APPLYING RISK RADAR TO HIGH RISK TECHNOLOGY PROJECTS Risk management is how adults manage projects – Tim Lister, Principle, Fellow & Senior Consultant, Cutter Consortium 1 Niwot Ridge LLC
Jun 09, 2015
APPLYING RISK RADAR TO HIGH RISK TECHNOLOGY PROJECTS Risk management is how adults manage projects
– Tim Lister, Principle, Fellow & Senior Consultant, Cutter Consortium
1
Niwot Ridge LLC
Risk Everyone involved in development, acquisition, or management of technology
projects talks about “risk” – trouble is, everyone means something different
by it. Many kinds of risk – can affect your project, program, or business. With
so many questions and variables, how can we make sense of it all? 2
Risk is …
The likelihood of loss.
A measure of the likelihood that a threat will lead
to a loss coupled with the magnitude of the loss.
Risk requires the following conditions:
A potential loss
Likelihood
Choice
Likelihood is a measure of Uncertainty.
3
What Is Uncertainty?
Uncertainty is about the “lack of certainty”
Uncertainty is about the “variability” in the
performance measures like cost, duration, or quality.
Uncertainty is about the “ambiguity” associated with a
lack of this clarity.
4
Uncertainty is about Probability
What is the
probability that a
risk will occur?
The underlying
statistical behavior
of the source of
the risk drives this
probability.
5
Components of Risk
Risk is comprised of two core components.
Threat – a circumstance with the potential to produce
loss.
Consequence – the loss that will occur when a threat is
realized.
Probability Impact
Cause Effect
6
Risks are not the same as Issues
An Issue is a loss or adverse consequence that has
occurred or is certain to occur.
An Issue has no uncertainty – the loss or adverse
consequence has taken place or is certain to take
place.
An Issue or Problem can also lead to (or contribute
to) other risks by:
Creating a circumstance that produces a new threat.
Making an existing threat more likely to occur.
Aggravating the consequences of existing risks.
7
A Risk Paradigm†
† Continuous Risk Management (CRM), Software Engineering Institute
8
CMMI Risk Management – RM 9
IF–THEN Risk Statement
IF THEN
Risk 1 If we miss our next milestone.
Then the program will fail to
achieve its product, cost, and
schedule objectives.
Risk 2
If our subcontractor is late in
getting their modules
completed on time.
Then the program’s schedule
will slip.
Probability
10
CONDITION–CONCERN A Risk Statement
Condition Concern
Risk 1
Data indicates that some tasks
are behind schedule and
staffing levels may be
inadequate.
The program could fail to
achieve its product, cost, and
schedule objectives.
Risk 2
Our subcontractor has not
provided much information
regarding the status of its
tasks.
The program’s schedule could
slip.
Probability
11
CONDITION–EVENT–CONSEQUENCE A Risk Statement
Condition Event Consequence
Risk 1
Data indicates that
some tasks are
behind schedule and
staffing levels may
be inadequate.
We could miss our
next milestone.
The program will
fail to achieve its
product, cost, and
schedule objectives.
Risk 2
The subcontractor
has not provided
much information
regarding the status
of its tasks.
The subcontractor
could be late in
getting its modules
completed on time.
The program’s
schedule will slip.
Probability
12
Risk Handling Strategies
Risk handling is the outcome of the risk management
strategy – they are not the same:
Assumption – understand what potential impacts may
occur and have resources available to deal with them.
Avoidance –make a change in the situation that creates
the risk.
Control – develop a proactive implementation
approach to reduce the risk.
Transfer – determine who (internally or external) can
better handle the risk.
13
Elements of Risk Analysis
What are the risks?
Name them in a clear and concise manner.
FDA requires additional toxicology and / or DME studies beyond those currently planned
Likelihood of occurrence.
What is the probability that the risk will occur?
There is a 30% chance the FDA will require additional toxicology studies
Consequence of the risk.
Schedule delays in FDA submittal
Additional Cohorts needed for study
14
Risk Analysis 15
1
2
3
4
5
1 2 3 4 5
Low
Moderate
High
Consequence
Lik
elih
oo
d
16. GLP compliance at BSL–4
USAMRIID required for The Animal
Rule
1. FDA requires additional toxicology
and/or ADME studies
2. FDA requires PK in pivotal animal
studies
17. Two Segment II tox studies in
non–rodent and/or Segment I and
Segment III studies required for
Category B label
18. FDA demands aerosol exposure
(i.e. viral challenge) experiments
be performed in nonhuman
primate efficacy studies [L/H]
10. Irreversible kidney toxicity is seen
in a subset of healthy volunteers at
therapeutic dose levels
11. Clinical trial enrolls more slowly
than expected.
12. Positive signal in QTc study
13. FDA requests clinical data in
Special Populations pre–licensure
14. FDA requests larger clinical safety
database than initially proposed
19. One of the pivotal animal efficacy
studies fails to achieve primary
clinical efficacy endpoint
20. No Observed Adverse Effect
Level is significantly lower than
expected [L/H]
3. Insufficient subunit purification at
vendor
4. Failure of purification equipment at
J–M
5. New impurities appear as a result of
scale up from 8L to 50L
6. Subunits or API temporarily
unavailable
7. Lot failures of subunits, API or drug
product
8. One or more manufacturers not
cGMP
15. Unsuccessful synthesis
scale–up from 50L to 300L
16. New impurities appear as a
result of scale up
Example Risk Summary Grid 16
Example Risk Briefing 17