57086 14 management_ofrisk

57086 Contract and Project Management14David Sowden, The University of Hull

David Sowden, The University of Hull

1457086 Contract and Project Management

Management of Risk

Overview

• Management of Risk– What is Risk Management?

– Risk Principles

– The risk management cycle

– Risk responsibilities

– Risk ownership

– Risk tolerance

– Risk analysis

– Risk profile

– Budgeting for risk management

– Further considerations

3

What is Risk Management?

4


Risk management involves having:

4



4



– Access to reliable, up-to-date information about risks

4




– Decision-making processes supported by a framework of risk analysis and evaluation

4





– Processes in place to monitor risk

4





– Processes in place to monitor risk

– The right balance of control in place to deal with those risks (Risk tolerance)

4

Risk Principles

5

Risk Principles– The Project Board (Supervisors) support and promotes risk management, and

understand and accept the time and resource implementation.

5



– Risk management policies and the benefits of effective risk management are clearly communicated to all staff

5




– A consistent approach to risk management is fully embedded in the project management processes

5





– Management of risk is an essential contribution to the achievement of business objectives

5






– Risks through working with programmes and tother projects are assessed and managed

5







– There is a clear structure to the risk process so that each element of level of risk identification fits into an overall structure

5







– There is a clear structure to the risk process so that each element of level of risk identification fits into an overall structure

– Where the project is part of a programme, change in the state of any project risks that also identified as programme risks must be flagged to programme management or designated risk management function in the programme.

5

Risk Management Cycle

6

Risk analysis Risk management


6

Identify the risks



6

Identify the risks


Evaluate the risks


6

Identify the risks


Identify suitable responses to risk

Evaluate the risks


6

Identify the risks


Select


Evaluate the risks


6

Identify the risks


Select

Plan and resourceIdentify suitable responses to risk

Evaluate the risks


6

Identify the risks

Monitor and report


Select


Evaluate the risks


6

Identify the risks

Monitor and report


Select


Evaluate the risks


7

Identify the risks


7

Identify the risks

–Strategic/commercial


7

Identify the risks


–Economic/financial/market


7

Identify the risks



–Legal and regulatory


7

Identify the risks




–Organisational/management/human factors


7

Identify the risks





–Political


7

Identify the risks





–Political

–Environmental


7

Identify the risks





–Political

–Environmental

–Technical/operational/infrastructure

Evaluate the risksRisk Management Cycle

8


8

–Probability/Likelihood (of the risk happening)


8

–Probability/Likelihood (of the risk happening)–Impact (should the risk happen)


8


–time


8


–time–cost


8


–time–cost–quality


8


–time–cost–quality–scope


8


–time–cost–quality–scope–benefits


8


–time–cost–quality–scope–benefits–people/resources

9

EXAMPLEIdentify suitable responses to risk

9

EXAMPLE

PreventionTerminate the risk - by doing things differently and thus removing the risk, where it is feasible to do so. Countermeasures are put in place that either stop the the threat or problem from occurring or prevent it having any impact

ReductionTreat the risk - take action to control it in some way where the actions either reduce the likelihood of the risk developing or limit the impact

Transference

This is a specialist form of risk reduction where the management of the risk is passed to a third party via, for instance, an insurance policy or penalty clause, such that the impact of the risk is no longer an issue for the health of the project. Not all risks can be transferred in this way

AcceptanceTolerate the risk - perhaps because nothing can be done at a reasonable cost to mitigate it or the likelihood and impact of the risk occurring are at an acceptable level

ContingencyThese are actions planned and organised to come into force as and when the risk occurs


9

EXAMPLE



Transference





9

EXAMPLE



Transference





9

EXAMPLE



Transference





9

EXAMPLE



Transference





Balance the risk

10

Cost of actions

Probability and impact of risk

occurring

Select

Risk action selection

11

Selection

Risk tolerance

Risk tolerance

Cost/time

Cost/timeCost/time

Possibleaction 1

Possibleaction 2

Possibleaction 3

Select

Risk action selection

11

Selection

Risk tolerance

Risk tolerance

Cost/time

Cost/timeCost/time

Possibleaction 1

Possibleaction 2

Possibleaction 3

Impact onother parts

of the project

Impact onBusiness Case

Impact on business or programme

Impact onplans

Select

Plan and resourceRisk Management Cycle

12


12

Planning, which for countermeasure actions consist of:


12

Planning, which for countermeasure actions consist of:– Identifying the quantity and type of resources required to carry out

the actions


12


the actions– Developing a detailed plan of action


12


the actions– Developing a detailed plan of action– Confirming the desirability of carrying out the actions


12


the actions– Developing a detailed plan of action– Confirming the desirability of carrying out the actions– Obtaining management approval


12



Resourcing, which to be used to conduct the work involved in carrying out the actions:


12



Resourcing, which to be used to conduct the work involved in carrying out the actions:– These assignments will be shown in Project and Stage Plans


12



Resourcing, which to be used to conduct the work involved in carrying out the actions:– These assignments will be shown in Project and Stage Plans– Resources requiring funding from the project budget


12



Resourcing, which to be used to conduct the work involved in carrying out the actions:– These assignments will be shown in Project and Stage Plans– Resources requiring funding from the project budget– Contingency actions will normally be funded from a contingency

budget

Monitor and reportRisk Management Cycle

13


13

Monitoring, may consist of:


13


–Checking that execution of the planned actions is having the desired effect


13



–Watching for the early warning signs that a risk is developing


13




–Modelling trends, predicting potential risks or opportunities


13




–Modelling trends, predicting potential risks or opportunities

–Checking that the overall management of risk is being applied effectively.

Risk Responsibilities

14


14

The Project Manager is responsible for ensuring that risks are identified, recorded and regularly reviewed. The Project Board has four responsibilities:


14


• Notifying the Project Manager of any external risk exposure to the project


14



• Making decisions on the Project Manager’s recommended reactions to risk


14




• Striking a balance between the level of risk and the potential benefits that the project may achieve


14




• Striking a balance between the level of risk and the potential benefits that the project may achieve

• Notifying corporate or programme management of any risks that affect the project’s ability to meet corporate or programme objectives.

Risk Ownership

15

Risk Ownership

15

Allocating ownership of the risk process as a whole and the various components is fundamental from the outset. When describing who owns the various elements of risk, it is important to identify who owns the following:

Risk Ownership

15


• The risk framework in totality

Risk Ownership

15



• Setting risk policy and the project team’s willingness to take risk

Risk Ownership

15




• Different elements of the risk process, such as identifying threats, through to producing risk response and reporting

Risk Ownership

15





• Implementation of the actual measures taken in response to the risks

Risk Ownership

15





• Implementation of the actual measures taken in response to the risks

• Interdependent risks that cross organisational boundaries, whether they be related to business processes, IT systems or other projects.

Risk Tolerance

16

EXAMPLE

Risk Analysis

17

1. Negligible2. Minor3. Moderate4. Major5. Critical6. Catastrophic

Asset ThreatWhat are you trying

to protect?What are you afraid

of happening?

Impact/SeverityWhat is the impact to the business?

1. Unforeseeable2. Very unlikely3. Possible4. Likely5. Very Likely6. Almost certain

Vulnerability MitigationHow could the threat occur?

What is currentlyreducing the risk?

Probability/LikelihoodHow likely is the threat?

Risk Log

Risk Log

18

EXAMPLERisk Log Tolerability level

12

Priority Hazard Impact (I)(1-6)

Probability (P)(1-6)

Risk rating (I x P)

1 Data loss due to virus 5 4 202 Denial of service attack 5 3 153 Theft of proprietary information 4 3 124 Insider net abuse 4 3 125 Abuse or wireless networks 3 4 126 Financial fraud 5 2 107 Laptop theft 3 3 98 Unauthorised access 3 3 99 Telecom fraud 2 3 610 Website hacking/defacement 3 2 611 System penetration 3 2 612 Sabotage 4 1 4

Risk Analysis

19

EXAMPLE

Risk Profile

20

EXAMPLE

Use of a easy-to-read diagram may assist in the visibility of risks and assist management decisions - these would be normally found in the Risk Logs

Risk Profile

20

High 1,2 5

Medium 4 3

Low 6,9 7,8

Low Medium High

Risk tolerance line

Impact

Probability/Likelihood

EXAMPLE

Analysing Risk

Factor Likelihood Impact Mitigation Strategy

Failure to recruit staff Medium High Minimise number of staff to be recruited. Ensure recruitment cycle begins as rapidly after project approved as possible. Ensure remuneration adequate to level of responsibility and expertise. Use specialist recruitment agency if necessary. Other staff seconded from other duties and additionally trained as triage solution.

Underestimate difficulty of specific technical development

Low Medium Close integration with OSS community effort to mobilise additional resource to bear on problem space.

Difficulty integrating with data sources for identity

Medium High Deploy Identity Management software based on open standards. Direct engagement with systems specialists.

Difficulty integrating the numerous electronic systems within the Engineering framework

Medium High Work with the various Engineering institutions to develop a concept concerning the creation and adoption of Standards (i.e. LEAP2A)

Project fails sufficiently to engage engineering communities

Low High Staff within the University of Hull, particularly the Knowledge Exchange will ensure that the ‘learner voice’ is represented throughout the project, inclusive of the broad diversity (including geographic) of learners represented within the partnership.

EXAMPLE

Budgeting for risk management

• A project needs to allocate and have embedded in the project environment:–Budget–Time–Resources (staff/skills/tools/techniques)

to ensure Risk Management is carried out successfully

• Experience shows that allocating the correct ‘budget’ to the risk management process early on will pay dividends later

22

Further considerations

– Project Interdependencies

– The relationship between benefit and delivery risks

– Internal versus external risks

23

TASK

Review your Project risks

57086 14 management_ofrisk

Economy & Finance

risk management policies

overview management

risk process

risk identification

risk principles5

risks risk tolerance4

framework of risk analysis

project management processes5