Handling risk

HANDLING RISK ON HIGH TECHNOLOGY PROGRAMS Without metrics, you’re just another guy with an opinion.

— Stephan Leschka, Hewlett Packard

1

Niwot Ridge LLC

Agenda for the Next 4 Hours 2

Review the five principles of Risk Management.

Introduce SEI’s Continuous Risk Management (CRM).

Illustrate each CRM process area with example artifacts or

outcomes.

Familiarize all participants with the concept of Risk

Management and their contributions to the 1st step –

Identifying Risk.

Understand what data needs to be gathered, so the 1st cut

at a measure of program risk can be constructed.

But, Before we Start, Let’s Understand our Role Here …

3

Risk Management is a profession.

Risk Management is Program Management.

Risk Management is how adults manage projects.

Managing risks goes hand-in-glove with managing

work, people, processes, vendors, and the client.

What’s Risk Management All About?

4

But we can’t make decisions until we get the right information, right?

5

Risks are part of the project, handled the same way all other work is handled – with a plan

6

Five Easy Pieces

of Risk Management

Risk Management is more than the processes called out

in PMBOK® (Chapter 11)

Risk Management

IS

Project Management

7

1. Hope is not a strategy 2. No single point estimate of cost or schedule can be correct 3. Cost, Schedule, and Technical Performance are inseparable 4. Risk management requires adherence to a well defined process 5. Communication is the Number One success factor

8

Hope is Not a Strategy

A Ship on the Beach is a Lighthouse to the Sea – Dutch Proverb

9 I

II

No Point Estimate By Itself Can Be Correct

10

Cost, Schedule, & Technical Performance are Inseparable

11 III

Risk Management Demands a Well Defined Process

12 IV

V

Risk Management

Demands Direct Communication

Between All Parties

13

Lack of predictive variance analysis

Untimely and unrealistic Latest Revised Estimates (LRE)

Progress not monitored in a regular and consistent manner

Lack of vertical and horizontal traceability cost and schedule data for corrective action

Lack of internal surveillance and controls

Managerial actions not demonstrated using Earned Value

Inattention to budgetary responsibilities

Work authorizations that are not always followed

Issues with Budget and data reconciliation

Lack of an integrated management system

Baseline fluctuations and frequent replanning

Current period and retroactive changes

Improper use of management reserve

EV techniques that do not reflect actual performance

The Project Train Wrecks Starts When There is…

14

Mary K. Evans Picture Library

Putting these Principles into Practice 15

Principles and Practices are not the same

16

In theory there is no difference

between theory and practice. In

practice there is.

Three Conditions of Risk 17

The potential for loss must exist.

Uncertainty with respect to the eventual outcome

must be present.

Some choice or decision is required to deal with the

uncertainty and potential for loss.

Mission-Oriented Success Analysis and Improvement Criteria (MOSAIC)

18

Establish and maintain confidence that objectives

will be achieved successfully

A suite of risk–based methods for assessing and

managing complex projects and processes.

Produces a broad overview of the current state of

risk and opportunity for a project or process.

19

Mission Work Processes Constraints

Tasking, Orders, and Plans Operational Processes Resources

Stability

Completeness

Clarity

Validity

Feasibility

Precedent

Timeliness

Formality

Suitability

Process

Control

Familiarity

Product Control

Schedule

Staff

Budget

Facilities

Tools

Mission Execution Maintenance Process Policies

Efficiency

Effectiveness

Complexity

Timeliness

Safety

Formality

Suitability

Process

Control

Familiarity

Service Quality

Laws and

Regulations

Restrictions

Contractual

Constraints

Product and Service Management Processes Interfaces

Usability

Effectiveness

Timeliness

Accuracy

Correctness

Operational

Systems

Planning

Organization

Management

Experience

Program

Interfaces

Customer /

User

Community

Associate

Agencies

Contractors

Senior

Leadership

Vendors

Politics

Operational Systems Management Methods

Throughput

Suitability

Usability

Familiarity

Reliability

Security

Inventory

Installations

System

Support

Monitoring

Personnel

Management

Quality

Assurance

Configuration

Management

Work Environment

Quality Attitude

Cooperation

Communication

Morale

CRM is the Software Engineering Institute’s

framework for managing risk in the context of

system integration, technology based product

development, and the management of these

activities.

An Introduction to Continuous Risk Management (CRM)

20

21

Continuous Risk Management has Six Components

Continuous Risk Management 22

Stage Actionable Steps

Identify Continually ask, “what could go wrong?”

Analyze Continually ask, “which risks are most critical to

mitigate?”

Plan Develop mitigation approaches for the most critical risks

Track Track the mitigation plan and the risk

Control Make decisions based on data

Communicate Ensure a free-flow of information throughout the project

Putting Continuous Risk Management Together

23

Identify

Analyze

Plan

Track

Control

Identify Risk Issues and Concerns

Evaluate, classify, and prioritize

risks

Decide what should be done

about risks

Monitor risk metrics and

verify/validate mitigations

Make risk decisions

Subproject and partner

data/constraints, hazard

analysis, FMEA, FTA, etc.

Risk data: test data, expert

opinion, hazard analysis, FMEA,

FTA, lessons learned, technical

analysis

Resources

Replan Mitigation

Program/project data

(metrics information)

Statement of risk

Risk classification, Likelihood

Consequence, Timeframe

Risk prioritization

Research, Watch (tracking requirements)

Acceptance Rationale, Mitigation Plans

Risk status reports on:

Risks

Risk Mitigation Plans

Close or Accept Risks

Invoke contingency plans

Continue to track

Four (4) Steps to Deploying CRM 24

Step Action

1 Establish an enterprise risk

management process

SEU CRM Process with Mitre Risk

Registry

2

Establish Risk Process owner and

document the process

Org chart Risk Manager

established, Risk owners for

deliverables are next

3 Provide training in the standard

risk management process

Engage risk owners

4

Monitor and enforce the

implementation of Risk

Management

Weekly risk board meeting

25

Search for and locate risks before they become issues or problems. Capture statements of risk and context.

Capture a Statement of Risk 26

Consider and record the conditions that are causing

concern

Create a statement of the risk in a concise

description, which can be understood and acted on

Condition: a single phrase describing the circumstances

Consequences: a single phrase describing the key,

possible negative outcome(s)

Capture the Context of a Risk 27

A brief, concise description of the conditions and

consequences of the risk

Provide enough information to ensure the original

intent of the risk can be understood, especially

after some time has passed

28

Transform risk data into decision making information. Risk analysis is performed to determine what is important to the project and to set priorities.

Evaluating Attributes of Risks 29

Impact: the loss or effect on the project if the risk

occurs

Probability: the likelihood the risk will occur

Timeframe: the period when action is required in

order to mitigate or retire the risk

Sample Risk Evaluation 30

A B C D E

Negligible Minor Moderate Significant Severe

E Very Likely Low Med Medium Med Hi High High

D Likely Low Low Med Medium Med Hi High

C Possible Low Low Med Medium Med Hi Med Hi

B Unlikely Low Low Med Low Med Medium Med Hi

A Very Unlikely Low Low Low Med Medium Medium

Classifying Risks 31

Grouping risks based on shared characteristics

Identify duplicate risks

Risk Evaluation Classification 32

Probability Risk Rating

> 70% E: Very Likely

40% to 70% D: Likely

10% to 40% C: Possible

1% to 40% B: Unlikely

< 1% A: Very Unlikely

Budget Over Run Impact Rating

> 15% of budget E: Severe

10% to 15% of budget D: Significant

6% to 10% of budget C: Moderate

2% to 6% of budget B: Minor

< 2% of budget A: Negligible

Prioritizing Risks 33

Partitioning risks or groups of risks based on the

Borda “vital few” scale

Ranking the risks based on a criteria

Separate risk to be dealt with first (the vital few)

when allocating resources

The Borda Rank 34

Which risk of more critical?

Where should resources be allocated to

eliminate the most troublesome areas in the

program?

Using this approach – ties for “the most

important – often result.

Borda Ranking deals with this result, which

ranks risks according to their probability of

occurrence and their impact

i ik

k

b N r “Risk Matrix: An Approach for Identifying, Assessing, and Ranking Program Risks,” Paul Garvey

and Zachary Lansdowne, Air Force of Logistics, Vol XXII, Number 1

35

Translate risk information into decisions and mitigating actions and implement those actions. Produce plans for mitigating risks.

Assign Responsibility 36

Three choices for assigning responsibility

Keep the risk

Transfer the risk upward in the organization or to

another organization

Delegate the risk within the organization

Determine the Approach 37

Accept the risk – do nothing

Mitigate the risk – eliminate or reduce

Watch the risk – monitor for critical changes

Define Scope and Actions 38

Action Item List for less complex mitigations

A simple means of documenting and tracking risk

mitigations

Task Plans with schedules and budgets for complex

mitigations

These plans must be embedded in the Integrated

Master Schedule

39

Monitor risk indicators and mitigation plans. Indicators and trends provide information to activate plans and contingencies. Review these plans periodically to measure progress and identify new risks.

The Risk Registry 40

Integrate Risk with the Master Schedule

41

Budget and resources assigned from Risk

Management reserve.

Activation of risk activities through the Risk

Management Board.

Adjustments to Performance Measurement Baseline

reflect Risk activities.

Measure risk activities in the same way as other

planned activities.

42

Correct for deviations from the risk mitigation plans. Actions can lead to corrections in products or processes. Changes to risks, risks that become problems, or faulty plans require adjustments in plans or actions.

Analyze Risks 43

Examine risks for trends, deviations, and anomalies.

Achieve a clear understanding of the current status

of each risk and mitigation plan.

Decide 44

Replan

Close the risk

Invoke the contingency plan

Continue tracking and executing the current plan

Execute 45

If a planned action is made, open the Work

Packages for the mitigation or retirement activities.

If it decided to continue tracking, the risk remains in

the tracking state until the next review.

46

Provide information and feedback to the project on the risk activities, current risks, and emerging risks.

Risk Communication Process 47

Risk Management Processes and their Communication to the Program Team

Determine sources and categories Define parameters to analyze and categorize risks

Define parameters used to control the risk

management effort

Establish and maintain a strategy for risk

management

Identify and document risks

Evaluate and categorize each identified risk using

defined categories and parameters and determine

relative priority

Develop risk Handling Plan for important risks as

defined by the risk management strategy

Monitor status of risk periodically and implement risk

handling plan as appropriate

Establish and maintain organizational policy for

planning and performing risk management

Provide adequate resources for performing risk

management, developing work products and

providing services

Assign responsibility and authority for performing the

process Train staff in support of risk management processes

Place designated work products under appropriate

configuration management Identify and involve relevant stakeholders

Monitor and control risk management processes Objectively evaluate adherence to risk management

processes

48

Glen B. Alleman

4347 Pebble Beach Drive

Niwot, Colorado 80503

[email protected]

+1.303.241.9633