57086 Contract and Project Management 14 David Sowden, The University of Hull
Management of Risk
Overview
• Management of Risk
– What is Risk Management?
– Risk Principles
– The risk management cycle
– Risk responsibilities
– Risk ownership
– Risk tolerance
– Risk analysis
– Risk profile
– Budgeting for risk management
– Further considerations
What is Risk Management?
Risk management involves having:
– Access to reliable, up-to-date information about risks
– Decision-making processes supported by a framework of risk analysis and evaluation
– Processes in place to monitor risk
– The right balance of control in place to deal with those risks (Risk tolerance)
Risk Principles
– The Project Board (Supervisors) supports and promotes risk management, and understands and accepts the time and resource implications.
– Risk management policies and the benefits of effective risk management are clearly communicated to all staff
– A consistent approach to risk management is fully embedded in the project management processes
– Management of risk is an essential contribution to the achievement of business objectives
– Risks through working with programmes and other projects are assessed and managed
– There is a clear structure to the risk process so that each element or level of risk identification fits into an overall structure
– Where the project is part of a programme, changes in the state of any project risks that are also identified as programme risks must be flagged to programme management or the designated risk management function in the programme.
Risk Management Cycle
[Diagram: a cycle with two halves labelled "Risk analysis" and "Risk management". Steps shown: Identify the risks; Evaluate the risks; Identify suitable responses to risk; Select; Plan and resource; Monitor and report.]
Risk Management Cycle: Identify the risks
– Strategic/commercial
– Economic/financial/market
– Legal and regulatory
– Organisational/management/human factors
– Political
– Environmental
– Technical/operational/infrastructure
Risk Management Cycle: Evaluate the risks
– Probability/Likelihood (of the risk happening)
– Impact (should the risk happen)
   – time
   – cost
   – quality
   – scope
   – benefits
   – people/resources
Risk Management Cycle: Identify suitable responses to risk
– Prevention: Terminate the risk - by doing things differently and thus removing the risk, where it is feasible to do so. Countermeasures are put in place that either stop the threat or problem from occurring or prevent it having any impact
– Reduction: Treat the risk - take action to control it in some way where the actions either reduce the likelihood of the risk developing or limit the impact
– Transference: This is a specialist form of risk reduction where the management of the risk is passed to a third party via, for instance, an insurance policy or penalty clause, such that the impact of the risk is no longer an issue for the health of the project. Not all risks can be transferred in this way
– Acceptance: Tolerate the risk - perhaps because nothing can be done at a reasonable cost to mitigate it or the likelihood and impact of the risk occurring are at an acceptable level
– Contingency: These are actions planned and organised to come into force as and when the risk occurs
Risk Management Cycle: Select
Balance the risk
[Diagram labels: Cost of actions; Probability and impact of risk occurring]
Risk Management Cycle: Select
Risk action selection
[Diagram labels: Possible action 1, Possible action 2, Possible action 3, each with Cost/time; Risk tolerance; Selection; Impact on other parts of the project; Impact on Business Case; Impact on business or programme; Impact on plans]
Risk Management Cycle: Plan and resource
Planning, which for countermeasure actions consists of:
– Identifying the quantity and type of resources required to carry out the actions
– Developing a detailed plan of action
– Confirming the desirability of carrying out the actions
– Obtaining management approval
Resourcing, which identifies the resources to be used to conduct the work involved in carrying out the actions:
– These assignments will be shown in Project and Stage Plans
– Resources requiring funding from the project budget
– Contingency actions will normally be funded from a contingency budget
Risk Management Cycle: Monitor and report
Monitoring may consist of:
– Checking that execution of the planned actions is having the desired effect
– Watching for the early warning signs that a risk is developing
– Modelling trends, predicting potential risks or opportunities
– Checking that the overall management of risk is being applied effectively.
Risk Responsibilities
The Project Manager is responsible for ensuring that risks are identified, recorded and regularly reviewed. The Project Board has four responsibilities:
• Notifying the Project Manager of any external risk exposure to the project
• Making decisions on the Project Manager’s recommended reactions to risk
• Striking a balance between the level of risk and the potential benefits that the project may achieve
• Notifying corporate or programme management of any risks that affect the project’s ability to meet corporate or programme objectives.
Risk Ownership
Allocating ownership of the risk process as a whole and the various components is fundamental from the outset. When describing who owns the various elements of risk, it is important to identify who owns the following:
• The risk framework in totality
• Setting risk policy and the project team’s willingness to take risk
• Different elements of the risk process, such as identifying threats, through to producing risk response and reporting
• Implementation of the actual measures taken in response to the risks
• Interdependent risks that cross organisational boundaries, whether they be related to business processes, IT systems or other projects.
Risk Tolerance
EXAMPLE
Risk Analysis
– Asset: What are you trying to protect?
– Threat: What are you afraid of happening?
– Vulnerability: How could the threat occur?
– Mitigation: What is currently reducing the risk?
– Impact/Severity: What is the impact to the business?
   1. Negligible 2. Minor 3. Moderate 4. Major 5. Critical 6. Catastrophic
– Probability/Likelihood: How likely is the threat?
   1. Unforeseeable 2. Very unlikely 3. Possible 4. Likely 5. Very Likely 6. Almost certain
Risk Log
EXAMPLE
Tolerability level: 12

| Priority | Hazard | Impact (I) (1-6) | Probability (P) (1-6) | Risk rating (I x P) |
|---|---|---|---|---|
| 1 | Data loss due to virus | 5 | 4 | 20 |
| 2 | Denial of service attack | 5 | 3 | 15 |
| 3 | Theft of proprietary information | 4 | 3 | 12 |
| 4 | Insider net abuse | 4 | 3 | 12 |
| 5 | Abuse of wireless networks | 3 | 4 | 12 |
| 6 | Financial fraud | 5 | 2 | 10 |
| 7 | Laptop theft | 3 | 3 | 9 |
| 8 | Unauthorised access | 3 | 3 | 9 |
| 9 | Telecom fraud | 2 | 3 | 6 |
| 10 | Website hacking/defacement | 3 | 2 | 6 |
| 11 | System penetration | 3 | 2 | 6 |
| 12 | Sabotage | 4 | 1 | 4 |
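As an added illustration (not part of the original slides), the example risk log can be recomputed and checked against the tolerability level, and the Reduction response described earlier can be sized as the number of scale points a risk has to drop. It assumes that a rating at or above 12 is outside tolerance and that a reduction acts on one axis at a time; the class and function names are hypothetical.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 6   # the slides score impact and probability on 1-6
TOLERABILITY = 12             # "Tolerability level" shown on the risk log


@dataclass(frozen=True)
class Risk:
    hazard: str
    impact: int
    probability: int

    def __post_init__(self):
        # Reject scores that are off the six-point scales used in the slides.
        for field in ("impact", "probability"):
            value = getattr(self, field)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.hazard}: {field}={value} is off the 1-6 scale")

    @property
    def rating(self) -> int:
        return self.impact * self.probability   # risk rating (I x P)


# Rows of the example risk log, in the order the slide lists them.
RISK_LOG = [
    Risk("Data loss due to virus", 5, 4),
    Risk("Denial of service attack", 5, 3),
    Risk("Theft of proprietary information", 4, 3),
    Risk("Insider net abuse", 4, 3),
    Risk("Abuse of wireless networks", 3, 4),
    Risk("Financial fraud", 5, 2),
    Risk("Laptop theft", 3, 3),
    Risk("Unauthorised access", 3, 3),
    Risk("Telecom fraud", 2, 3),
    Risk("Website hacking/defacement", 3, 2),
    Risk("System penetration", 3, 2),
    Risk("Sabotage", 4, 1),
]


def prioritise(risks):
    """Highest rating first; the stable sort keeps the input order for ties."""
    return sorted(risks, key=lambda r: r.rating, reverse=True)


def needs_response(risks, level=TOLERABILITY):
    """Assumption: a rating at or above the tolerability level is not tolerated."""
    return [r for r in risks if r.rating >= level]


def steps_to_tolerable(risk, level=TOLERABILITY):
    """Fewest one-point reductions on a single axis that bring the rating
    below `level`; None when that axis alone cannot get there."""
    def steps(own, other):
        for target in range(own, SCALE_MIN - 1, -1):
            if target * other < level:
                return own - target
        return None
    return {
        "probability": steps(risk.probability, risk.impact),
        "impact": steps(risk.impact, risk.probability),
    }


if __name__ == "__main__":
    for rank, risk in enumerate(prioritise(RISK_LOG), start=1):
        flag = "respond" if risk.rating >= TOLERABILITY else "tolerate"
        print(f"{rank:>2} {risk.hazard:<34} {risk.rating:>2} {flag:<8} {steps_to_tolerable(risk)}")
```

For the top-ranked hazard, lowering probability reaches tolerance in fewer steps than lowering impact, which is the kind of comparison the cost-versus-risk balance in the Select step calls for.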
Risk Analysis
EXAMPLE
Risk Profile
EXAMPLE
Use of an easy-to-read diagram may assist in the visibility of risks and assist management decisions - these would normally be found in the Risk Logs
[Diagram: grid of numbered risks with axes Impact and Probability/Likelihood, each graded Low, Medium, High, and a risk tolerance line. Rows as extracted: High: 1,2 and 5; Medium: 4 and 3; Low: 6,9 and 7,8.]
Analysing Risk
EXAMPLE

| Factor | Likelihood | Impact | Mitigation Strategy |
|---|---|---|---|
| Failure to recruit staff | Medium | High | Minimise number of staff to be recruited. Ensure recruitment cycle begins as rapidly after project approved as possible. Ensure remuneration adequate to level of responsibility and expertise. Use specialist recruitment agency if necessary. Other staff seconded from other duties and additionally trained as triage solution. |
| Underestimate difficulty of specific technical development | Low | Medium | Close integration with OSS community effort to mobilise additional resource to bear on problem space. |
| Difficulty integrating with data sources for identity | Medium | High | Deploy Identity Management software based on open standards. Direct engagement with systems specialists. |
| Difficulty integrating the numerous electronic systems within the Engineering framework | Medium | High | Work with the various Engineering institutions to develop a concept concerning the creation and adoption of Standards (i.e. LEAP2A) |
| Project fails sufficiently to engage engineering communities | Low | High | Staff within the University of Hull, particularly the Knowledge Exchange will ensure that the ‘learner voice’ is represented throughout the project, inclusive of the broad diversity (including geographic) of learners represented within the partnership. |
Budgeting for risk management
• A project needs to allocate and have embedded in the project environment:
– Budget
– Time
– Resources (staff/skills/tools/techniques)
to ensure Risk Management is carried out successfully
• Experience shows that allocating the correct ‘budget’ to the risk management process early on will pay dividends later
Further considerations
– Project Interdependencies
– The relationship between benefit and delivery risks
– Internal versus external risks
TASK
Review your Project risks