

UK Government
• The Orange Book: Management of Risk, Principles and Concepts [2004]
• Management of Risk, Guidance for Practitioners, 3rd edition [2010, Axelos]
• Ministry of Defence Acquisition Operating Framework: Risk Management [v4.2.2]


Risk Management Training

For each certification: Valid, Renewal, Acquisition, Pre-requisite.

Association for Project Management

Risk Certificate Level 1
• Valid: -
• Renewal: -
• Acquisition: 1 hour multiple choice exam: 60 questions, pass ≥60%
• Confirms knowledge sufficient to allow contribution to risk management within a project.
• Can be taken as a 2 day course, cost £1,100 (inc. exam fee). Open exam fee £164 (£146 for APM members).

Risk Certificate Level 2
• Valid: -
• Renewal: -
• Acquisition: 3.25 hour exam: section A, 100 marks; section B, 100 marks, 2 from 4 questions, 2 relate to case study, pass ≥60%
• Pre-requisite: Risk Certificate Level 1 knowledge (not certification)
• Confirms knowledge, understanding and capability, sufficient to undertake project risk management.
• Can be taken as a 2 day course, cost £1,100 (inc. exam fee). Open exam fee £430 (£310 for APM members).

Combined Risk Levels 1 & 2: Open exam fee £558 (£384 for APM members).

UK Cabinet Office, Axelos

M_o_R Foundation
• Valid: -
• Renewal: -
• Acquisition: 1 hour multiple choice exam: 75 questions of which 70 count, pass ≥50% (35/70)
• Confirms sufficient knowledge and understanding to contribute to the identification, assessment and control of risks across any organization.

M_o_R Practitioner
• Valid: 5 years
• Renewal: 1hr exam, pass ≥55%
• Acquisition: 3 hour exam: 4 questions, 20 marks each, open book (specified M_o_R books only), pass ≥50% (40/80)
• Pre-requisite: M_o_R Foundation
• Confirms sufficient understanding of how to apply and tailor M_o_R in a scenario situation.

M_o_R Foundation and Practitioner can be taken together in a 5 day course, cost £2,300.

Project Management Institute

PMI-RMP (PMI Risk Management Professional)
• Valid: 3 years
• Renewal: 30 PDUs over 3 years
• Acquisition: 3.5 hour multiple choice exam: 170 questions, 150 scoring, 'Modified Angoff Method' to determine pass
• Pre-requisite: Degree, 2 years’ project risk management experience and 30 hours formal project risk management training
• Recognises competence in assessing and identifying project risks, mitigating threats and capitalizing on opportunities, while still possessing a core knowledge and practical application in all areas of project management.
• 2008 launch, 2,033 credential holders worldwide by 30 April 2013. Certification fee $670 ($520 for PMI members).

Project Risk Management is also covered in general PM certifications:
• APM: APMP, PQ, RPP
• Axelos (OGC): PRINCE2
• PMI: PMP


Risk Management Context

Context is the environment in which an organisation seeks to achieve its objectives. As the context changes, it may be necessary to adjust the approach to Risk Management.

Risk Management principles are the same at all levels – strategic, change & operational.

At the strategic level Risk Management is a significant part of corporate governance. A Risk Management Strategy (RMS) may describe how risk is to be managed across an organisation, taking into account:
• external factors such as legislation, government policy, market and domain
• internal factors such as the organisation’s size, complexity and culture
• as well as the strategic vision, balance of risk across the organisation, conflict resolution, risk appetite and lessons learned

The RMS may be a single document or a number of documents, e.g. Policy, Process and Guidance.

Operational Risk Management covers day-to-day business functions such as health & safety, people, information security and business continuity.

Change is what projects and programmes deliver. Apply Risk Management through all project delivery phases – in a manner proportional to the value, risk and complexity at each phase. The nature and degree of freedom for responding to risk will change at different project phases, e.g. in the concept phase there will be a greater chance to adjust the scope and set budgets to manage risk.


Risk Management Process

Iterate to keep the Risk Exposure (the impact of risk on objective attainment), within the Risk Appetite (an agreed, acceptable level of risk), in a cost-effective manner.

[Diagram: an iterative cycle of four steps]
• Identify: Identify Risks (Experience, Checklist, SWOT, Interviews); Categorise
• Assess: Probability & Impact; Prioritise; Qualitative; Quantitative
• Plan: Define Risk Response (Exploit/Avoid, Share/Transfer, Enhance/Mitigate, Realise/Accept); Define Contingencies
• Implement: Implement; Review; Communicate; Manage Stakeholders

Other labels on the diagram: Iterative; Lessons Learned.


Identify, Assess, Plan, Implement

Identify: What could happen
• Identify & List Risks: Experience, Checklist, SWOT, PESTLE, Interviews, Questionnaires
• Categorise: By project phase, system element, or other suitable risk event source breakdown

Assess: Understand consequences
• Qualitative assessment: Probability of the risk occurring and the size of the Impact on objectives
• Prioritise: Rank the risks – focus on those with highest probability and impact
• Timing: Understand when the risk may occur
• Quantitative analysis: modelling, confidence levels, sensitivity

Plan: Define appropriate responses
• Exploit/Avoid, Share/Transfer, Enhance/Mitigate
• Define Contingencies
• Ignore, Realise/Accept
• Residual Risk: Risk that remains after taking enhancement/mitigation measures
• Secondary Risk: Risk that arises as a result of taking enhancement/mitigation measures

Implement: Monitor and control the risks
• Review: Risk triggers, responses, add new risks, close dead risks & release risk pot
• Communicate: Key risks
• Manage Stakeholders


Plan: Define appropriate responses

• Share/Transfer: Allocate ownership to manage risk optimally. Insure (internally by pooling or externally)
• Enhance/Mitigate: Reduce the uncertainty – if cost effective to do so
• Contingencies: Fall-back, should the risk occur/not occur despite mitigation/enhancement
• Realise/Accept: Risk or Residual Risk after enhancement/mitigation
• Secondary Risk: May also choose to treat as Risks and define a response etc.

[Diagram: risk responses for Opportunities and Threats. Labels: Planning & Scheduling; Change Scope; Exploit / Avoid; Enhance / Mitigate; Share / Transfer; Impact and/or Probability; Contingency; Realise / Accept; Log / Monitor; Ignore; Residual Risk; Secondary Risk; Specification; Partners; PBS, WBS; Suppliers; e.g. Requirements.]


Qualitative Assessment

Rank Risks by assessing risk probabilities and impacts having first adjusted to suit the project

Probability Impact Diagram
Mapping risks helps to decide where best to focus risk management effort.

Contingency Setting
A Risk Register can calculate the total Contingency based on the entered data. This figure is at best a guide and must be subject to discussion.

[Figure: Probability Impact Diagram. Probability (VL, L, M, H, VH) against Negative Impact (Threats) and Positive Impact (Opportunities), each scaled VL, L, M, H, VH. Annotation: Focus effort on Key Risks.]

Assessment scales (Very Low / Low / Medium / High / Very High):
• Schedule Impact: < 2 weeks / 2 weeks to < 1 month / 1 to < 2 months / 2 to < 4 months / > 4 months
• Cost Impact: < 1% / 1% to < 2% / 2% to < 4% / 4% to < 8% / > 8%
• Performance Impact: Minor impact in a secondary aspect / Multiple impacts in a secondary aspect / Minor impacts in one key aspect / Major impact in one key aspect / Major impact in multiple key aspects
• Probability: < 10% / 10% to < 25% / 25% to < 50% / 50% to < 75% / > 75%


Bias, Concurrency & Estimation Uncertainty

Optimism Bias can make assumptions too positive, perhaps as a result of making a plan fit fixed targets.

Cognitive Bias is where personal past experience unscientifically skews estimates.

Plan dates and costs are often optimistic if estimation uncertainty is not considered.

Plans generally feature concurrent tasks with minimal float. Task effort estimates frequently use expert judgement, often given as single point, or deterministic, estimates.

The more concurrent tasks, the greater the impact on the project when, as is likely, some tasks finish later than estimated. Deterministic outcomes often have a very low probability.

Range estimates are more realistic, with 3 points (minimum, most likely, maximum) advised. Key project dates and costs then also become ranges along with a probability.

Typical plan analysis: Yellow line is the probability of achieving the Deterministic Cost


Funding Estimation Uncertainty & Selective 4 Point Estimating

‘Most Likely’ means equally probable of being under or over, but estimates often have a negative bias such that most likely (ML) is not 50% probable. To avoid this negative bias, 4 points are recommended*, 3 point plus probability of the ‘most likely’ – just for the tasks that most impact the project, found by sensitivity analysis, as doing this for all tasks is typically not worthwhile.

* See separate presentation, “Estimation for Projects & Programmes”

[Figure: 4 Point Estimates. Labels: Min, ML, P=50%, Max.]

The business Risk Appetite can inform what probability to use across the business, e.g.:
• 10% Team Target (likely risks do not occur)
• 50% Best Estimate (as many risks occur as not)
• 90% ‘Safe’ Estimate (several unlikely major risks occur)

One strategy is to use the cost difference between the project cost for the probability chosen according to the business Risk Appetite and the deterministic project cost as the main element of a ‘project risk pot’ to handle estimation uncertainty. Rewarding using as little of this risk pot as possible, whilst recognising that a proportion is likely to be required, encourages behaviour that enhances results whilst recognising uncertainty and setting realistic expectations.

Caution
Don’t confuse uncertainty with a lack of knowledge. Large ranges generally indicate guessing – experience is required to estimate rather than guess.
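The following Monte Carlo sketch is an added example, not part of the original presentation. It shows how concurrent tasks erode the probability of the deterministic finish date and how a risk pot can be sized as the cost at a chosen confidence level minus the deterministic cost. The task figures are constructed, and the two-sided distribution used for the 4th point (the probability of finishing at or below ML) is an assumption, since the slides do not specify one.

```python
import random


def sample(rng, lo, ml, hi, p_ml=None):
    """Draw one outcome from a 3-point (lo, ml, hi) or 4-point estimate.

    p_ml is the 4th point: the probability of finishing at or below 'most
    likely'. If omitted, the plain triangular value (ml-lo)/(hi-lo) is used.
    """
    if p_ml is None:
        p_ml = (ml - lo) / (hi - lo)
    u = rng.random() ** 0.5            # sqrt gives a linear (triangle) density
    if rng.random() < p_ml:
        return lo + (ml - lo) * u      # at or below ML, density rising to ML
    return hi - (hi - ml) * u          # above ML, density falling towards hi


def p_deterministic_finish(estimates, trials=20000, seed=1):
    """Probability that concurrent tasks ALL finish by the deterministic
    date, taken here as the largest 'most likely' duration."""
    rng = random.Random(seed)
    planned = max(est[1] for est in estimates)
    hits = 0
    for _ in range(trials):
        finish = max(sample(rng, *est) for est in estimates)
        hits += finish <= planned
    return hits / trials


def risk_pot(estimates, confidence, trials=20000, seed=1):
    """Total cost at the chosen confidence level minus the deterministic
    cost (the sum of the 'most likely' values)."""
    rng = random.Random(seed)
    deterministic = sum(est[1] for est in estimates)
    totals = sorted(
        sum(sample(rng, *est) for est in estimates) for _ in range(trials)
    )
    index = min(trials - 1, int(confidence * trials))
    return totals[index] - deterministic


# Constructed sample estimates, not taken from the presentation.
WEEKS = (8, 10, 16)        # min, most likely, max duration of one task
COST_K = (40, 50, 80)      # min, most likely, max cost of one task, in £k

if __name__ == "__main__":
    for n in (1, 3, 5):
        print(n, "concurrent tasks:", p_deterministic_finish([WEEKS] * n))
    print("5 tasks, P(ML)=50%:", p_deterministic_finish([WEEKS + (0.5,)] * 5))
    for level in (0.10, 0.50, 0.90):   # the slide's 10% / 50% / 90% levels
        pot = risk_pot([COST_K] * 5, level)
        print(f"risk pot at {level:.0%} confidence (£k): {pot:.1f}")
```

With these constructed figures a single task meets its most likely duration about 25% of the time, and five such tasks running concurrently all meet it less than 1% of the time.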


Risk Management for Projects & Programmes

[Diagram: how risk management relates to project set-up, estimating and contingency. Labels recovered from the diagram:
• Strategy (Need); Programme & Project Set-up; Product Breakdown Structure; Work Breakdown Structure; Work Packages & Tasks; Estimates; Zero Risk (Deterministic) Cost
• Project Delivery Process, PDP; Risk Management Strategy, RMS; Risk Management Plan, RMP; Risk Register Tool, RRT
• Opportunities; Enhancement Tasks; Threats; Mitigation Tasks; Secondary Risks; If cost effective
• Contingency; Project Risk Pot; Estimation Uncertainty
• Held at Board level: Project, Programme or Business; Held at Project & Programme level
• INFORM; Inform / Offset]


Risk Management Documents & Tools

Risk Management Strategy
• How risk is to be managed across an organisation, the corporate strategy & policy. Generally an in-feed for a programme or project but may also be defined at this level, possibly as a flow-down from an organisation RMS.

Risk Management Plan
• How risk will be managed in a programme or project, tailored to that programme or project, i.e. how the Risk Management Strategy will be delivered.

Risk Register Tool
• Central repository for Risk Events, i.e. risk data
• Opportunity & Threat Log and Analysis
• Risk Owner
• Risk Response & Cost Estimation
• Probability Impact Diagram, PID
• Risk Triggers & Timing
• Classification marking
• Internal Only option
• Baselines & Risk History graphing
• Contingency Estimation
• Risk Exposure calculation

Quantitative Analysis Tools
Quantitative Analysis (uncertainty and probabilistic modelling – Monte Carlo analysis) is best done using purpose built tools, e.g. @Risk, or integrated scheduling and risk management tools, e.g. Oracle Primavera Risk Analysis.


Risk Management and Risk Assessment

• Risk assessment provides scientific advice on potential threats, often the basis for making decisions to address these threats via Risk Management.

• Europe separates the roles of Risk Assessor and Risk Manager in law to make clear the distinction between science and politics.

• Risk Assessment is concerned with preventing harm to people. The Health and Safety Executive in the UK defines Risk as the chance, high or low, of somebody being harmed by a hazard, and how serious the harm could be. Risk Management is minimising the impact of threats and maximising the benefit of opportunities.

• Risk Assessment actions are aimed at reducing the potential harm to zero, or at least to acceptable levels by taking reasonably practicable measures – balancing the level of risk against the measures needed to control the real risk in terms of money, time or trouble. Action need not be taken if it would be grossly disproportionate to the level of risk.

• Risk Assessment is an excellent, essential and in most countries mandatory method for understanding and reducing potential harm to people. However, Risk Assessment is not a substitute for Risk Management, e.g. there is no concept of up-side risk in Risk Assessment since there is no 'harm' in up-side risk.


Practical Risk Management: Hints & Tips I

• Prior to ‘Identify’, describe the project and goals of Risk Management for your project (often described in the Risk Management Plan). Then the project team can raise specific project risks. The danger of not doing this is that the risks identified may be generic and that this is carried throughout Risk Management for the project, significantly devaluing Risk Management.

• Risk descriptions need to be understandable outside the project, without further explanation.

• Risks should be accurately defined and as specific as possible. Avoid listing an effect rather than the risk leading to the effect. It may help to think in terms of cause, then risk arising from this cause, then the effect(s) of the risk.

• Probability and impact are often guesses and contain cognitive bias, so it can be helpful to consider the relative risk scores rather than the absolute in deciding which risks to actively manage.

• Risk Management is more than just keeping a Risk Register. The Risk Register is only a tool to note the risks and our responses, and to help with decision making. Completing the actions arising adds the real value.

• Appropriate review frequency depends on project scale and phase. At some phases, weekly review may be worthwhile; at other phases, monthly may be sufficient.


Practical Risk Management: Hints & Tips II

• Experience is needed to judge the appropriate Risk Management effort, but investing more in managing risk than the cost if all the risks occur clearly makes no sense. The Risk Management process can be gone through in a few minutes for many risks, so the effort required need not be high. The effort level should not, however, be limited simply by a lack of competence (i.e. knowledge & experience) of those undertaking Risk Management.

• The number of risks typically identified depends on the project value and complexity; usually more than 10, fewer than 100. How many of the identified risks are selected for managing is an experience-based judgement; but very rarely all, except perhaps for a strategic Risk Register.

• Risk Assessments commonly involve a reassessment of the impact after the risk responses have been undertaken, since it is vital that we can see that potential harm to people has indeed been reduced to an acceptable level by our actions. This is much less common in Risk Management in projects and programmes, where there’s often little value in this sort of reassessment.

• It can be difficult for many people to consider threats and opportunities concurrently – e.g. we don’t talk about the ‘risk’ of a beneficial event occurring in normal life. So it may help to consider threats and opportunities separately rather than concurrently when identifying risks.


Summary

Most projects and programmes have to deal with risk. This presentation summarises best practice for visible, repeatable and consistent risk management. Whilst best practice guidance offers no single definition, it is broadly aligned.

Some level of risk is not only inevitable, but desirable for success.

Project Risk Management is a core PM competence and should be practised on all projects and programmes, in a manner appropriate to the value, complexity and risk.

Projects which do not undertake Risk Management are more likely to fail. Estimation uncertainty alone can reduce the probability of on-time delivery to less than 10%.

Risk Management has many benefits, not least being a higher likelihood of delivery to time and budget.


Author Profile

In my board role I led a team of 22 professional Project Managers and 5 Quality Engineers, and ensured Roke’s £79M project portfolio delivered better than budget profit. I set up and ran a virtual PMO and created the Roke Engineering Process, REP, also managing the engineering tools to support it.

I created a project management competency framework and the PM Excellence Programme, which achieved APM corporate accreditation, scoring 24 out of a possible 25 points in the APM assessment.

I chaired a quarterly PM forum which shared best practice and built a supportive PM community – seven of the project managers I coached have achieved APM RPP, five have PQ, and all gained APMP. Together, these investments in PM professionalism led to a turn-around and annual improvement in project results across a typical portfolio of up to 400 projects a year and delivered an above budget performance in five consecutive years with profits totalling £7.9M above budget. I am a passionate advocate of PM professionalism, a Fellow of the APM and the IET, and author of articles published in Project and PM Today.

After four years as an electronics engineer for Siemens, achieving Chartered Engineer, I moved into project management for 14 years, at Siemens and Roke Manor Research. At Roke, my ability to successfully deliver the most challenging whole lifecycle product development projects on time and under budget led to a role as Projects Director and board member for 6 years. In 2013 I went back to hands-on project management, taking a Programme Director role at Cambridge Consultants, in the Cambridge Science Park.