Applying risk radar (v2)

APPLYING RISK RADAR TO HIGH RISK TECHNOLOGY PROJECTS Risk management is how adults manage projects

– Tim Lister, Principle, Fellow & Senior Consultant, Cutter Consortium

1

Niwot Ridge LLC

Risk Everyone involved in development, acquisition, or management of technology

projects talks about “risk” – trouble is, everyone means something different

by it. Many kinds of risk – can affect your project, program, or business. With

so many questions and variables, how can we make sense of it all? 2

Risk is …

The likelihood of loss.

A measure of the likelihood that a threat will lead

to a loss coupled with the magnitude of the loss.

Risk requires the following conditions:

A potential loss

Likelihood

Choice

Likelihood is a measure of Uncertainty.

3

What Is Uncertainty?

Uncertainty is about the “lack of certainty”

Uncertainty is about the “variability” in the

performance measures like cost, duration, or quality.

Uncertainty is about the “ambiguity” associated with a

lack of this clarity.

4

Uncertainty is about Probability

What is the

probability that a

risk will occur?

The underlying

statistical behavior

of the source of

the risk drives this

probability.

5

Components of Risk

Risk is comprised of two core components.

Threat – a circumstance with the potential to produce

loss.

Consequence – the loss that will occur when a threat is

realized.

Probability Impact

Cause Effect

6

Risks are not the same as Issues

An Issue is a loss or adverse consequence that has

occurred or is certain to occur.

An Issue has no uncertainty – the loss or adverse

consequence has taken place or is certain to take

place.

An Issue or Problem can also lead to (or contribute

to) other risks by:

Creating a circumstance that produces a new threat.

Making an existing threat more likely to occur.

Aggravating the consequences of existing risks.

7

A Risk Paradigm†

† Continuous Risk Management (CRM), Software Engineering Institute

8

CMMI Risk Management – RM 9

IF–THEN Risk Statement

IF THEN

Risk 1 If we miss our next milestone.

Then the program will fail to

achieve its product, cost, and

schedule objectives.

Risk 2

If our subcontractor is late in

getting their modules

completed on time.

Then the program’s schedule

will slip.

Probability

10

CONDITION–CONCERN A Risk Statement

Condition Concern

Risk 1

Data indicates that some tasks

are behind schedule and

staffing levels may be

inadequate.

The program could fail to

achieve its product, cost, and

schedule objectives.

Risk 2

Our subcontractor has not

provided much information

regarding the status of its

tasks.

The program’s schedule could

slip.

Probability

11

CONDITION–EVENT–CONSEQUENCE A Risk Statement

Condition Event Consequence

Risk 1

Data indicates that

some tasks are

behind schedule and

staffing levels may

be inadequate.

We could miss our

next milestone.

The program will

fail to achieve its

product, cost, and

schedule objectives.

Risk 2

The subcontractor

has not provided

much information

regarding the status

of its tasks.

The subcontractor

could be late in

getting its modules

completed on time.

The program’s

schedule will slip.

Probability

12

Risk Handling Strategies

Risk handling is the outcome of the risk management

strategy – they are not the same:

Assumption – understand what potential impacts may

occur and have resources available to deal with them.

Avoidance –make a change in the situation that creates

the risk.

Control – develop a proactive implementation

approach to reduce the risk.

Transfer – determine who (internally or external) can

better handle the risk.

13

Elements of Risk Analysis

What are the risks?

Name them in a clear and concise manner.

FDA requires additional toxicology and / or DME studies beyond those currently planned

Likelihood of occurrence.

What is the probability that the risk will occur?

There is a 30% chance the FDA will require additional toxicology studies

Consequence of the risk.

Schedule delays in FDA submittal

Additional Cohorts needed for study

14

Risk Analysis 15

1

2

3

4

5

1 2 3 4 5

Low

Moderate

High

Consequence

Lik

elih

oo

d

16. GLP compliance at BSL–4

USAMRIID required for The Animal

Rule

1. FDA requires additional toxicology

and/or ADME studies

2. FDA requires PK in pivotal animal

studies

17. Two Segment II tox studies in

non–rodent and/or Segment I and

Segment III studies required for

Category B label

18. FDA demands aerosol exposure

(i.e. viral challenge) experiments

be performed in nonhuman

primate efficacy studies [L/H]

10. Irreversible kidney toxicity is seen

in a subset of healthy volunteers at

therapeutic dose levels

11. Clinical trial enrolls more slowly

than expected.

12. Positive signal in QTc study

13. FDA requests clinical data in

Special Populations pre–licensure

14. FDA requests larger clinical safety

database than initially proposed

19. One of the pivotal animal efficacy

studies fails to achieve primary

clinical efficacy endpoint

20. No Observed Adverse Effect

Level is significantly lower than

expected [L/H]

3. Insufficient subunit purification at

vendor

4. Failure of purification equipment at

J–M

5. New impurities appear as a result of

scale up from 8L to 50L

6. Subunits or API temporarily

unavailable

7. Lot failures of subunits, API or drug

product

8. One or more manufacturers not

cGMP

15. Unsuccessful synthesis

scale–up from 50L to 300L

16. New impurities appear as a

result of scale up

Example Risk Summary Grid 16

Example Risk Briefing 17