Managing Risk Jean Morgan BCS Kingston & Croydon 20 th April 2004.

Managing Risk

Jean Morgan

BCS Kingston & Croydon

20th April 2004

Copyright Wilhen Associates Limited/ Project Frameworks Solutions Limited April 2004

• Introductions

• All about Risk

• Two Models

• Risk Assessment

• Some Pitfalls

AgendaMANAGING

RISK


Introductions

• Scope– Project and Operational (Turnbull Report)– Not the Monte Carlo method– Finish by Closing Time

MANAGING RISK


• PRINCE2

“The chance of exposure to the adverse consequences of future events”

What is Risk?MANAGING

RISK

• OGC

“uncertainty of outcome”


Turnbull Report

The board of a company should maintain a sound system of internal control

The directors should review the effectiveness of internal controls (at least annually)

The directors should report on the effectiveness to shareholders, including financial controls, operational controls, compliance controls and risk management

The board of a company should maintain a sound system of internal control

The directors should review the effectiveness of internal controls (at least annually)

The directors should report on the effectiveness to shareholders, including financial controls, operational controls, compliance controls and risk management

Nigel Turnbull, "Internal Control: Guidance for Directors on the combined Code“, Chairman, The Institute of Chartered Accountants in England and Wales, http://www.icaew.co.uk

MANAGING RISK


A ModelMANAGING

RISK

RiskIdentification - Workshop - Use - Checklist - Questionnaire

Risk Analysis - Probability - Impact - Severity - Proximity

Monitor &Control - Review Actions - Reassess Risk - New Actions

MitigatingAction - Dates - Actions - Names

RiskManagement

Method


• Something may happen, causing something else to happen, where the effect would be something adverse.

How to define RisksMANAGING

RISK

e.g. Information may get out regarding the project causing key people to leave the company where the effect would be the inability to support day to day operations


Nothing VenturedMANAGING

RISK


Nothing Ventured…Columbus’ trip tothe new world

You have heard from a Florentine that it should be possible to reach India bysailing west. Nobody seems to believe this but you are seeking a sponsor forthis ambitious project nonetheless. It could be that great rewards in the formof booty are there for the taking, on the other hand….Having received the patronage of Ferdinand and Isabella of Spain, your job isto set up the voyage and concoct the plans for the trip.

Manchester’sCommon-wealthGames

The aim has been to create a friendly, trouble-free games bringing credit tothe Manchester region through the warmth of the welcome, the competence ofthe organisation and the impression created by the urban environment andinfrastructure.Your job is to manage the project which mounts all aspects of the games fromthe construction and commissioning of the facilities to the organisation andoperation of the events. You will have to liaise closely with the City ofManchester authorities.

Amazon.com setup

Booksellers’ margins are high and the prospect of using the internet to sweepup a large proportion of the traditional High Street market is tempting.Internet selling can avoid the high fixed costs associated with retail outletswhilst providing high volume product throughput and a relatively low costbase. It is thought that most book sales result from customers who know whatthey want rather than those that browse.Your job is to set up the internet sales operation with a target of a financialbreak-even within 2 years of the launch date.

MANAGING RISK


MANAGING RISK


Resources may not be available for the Build phase causing the Build phase to be delayed where the effect would be a delay to the overall schedule

Resources may not have the required technical skills causing additional work to acquire resource where the effect would be a delay or significant increase in costs

Resources may not be available with domain knowledge causing inability to determine the requirements where the effect would be project does not get started

MANAGING RISKResources not Available


• Contain the impact CONTINGENCY– Extra time

– Extra people

– Extra money

– Extra facilities

– Communication Plan

• Prevent or minimise the probability PREVENTION– Transfer

– Avoid

– Reduce/Eliminate

– Ignore

Types of mitigating actionsMANAGING

RISK

‘Good communication is the enemy of Risk’


• Risk Register– Reference, Dates, Raised by– Risk Type– Description– Probability, Impact, Cost of Impact, Proximity– Mitigation, Cost Of Mitigating Actions– Status, Owner

• Risk Owner• Risk Manager/ Coordinator/ Specialist/ Project

Office/ Internal Audit

Getting to grips with the jargonMANAGING

RISK


• If it does happen how much does it matter? IMPACT • How likely? PROBABILITY

Why describe risks?MANAGING

RISK

Very High Probability

High Probability

Medium Probability

Low Probability

Very Low Probability

Very Low Impact

Low Impact Medium Impact

High Impact Very High Impact

Summary Risk Profile


Reporting Risks

Jan 2003 - Project New Business - Risk Profile

0

5

10

15

20Resources

Internal Dependencies

Ext Dependencies

PioneeringScope

Stakeholders

Regulation

Unacceptable

Critical

Significant

Minor

Area of Concern

MANAGING RISK


PitfallsMANAGING

RISK

‘Risks R Us’‘Blind leading the

Blind’

‘Rent-a-Risk’

‘Prevention is better than

cure’

‘Let’s shoot the Messenger’

‘Are the risks going away?’

‘Keep it to yourselves’


OGC M_o_R MANAGING RISK

• Complements the “Gateway” Process• A Toolbox• Guidance for Practitioners published by

TSO• Education

– Foundation, Practitioner & Professional– Accredited Trainers/ Examiners– Administered by APM Group


Framework for theManagement of Risk

Set acceptable levels of risk

Define a framework

Identify probable risk owners

Evaluate the risks

Identify suitable responses to risk

Gain assurance about

effectiveness

Embed and review

Identify the risks

Implement responses

MANAGING RISK


Strategic

Programme

Project

Operational

Decisions on business strategy

Decisions transferringstrategy into action

Decisions required forimplementing actions

Where risks occur

M_o_R Management Hierarchy

Think of examples that might occur at

each level

MANAGING RISK


• Senior managers will foster a culture to support well judged decisions about risks and opportunities, enabling innovation to be handled with confidence

• The management of risk will be integrated into existing processes

• Clear roles and definitions will be agreed relating to the accountability, management, escalation and communication of key risks

• Risks will be managed at the lowest level at which the manager has the authority, responsibility and resources to take action

• Minimum bureaucracy

• There will be consistent risk judgements to inform the decision making process

• The effectiveness of risk management will be subject to challenge through independent assessment

Developing a Risk Culture MANAGING

RISK


Making the Risk Management Transition

Where you are

"We must comply withTurnbull and other externallyimposed regulations but wedon't know whether we do ornot - maybe we 'll facecriticism from the StockExchange, the Regulators oreven the Shareholders"

"Risk Management seems tous an unfortunate overhead -but if we're doing it properlyit should really be making ourbusiness better run"

"We have a variety of riskmanagement practicesthroughout our businesswhich makes it hard toassemble an overall picturefor regulatory purposes - yetalone to see whether we aremanaging in the bestinterests of the business'future"

Where we are

"We must comply withTurnbull and other externallyimposed regulations but wedon't know whether we do ornot - maybe we 'll facecriticism from the StockExchange, the Regulators oreven the Shareholders"

"Risk Management seems tous an unfortunate overhead -but if we're doing it properlyit should really be making ourbusiness better run"

"We have a variety of riskmanagement practicesthroughout our businesswhich makes it hard toassemble an overall picturefor regulatory purposes - yetalone to see whether we aremanaging in the bestinterests of the business'future"

Where you should be

"We know that we complywith external requirements -and more - but we're notcomplacent"

"Never mind regulations ourrisk management processeshave changed our wholebusiness culture - we stillventure but now weanticipate - we are a betterrun and more confidentorganisation"

"We have common riskmanagement practicesthroughout our business -both in the operations, and inthe programmes and projectsthat deliver change - we havea clear overall picture of ourbusiness in terms of riskmanagement"

Where we want to be

"We know that we complywith external requirements -and more - but we're notcomplacent"

"Never mind regulations ourrisk management processeshave changed our wholebusiness culture - we stillventure but now weanticipate - we are a betterrun and more confidentorganisation"

"We have common riskmanagement practicesthroughout our business -both in the operations, and inthe programmes and projectsthat deliver change - we havea clear overall picture of ourbusiness in terms of riskmanagement"

WHAT MUST BE DONE

Consistent approach - introduce astandard approach to riskmanagement throughout theorganisation (operational areas,programmes and projects) whichcomplies with externalrequirements

Pilot - chose some exemplarprogrammes, projects andoperational areas on which thebusiness benefits of the newapproach can be rapidlydemonstrated

Transfer skills/knowledge - benefitfrom industry best practicethrough the introduction ofexternal experience

Integrate - link the businessexposures into a single overallpicture enabling you to focus yourmanagement effort

Coach staff - all levels of staffmust be aware of the newapproach - and start to behaveaccording to the new culture

WHAT MUST BE DONE

Consistent approach - introduce astandard approach to riskmanagement throughout theorganisation (operational areas,programmes and projects) whichcomplies with externalrequirements

Pilot - chose some exemplarprogrammes, projects andoperational areas on which thebusiness benefits of the newapproach can be rapidlydemonstrated

Transfer skills/knowledge - benefitfrom industry best practicethrough the introduction ofexternal experience

Integrate - link the businessexposures into a single overallpicture enabling you to focus yourmanagement effort

Coach staff - all levels of staffmust be aware of the newapproach - and start to behaveaccording to the new culture


Some References• BCS Practical guide – email us for publication information

• OGC – Management of Risk: Guidance for Practitioners - £35

• MANAGING RISK for projects and programmes – John Bartlett, Project Manager Today c£20

• The Institute of Chartered Accountants in England and Wales publishes a Boardroom Briefing document on its web site entitled Implementing Turnbull. The web site address is http://www.icaew.co.uk/ and search within the site for "Implementing Turnbull".

• The CRAMM User Group is a forum for information security and for using CRAMM. It can be contacted through:

PO Box 231, Burton upon Trent, DE13 8ZX, Telephone: 0707 122 3831 E-mail: [email protected]

• The Project Risk Analysis & Management Guide is available from the APM Group, a commercial organisation. More information is available from: Telephone 01494 452450 E-mail to [email protected] or [email protected]

• The Association for Project Management (APM) has a Specific Interest Groups on risk management which has a web address at http://www.eurolog.demon.co.uk/index.htm. The SIG meets four times per year to hear and discuss many topics around risk. Papers from previous meetings are accessible on the web site. These cover both project risk management and operational risk management with practical articles on implementing the Turnbull recommendations.

• Tools

MANAGING RISK


Risk CompensationDear Sir, Before any of your readers may be induced to cut their hedges as suggested by the secretary of the Motor Union they may like to know my experience of having done so. Four years ago I cut down the hedges and shrubs to a height of 4ft for 30 yards back from the dangerous crossing in this hamlet. The results were twofold: the following summer my garden was smothered with dust caused by fast-driven cars, and the average pace of the passing cars was considerably increased. This was bad enough, but when the culprits secured by the police pleaded that "it was perfectly safe to go fast" because "they could see well at the corner", I realized that I had made a mistake. Since then I have let my hedges and shrubs grow, and by planting roses and hops have raised a screen 8ft to 10ft high, by which means the garden is sheltered to some degree from the dust and the speed of many passing cars sensibly diminished. For it is perfectly plain that there are many motorists who can only be induced to go at a reasonable speed at crossroads by consideration for their own personal safety. Hence the advantage to the public of automatically fostering this spirit as I am now doing. To cut hedges is a direct encouragement to reckless driving. Your obedient servant, Willoughby Verner

From "RISK" by John Adams, UCL PressLetter to The Times, 13 July 1908, from Colonel Wjlloughby Verner

MANAGING RISK


Contacts

• Jean Morgan www.wilhen.co.uk

[email protected]

• Mike Bath www.pfsl.org.uk

[email protected]

MANAGING RISK

Project

Solutions

Frameworks

Managing Risk Jean Morgan BCS Kingston & Croydon 20 th April 2004.

Documents

Transcript of Managing Risk Jean Morgan BCS Kingston & Croydon 20 th April 2004.